As of March 2021, the U.S. Department of Commerce (“Commerce”) has the authority to block or impose conditions on the ordinary course procurement of certain information and communications technology or services (“ICTS”) from a “foreign adversary.” Commerce’s authority originates from a last-day Trump administration interim final rule (“the Rule”) on ICTS that went into effect under the Biden administration. The Rule gives Commerce broad authority to block or mitigate certain defined ICTS Transactions involving goods or services designed, developed, manufactured or supplied by persons owned, controlled, or subject to the jurisdiction of a “foreign adversary,” defined to include China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Maduro Regime of Venezuela.

See our previous blog post on the Rule here.

The U.S. government has had long-standing concerns over the use of Chinese origin ICTS, such as Huawei infrastructure equipment, in the United States, but its effort to limit such use has been less direct, using the Committee on Foreign Investment in the U.S. (“CFIUS”), the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector (“Team Telecom”), government procurement or funding rules, export controls, or political pressure. The Rule now allows Commerce to directly prohibit such transactions. However, as drafted, the Rule is much more expansive in its potential reach. A variety of industry associations have voiced opposition to the Rule, which Commerce estimates will impact between 268,000 and 4.5 million firms and have an annualized compliance cost on such firms in the aggregate of $210 million to $20 billion. Conventional wisdom said that the provisions of the Rule were sufficiently ambiguous and potentially overbroad that the Biden administration likely would delay its effectiveness or at least modify it significantly. Indeed, the Biden administration generally placed any regulatory actions not already effective as of January 20, 2021 on hold for a minimum of 60 days, pending review, to consider issues of fact, law, and policy. However, the Biden administration allowed the Rule to go into effect as scheduled, reportedly to avoid creating any impression that it will be weak on China-related issues.

Commerce still may amend the Rule in response to public comments, which were allowed until the day the Rule took effect. Commerce is expected to establish a licensing process not earlier than June 2021 to allow parties to obtain pre-approval before engaging in or continuing an ICTS Transaction. In an advanced notice of proposed rulemaking published on March 29, 2021, Commerce invited comments to inform the design of the licensing process.

Ultimately, as discussed below, the Rule does not in itself prohibit any particular transaction; rather Commerce must issue a prohibition determination that covers such transactions. This means that even though the Rule has gone into effect, its impact is subject to the Administration’s discretion. Commerce announced on March 17, 2021 that it had issued subpoenas to multiple Chinese companies that provide ICTS in the United States to support the review process. It is likely that Commerce will take a targeted approach, focusing on companies alleged to be tied to, or owned by, the Chinese government or targeted under other U.S. regulatory authorities (such as the Commerce Entity List and the Department of Defense list of “Communist Chinese military companies”).

While some of the ambiguities in the Rule may be addressable in the licensing procedures, scoping of any determinations, and enforcement discretion, the breadth of the Rule is likely nonetheless to engender a degree of uncertainty for the immediate future, particularly for U.S. companies in the critical infrastructure, telecommunications or, mass-market internet-focused software application sectors that source goods, software, or services from China-based companies. There has been no public signal that the Biden administration intends to apply the Rule more narrowly than written, even though it would have the discretion to do so.

To avoid incurring potentially significant ex post mitigation costs, such as being required to rip-and-replace equipment purchased and installed after March 22, 2021, companies should be aware of the following contours of the Rule.

1. ICTS (goods and services primarily intended to fulfill or enable data processing, storage, retrieval or communication) is covered if it is for a listed purpose, but the listed purposes cover a substantial portion of the economy.

The rule defines ICTS to mean any hardware, software, or other product or service “primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means.” ICTS transactions covered by the Rule include only those that involve ICTS that fits within one of the categories enumerated in the Rule. However, many of the categories—summarized in the following list—are extremely broad, covering a substantial portion of the economy:

  • ICTS used in a sector designated as critical infrastructure by Presidential Policy Directive 21, which includes chemicals, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear, transportation, and water and waste systems sectors.
  • Wireless LANs, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, and long- and short-haul networks.
  • Internet-enabled webcams, home networking devices, and drones, if greater than 1 million units have been sold to U.S. persons in the prior year.
  • Software designed primarily for connecting with and communicating via the Internet that is in use by greater than 1 million people in the prior year, including desktop, mobile, gaming, and web-based applications.
  • ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.

2. Reaches goods and services of companies owned or under the direction of the foreign adversary government, companies organized in the foreign adversary country (potentially including subsidiaries of U.S. companies), citizens of the foreign adversary country, and potentially companies with extensive commercial or other ties to the foreign adversary country.

The Rule reaches ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.

In contrast to similar U.S. government national security review processes, such as CFIUS and Team Telecom, the Rule provides a defined list of “foreign adversaries” for purposes of implementing Executive Order 13873: China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Maduro Regime of Venezuela.

The Rule would capture state-owned enterprises, companies majority financed or subsidized by the foreign adversary, and any person that is under the direction or control of the foregoing, wherever located. It also captures any person “wherever located, who is a citizen or resident” of a foreign adversary country, on its face giving Commerce the authority to prohibit services by citizens of these countries in the United States, even if they are permanent residents. In addition, by covering any entity organized under the laws of the foreign adversary country, it potentially captures, for example, goods designed or developed by Chinese subsidiaries of U.S. or third-country companies.

The Rule states that a transaction can be deemed to involve covered ICTS even if the party to the transaction itself is not headquartered or domiciled in the jurisdiction of a foreign adversary country, but it, for example, has suppliers that have headquarters or operations in a foreign adversary country, it has ties (including directors, consultants, or contractors) to a foreign adversary, or it has operations in a foreign adversary with certain laws and regulations (presumably referring to the various Chinese national security laws that the Trump administration Commerce Department that promulgated the Rule viewed as indicative of the Chinese threat).

3. No application to actions completed before the effective date, and no pre-approval requirement going forward for, but Commerce can prohibit delivery on past contracts, prohibit future repairs of already-installed goods, and require rip-and-replace for goods installed after effective date.

The Rule does not have retroactive applicability, in the sense that it does not apply to completed actions. However, any activity yet to be performed would be subject to the Rule, even if it is performed pursuant to a contract formed before the effective date of the Rule. Thus, future deliveries of goods on pre-Rule contracts, on-going services (such as managed services), installation of software updates, and future repairs would all potentially constitute reviewable ICTS Transactions under the Rule.

Only those transactions for which Commerce has issued a prohibition determination based on a national security risk assessment are prohibited. Thus, parties can enter into ICTS Transactions without prior Commerce review. However, in doing so, they assume the risk that Commerce can review and prohibit (or impose other conditions on) such transaction ex post, potentially even requiring the U.S. party to remove the relevant software or hardware, if such mitigative action is determined by Commerce to be necessary.

As discussed below, Commerce will establish procedures for licensing of prospective or in-process transactions, if parties would like to obtain certainty prior to entering into an ICTS transaction.

4. The review process can last up to 180 days.

In contrast to a process like CFIUS, where most transactions are voluntarily notified by the parties, under the Rule, the Secretary of Commerce (“the Secretary”) initiates a review of an ICTS Transaction based on information developed by Commerce or based on a referral from another U.S. government agency or body. The parties will receive written notification of the initial determination about the transaction, including whether the Secretary will seek prohibition or mitigation, and will have 30 days to respond to the Secretary’s findings and/or propose mitigation. Once an initial review of an ICTS Transaction has begun, the Secretary will have 180 days to make a final determination and inform the parties whether the ICTS Transaction is prohibited, not prohibited, or permitted subject to mitigation.

5. Regulations outlining a licensing regime are forthcoming.

While the Rule itself does not provide for a licensing process, the preamble to the Rule stated Commerce’s intent to publish procedures for applying for a license to engage in ICTS Transactions that might otherwise be subject to mitigation or prohibition. License application reviews will be conducted on a fixed timeline, not to exceed 120 days. On March 29, 2021, Commerce published a notice of proposed rulemaking seeking comments on the forthcoming licensing regime. Specific areas Commerce is seeking public comment on include the extent to which the regime should resemble existing screening or licensing processes (e.g., CFIUS or the Bureau of Industry and Security’s export control regime), whether licenses should be transaction-specific or apply to multiple transactions with a single entity (as in a long-term supply contract), and whether granted licenses should have to be renewed. The comment period ends April 28, 2021.