On January 19, 2021, the U.S. Department of Commerce (Commerce) issued interim final regulations (interim rules) implementing Executive Order 13873, Executive Order on Securing the Information and Communications Technology Services Supply Chain (EO), which was intended to address alleged threats against information and communications technology and services (ICTS) in the United States. The new review mechanism focuses on transactions involving any acquisition, importation, transfer, installation, dealing in, or use of ICTS that has been designed, developed, manufactured, or supplied by parties owned by, controlled by, or subject to the jurisdiction or direction of “foreign adversaries.”
While the focus on the rules is not foreign investment per se, it will complement the Committee on Foreign Investment in the United States’ (CFIUS) investment security review mechanisms. Indeed, the interim rules borrow several concepts and definitions from CFIUS’s recently amended regulations.
Commerce invited interested parties to submit comments on the interim rules. Parties must submit comments by March 22, 2021. Commerce will publish final regulations after considering any comments submitted.
This post provides key takeaways and a brief summary of Commerce’s new review mechanism.
When do the interim rules take effect?
The interim rules take effect on March 22, 2021. However, the interim rules cover any transaction that is initiated, pending, or completed on or after January 19, 2021 (the date of publication of the interim rules).
How will the new review mechanism work?
The Secretary of Commerce will lead the review process in consultation with “appropriate agency heads,” including the Secretaries of Treasury, State, Defense, and Homeland Security, the Attorney General, the U.S. Trade Representative, the Director of National Intelligence, the Administrator of General Services, the Chairman of the Federal Communications Commission, and any other agency head as the Secretary of Commerce deems appropriate.
After receiving information regarding a transaction, a written request for review by an appropriate agency head, or at the Secretary of Commerce’s discretion, the Secretary may consider any “referral” for review of a transaction. As part of its initial review, Commerce will consult with appropriate agency heads and may request information from persons involved in the transaction.
Commerce will issue an initial determination as to whether the transaction poses an “undue and unacceptable risk” and whether to prohibit the transaction or propose mitigation measures. Parties will have 30 days to respond and present arguments that there is not a sufficient basis for the initial determination or to propose remedial steps. Commerce will then issue a final determination prohibiting or permitting the transaction, or permitting it subject to negotiated mitigation. Unless the Secretary of Commerce determines that additional time is needed, the process from initial referral to final determination should take no longer than 180 days. Commerce may also determine that transactions are not prohibited, but such a finding does not preclude future review of the transactions.
Parties that violate Commerce’s final determination may be subject to civil and/or criminal penalties.
What qualifies as a transaction?
The interim rules define a “transaction” as an “acquisition, importation, transfer, installation, dealing in, or use of any [ICTS] including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.” The definition is very broad. For example, given that the definition covers “ongoing activities,” any updates to software that occur on or after January 19, 2021, could qualify as a transaction, even if a U.S. party acquired the software prior to January 19, 2021.
What types of technologies are covered?
Commerce identified six categories of technology covered under the interim rules:
- Critical Infrastructure – ICTS to be used in a sector designated by Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience (e.g., communications, emergency services, government facilities, healthcare, and public health) and any subsectors or subsequently designated sectors
- Network, Satellite, and Cable Infrastructure – software, hardware, or any product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and controls, cable access points, wireline access points, core networking systems, and long- and short-haul networks
- Data Hosting and Computing Services – software, hardware, or any product or service integral to data hosting or computing services that uses, processes, or retains sensitive personal data on greater than 1 million U.S. persons at any point over the 12 months preceding a covered transaction
- Surveillance, Monitoring, Home Networking, and Unmanned Aerial Systems – any internet-enabled sensors, webcams, and any other end-point surveillance or monitoring device, home routers and modems, and drones if greater than 1 million units have been to sold to U.S. persons at any point over the 12 months preceding a covered transaction
- Communications Software – software designed primarily for connecting with and communications via the internet that is in use by greater than 1 million U.S. persons at any point over the 12 months preceding a covered transaction
- Artificial Intelligence, Quantum, and Advanced Robotics Technologies – any ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics
Who qualifies as a foreign adversary?
At this time, Commerce has designated the following countries and political actors as foreign adversaries:
- China, including Hong Kong
- North Korea
- Venezuela’s Maduro regime
The foreign adversary designation applies not only to government entities within these countries or regimes but also to citizens and residents of the nation-state controlled by them and nongovernment entities that are organized under the laws of the nation-state controlled by them or owned and controlled by a person or entity that is a foreign adversary. Commerce maintains the discretion to revise the list at any time. Any updates will be published in a Federal Register notice but will not be subject to notice and comment requirements.
The interim rules define a “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” very broadly to include even companies “organized under the laws of a nation-state controlled by a foreign adversary.” For example, a subsidiary of an Australian parent company that is organized under the laws of China could qualify as an entity under the jurisdiction of a foreign adversary.
What is an “undue or unacceptable risk”?
The interim rules incorporate the definition of “undue or unacceptable risk” used in the EO, which refers to undue risks of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; undue risks of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or otherwise unacceptable risks to the national security of the United States or the security and safety of United States persons.
Are there any exemptions?
The interim rules identify two express exemptions from the scope of Commerce’s review. The first are acquisitions of ICTS items by a U.S. person as a party to a transaction authorized under a U.S. government-industrial security program. The second are covered transactions or covered real estate transactions under active review or that CFIUS has previously reviewed.
The preamble to the interim rules also highlight what is effectively a third exemption. The preamble states that Commerce “acknowledges that ICTS Transactions solely involving personal ICTS hardware devices, such as handsets, do not warrant particular scrutiny.” Thus, it appears that, in practice, Commerce likely will not review such transactions even though they could qualify as covered ICTS transactions.
Can parties seek preapproval or obtain “safe harbor”?
The interim rules do not provide for a preapproval process or the ability to obtain “safe harbor” from future review. As noted, even if Commerce reviews a transaction and determines it is not prohibited, this does not preclude Commerce from reviewing the transaction again later and determining that it is prohibited or requiring mitigation measures.
However, the preamble of the interim rules states that Commerce will publish regulations outlining a licensing process to afford parties greater certainty. Commerce intends to publish these regulations by March 22, 2021, and intends to implement the licensing process starting on May 19, 2021. The license application review process will conducted within a 120-day period. If Commerce does not provide a decision by the end of the 120-day period, the license is deemed granted. Other details related to the licensing process will be released in the future regulations.