A new rule effective March 22, 2021 establishes a process for the US Department of Commerce to review commercial transactions between US and foreign parties for certain information and communications technology and services (ICTS). Under the Interim Final Rule on “Securing the Information and Communications Technology and Services Supply Chain” (Interim Final Rule), Commerce has broad discretion to investigate, modify, block or unwind covered transactions involving certain identified foreign adversaries on national security grounds.
This rule, which was published by the Trump Administration on its last full day in office, is separate from the review of foreign acquisitions and foreign investments by the Committee on Foreign Investment in the United States (CFIUS), though the regulatory mechanisms are similar in certain respects. The Biden Administration is allowing the Interim Final Rule to come into effect despite criticism from some businesses and industry associations that it is too broad and opaque and creates considerable commercial uncertainty.
Commerce has already taken early steps to support its review of commercial ICTS transactions involving Chinese companies, even before the Interim Final Rule took effect. In particular, on March 17, 2021, US Secretary of Commerce Gina Raimondo announced that Commerce had served subpoenas on Chinese companies that provide ICTS in the United States (though the identity and number of companies subpoenaed were undisclosed). The announcement stated that Commerce issued the subpoenas “to support requirements for the review” of transactions. Secretary Raimondo stated that “[t]rusted information and communications technology and services are essential to our national and economic security” and that the Biden Administration will “ensure that untrusted companies cannot misappropriate and misuse data and ensur[e] that U.S. technology does not support China’s or other actors’ malign activities.”
Companies engaged in covered transactions that could potentially raise national security-related concerns—especially those involving the identified foreign adversaries (China (including Hong Kong), Cuba, Iran, North Korea, Russia and Venezuela) and critical infrastructure or sensitive technologies—should carefully assess the potential regulatory risk resulting from the Interim Final Rule. Companies should also monitor the development of a pre-transaction licensing process for ICTS transactions (expected to be implemented by May 2021), which may mitigate the risk of post hoc US government intervention in commercial ICTS transactions.
In May 2019, then-President Trump issued Executive Order 13873, “Securing the Information and Communications Technology and Service Supply Chain,” which declared an “emergency” arising from the threat posed by “the unrestricted acquisition or use in the United States of information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries.” In November 2019, Commerce issued a Proposed Rule (which we previously discussed) seeking to clarify “the processes and procedures that the Secretary of Commerce will use to identify, assess, and address” those transactions between US persons and foreign persons that will be prohibited because they “pose an undue or unacceptable risk.”
The Interim Final Rule reflects Commerce’s responses to comments on the Proposed Rule. Commerce requested public comments on the Interim Final Rule, which were due on March 22, 2021. Commerce stated that it intends to issue a final rule, which could include further changes to the Interim Final Rule, but did not provide a timeline.
Scope of the Interim Final Rule
The Interim Final Rule defines “ICTS Transactions” to include “any acquisition, importation, transfer, installation, dealing in, or use of any [ICTS], including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.”
ICTS Transactions may be subjected to scrutiny under the Interim Final Rule if they:
- are conducted by any person or involve property subject to US jurisdiction;
- involve any property in which any foreign country or national has an interest;
- are initiated, pending or completed on or after January 19, 2021. Ongoing activities occurring on or after this date are covered as well, even if the initial contract was concluded prior to January 19, 2021; and
- involve ICTS that:
- will be used in a sector designated as critical infrastructure by Presidential Policy Directive 21, including the communications, energy, financial services, food and agriculture, and information technology sectors, among many others;
- are integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- and short-haul systems;
- are integral to data hosting or computing services that deal with sensitive personal data on greater than one million US persons;
- involve products such as end-point surveillance or monitoring device, home networking device or unmanned aerial system, where greater than one million units have been sold to US persons;
- involve software designed for connecting with and communicating via the internet that was in use by greater than one million US persons; and
- are integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.
The Interim Final Rule specifically exempts ICTS Transactions that:
- have been authorized under a US government-industrial security program; or
- are under CFIUS review or have been previously reviewed by CFIUS.
The Interim Final Rule further limits its scope to ICTS Transactions that involve ICTS designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction of a “foreign adversary.”
Although the Proposed Rule left the designation of “foreign adversaries” to “executive branch discretion,” the Interim Final Rule expressly targets transactions with suppliers and service providers, wherever located, that are owned by, controlled by or subject to the jurisdiction or direction of China (including Hong Kong), Cuba, Iran, North Korea, Russia and Venezuela. This list of foreign adversaries is subject to change.
In reviewing a covered ICTS Transaction, Commerce will consider:
- whether a party to the ICTS transaction, or its component suppliers, have headquarters, research, development, manufacturing, test, distribution or service facilities or other operations in a foreign country, including one controlled by a foreign adversary;
- personal and professional ties between the party—including its officers, directors or similar officials, employees, consultants, or contractors—and any foreign adversary;
- the laws and regulations of the foreign adversary in which the party is headquartered or conducts operations, including research and development, manufacturing, packaging, and distribution; and
- any other criteria that the Secretary of Commerce deems appropriate.
The Interim Final Rule also clarifies that a “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” means:
- any person, wherever located, who acts as an agent, representative or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed or subsidized in whole or in majority part by a foreign adversary;
- any person, wherever located, who is a citizen or resident of a nation-state controlled by a foreign adversary;
- any corporation, partnership, association or other organization organized under the laws of a nation-state controlled by a foreign adversary; or
- any corporation, partnership, association or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary.
Review Process for ICTS Transactions
The Interim Final Rule provides that Commerce will evaluate each covered ICTS Transaction on a “case-by-case basis, based upon the particular facts and circumstances.” A transaction may be reviewed based upon:
- receipt of information from, among other sources, US and foreign government agencies, publicly available information, confidential business or proprietary information, classified national security information, and information from parties to the transaction;
- a written request of certain federal agency heads; or
- the discretion of the Secretary of Commerce, i.e., based on Commerce’s own initiative.
To begin its review, Commerce will assess whether the matter falls within the scope of covered ICTS Transactions. If so, Commerce may commence an initial review, request additional information or decline to pursue the matter.
If it proceeds, then Commerce’s initial review of an ICTS Transaction will include its evaluation of several criteria to determine whether the ICTS Transaction poses an “undue or unacceptable risk” to US national security. These factors include (among others) the nature of the ICTS involved, the degree of control exercised by the foreign adversary, the statement and actions of the foreign adversary and parties involved, whether the ICTS Transaction poses a discrete or persistent threat, the severity of the harm it poses, the ability to mitigate the risks, and the likelihood that the ICTS Transaction will in fact cause the threatened harm.
The Interim Final Rule defines “undue or unacceptable risks” to include:
- an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation or maintenance of information and communications technology or services in the United States;
- an undue risk of catastrophic effects on the security or resiliency of US critical infrastructure or the digital economy of the United States; or
- an unacceptable risk to the national security of the United States or the security and safety of US persons.
If Commerce finds that the ICTS Transaction presents an undue or unacceptable risk to the United States, then, after consulting with other federal agencies, Commerce may issue an initial determination that a covered ICTS Transaction poses an undue or unacceptable risk, informing the parties of the reasoning for the determination and setting forth the proposed action, which may be to prohibit the transaction or to impose mitigation measures under which the ICTS Transaction may proceed.
Parties to the ICTS Transaction may submit comments on Commerce’s initial determination within 30 days. Comments can include arguments or evidence that there is an insufficient basis for the initial determination, as well as proposed remedial steps, such as corporate reorganization, disgorgement of control by the foreign adversary, engagement of a compliance monitor or similar steps. Commerce will consider the new information and consult with the appropriate agency heads to assess how such information might affect its initial determination. Commerce will seek to achieve interagency consensus, but if it is unable to do so then it will seek direction from the President.
Commerce is required to issue a final determination within 180 days of accepting a referral and commencing the initial review of the ICTS Transaction, unless it determines in writing that additional time is necessary. Final determinations will be published in the Federal Register.
Licensing Process and Safe Harbor Provision
Commerce plans to establish a pre-transaction licensing process so that parties to an ICTS Transaction can obtain pre-approval for a prospective transaction—similar to the clearance process that currently exists for CFIUS matters. On March 15, 2021, Commerce submitted draft licensing procedures to the Office of Management and Budget for interagency review. Commerce expects to publish the licensing procedures by May 19, 2021.