On November 26, 2019, the US Department of Commerce (“Commerce”) issued a highly anticipated proposed rule with proposed regulations (“Proposed Regulations”) to implement Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain” (“Executive Order 13873“).
Executive Order 13873 gives the Secretary of Commerce (“Secretary”) sweeping, unprecedented authority to prevent or modify transactions involving information and communications technology and services (“ICTS”) originating in countries designated as “foreign adversaries” which pose an undue risk to critical infrastructure or the digital economy in the United States, or an unacceptable risk to US national security or the safety of United States persons. All industries are potentially affected by the Proposed Regulations, whether directly or indirectly, which allow for case-by-case reviews of transactions at the Secretary’s discretion. Any transaction that is ongoing as of, or was initiated on or after, May 15, 2019, can be reviewed and there is no mechanism by which a company may seek to clear transactions in advance.
A summary of the background and the Proposed Regulations is provided below:
I. Covered Transactions
On May 15, 2019, President Trump issued Executive Order 13873, which grants the Secretary the authority to prohibit or condition certain transactions involving ICTS designed, developed, manufactured, or supplied by persons owned, controlled, or directed by a foreign adversary. Our previous blog post regarding Executive Order 13873 can be read here.
Consistent with Executive Order 13873, the Proposed Regulations are sweeping in nature. Under the Proposed Regulations, the Secretary will consider the following five prongs in determining whether a transaction is covered by Executive Order 13873 and whether or not to permit the transaction:
- The transaction is conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States;
- The transaction involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service);
- The transaction was initiated, is pending, or will be completed after May 15, 2019, regardless of when any contract applicable to the transaction was entered into, dated, or signed or when any license, permit, or authorization applicable to such transaction was granted (Transactions involving certain ongoing activities, including but not limited to managed services, software updates, or repairs, constitute transactions that “will be completed” on or after May 15, 2019 even if a contract was entered into prior to May 15, 2019);
- The transaction involves ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and
- The transaction: (i) poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; (ii) poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or (iii) otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.
In determining whether a transaction involves ICTS designed, developed, manufactured, or supplied, by persons “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” Commerce will consider a number of factors, including:
- the laws and practices of the foreign adversary; and
- equity interest, access rights, seats on a board of directors or other governing body, contractual arrangements, voting rights, and control over design plans, operations, hiring decisions, or business plan development.
The following are key defined terms in the Proposed Regulations:
- Foreign adversary means any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons for the purposes of Executive Order 13783. The Proposed Regulations do not specify which parties are “foreign adversaries,” but state that this is a matter reserved for executive branch discretion.
- ICTS means any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display. This is a broad definition, which would appear to cover virtually all hardware/commodities, software, technology, or services associated with the telecommunications and communications sectors.
- Transaction means any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service. Use of the term “transaction” in this part includes a class of transactions. “Dealing in, or use” is not further defined.
II. The Proposed Review Process & Penalties
The Proposed Regulations establish a regime for the Secretary to engage in a case-by-case, fact-specific analysis of certain transactions involving ICTS, with a goal of targeting transactions that must be prohibited or mitigated without inadvertently barring less risky transactions or precluding innovation or access to technology in the United States. There is no process to clear any transactions in advance. In fact, the Proposed Regulations state that no advisory opinion or declaratory ruling will be issued with respect to any particular transaction.
Further, the Secretary has declined to identify classes of transactions or technologies that are subject to prohibition or are excluded from prohibition. As mentioned above, the Secretary conducts the review on a case-by-case basis. The Secretary, however, has reserved the right to issue class exclusion or inclusion determinations and related guidance in the future.
1. Initiation of Review
The Secretary may commence a review of a transaction in one of three ways: (i) at the Secretary’s discretion; (ii) upon the written request of other Government department, agency, governmental body, or the Federal Acquisition Security Council; or (iii) based on information submitted to the Secretary by credible private parties.
The Proposed Regulations do not provide for any time bars for review, which means that any transaction conducted post-May 15, 2019 could be reviewed. Parties will only find out that a review has been initiated when they receive a preliminary determination.
2. Commerce’s Review Procedure
Commerce’s proposed review framework and its timeline are as follows:
- The Secretary provides a preliminary determination in the form of a written notice to the parties to a transaction that the aforementioned criteria have been met and the basis thereof.
- Within 30 days after receipt of the notice, the party may submit an opposition to the preliminary determination and supporting information or information on proposed mitigation measures. The Secretary can, but is not required to, grant an extension of time.
- Within 30 days of receipt of such information, the Secretary will then issue a final determination describing whether the transaction is prohibited, not prohibited, or an otherwise prohibited transaction is permitted pursuant to the adoption of mitigation measures (and a description of the mitigation measures adopted). A summary of the Secretary’s final determination will be made public on https://www.commerce.gov/issues/ict-supply-chain and in the Federal Register.
Any determination to either prohibit a transaction or permit an otherwise prohibited transaction based on mitigation measures will also provide a clear statement of the penalties that parties will face if they fail to comply fully with either the prohibition or the mitigation measures.
- Any person who violates any determination, regulation, prohibition, or other action issued under the Proposed Regulations or makes false or misleading representation to Commerce may be liable for a civil penalty up to $302,584 per violation, adjusted for inflation, or an amount that is twice the value of the relevant transaction.
- Any person who violates a material provision of a mitigation measure or a material condition imposed under the Proposed Regulations may be liable for a civil penalty up to $302,584 per violation, adjusted for inflation, or the value of the relevant transaction. Any penalty assessed because of such violation will be separate from any damages sought pursuant to a mitigation measure.
A determination to impose penalties under either of the above situations will be made by the Secretary with a written notice to the penalized party. Within 15 days of receipt of notice of a penalty, the penalized party may submit a petition for reconsideration to the Secretary, including a defense, justification, or explanation for the penalized conduct. The Proposed Regulations do not address whether an extension of time can be granted for the petition. The Secretary will review the petition and issue a final decision within 30 days of receipt of the petition. The actual amount of the penalty assessed for a violation shall be based on the nature of the violation.
III. Request for Comment
Commerce invites comments on all aspects of the Proposed Regulations except for the determination of a “foreign adversary,” which is a matter reserved for executive branch discretion. Specifically, Commerce requests public comments on questions including:
- Are there instances where the Secretary should consider categorical exclusions or exempt certain classes of persons whose use of ICTS can never violate Executive Order 13873?
- Are there transactions involving types or classes of ICTS where the transaction could present an undue or unacceptable risk but that risk could be reliably and adequately mitigated? What form can such mitigation measures take?
- If mitigation measures are adopted for a transaction, how should the Secretary ensure that parties consistently execute and comply with the agreed-upon mitigation measures? How best could Secretary make sure the mitigation measures are not obsolete?
- How should the definition of “transaction” (in particular, the terms “dealing in” and “use”) be interpreted?