Department of Commerce Issues New Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain
Potential New Level of Scrutiny for Certain Foreign Transactions
In late January 2021, the U.S. Department of Commerce issued an Interim Final Rule (Interim Rule) that would empower the Department to prohibit, mitigate and unwind certain categories of transactions with certain foreign parties. The Interim Rule refines an earlier proposed rule first published by the Department of Commerce on November 27, 2019, and governs information and communications technology and services (ICTS) transactions involving “foreign adversaries.” The Interim Rule implements former President Donald Trump’s Executive Order 13873 on Securing the Information and Communications Technology and Services Supply Chain. While the Interim Rule is slated to become effective March 22, 2021, this date may change as the Interim Rule remains subject to review by the Biden administration.
Under the Interim Rule, the Department of Commerce may conduct reviews of “covered” transactions between U.S. persons and a “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” that include the acquisition, importation, transfer, installation, dealing in or use of ICTS. The review may be independently initiated by the Department of Commerce or requested by the parties to a transaction. The review may lead to mitigation, prohibition or unwinding of the transaction if the Department of Commerce determines that the transaction poses an undue or unacceptable risk.
Individuals or companies that expect to do business related to ICTS in a country considered a “foreign adversary” under the rule – a category that includes China and Russia, among other countries – should consider whether their transaction may be subject to the Department of Commerce’s review. The key provisions of the Interim Rule are set forth below.
Scope of Transactions Covered
Transactions “covered” by the Interim Rule meet four criteria:
- the transaction is conducted by persons subject to the jurisdiction of the United States;
- the transaction involves property in which a foreign country or foreign national has an interest;
- the transaction is initiated, pending or completed on or after January 19, 2021; and
- the transaction involves one of the six enumerated categories of information and communications technology or services identified in Section 7.3(a)(4) of the Interim Rule (described below).
The six categories identified in Section 7.3(a)(4) of the Interim Rule are:
- ICTS that will be used by a party to a transaction in a sector designated as critical infrastructure by Presidential Policy Directive 21— Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors;
- software, hardware or any other product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems or long- and short-haul systems;
- software, hardware or any other product or service integral to data hosting or computing services that uses, processes or retains, or is expected to use, process or retain, sensitive personal data on greater than one million U.S. persons at any point over the 12 months preceding an ICTS transaction;
- certain ICTS products with sales of over one million units to U.S. persons at any point over the twelve months prior to the ICTS transaction;
- software designed primarily for connecting with and communicating via the internet that is in use by more than one million U.S. persons at any point over the 12 months preceding the ICTS transaction;
- ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems or advanced robotics.
The Interim Rule intentionally does not exclude any industries or geographic locations, as national security issues may arise in any industry and location.
The Definition of Foreign Adversary
The Interim Rule defines a “Foreign Adversary” as “any foreign government or non-government person determined by the Secretary of Commerce (the Secretary) to have engaged in a long-term pattern or serious instances of conduct significantly adverse to national security of the U.S. or security and safety of U.S. persons for the purposes of E.O. 13783.” Six governments are explicitly listed as “foreign adversaries” in the Interim Rules: (1) China (including Hong Kong); (2) Cuba; (3) Iran; (4) North Korea; (5) Russia; and (6) the Maduro Regime in Venezuela.
Persons “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” includes:
‘‘any person, wherever located, who acts as an agent, representative, or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary; any person, wherever located, who is a citizen or resident of a nation-state controlled by a foreign adversary; any corporation, partnership, association, or other organization organized under the laws of a nation-state controlled by a foreign adversary; and any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary.’’
Undue or Unacceptable Risk
For a transaction that is “covered” and involves a “foreign adversary,” the Department of Commerce will decide whether such transaction poses an “undue or unacceptable risk” before taking action that affects the transaction. An “undue or unacceptable risk” is considered: (1) an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation or maintenance of ICTS in the United States; (2) an undue risk of catastrophic effects on the security or resiliency of the United States’ critical infrastructure or the digital economy of the United States; or (3) an unacceptable risk to the national security of the United States or the security and safety of United States persons.
Following review of a transaction, the Department of Commerce will provide parties to the transaction with an initial written determination explaining the Department of Commerce’s rationale for prohibiting, requiring mitigation, or unwinding the transaction. The parties will then have 30 days to respond to the initial written determination. Within 180 days of the Department of Commerce commencing its initial review, the Secretary of the Department of Commerce will make a final determination as to whether the contemplated transaction is prohibited, permitted, or permitted pursuant to negotiated mitigation measures. Final determinations will be published in the Federal Register, omitting confidential information.
The Interim Rule introduces a licensing process that parties to a proposed transaction may undergo to obtain preapproval of the transaction. The Department of Commerce has stated that it will provide additional details related to this licensing process before March 22, 2021 and expects to implement the licensing process by May 19, 2021. To date, the only detail provided regarding the license process is that once the program is implemented, the Department of Commerce will review applications and provide a decision within 120 days. If no decision is provided in that period, the license will be deemed granted. Failing to apply for a license will not create a negative inference or unfavorable presumption with respect to a transaction.
Overlap with CFIUS
Transactions that the Committee on Foreign Investment in the United States (CFIUS) is actively reviewing, or that CFIUS previously reviewed are exempt from review by the Department of Commerce under the Interim Rule. However, the Department of Commerce may review a subsequent covered transaction related to the previous CFIUS-reviewed transaction if the new transaction is distinct from the previous CFIUS-reviewed transaction or if new information about the transaction is discovered.
Several other specific exclusions to the review process are provided in the interim rule. The rule makes clear that “personal ICTS hardware devices, such as handsets, do not warrant particular scrutiny.” Also, the Interim Rule will not apply to the acquisition of ICTS items by a United States person as a party to a transaction authorized under a “U.S. government-industrial security program.” Finally, common carriers transporting ICTS goods, unless they know, or should have known, they were providing transportation services related to prohibited transactions will not be subject to the Interim Rule.
Comments and Effective Date; Impact of Administrative Change
Parties may submit comments on the Interim Rule on or before March 22, 2021, the date the Interim Rule will become effective. Note, however, that the effective date and the regulation itself remain uncertain. Upon taking office, the Biden administration issued a “Regulatory Freeze Pending Review” memorandum to the heads of executive departments and agencies, allowing President Biden the discretion to direct that agencies alter implementation dates, potentially suspend regulations, or otherwise modify existing obligations. That memorandum could affect the effective date of the Interim Rule and the timing of implementation of any licensing mechanism.
The White and Williams International Practice Group assists clients in structuring international transactions in compliance with CFIUS and other U.S. regulatory requirements. For more information regarding the Interim Rule, contact Gary P. Biehn, Chair of the International Practice Group (email@example.com; 215.864.7007), David Creagan (firstname.lastname@example.org; 215.864.7032), or Gwenn Barney (email@example.com; 215.864.7063).