Beyond TikTok: Commerce Issues New CFIUS-Like Review Rule for Transactions Involving Information and Communications Technologies and Services
On January 19, 2021, one day before President Biden assumed office, the US Department of Commerce (Commerce) published an interim final rule (Interim Rule) implementing its sweeping new authority to block, unwind, or condition "transactions" involving information and communications technology and services (ICTS)1 designed, developed, manufactured, or supplied by persons owned, controlled, or subject to the jurisdiction of "foreign adversaries," (a foreign-adversary entity), including the Russian Federation (Russia) and the People's Republic of China (China). Under the new Interim Rule, Commerce has the power to block or impose conditions on any acquisition, importation, transfer, installation, dealing in, or use of any ICTS, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download (ICTS Transactions), when the ICTS Transaction involves ICTS designed, developed, manufactured, or supplied by persons owned, controlled, or subject to the jurisdiction of "foreign adversaries." This provides a new lever in regulating cross-border trade, entirely separate from other laws that restrict cross-border transactions (such as trade sanctions, traditional export controls, and reviews of foreign investments by the Committee on Foreign Investment in the United States (CFIUS)). In effect, the Interim Rule stands up a distinct "import control" regime when it comes to ICTS, with a scope potentially much broader than merely restricting the imports of certain goods and services.
The Interim Rule implements the Executive Order on Securing the Information and Communications Technology and Services Supply Chain (EO 13873), which was issued by President Trump on May 15, 2019, to "protect the security, integrity, and reliability of information and communications technology and services provided and used in the United States." The Interim Rule, which reflects input received by Commerce on its proposed rule to implement EO 13873 issued in November 2019, becomes effective on March 22, 2021 and applies to ICTS Transactions initiated, pending, or completed after January 19, 2021 (the Interim Rule's publication date). Although the Interim Rule is "final" in that it will take effect in March regardless of further comments, Commerce is inviting such comments from the public until March 22, 2021.
Before he left office, President Trump took a number of actions, including against Tencent (WeChat), ByteDance (TikTok), and several other app developers, that illustrate the kind of restrictions Commerce might impose under the Interim Rule. Although the new administration's approach may be different in various ways, a wide array of business operations involving ICTS, including data centers, mobile app services and IT equipment providers, among many others, will want to carefully assess whether any of their existing business relationships or supply chains are exposed to potential review by Commerce under the Interim Rule because there is a nexus between the ICTS and a "foreign adversary." The Interim Rule clearly could have a major impact on the import and use of ICTS from China or Russia, or companies with close ties to those countries operating in the United States—violators of the Interim Rule could face significant civil and/or criminal penalties.
Apparently recognizing the significance of this potential impact, Commerce stated in publishing the Interim Rule that, "[t]o afford parties greater certainty, within 60 days of the publication date of this rule, the Department intends to publish procedures to allow a party or parties to a proposed, pending, or ongoing ICTS Transaction to seek a license, pursuant to Section 2(b) of the Executive Order, in a manner consistent with the national security of the United States." Such procedures apparently would permit parties to obtain licenses preemptively—much like Office of Foreign Assets Control (OFAC) or export control licenses—to confirm that particular ICTS transactions will not be subject to any restrictions. How this review process will work remains to be seen, and whether to file for a review of any particular ICTS Transaction will no doubt be a difficult strategic decision in light of the broad scope of Commerce's authority under the Interim Rule.
Below, we provide an overview of the proposed ICTS Transaction landscape, highlighting key elements on which interested parties may wish to submit comments between now and March 22, 2021.
ICTS Transactions Covered Under the Interim Rule
As stated above, the Interim Rule provides Commerce with the authority to review and block or unwind certain ICTS Transactions between US persons and foreign persons that (1) involve technology or services "designed, developed, manufactured, or supplied, by" a foreign-adversary entity and (2) pose an "undue or unacceptable risk" to US national security. Commerce defines the term "ICTS Transaction" broadly to include "any acquisition, importation, transfer, installation, dealing in, or use of" ICTS, including ongoing activities, such as software updates, repairs, or hosting apps for consumer downloading. However, Commerce's jurisdiction under the Interim Rule is limited to transactions involving six specific categories of ICTS:
- Critical infrastructure. ICTS that will be used by a party to the transaction in one of the 16 "critical infrastructure" sectors identified by Presidential Policy Directive 21;
- Wireless networks. Software, hardware, or any other product or service integral to wireless local area networks, mobile networks, satellite payloads; satellite operations and control; cable access points; wireline access points; core networking systems; and long- and short-haul networks;
- Data hosting or computing services. Products or services integral to data hosting or computing services that use, process, or retain, sensitive personal data2on greater than one million US persons at any point over the twelve months preceding the transaction;
- Internet-enabled devices. Internet-enabled sensors, webcams, and any other end-point surveillance or monitoring device; routers, modems, and any other home networking device; or drones or any other unmanned aerial system if greater than one million units have been sold to US persons at any point over the twelve (12) months prior to the transaction;
- Internet-connecting software. Software designed primarily for connecting with and communicating via the Internet that is in use by greater than one million US persons at any point over the twelve months preceding the transaction; and
- Artificial intelligence and machine learning. ICTS integral to artificial intelligence and machine learning; quantum key distribution; quantum computing; drones; autonomous systems; or advanced robotics.
Any services related to such ICTS—that is, any contracts with ongoing performance obligations including, but not limited to, those related to managed services contracts or software update installations—may be deemed a covered ICTS Transaction if the requisite nexus to a foreign adversary exists, even if the underlying contract was executed before the Interim Rule was published.
Commerce's authority under the Interim Rule does not extend, however, to a narrow set of ICTS transactions, including those (1) authorized under a US governmental-industrial security program, or (2) that CFIUS has reviewed, or is actively reviewing, as a part of a covered transaction or covered real estate transaction under section 721 of the Defense Production Act of 1950, as amended. It is unclear what this CFIUS carve-out will accomplish in practice, because CFIUS reviews are typically undertaken in a merger, acquisition, or investment context, whereas the focus of the Interim Rule is on the importation of goods and services with a relationship to "foreign adversaries."
Foreign Adversary Entities
As explained above, the Interim Rule applies to transactions involving ICTS designed, developed, manufactured, or supplied by persons "owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary." Such persons include not only entities controlled by foreign adversary governments, but also citizens or residents of foreign adversary nations, corporations and other business entities organized under the laws of a foreign adversary state, or any business entity anywhere owned or controlled by a foreign adversary. To determine whether ICTS Transaction involves such a person, Commerce has stated it will consider criteria such as threat assessments and reports from the US Intelligence Community, the US departments of Justice, State, and Homeland Security, and other relevant sources.
As defined by the Interim Rule, a foreign adversary is "any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons." While Commerce may designate foreign adversaries "without prior notice," the Interim Rule identifies six foreign adversaries at the time of publication:
- China, including Hong Kong;
- North Korea; and
- The Maduro Regime of Venezuela.
The Secretary of Commerce (Secretary) will periodically review the list of foreign adversaries in consultation with relevant agency heads; if the list is revised, the revised listing would apply to "any ICTS Transaction that is initiated, pending, or completed on or after the date that the list is amended." The breadth of potentially affected transactions has important implications for, among others, the global IT market. For instance, the Interim Rule applies to all companies incorporated or organized under the laws of China, including subsidiaries of US and EU parent companies, as well as the subsidiaries of Chinese and Russian state-owned entities, without regard to a subsidiary's place of incorporation.
ICTS Transaction Review
For covered ICTS Transactions, the Interim Rule sets out a framework for determining whether a particular ICTS Transaction poses an "undue or unacceptable" risk to the US government.3Specifically, upon referral of information regarding a transaction from an "appropriate agency head"4 or at the Secretary' discretion, the Secretary will assess whether to: (1) accept the referral, and commence an initial review of the transaction; (2) request additional information regarding the transaction, including the entities involved in the transaction; or (3) reject the referral.
Upon accepting a referral, the Secretary will conduct an initial review of the transaction to determine whether the transaction presents an undue or unacceptable risk. If the Secretary determines the transaction "likely" meets the Interim Rule's risk criteria, the Secretary must notify and consult with the appropriate agency heads to determine whether the risk posed by the transaction is in fact undue or unacceptable under the Interim Rule. If such a finding is made, the Secretary will make an initial written determination, which must explain why the transaction poses an undue or unacceptable risk and sets forth whether the Secretary has decided to prohibit the transaction or to propose mitigation measures by which the transaction may be permitted to proceed. The Interim Rule requires Commerce to notify the parties to the transaction if such an initial determination has been made either by direct service or through publication in the Federal Register.
A party to an ICTS Transaction may respond to the Secretary's initial determination within 30 days of notification by challenging the basis for the initial determination and/or proposing its own mitigation steps. Parties may also request a meeting with Commerce, which Commerce may, but is not required, to accept. Upon receiving a response, the Interim Rule requires the Secretary to consider, in consultation with relevant agency heads, whether such information affects the initial determination. If the Secretary and the agencies cannot reach a consensus with respect to the transaction, the Secretary must notify the president, who will then provide direction on a final determination with respect to the relevant transaction.
For parties concerned about the potential impact of entering into a prohibited transaction, the Interim Rule directs Commerce to "publish procedures to allow a party or parties to a proposed, pending, or ongoing ICTS Transaction to seek a license" to engage in an ICTS Transaction by March 19, 2021. However, it is uncertain whether an ICTS licensing framework will be established as required by the Interim Rule due to the Biden Administration's regulatory freeze on new rules. Clarity regarding a safe harbor licensing process for ICTS Transaction may not be forthcoming for at least several months.
Parties (or related persons) that violate any final determination, mitigation agreement, or order issued under the Interim Rule may be subject to substantial civil penalties under the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. 1701 et seq. Violators may also be subject criminal prosecution under IEEPA for willful violations, including fines of up to $1,000,000, imprisonment of up to 20 years, or both.
Traditional export controls and trade sanctions provide a primary avenue for the US government to regulate outflows of goods, services and technology to parties outside the United States. Just last year, CFIUS exercised its mandate under the Foreign Investment Risk Review Modernization Act (FIRRMA), which was enacted in 2018, to expand US governmental review of certain transactions that give foreign persons certain rights regarding US businesses dealing with critical technologies, critical infrastructure, or sensitive personal data of US citizens. The Interim Rule focuses on concerns addressed by FIRRMA in several respects, including protection of critical US network assets and access to sensitive personal data. Notably however, the Interim Rule appears to address situations not always covered under FIRRMA—i.e., the national security implications of a private person or entity merely using certain foreign produced goods and services (including certain widely available mobile apps).
While the government, through the implementation of certain government contracting and FCC licensing and subsidy-related authorities, has already limited a number of transactions involving certain disfavored Chinese suppliers, the Interim Rule opens a new avenue for regulation of cross-border technology transactions. At a minimum, companies should carefully assess when and how their supply chain may be affected, particularly if there are significant technology suppliers from Russia, China or any of the other "foreign adversaries" listed in the Interim Rule.
It is unclear whether and how the Biden Administration may change the current course of US governmental review of ICTS Transactions contemplated by the Interim Rule, including by rescinding, altering, expanding or narrowing the scope of the rule. We will continue to closely monitor any announcements by the new administration for indications as to how its approach to these issues may differ from those of its predecessors.
© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
Commerce defines the term "ICTS" to apply to virtually all modern IT systems, including "any hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic and photonic), including through transmission, storage, or display."
The Interim Rule’s definition of "sensitive personal data" is nearly identical to the definition of that term in the regulations governing CFIUS reviews, 31 C.F.R. § 800.241(a)(ii). Under both definitions, "sensitive personal data" includes financial information, health-related data, non-public electronic communications, geolocation data, biometric information, data typically held by government contractors, and genetic information.
The Interim Rule sets out optional criteria for determining whether an ICTS Transactions poses an "undue or unacceptable" risk to US national security, including: (1) the nature and characteristics of the ICTS at issue; (2) the involvement of the foreign adversary over the design, development, manufacture, or supply of the technology or services contemplated by the ICTS Transaction; (3) statements and actions of the relevant foreign adversary; (4) statements and actions of persons involved in the design, development, manufacture, or supply of the technology or services contemplated by the ICTS Transaction; (5) statements and actions of the parties involved; (6) whether the ICTS Transaction poses a discrete or persistent threat; (7) the nature of the vulnerability implicated by the ICTS Transaction; (8) whether there is an ability to otherwise mitigate the risks posed by the ICTS Transaction; (9) the severity of the harm posed by the ICTS Transaction to certain US national security concerns; and (10) the likelihood that the ICTS Transaction would in fact cause the harm anticipated.
The Interim Rule defines "appropriate agency heads" to include the Secretaries of the Treasury, State, Defense, Homeland Security; the Attorney General; the United States Trade Representative; the Director of National Intelligence; the Administrator of General Services; the Chairman of the Federal Communications Commission, and the heads of any other executive departments and agencies the Secretary of Commerce determines is appropriate.