What You Need To Know

• The United States government wants to implement new Know Your Customer requirements and other controls on U.S. computing infrastructure services.
• Proposed rules would restrict U.S. persons from selling or transferring U.S. person bulk sensitive personal data to China and other adversarial countries.
• Industry is adjusting to new advanced computing controls and their impact on supply chains and product development.

Melissa Duffy and Trevor Coval contributed their thought leadership to the American Conference Institute’s 14th Annual Global Encryption, Cloud & Cyber Export Controls Conference, held in San Francisco on May 14-16. Melissa led a workshop on best practices in export compliance and contributed to a conversation on adapting to the new controls on advanced computing. This event brought together trade practitioners, industry technical experts, and government regulators to discuss the latest trade controls on advanced semiconductors, artificial intelligence, sensitive personal data, encryption, and cloud computing. The following valuable insights shared at the conference may benefit tech-forward companies as they navigate the increasingly complex landscape of trade controls regulation.

Expanding Cloud Computing and IaaS Restrictions

The January 2024 Bureau of Industry and Security (BIS) notice of proposed rulemaking would require U.S. Infrastructure-as-a-Service (IaaS) providers to implement Know Your Customer (KYC) diligence, including requirements to verify identities and confirm users’ beneficial owners. This development indicates a shifting policy focus from traditional controls on items (goods, software, technology) towards regulation of services. Separately, the ENFORCE Act, proposed legislation introduced in May 2024, would expand BIS authority under the Export Control Reform Act to restrict U.S. person activities related to AI systems that threaten U.S. national security. The message is clear: U.S. lawmakers and regulators are taking a closer look at cloud computing to prevent Chinese military actors from remotely taking advantage of U.S. computing infrastructure, regardless of whether any hardware or software crosses borders. U.S. cloud service providers are preparing to implement enhanced KYC diligence protocols to ensure they have clear insight into the customers’ identities and end uses in anticipation of these new rules.

Restricting Adversaries’ Access to U.S. Sensitive Personal Data

Connected devices have enabled the mass collection and commoditizing of U.S. person sensitive personal data, which has become a valuable asset for companies as well as malign actors. The February 2024 Executive Order 14117 and subsequent March 2024 Department of Justice advanced notice of proposed rulemaking are the latest effort to prevent adversary countries, including China, from exploiting U.S. person sensitive personal data and undermining U.S. national security. Under the proposed rule, U.S. persons would be prohibited from selling or transferring U.S. person bulk sensitive personal data to entities associated with, owned, or controlled by countries of concern. Certain covered transactions that present a significant U.S. national security risk could still be permissible so long as they meet certain security requirements similar to Committee on Foreign Investment in the United States mitigation measures. DOJ is actively requesting input from industry in its second 60-day comment period. Companies that collect or maintain U.S. person sensitive personal data have the unique opportunity to shape the forthcoming rules. The interagency rulemaking process indicates a whole-of-government and risk-based approach to identify multiple ways by which U.S. person data is exploited through data brokerage.

October 2023 and April 2024 Advanced Semiconductor Export Controls

Industry is adjusting to comply with the October 2023 and April 2024 rule updates aimed at restricting China’s and other adversarial countries’ access to advanced computing chips, tools needed to produce them, and supercomputing capabilities. The rule updates expand on the October 2022 rule by implementing controls on certain advanced computing items to China and a broad group of countries that pose a risk of diversion. Industry is responding quickly by reviewing and revising internal product export classifications; updating enterprise resource planning system logic to flag and escalate transactions captured under the new rules; and working with product management teams to identify impacts to product development, supply chain, and production activities overseas. We are also hearing across industry that use of a license exception that requires preauthorization by BIS for exports to China and other national security concern countries is rarely approved. In practice, BIS is directing companies to apply for export licenses instead of allowing use of the exception. Such authorizations are taking more than three months for approval and usually with rigorous conditions imposed. It is clear that BIS, along with its interagency partners, are closely scrutinizing the movement of advanced computing items to ensure U.S. technology is not used in support of Chinese military advancement.