ICTS Investigations: The Commerce Department's New Tool

Holland & Knight LLP
Contact

Holland & Knight LLP

Highlights

  • The U.S. Department of Commerce (Commerce) can now prohibit or otherwise restrict certain information and communications technology and services (ICTS) "transactions" that pose an undue or unacceptable risk to U.S. national security or the safety of U.S. persons where those transactions involve "foreign adversaries."
  • Commerce's expanded power covers future and ongoing ICTS activities of preexisting contracts and gives wide discretion to the Secretary of Commerce to evaluate and address threats from six identified "foreign adversaries": China (including Hong Kong), Russia, Iran, North Korea, Cuba and Venezuela.
  • Procedures for preclearance or a licensing process for entities seeking preapproval before engaging in or continuing to engage in ICTS transactions are under construction and open to public comment until April 28, 2021.

Back in May 2019, the Trump Administration issued Executive Order 13873, which was meant to police the use of certain information and communications technology and services (ICTS) purchased from "foreign adversaries." Then, on the day before the Trump Administration left office in January 2021, the U.S. Department of Commerce (Commerce) issued interim regulations intended to secure ICTS supply chains (ICTS Interim Rule).

There was much speculation as to whether the Biden Administration would utilize this new tool or if it would simply be pushed aside as another turn away from Trump-era policies. However, with no adjustments by the Biden Administration, the ICTS Interim Rule went into effect on March 22, 2021.1 In fact, the Biden Administration embraced the concept even before the new regulations took effect. On March 17, 2021, Commerce issued subpoenas to multiple Chinese companies seeking information about their ICTS operations in the United States.

ICTS Rule Overview

Under the ICTS Interim Rule, Commerce can prohibit or otherwise restrict, on a case-by-case basis, certain acquisition and use transactions (including individual commercial sales) that 1) were initiated, pending or completed on or after Jan. 19, 2021; 2) involve ICTS and 3) were "designed, developed, manufactured, or supplied" by a person under the control of, owned by or subject to the jurisdiction of a "foreign adversary." At present, named "foreign adversaries" include China (including Hong Kong), Cuba, Iran, North Korea, Russia and Venezuela. The list, however, is not static and may be reviewed and revised at the discretion of the U.S. Secretary of Commerce (Secretary).

Changes from Proposed Rule and Continuing Barriers

Unlike the proposed rule, the procedural flaws of which were addressed in a previous Holland & Knight alert (see "Proposed ICTS Supply Chain Review Regime Raises Procedural Concerns," Dec. 26, 2019), the ICTS Interim Rule has a more defined and limited scope — applying to transactions with six specific, named "foreign adversaries" that involve an ICTS hardware, software or technology product from one of six sectors. Importantly, the ICTS Interim Rule also:

  • develops review protocols
  • defines key terms (e.g., "undue or unacceptable" risk)
  • develops a mechanism for parties to request a meeting with Commerce officials following an initial determination (which the Secretary of Commerce can decline, at his or her discretion)
  • confirms that the Secretary can consider mitigating factors when evaluating a ICTS Transaction risk, and
  • sets a clock on Commerce's review, generally requiring the final determination be issued within 180 days of the review's commencement2

In some respects, however, the ICTS Interim Rule retains the overly inclusive nature of the proposed rule. By way of example, the Secretary continues to be able to scrutinize U.S. persons' acquisition or use of ICTS, such as cloud and network management or data storage, in all industries.

Transactions Subject to Review

An "ICTS Transaction" covers acquisitions, transfers, installations, import and dealings in or use of ICTS that occurred on or after Jan. 19, 2021, as well as ongoing activities such as transmissions, software updates, platforming or data hosting for consumer downloads, and managed services. Therefore, even if the underlying contract was entered into before Jan. 19, 2021, installation of subsequent software updates may be reviewable as a new, separate ICTS transaction.3

To trigger the review process, the ICTS transaction must meet certain criteria. First, the ICTS must fall into one of the following six product and technology categories.

  1. Critical Infrastructure: ICTS transactions in one of the 16 critical infrastructure sectors identified in and any subsectors or subsequently designated sectors, which includes, but is not limited to information technology and communications sectors and has overlap with, but is not a direct replica of covered investment critical infrastructure sectors identified by the Committee on Foreign Investment in the United States (CFIUS)
  2. Network Infrastructure: ICTS that is integral to software, hardware, or any other product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- and short-haul systems
  3. Data Hosting or Computing of Sensitive Personal Data: ICTS that is integral to data hosting or computing services that engage with sensitive personal data4 on greater than 1 million U.S. persons at any point in the 12 months prior to an ICTS transaction (readers familiar with the CFIUS review process will note that the ICTS Interim Rule's definition of personal data generally tracks that offered by CFIUS)
  4. Popular Surveillance and Monitoring Devices, Home Networking Devices: If 1 million units of such item at issue have been sold to U.S. persons at any point in the 12 months prior to an ICTS transaction
  5. Popular Communications Software: Software designed primarily for connecting with and communicating via the internet that is in use by greater than 1 million U.S. persons at any point in the 12 months prior to an ICTS transaction, including desktop, mobile, web-based and gaming applications, or
  6. Emerging Technology: ICTS that is integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems or advanced robotics

Second, the ICTS product must be sourced (i.e., supplied, developed, manufactured or designed), by a person controlled by, owned or subject to the direction or jurisdiction of a named "foreign adversary" — at present, China (including Hong Kong), Cuba, Iran, North Korea, Russia or Venezuela. To put into context, to determine whether a non-Chinese entity is controlled by China, the Secretary may considers factors such as whether the non-Chinese entity or its suppliers conduct key operations (e.g., research and development, manufacturing, testing and distribution) in China, or have key personnel, employees, consultants or contractors in China.

Transactions Not Covered by ICTS Interim Rule

Only two transaction types are not covered by the ICTS Interim Rule:

  1. acquisition transactions involving ICTS items authorized under a U.S. government-industrial security program
  2. transactions reviewed or being reviewed by CFIUS

Proceed with caution, however, as Commerce retains the authority to review an ICTS transaction if it is separate from, and subsequent to, a transaction that CFIUS reviewed. Therefore, CFIUS review related to a particular ICTS, by itself, does not constitute a safe harbor for future transactions involving the same ICTS.

Further, although Commerce has not explicitly excluded them, it has indicated that transactions involving ICTS hardware devices such as handsets will not be of particular interest to the agency.

Mechanics of Commerce's Review and Penalties

Commerce can initiate a review unilaterally (i.e., at the Secretary's discretion), or at the referral of an appropriate agency head or a private party (e.g., industry competitor). Commerce's review will generally last 180 days, from day of acceptance to final determination, and will begin with Commerce evaluating a non-exhaustive list of 10 criteria to answer one threshold question: Is the ICTS transaction likely to pose an "undue or unacceptable risk" to U.S. national security?

  • If it likely does not, Commerce will terminate the review without prejudice, meaning the agency can revisit the transaction should additional information come to light.
  • If it likely does, Commerce, in interagency consultation with other appropriate agencies (including, but not limited to, the U.S. Department of the Treasury, the Office of the U.S. Trade Representative and the U.S. Department of State), will determine whether the ICTS transaction actually poses an undue or unacceptable risk, looking at the same 10 non-exhaustive criteria, and serve its initial determination.5 Interestingly, Commerce has a choice in how it serves the parties — either through publication in the Federal Register or via more traditional routes such as U.S. registered mail, electronic mail, etc.

Commerce's initial determination will 1) explain the agency's basis for prohibiting the transaction or imposing mitigating measures thereon and 2) allow parties 30 days to comment. If the parties respond, Commerce must commence another interagency consultation round to consider any new evidence or argument. If the parties fail to respond, Commerce can proceed without further interagency consultation. Commerce will then publish its final determination, either permitting, prohibiting or imposing mitigating measures on the transaction, in the Federal Register. No further administrative appeals process is available, and violations of Commerce's final determinations or imposed mitigation measures can result in severe criminal and civil liabilities (up to $307,922 or twice the value of a transaction per violation).

Conclusion and Next Steps

Given bipartisan support for decreasing dependence on China in critical supply chains and the Secretary's own statements that ICTS sourced from China warrant increased scrutiny, it is anticipated that a healthy number of Commerce's reviews will have a China nexus.6 For advice on how the ICTS Interim Rule may impact your operations or for assistance in commenting on the preclearance and licensing procedures by April 28, 2021, please reach out to the experienced attorneys in Holland & Knight's International Trade Group.


Notes

1 Securing the Information and Communications Technology and Services Supply Chain, 86 Fed. Reg. 4913 (U.S. Department of Commerce, Jan. 19, 2021).

2 However, the Secretary may unilaterally extend that deadline if he or she determines additional time is necessary.

3 Commerce explains that any subsequent act or service with respect to an ICTS transaction, such as installation of software updates is an ICTS transaction on the date that the service or update is provided.

4 Sensitive personal data includes personally identifiable information collected by a U.S. business operating in a specific area and results of individual genetic testing.

5 However, the Secretary may unilaterally extend that deadline if he or she determines additional time is necessary.

6 Press Release, U.S. Department of Commerce, U.S. Secretary of Commerce Gina Raimondo Statement on Actions Taken Under ICTS Supply Chain Executive Order(March 17, 2021).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Knight LLP | Attorney Advertising

Written by:

Holland & Knight LLP
Contact
more
less

Holland & Knight LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.