Commerce restricts certain transactions involving Information Communications Technology and Services

On 19 January 2021, Commerce issued an interim final rule addressing national security concerns related to the Information and Communications Technology and Services supply chain, which takes effect 22 March 2021. Commerce is also accepting comments until that date. In addition, Commerce intends to publish additional regulations setting forth the licensing process for these rules within 60 days, which will also have a 60-day comment period of their own. Pursuant to the interim final rule, Commerce can review specified ICTS Transactions through a process similar to that of the Committee on Foreign Investment in the United States (CFIUS). Based on this review, Commerce may prohibit or restrict any ICTS Transaction connected to “foreign adversaries” that pose certain “undue or unacceptable risks.” At this time, “foreign adversaries” consist of China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Venezuelan regime of Nicolas Maduro.

Rather than waiting for Commerce and the other agencies involved in the review process to initiate a review on their own, companies will be able to apply for a license proactively, allowing Commerce to review ongoing or prospective transactions. Such license applications will be reviewed on a fixed timeline of no more than 120 days from accepting a license application. If Commerce does not issue a decision within 120 days, the application will be deemed granted. The rule does not appear to impose a mandatory licensing requirement, nor do the rules include a value or other threshold for transactions that would invite scrutiny, but violations of this interim final rule may be subject to significant civil and criminal penalties. Consequently, companies are advised to assess the risks of engaging in transactions with a connection to the “foreign adversaries” listed above.

Background

On 15 May 2019, President Trump issued Executive Order (EO) 13873, "Securing the Information and Communications Technology and Services Supply Chain." The EO authorizes the Secretary of Commerce to prohibit certain transactions involving ICTS that have been “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversary” and that pose an “unacceptable risk” to U.S. national security or “undue risk” to U.S. ICTS or critical infrastructure.

Pursuant to this authority, Commerce issued a proposed rule in November 2019. After reviewing public comments, Commerce issued this interim final rule on 19 January 2020.

This interim final rule from Commerce is part of broader, multi-agency effort by the U.S. government to address national security concerns related to the use of foreign communications and information technology equipment in U.S. networks. Most notably, the Federal Acquisition Regulations (FAR) Council published a separate interim rule on 14 July 2020 implementing a government-wide ban on federal contracting with any entity that uses covered telecommunications equipment or services from certain Chinese entities. The FAR Council promulgated this interim rule to implement Section 889(a)(1)(B) (Part B) of the fiscal year 2019 National Defense Authorization Act (FY19 NDAA). See Hogan Lovells’ update on the FAR Council’s regulations here.

Summary of key provisions

In relevant part, this interim final rule states that Commerce may determine whether an ICTS Transaction that has been “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries poses undue or unacceptable risks.” Based on this review, Commerce may approve the transaction, prohibit the transaction, or require mitigation. Below is a summary of key definitions and additional details regarding the scope of this interim final rule.

ICTS defined

ICTS means “any hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfil or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.”

ICTS Transaction defined

An ICTS Transaction means “any acquisition, importation, transfer, installation, dealing in, or use of any ICTS, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.” This definition includes “any other transaction, the structure of which is designed or intended to evade or circumvent the application” of EO 13873. This definition also includes a class of ICTS transactions.

Foreign adversaries definition

As of now, Commerce has identified the following government or non-government persons as “foreign adversaries” for purposes of these regulations:

• The People’s Republic of China, including Hong Kong;
• Cuba;
• Iran;
• The Democratic People’s Republic of Korea (North Korea);
• Russia; and
• The regime of Nicolas Maduro (Venezuela).

This list may be revised, and countries may be added or removed.

Scope of covered ICTS Transactions

The interim final rule only applies to ICTS Transactions that meet all of the four following criteria; that is, the transaction:

• Is conducted by any person, or involves any property, subject to U.S. jurisdiction;
• Involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service);
• Is initiated, pending, or completed on or after 19 January 2021, regardless of when any contract applicable to the transaction is entered into, dated, or signed, or when any license, permit, or authorization applicable to such transaction was granted.  Any act or service with respect to an ICTS Transaction, such as execution of any provision of a managed services contract, installation of software updates, or the conducting of repairs, that occurs on or after 19 January 2021 may be deemed an ICTS Transaction even if the contract was initially entered into or the activity commenced prior to January 19, 2021; and
• Involves one of the following six kinds of ICTS:
• Critical infrastructure: ICTS that will be used by a party to a transaction in a sector designated as critical infrastructure by Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors;
• Network infrastructure: ICTS integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, and long- and short-haul networks;
• Sensitive personal data: ICTS integral to data hosting or computing services that uses, processes, or retains, or is expected to use, process, or retain, sensitive personal data on greater than one million U.S. persons at any point over the twelve months preceding an ICTS Transaction;
• Surveillance and monitoring: Internet-enabled sensors, webcams, any other end-point surveillance or monitoring device; routers, modems, any other home networking device; drones, or any other unmanned aerial system if greater than one million units have been sold to U.S. persons at any point over the twelve months prior to an ICTS Transaction;
• Communications software: Software designed primarily for connecting with and communicating via the Internet that is in use by greater than one million U.S. persons at any point over the twelve months preceding an ICTS Transaction;
• Emerging technology: ICTS integral to artificial intelligence and machine learning; quantum key distribution; quantum computing; drones; autonomous systems; or advanced Robotics.

The regulations do not apply to an ICTS Transaction that:

• Involves the acquisition of ICTS by a U.S. person as a party to a transaction authorized under a U.S. Government industry security program; or
• CFIUS is actively reviewing or has reviewed the transaction as a covered transaction or covered real estate transaction, or as part of such a transaction.
  • ICTS transactions that were not part of the covered transaction or covered real estate transaction reviewed by CFIUS remain subject to the regulations.

Review process

Commerce may decide to make a referral for review of a transaction based on the written request of an appropriate agency head, at the Commerce Secretary’s discretion, or based on any of the categories of information set forth in section 7.100(a) of the regulations.

Upon receiving a referral, Commerce shall decide whether to conduct an initial review of the transaction to assess whether it poses an undue or unacceptable risk. In doing so, Commerce shall consider the following criteria:

• The nature and characteristics of the information and communications technology or services at issue in the ICTS Transaction, including technical capabilities, applications, and market share considerations;
• The nature and degree of the ownership, control, direction, or jurisdiction exercised by the foreign adversary over the design, development, manufacture, or supply at issue in the ICTS Transaction;
• The statements and actions of the foreign adversary at issue in the ICTS Transaction;
• The statements and actions of the persons involved in the design, development, manufacture, or supply at issue in the ICTS Transaction;
• The statements and actions of the parties to the ICTS Transaction;
• Whether the ICTS Transaction poses a discrete or persistent threat;
• The nature of the vulnerability implicated by the ICTS Transaction;
• Whether there is an ability to otherwise mitigate the risks posed by the ICTS Transaction;
• The severity of the harm posed by the ICTS Transaction on at least one of the following: (i) Health, safety, and security; (ii) Critical infrastructure; (iii) Sensitive data; (iv) The economy; (v) Foreign policy; (vi) The natural environment; and (vii) National Essential Functions (as defined by Federal Continuity Directive-2 (FCD-2)); and
•  The likelihood that the ICTS Transaction will in fact cause threatened harm.

These criteria are to be assessed by Commerce in interagency consultation with the U.S. Departments of Treasury, State, Defense, Justice, and Homeland Security, as well the Office of the U.S. Trade Representative, the Director of National Intelligence, the General Services Administration, the Federal Communications Commission, and any other agency Commerce deems appropriate.

The initial review can result in a determination that the transaction does not meet these criteria, in which case the review will end. But if the transaction does meet these criteria, Commerce can propose mitigation measures or seek to prohibit the transaction.  The parties to the transaction must be notified in writing in either such case.

This written notification triggers a 30 day period whereby the parties may respond to Commerce, and such response may submit arguments contesting the basis of Commerce’s determination, or proposing remedial steps.

Commerce will then review these responses and, in interagency consultation, decide whether a final determination regarding the transaction shall be issued. A final determination can conclude that a transaction is: 1) prohibited; 2) not prohibited; 3) permitted pursuant to the adoption of negotiated mitigation measures.

Such a final determination must be issued within 180 days of accepting a referral and commencing the initial review of a transaction (though this period can be extended by Commerce).  The final determination must be sent in writing to the parties. Final determinations prohibiting a transaction will be published in the Federal Register.

Penalties

Violations of these regulations can be subject to civil or criminal penalties pursuant to the International Emergency Economic Powers Act (IEEPA). These include violations of any final determination, direction, or mitigation agreement pursuant to the regulations.

Civil penalties may not be more than the greater of either: i) US$307,922; or ii) twice the value of the transaction that is the basis of the violation, per violation.

Criminal penalties may be no greater than US$1,000,000 and/or 20 years’ imprisonment, per violation.

Next steps

Comments on this interim final rule are due 22 March 2021. Commerce has stated that it is committed to ultimately issuing final regulations. However, Commerce issued this interim rule under the Trump administration, and it is therefore uncertain what, if any changes, the new Biden administration may seek to make or may suspend the implementation of the rule.  

In the meantime, businesses should be cognizant of the potentially retroactive nature of the interim final rule. Though it does not take effect until 22 March 2021, the interim rule applies to ICTS Transactions “initiated, pending, or completed on or after” 19 January 2021.

For further information or assistance, please contact any of the Hogan Lovells lawyers identified below.

Authored by Ajay Kuntamukkala, Adam Berry, Molly Newell