TikTok Gets a Timeout From the Government
The Interim Rule for Federal Contractors
The Federal Government recently issued interim rule 88 FR 26430 (Interim Rule)—effective June 2, 2023—amending the Federal Acquisition Regulation (FAR) to implement a section of the Consolidated Appropriations Act of 2023. The Interim Rule implements guidance from the Office of Management and Budget (OMB) Memorandum M-23-12, “No TikTok on Government Devices.” TikTok (covered application), the social networking service, or any successor application(s) developed by ByteDance Limited, is prohibited from being present or used on any information technology used or provided by a contractor under contract, including on any equipment provided by the contractor’s employees. The purpose of this rule is to provide direction and deadlines for the removal of TikTok from devices used in Federal government business.
The Interim Rule prohibits contractors from having or using TikTok on any information technology owned or managed by the Government, including any information technology used or provided by the contractor under a contract and equipment provided by the contractor’s employees. The prohibition applies to all devices “whether the device is owned by the Government, the contractor, or the contractor’s employees (e.g. employee-owned devices that are used as part of an employer bring your own device (BYOD) program).” Personally-owned cell phones not used in the performance of a contract are not subject to the prohibition. Notably, the FAR Council has made determinations to apply this rule to acquisitions at or below the Simplified Acquisition Threshold (SAT) and to acquisitions for commercial products and services (COTS). All solicitations issued on or after June 2, 2023 are required to include the clause at FAR 52.204-24, Prohibition on a ByteDance Covered Application.
The Government expects that contractors already have the technology capabilities to block access to certain websites and prohibited applications and to remove a covered application from a device. However, the rule defines information technology very broadly, implicating any equipment “used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency” or by a contractor under a contract with the executive agency.
Notably, in their efforts to come into compliance with this new rule, contractors should remain mindful that equipment is subject to the rule regardless of its significance in the performance of a service or the furnishing of a product. This is further underscored by the Government’s expectation that contractors update their existing employee policy for workplace technology and provide any supplemental communications or training necessary to ensure compliance.
Recently Proposed Federal Legislation
In addition to the issuance of the Interim Rule, at the federal level, lawmakers continue to contemplate legislative action to address national security and data privacy concerns relating to TikTok. On June 14, a bipartisan group of lawmakers, led by Senators Cynthia Lummis (R-WY), Ron Wyden (D-OR), Sheldon Whitehouse (D-RI), Bill Hagerty (R-TN), Martin Heinrich (D-NM), and Marco Rubio (R-FL) and Reps. Anna Eshoo (D-CA) and Warren Davidson (R-OH), introduced the Protecting Americans’ Data from Foreign Surveillance Act of 2023, which would establish criminal and civil penalties aimed at restricting employees of foreign corporations such as TikTok from accessing U.S. data abroad. The legislation would direct the Department of Commerce to identify categories of personal data that could pose national security risks if the data is exported and would require the Department to create a list of high-risk and low-risk countries where data would be subject to restrictions based on the risk status. The bill would regulate bulk exports and exports of all personal data by data brokers, entities such as TikTok, and parent companies in restricted foreign countries and individuals on the Bureau of Industry and Security’s Entity List. Additionally, the bill provides certain exemptions relating to protected speech and exempts from the new export rules data that is encrypted with NIST-approved technology. This legislation is similar to previous federal proposals on TikTok and may have the potential to be incorporated into other legislative packages that Congress may consider, such as an AI legislative framework.
State Legislation Enacted and Challenged
Finally, multiple states have enacted laws and issued executive orders to ban or restrict the usage of TikTok and other software vendors and products across government-owned devices and government networks. As of April 2023, nearly forty states have taken various legislative and executive actions against the app in response to security and data privacy concerns. While a majority of the initial state actions occurred in Republican-led states, a growing number of Democratic governors have joined in efforts to curb TikTok and other foreign-owned apps due to cybersecurity and national security concerns. As states continue to pursue action in this space, multiple legal challenges on constitutional grounds are being filed against states, including in the state of Montana, which was the first state to pass a ban on TikTok.
*Cameron McCall contributed to this Advisory. Cameron will graduate from the Northwestern University School of Law in 2025 and is employed at Arnold & Porter’s Chicago office as a summer associate. Cameron is not admitted to the practice of law in Illinois.
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.