Insights on the Information and Communications Technology and Services (“ICTS”) Rule

By Peter Jeydel, Meredith Rathbone, Judy Wang, Quentin Johnson & Evan Abrams on February 17, 2021

On January 19, 2021, the Department of Commerce published an Interim Final Rule (the “Rule”) setting out a more detailed regulatory structure to implement Executive Order 13873, which authorizes Commerce to prohibit or otherwise regulate transactions involving information and communications technology or services (“ICTS”) with a nexus to “foreign adversaries” that pose an “undue or unacceptable risk” to US national security.  See also our post on the predecessor proposed rule.  The stated purpose of the Rule, which bears some resemblance to (though differs in many ways from) the foreign investment review and mitigation process administered by the Committee on Foreign Investment in the United States (“CFIUS”), is to protect US national security through a focus on the ICTS supply chain.

The Rule identifies for the first time the following as covered “foreign adversaries”:

  1. China (including Hong Kong)
  2. Russia
  3. Cuba
  4. Iran
  5. North Korea
  6. “Venezuelan politician Nicolás Maduro (Maduro Regime)”

The Rule would not impose a blanket prohibition on the importation or use of ICTS from “foreign adversaries,” but rather would enable Commerce to review these transactions, and possibly prohibit specific transactions or order modifications or other forms of mitigation to address US national security concerns.  However, we anticipate that this Rule, if implemented in its current form, may have a chilling effect due to concerns that ICTS transactions may be prohibited or otherwise restricted by Commerce, which may include orders to unwind completed transactions. Commerce’s broad discretion to restrict ICTS transactions in the name of US national security may make it challenging to obtain regulatory certainty under the Rule – although Commerce has indicated that it will soon publish related licensing procedures.  Stakeholders should therefore consider their exposure to “foreign adversary” ICTS transactions within US jurisdiction and assess whether engagement with Commerce at an early stage would be advantageous, potentially to include submitting public comments as set forth in the Rule.  Commerce will be accepting comments until March 22, 2021.  Engagement with other US government agencies may also be possible, such as the ICT Supply Chain Risk Management Task Force in the Department of Homeland Security.

Certain aspects of Executive Order 13873 generated considerable controversy in the early phases of its implementation.  Notably, several US district courts have issued injunctions barring Commerce temporarily from enforcing certain prohibitions, also based on Executive Order 13873, involving support for Chinese mobile applications TikTok and WeChat.  It remains to be seen how the Biden administration will approach this regulatory construct that was initiated under the previous administration.  But the Biden administration has indicated by pausing the TikTok and WeChat litigation that it is undertaking a review of these policies.

Although the Rule is currently slated to take effect on March 22, 2021, certain stakeholders (including the US Chamber of Commerce) are advocating for it to be paused and potentially reconsidered.  However, given the sweeping nature of the Rule, industry may nonetheless want to prepare for its implementation and consider submitting comments.

Key Points in the Rule

Executive Order 13873 and the Rule itself set out a very broad and discretionary authority for Commerce to regulate the global ICTS sector to the extent there is a sufficient link to the United States and US national security interests, and to a “foreign adversary.”  The Rule requires a US nexus (e.g., persons or products/services), as it refers to transactions “conducted by any person subject to the jurisdiction of the United States or [that] involve[] property subject to the jurisdiction of the United States.”  However, the Rule may apply to transactions outside the United States when such a nexus is present.  This jurisdictional scope, from the underlying statutory authority, the International Emergency Economic Powers Act (“IEEPA”), has been applied very broadly in the past in some contexts, such as under many US economic sanctions programs.

While the Rule is focused on ICTS from “foreign adversaries,” it can potentially apply even to products or services provided from third countries if they were designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.  The Rule defines very broadly what it means to be “subject to the jurisdiction or direction of a foreign adversary,” including acting “under the direction or control[] of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary.”  Moreover, the Rule states that Commerce may expand the list of foreign adversaries at its discretion, and that any such change may apply to transactions initiated, pending, or completed on or after the date of the change, giving it some degree of retroactive effect.

The authority that Commerce has set out to review and potentially restrict ICTS transactions goes well beyond imports into the United States, and includes “any acquisition, importation, transfer, installation, dealing in, or use of” covered technology or services. This can even include ongoing activity like software updates and data transmissions.  The Rule also provides an authority for Commerce to take action against “any other transaction, the structure of which is designed or intended to evade or circumvent the application of” Executive Order 13873.

There is no “grandfathering” per se under this Rule, and Commerce can enforce these restrictions based on any “act or service with respect to an ICTS Transaction” that occurs on or after January 19, 2021, even if the activity had been commenced earlier or if there is a pre-existing contract.

Some of the most relevant limitations in the scope of the Rule can be found in the way it defines the six categories of technology and services that may be subject to restrictions, which are as follows:

  1. Critical Infrastructure: ICTS used in sectors designated as critical infrastructure pursuant to Presidential Policy Directive 21, which covers a broad array of sectors, including chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems;
  2. Networks and Satellites: software, hardware, and any other product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- or short-haul networks;
  3. Sensitive Personal Data: software, hardware, or any other product or service integral to data hosting or computing services that uses, processes, or retains, or is expected to use, process, or retain, sensitive personal data on greater than one million US persons at any point over the twelve months preceding an ICTS transaction;
  4. Monitoring and Home Networking Devices, Drones: surveillance or monitoring devices (e.g., sensors and webcams), home networking devices (e.g., routers and modems), and drones or any other unmanned aerial system, where greater than one million units have been sold at any point over the 12 months prior to the ICTS transaction;
  5. Internet/Telecommunications Software: software designed primarily for connecting with and communicating via the Internet that is in use by greater than one million US persons at any point over the twelve (12) months preceding an ICTS transaction; and
  6. Emerging Technology: ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robots.

The Rule provides a process for engagement with Commerce regarding the commencement of reviews of ICTS transactions, although Commerce does not need to wait for stakeholder input to take action.  It also sets out procedures for Commerce’s consideration of information received (including confidentiality) and interagency consultations.  Initial determinations about how Commerce proposes to restrict particular ICTS transactions will be notified in writing to the parties involved, explaining why the applicable criteria are satisfied and what restrictions are being proposed in response.  The Rule provides for parties to have an opportunity to respond (potentially offering remedial or mitigation measures) and for the government to consider those responses before finalizing the determination.  The Rule sets out specific timelines for each of these key steps in the process.

The Rule sets forth ten broad criteria that will be used to evaluate the risk of an ICTS transaction in light of US national security concerns.  For example, the Secretary may consider the technical capabilities, market share, vulnerability, potential for mitigation, and the nature and degree of the foreign adversary’s involvement, among other things.

Commerce has very broad discretion in determining the appropriate measures to propose in response to the US national security threats and vulnerabilities that are identified in this process, which may include prohibiting certain types of transactions and/or proposing mitigation measures, and even possibly ordering the unwinding of certain types of past transactions.

Commerce stated in the Rule that it intended to publish additional procedures within 60 days of the publication of the Rule that would provide for the licensing of ICTS transactions, although that timeline could be subject to change.  The Rule states that such a licensing process will be conducted on “a fixed timeline, not to exceed 120 days from accepting a license application.”

Commerce also has broad administrative subpoena power under this Rule, which may present a significant burden and risk to parties in the covered sectors.

The review and mitigation procedures set out in the Rule are in a sense similar to the regulatory structure governing the Committee on Foreign Investment in the United States (“CFIUS”).  Moreover, the Rule exempts transactions that CFIUS is actively reviewing or has reviewed, but cautions “that a transaction involving ICTS that is separate from, and subsequent to, a transaction for which CFIUS has concluded action under [CFIUS’s governing law] may be subject to review under this rule, if and to the extent that such transactions are separate from the transaction reviewed by CFIUS. Parties should therefore be aware that CFIUS review related to a particular ICTS, by itself, does not present a safe harbor for future transactions involving the same ICTS that may present undue or unnecessary risks as determined by the Department.”  In other words, even though CFIUS may not object to a particular business transaction, subsequent sales of products/services or other ICTS transactions may still be restricted under this Rule.

Key Takeaways

  • Those in the ICTS sector may wish to prepare for the possibility of potentially significant restrictions affecting the goods and services they use or provide (and other risks, such as information requests from Commerce). Mapping out potential risk areas may be a good starting point.
  • Stakeholders may wish to comment on the Rule by March 22, 2021.
  • Parties engaged in proposed, pending, or ongoing ICTS transactions may benefit from availing themselves of the Commerce Department’s forthcoming licensing process.
  • While it is possible the Rule may be paused and potentially reconsidered, we would expect some form of regulation of this type to move forward. The trend toward regulating a broader scope of activity involving non-US technologies impacting US national security has bipartisan support and, while the details may change, the direction of travel is clear.

Peter Jeydel‘s practice focuses on US export controls and economic sanctions, including the Commerce Department’s Export Administration Regulations (EAR), the State Department’s International Traffic in Arms Regulations (ITAR), and sanctions regulations administered by the Treasury Department’s Office of Foreign Assets Control (OFAC) and the State Department. His practice spans all aspects of these regimes, including counseling, compliance, transactional advice, licensing and opinions, disclosures, and enforcement actions. He has also represented companies and individuals seeking de-listing from OFAC’s sanctions list. In addition, Pete has assisted clients in anti-corruption matters, including under the US Foreign Corrupt Practices Act (FCPA), and has experience handling reviews and investigations by the Committee on Foreign Investment in the United States (CFIUS).

Meredith Rathbone focuses on export controls and economic sanctions, and has assisted clients in the energy, manufacturing, telecommunications, information security, banking, insurance, pharmaceutical, and service industries, among many others, in navigating the requirements of the Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR) and US sanctions regulations administered by the Office of Foreign Assets Control (OFAC) and US Department of State. She regularly assists companies in developing compliance policies, conducting internal investigations, performing training, and conducting due diligence in M&A transactions. She has represented individuals and companies facing civil and criminal investigations in this area, and has also represented clients in their efforts to be removed from OFAC’s list of Specially Designated Nationals (SDNs). She is a frequent writer and speaker on export controls and sanctions topics. She is the co-chair of the American Bar Association’s Export Controls and Economic Sanctions Committee, and also serves on the Sanctions Subcommittee of the State Department’s Advisory Committee on International Economic Policy.

Evan Abrams counsels multinational corporations, financial institutions, and individuals on various international regulatory and compliance matters. He assists foreign and domestic companies in navigating national security reviews by the Committee on Foreign Investment in the United States (CFIUS). He has represented companies in industries including semiconductors, metals, and digital security. Evan’s anti-money laundering (AML) practice focuses on helping financial institutions comply with federal and state AML rules, particularly money transmitters and entities involved in creating, exchanging, or dealing in cryptocurrencies and tokens. Evan counsels clients in a variety of export controls and sanctions matters related to the Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), and various sanctions programs under US and international law. In addition, Evan routinely assists clients on anti-corruption investigations and enforcement actions.

  • Posted in:
    Technology and AI
  • Blog:
    International Compliance Blog
  • Organization:
    Steptoe LLP
