On January 19, the U.S. Department of Commerce (“Commerce”) published an interim final rule (“Interim Rule”) that, effective March 22, authorizes Commerce to prohibit or otherwise restrict U.S. transactions involving the Information and Communications Technology and Services (“ICTS”) supply chain that have a nexus with “foreign adversaries.” Issued on the eve of the Inauguration, it remains to be seen whether or how the Biden Administration will finalize the rules in their current form and enforce them. However, given that regulations are now provisionally in place, companies engaging in ICTS transactions even under existing contracts, would be well-served to examine their potential exposure to transactions with designated “foreign adversaries,” including China and Russia, among others.
The View From Washington
Though the Interim Rule is directed at six countries, primarily it can be seen as another action taken by the Trump Administration directed towards China. A key driver is the U.S. government’s concern regarding China’s national strategy of military-civil fusion — i.e., using civil technology development for military development purposes and gaining access to U.S. data and information for the benefit of the Chinese government. In recent weeks, in response to this, Commerce has expanded the Entity List, created a new Military End User List, and implemented export controls targeting military-intelligence parties in China; the White House has issued executive orders prohibiting U.S. persons from making certain investments in designated companies linked to the Chinese military and restricting certain transactions involving developers of certain Chinese software applications; and the U.S. Department of Energy issued a prohibition order on Chinese-linked equipment used by certain electric utilities.
The Interim Rule expresses the Trump Administration’s concern that the ICTS supply chain “is critical to nearly every aspect of U.S. national security” and is one of a number of restrictive measures to eliminate Chinese-developed hardware and software from U.S. networks. Its implementation will rest in the hands of President-elect Biden, who has selected Rhode Island Governor Gina Raimondo to be Commerce Secretary. The Interim Rule, like other recent restrictions, appears intended to codify the Trump Administration’s vigorous policy towards China and other designated “adversaries,” to try to constrain the ability of the Biden Administration to undo or ease the restrictions.
Key Features of the Interim Rule
The Interim Rule stems from a May 2019 Executive Order, which was followed by a November 2019 proposed rule. The proposed rule provided for wide-ranging authority by Commerce to review and prohibit or substantially mitigate transactions, and requested industry comments. The Interim Rule also requests comments by March 22, and is to be followed eventually by a final rule.
Under the Interim Rule, as of March 22, on a case-by-case basis Commerce may prohibit or restrict transactions conducted by any person, or involving any property, subject to U.S. jurisdiction, if they involve (i) certain categories of ICTS; (ii) designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a “foreign adversary”; and (iii) pose an “undue or unacceptable risk” to the national security of the United States. Violations of Commerce determinations or mitigation measures (i.e., conditions of its approval of an “ICTS Transaction”) are subject to penalties under the International Emergency Economic Powers Act, which can be severe.
ICTS / ICTS Transaction
“ICTS” is defined as any “hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.”
“ICTS Transaction” is defined as any “acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.”
Product and Technology Categories
The Interim Rule applies only to the following six specific categories of ICTS:
- Critical Infrastructure: ICTS that will be used by a party to a transaction in a sector designated as “critical infrastructure” by Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors;
- Network Infrastructure / Satellites: ICTS that is integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- and short-haul systems;
- Sensitive Personal Data: ICTS that is integral to data hosting or computing services that uses, processes, or retains “sensitive personal data”1 of greater than one million U.S. persons at any point over the 12 months preceding an ICTS Transaction;
- Surveillance / Monitoring / Home Networking / Drones: Surveillance or monitoring devices (e.g., sensors and webcams), home networking devices (e.g., routers and modems) and drones or any other unmanned aerial system, where one million units of the ICTS item at issue have been sold in the 12 months prior to the ICTS Transaction;
- Communications Software: Software designed primarily for connecting with and communicating via the Internet that is in use by greater than one million U.S. persons at any point over the 12 months preceding an ICTS Transaction, including desktop, mobile, web-based, and gaming applications; and
- Emerging Technology: ICTS that is integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.
The Interim Rule identifies the following six “foreign adversaries”: China (including Hong Kong), Cuba, Iran, North Korea, Russia, and Venezuela (specifically, the Maduro regime). Commerce is authorized to revise the list at its discretion.
Commerce’s review of an ICTS Transaction will focus on whether the transaction involves persons “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” This includes, e.g., (i) “any corporation… organized under the laws of a nation-state controlled by a foreign adversary,” and (ii) “any corporation… wherever organized or doing business, that is owned or controlled by a foreign adversary.” Thus, for example, this could include all companies located in China (regardless of ultimate ownership or where the company is headquartered), as well as companies located outside China that are considered “owned or controlled” by China. In the Interim Rule, Commerce explained that at least for now, it was declining to issue categorical exemptions for companies with headquarters in U.S.-allied nations, such as Japan.
In determining whether an ICTS Transaction involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, Commerce stated it would consider criteria including:
- whether the party or its component suppliers have headquarters, research, development, manufacturing, test, distribution, or service facilities or other operations in a foreign country, including one controlled by a foreign adversary;
- personal and professional ties between the party — including its officers, directors or similar officials, employees, consultants, or contractors—and any foreign adversary; and
- laws and regulations of the foreign adversary in which the party is headquartered or conducts operations, including research and development, manufacturing, packaging, and distribution.
Undue or Unacceptable Risk
In determining whether an ICTS Transaction poses an “undue or unacceptable risk,” Commerce will consider the nature of the ICTS at issue, including technical capabilities, applications, and market share considerations; the nature and degree of the foreign adversary’s direction or jurisdiction over the design, development, manufacture, or supply at issue; the statements and actions of the foreign adversary at issue; whether the ICTS Transaction poses a discrete or persistent threat; and the nature of the vulnerability implicated by the ICTS Transaction.
The Interim Rule does not apply to an ICTS Transaction that involves purchases of ICTS items pursuant to an authorized U.S. government industrial security program, or that the Committee on Foreign Investment in the United States (“CFIUS”) actively is reviewing or has reviewed as a “covered transaction,” i.e., one subject to CFIUS’s jurisdiction. Though not exempt outright, Commerce indicates it is not apt to particularly scrutinize ICTS transactions “solely involving personal ICTS hardware devices, such as handsets.”
The Interim Rule applies to an ICTS Transaction “that is initiated, pending, or completed on or after” January 19, including managed service, software updates, and repairs carried out after that date, even if pursuant to contracts entered into prior to that date. This is notwithstanding the Interim Rule’s March 22 effective date. Thus, companies with pre-existing contracts that are still ongoing could find that they are caught by the Interim Rule.
The Interim Rule outlines a process to apply for licenses for ICTS Transactions and describes the procedures Commerce otherwise will follow in reviewing ICTS Transactions.
The Interim Rule provides that by March 22, Commerce intends to publish procedures that will allow a party to an ICTS Transaction to seek a license. Those procedures then would take effect within 60 days thereafter (i.e., by May 21). The opportunity to voluntarily apply to try to obtain pre-clearance for certain ICTS transactions conceptually is similar to the process for national security reviews administered by CFIUS. Notably, Commerce will have 120 days to review licensing applications and, if it does not issue a decision on an application in that timeframe, the application will be considered granted.
If Commerce determines to review a transaction in which there is no license application, it generally has 180 days to complete that review process unless it determines in writing that more time is needed.
- Initial Review: Commerce may self-initiate a review or either accept or reject a referral for review from another government agency or from a private party, such as an industry competitor. Commerce may independently identify transactions through public sources, such as company websites indicating commercial relationships, in addition to relying on referrals. If Commerce accepts the referral, in conducting its initial review it may request additional information from the referring entity and consult with other agencies.
- Initial Determination: If Commerce finds that a transaction poses an “undue or unacceptable risk,” it will make an initial determination as to whether it has decided to prohibit the transaction or propose mitigation measures. Commerce will notify the parties to the transaction regarding the initial determination, at which point the parties will have 30 days to make a written submission proposing mitigation measures or arguing that the transaction does not pose an undue or unacceptable risk. If no submission is received within 30 days, Commerce can proceed with a final determination without interagency consultation.
- Final Determination: After receipt of a submission, Commerce will consult with other agencies to try to reach consensus as to whether to prohibit the transaction or permit it with or without mitigation measures. If there is no consensus, Commerce will submit the matter to the President and await direction as to a final determination. Once there is a final determination, Commerce will notify the parties to the transaction, and for a final determinations to prohibit a transaction, will publish the determination in the Federal Register. The Interim Rule does not indicate that final determinations can be appealed.
- Though the focus of the “trade war” and strategic competition between the U.S. and China has largely been on denying China access to certain U.S. technology, the focus of the Interim Rule is more on denying certain Chinese technology access to the U.S. market.
- The rigor of the review process will depend on whether the Biden Administration preserves the Interim Rule in its current form and starts to select particular ICTS Transactions for review. If fully implemented, the Interim Rule provides Commerce with broad CFIUS-like authority to prohibit or unwind transactions or order mitigation measures.
- Because the Interim Rule provides that Commerce shall engage with U.S. international partners with respect to the implementation of the regulations, companies engaging in transactions that require or warrant disclosure to non-U.S. government regulators should ensure that such disclosures are consistent and transparent.
- Companies may want to gauge their potential exposure to China and other “foreign adversaries” in the context of ICTS Transactions, and be watchful for rules regarding a licensing process.
- Given the increasing regulatory risk with respect to China, companies should continue to assess their China exposure, including dealings with Chinese counterparties; reliance on Chinese supply chains; investments in Chinese companies; and utilization of Chinese hardware, software, or technology.
1. This definition of “sensitive personal data” tracks the one used in the CFIUS regulations, 31 C.F.R. § 800.241.↩