Photo of Aaron Burstein

Aaron Burstein

Subscribe to Aaron Burstein's Posts

Email
(202) 342-8453
Bio

This summer continues to be a busy season at the intersection of data protection and national security. As we reported in July, the Schrems II decision invalidated Privacy Shield on the ground that its national security derogations were too expansive.

Last week, the President seized on concerns about surveillance by the Chinese government as a core rationale for Executive Orders directing the Department of Commerce to prohibit transactions involving TikTok (and its parent company, ByteDance) and WeChat (and its parent company, Tencent Holdings).  For instance, the TikTok Order asserts that the company’s data practices “potentially allow[] China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage;” and the WeChat Order states that WeChat’s data collection “threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information.”

The scope of these Orders remains unclear.  Members of Kelley Drye’s Export Control and Sanctions team provide further analysis on Kelley Drye’s Trade and Manufacturing Monitor (see below), and we will continue to monitor how implementation of the Orders could affect companies’ communications and transactions on these popular platforms.

Last Thursday, the President issued two executive orders (“E.O.s”) targeting social media applications TikTok (and its parent company, ByteDance) and WeChat (and its parent company, Tencent Holdings).  The E.O.s direct the Department of Commerce (“DOC”) to prohibit transactions involving the applications.  Companies that deal directly with TikTok or WeChat in the United States and abroad or use their services need to evaluate the scope of those activities and determine if they will be affected by the E.O.s.

The E.O.s were issued pursuant to the national emergency declared in E.O. 13873 regarding information and communication services in the United States that are controlled by persons within the jurisdiction of a “foreign adversary.”  In issuing the E.O.s, the President cited concerns that the Chinese government could gain access to Americans’ personal information collected by the applications, among other policy considerations.  The President has the power to issue the directives under the International Emergency Economic Powers Act (“IEEPA,” 50 U.S.C. 1701 et seq.), which provides the President with the authority to declare national emergencies and implement sweeping trade controls based on national security concerns.

The intended scope of the E.O.s is not clear due to ambiguous language used in Section 1, which contain the E.O.s’ primary prohibitions.  Here is an excerpt of that section from the TikTok order:

Section 1.  (a)  The following actions shall be prohibited beginning 45 days after the date of this order, to the extent permitted under applicable law: any transaction by any person, or with respect to any property, subject to the jurisdiction of the United States, with ByteDance Ltd. (a.k.a. Zìjié Tiàodòng), Beijing, China, or its subsidiaries, in which any such company has any interest, as identified by the Secretary of Commerce (Secretary) under section 1(c) of this order.

[…]

(c)  45 days after the date of this order, the Secretary shall identify the transactions subject to subsection (a) of this section.

There are two plausible readings of that section.  The first is that all transactions involving ByteDance and its subsidiaries will be prohibited within 45 days.  The second, and we believe more appropriate reading, is that all types of transactions specified by DOC will be prohibited.  The inclusion of the last sentence of Section 1(a) and of Section 1(c) suggests that DOC has discretion to impose targeted prohibitions that only apply to certain types of transactions involving the subject companies, rather than all transactions involving ByteDance.  While the ultimate scope of the prohibitions may not be clear until DOC takes action, the term “transactions” is often interpreted broadly, and could include many types of business dealings, not just financial transactions involving the companies.  The White House is reportedly pushing for a broad interpretation of both E.O.s, noting that prohibited transactions could include making the apps available on app stores, purchasing advertising on TikTok, or accepting terms of service to download the applications.

It is also important to note that the TikTok and WeChat E.O.s differ in scope.  The TikTok E.O. authorizes prohibitions on any transaction involving ByteDance and its subsidiaries.  In contrast, the WeChat E.O. is more narrowly constructed to authorize prohibitions on transactions with Tencent Holdings or its subsidiaries that are “related to WeChat.”  The more narrow construction with respect to Tencent may be intended to exclude Tencent’s many U.S. investments unrelated to WeChat from coverage under the E.O.

Much remains unclear about the intended scope and ultimate application of the E.O.s.  Given this regulatory uncertainty, companies with business dealings directly or indirectly involving ByteDance or Tencent should review their engagements closely for potential exposure under the new rules.  In particular, companies that use WeChat services for commercial purposes, including its IT and payment services, will need to evaluate whether they can continue that activity in the United States and abroad.

Please contact our Export Control and Sanctions team with any questions related to these developments.


Continue Reading Data Protection and National Security Concerns Meet in TikTok, WeChat Executive Orders

The replay for our July 30, 2020 California Consumer Privacy Act (CCPA) for Procrastinators: What You Need To Do Now If You Haven’t Done Anything Yet webinar is available here.

The coronavirus pandemic has put many things on hold, but CCPA enforcement is not one of them. The California Attorney General’s enforcement authority kicked

Coronavirus testing and screening procedures are central to many companies’ return-to-work plans.  Because testing and screening data is often sensitive and may help to determine whether individuals are allowed to work, companies need to be aware of the privacy and security risks of collecting this data and protect it appropriately.  Failing to do so may

FTC

The FTC’s most recent COPPA enforcement action, announced on June 4 with app developer HyperBeard, provides evidence of an ongoing debate within the Commission about privacy harm and the role of monetary relief in the agency’s privacy enforcement program.  Specifically, Commissioner Noah Phillips voted against the settlement with app developer HyperBeard and two corporate officers,

On June 2, California Attorney General Xavier Becerra announced that he had submitted final CCPA regulations to the Office of Administrative Law (OAL) for review. The final regulations are substantively identical to the second set of modified proposed regulations, which the AG released in March. In addition, the AG issued a Final Statement of Reasons that (1) explains the changes between the first draft and final regulations, and (2) is accompanied by Appendices that respond to each public comment received throughout the rulemaking process – including written comments submitted in response to each draft of proposed regulations and those provided at the four public hearings held in December 2019.

We have described below some of the key provisions of the final regulations, which will impose additional requirements on businesses, service providers, and third parties and data brokers, and likely require the design and implementation of new processes. Whatever hardship the regulations may cause, it is clear that the AG is prioritizing consumer privacy, explaining that the office “has made every effort to limit the burden of the regulations while implementing the CCPA” and does not believe the regulations are “overly onerous or impractical to implement, or that compliance would be overly burdensome or would stifle businesses or innovation.”
Continue Reading CCPA Update: Final Regulations Submitted but No Changes from Prior Draft

The California Consumer Privacy Act (CCPA) provides consumers with a right to non-discrimination when they exercise other privacy rights guaranteed by the law, such as the right to access, delete, or opt out of the sale of their personal informationThe California Consumer Privacy Act (CCPA) provides consumers with a right to non-discrimination when they exercise other privacy rights guaranteed by the law, such as the right to access, delete, or opt out of the sale of their personal information.  However, the meaning of “non-discrimination” and the exceptions to this prohibition provided in the CCPA and proposed regulations are among the more confusing aspects of California’s privacy law.

While other privacy laws contain non-discrimination provisions, the CCPA non-discrimination right is notably broader.  For example, the CCPA concept of discrimination is not limited to protected or sensitive categories, as is the case with Title VII.  Nor is it limited to a specific type of economic activity, as is the case with industry-specific laws such as the Equal Credit Opportunity Act.  Instead, CCPA’s non-discrimination right applies to all California consumers exercising any of their other rights under the Act.

This post looks at what the non-discrimination right prohibits (and allows), as well as some of the important questions that the statute and draft regulations leave open.  Critical practical issues include being able to (1) distinguish between lawful denials of CCPA rights and impermissible discrimination, and (2) justify the magnitude of financial incentives offered in connection with personal information collection, retention, and sale.  With about two months before the CCPA’s July 1 enforcement date, it’s important for businesses to confirm how they are addressing this often overlooked right and square away any final adjustments that may be prudent.


Continue Reading The CCPA Non-Discrimination Right, Explained

FTC Guidance on AI: Don’t Surprise Consumers – Or YourselfFTC Bureau of Consumer Protection Director Andrew Smith this week published some helpful pointers for companies that are developing or using AI to support consumer-facing services.  These pointers are drawn from past FTC enforcement actions, reports, and workshops.  They boil down to one overarching message:  Companies shouldn’t surprise consumers – or themselves – in how

Data is helping governments, researchers, and companies across the world track the spread of the novel coronavirus, monitor cases and outcomes of COVID-19, and devise ways to halt the virus’s spread.  As part of these efforts, raw data, software tools, data visualizations, and other efforts are providing the public and policymakers with insights into the

Facial Recognition Tech Enforced by Vermont AG Under State Privacy & Data Broker LawsVermont Attorney General Thomas Donovan Jr. has ratcheted up ongoing scrutiny of facial recognition technology.  On March 10, the Vermont AG sued facial recognition technology provider Clearview AI and moved for a preliminary injunction against the company.  Clearview drew wide attention in January following the publication of a New York Times story that detailed how

California Attorney General (AG) released third draft of proposed CCPA regulationsOn Wednesday, the California Attorney General (AG) released a third draft of proposed CCPA regulations for public comment.  The draft contains a series of technical corrections, along with a handful of substantive incremental modifications to the prior draft.  The limited number of changes signals that the rulemaking process is reaching an end.

The following