Today, the U.S. Department of Commerce ("Commerce") published for comment proposed regulations that would create sweeping authority to oversee, and potentially require the removal of, purchases of foreign telecommunications and IT technology linked to "foreign adversaries" by persons in the United States and U.S. companies overseas. The draft regulations on "Securing the Information and Communications Technology and Services Supply Chain" (the "Proposed Regulations")1 are open for comment for thirty days.
The Proposed Regulations create a process for national security reviews of purchases of information and communications technology and services ("ICTS") within U.S. jurisdiction. Commerce will be able to initiate a review of any transaction connected to a foreign person occurring after May 15, 2019, including agreements signed prior to that date that are still being performed.
If Commerce concludes, after interagency consultation, that an ICTS transaction with links to a "foreign adversary" poses an "undue risk" to U.S. critical infrastructure or the U.S. digital economy or an "unacceptable risk" to U.S. national security or U.S. persons, it will be empowered take a range of actions to address any concerns, including prohibiting or unwinding the transaction or imposing mitigation measures. There is no process for pre-clearance or advisory opinions contemplated; U.S. buyers will be subject to after-the-fact remedies at Commerce's discretion.
This memorandum summarizes key elements of the Proposed Regulations, which are attached as Appendix A.
I. OVERVIEW OF THE PROPOSED REGULATIONS
The Proposed Regulations implement Executive Order ("E.O.") 13873 by giving Commerce broad, discretionary authority to review any "acquisition, importation, transfer, installation, dealing in, or use of" any "hardware, software, or other product or service" related to information processing or communications that: (1) is within U.S. jurisdiction, (2) involves any property in which a foreign country or national has an interest (broadly defined to include sales), and (3) was initiated, is pending, or will be completed after May 15, 2019 (the date of E.O. 13873).
If Commerce decides to review an ICTS transaction, it will do so on a case-by-case, fact-specific basis in consultation with other agencies to determine whether the transaction (1) involves ICTS with a connection to a person owned, controlled by, or subject to the jurisdiction of a "foreign adversary," and (2) poses risks to U.S. critical infrastructure, digital economy, national security, or persons. Once the evaluation is complete, the Secretary of Commerce ("the Secretary") will make a final determination that the transaction is either prohibited, not prohibited, or approved subject to mitigation measures. Commerce can impose draconian penalties for violations of these regulations or any material mitigation measures.
- Expansive scope. The definition of "transaction" captures virtually any ICTS transaction with a non-U.S. person occurring within the United States or involving a U.S. person overseas, "foreign adversary" is left undefined, and virtually any activity within the jurisdiction of a foreign adversary (e.g., a European manufacturer using a factory or R&D center in that country) is covered.
- No opportunity for advance review or clearance. The Proposed Regulations explicitly prohibit advisory opinions or declaratory rulings. Although the final regulations may exempt certain classes of ICTS transactions, the Proposed Regulations appear to contemplate that persons within U.S. jurisdiction will be subject to reviews requiring them to discard, reverse, or install safeguards around goods and services already acquired.
- Extremely limited opportunity for engagement. Although Commerce may request information from the parties, the first contact with the U.S. person under review may be a preliminary determination by the Secretary outlining remedies to be imposed, to which the U.S. person has only 30 days to respond before final agency action. Even that limited process can be dispensed with on the basis of public harm or national security risk.
II. KEY DEFINITIONS
Several definitions are critical for understanding the scope of the Proposed Regulations. These include:
- "Foreign adversary." Defined, consistently with E.O. 13873, to include any "foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons." The Proposed Regulations note that the Secretary will make this determination in consultation with the heads of other federal agencies.
- "ICTS." Defined broadly to include "any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display." As Commerce notes, "[a] majority of entities today, large or small, utilize some manner of ICTS."
- "Transaction." Defined to track the actions covered by Section 1(a) of E.O. 13873, including "any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service."
The Proposed Regulations cover any "transaction" (as defined above) that meets all of the criteria below:
- it is conducted by any person subject to U.S. jurisdiction or involves property subject to U.S. jurisdiction (which would include persons and assets physically within the United States and the foreign branches of U.S. legal entities);
- it involves "any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service)"; and
- it "was initiated, pending, or completed after May 15, 2019, regardless of when any contract applicable to the transaction was entered into, dated or signed, or when any license, permit, or authorization applicable to such transaction was granted" (thus capturing ongoing activities such as services, deliveries, updates, and repairs under pre-existing contracts).
IV. EVALUATION CRITERIA
Once Commerce decides to review a transaction, it will consider—in consultation with the Departments of Treasury, State, Defense, Justice, and Homeland Security, the Office of the United States Trade Representative and Director of National Intelligence, the General Services Administration, the Federal Communications Commission, and other appropriate government departments and agencies—whether the transaction:
- Falls within scope. The transaction meets the requirements noted above (e.g., it is within U.S. jurisdiction, involves foreign property interests, and meets the timing requirements).
- Is linked to a "foreign adversary." The transaction involves ICTS "designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary." This determination may include both the laws and practices of a foreign jurisdiction and governance rights that a foreign adversary may hold over the relevant suppliers.
- Poses undue or unacceptable risks. The transaction poses an: (i) "undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States," (ii) "undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States," or (iii) "unacceptable risk to the national security of the United States or the security and safety of United States persons."
V. PROCESSES AND PROCEDURES
The Proposed Regulations provide guidance on the stages of a review, although any of these steps may be waived or altered on national security grounds.
Initiating a Transaction Review
The Secretary can initiate a transaction review at the Secretary's discretion, at the request of another U.S. government agency, or based on information submitted by private parties and determined to be credible by the Secretary. The Proposed Regulations provide a link for private parties to submit information to Commerce on ICTS issues.
Notably, the Secretary can also begin a new evaluation of "any transaction"—apparently including those already evaluated—where "circumstances, technology, or available information has materially changed."
The Secretary is authorized to use "all appropriate tools" to collect information, including public information, classified information, information from foreign governments, and information from the parties to the transaction. Parties notified by Commerce of a pending evaluation must immediately preserve all relevant records.
Once the Secretary makes a preliminary determination regarding the ICTS transaction, the parties will be notified of the preliminary determination and, to the extent consistent with national security, its basis.
Opportunity to Respond
Parties have 30 days after notification of a preliminary determination to submit a response opposing the determination along with information in support of the response or proposing additional measures for mitigation.
After receiving a response, the Secretary has 30 days from receipt to issue a final determination that:
- the transaction is prohibited;
- the transaction is not prohibited; or
- as a condition of approval, "require measures and specific timeframes to mitigate risks identified during an evaluation."
All final determinations must be in writing and will set out the potential penalties for failure to comply with the prohibition (if applicable) or mitigation measures (if applicable). The final determination is a "final agency action" subject to judicial review.
The Proposed Regulations permit the Secretary to alter or dispense with any of the procedures above where "public harm is likely to occur if the procedures are followed or national security interests require it." The Secretary is directed to include—to the extent consistent with national security—the basis for emergency action as part of the written final determination.
The Proposed Regulations establish significant penalties for parties who violate the requirements of the regulations or any mitigation conditions imposed by Commerce. First, any person who violates, conspires to violate, or causes a violation of any prohibition or other action issued under the Proposed Regulations is potentially liable for civil penalties under IEEPA of up to $302,584 (to be adjusted for inflation) or twice the transaction value. The same penalties apply to anyone who directly makes a false or misleading statement or conceals any material information from U.S. authorities in connection with action under the Proposed Regulations or who does so indirectly through another person. Second, any person who violates a material provision of a mitigation measure or condition imposed by Commerce is potentially liable for civil penalties of up to $302,584 (to be adjusted for inflation) or the value of the transaction.
The Secretary has authority to determine the amount of any penalties will be "based on the nature of the violation." Parties will receive written notice and may request reconsideration within 15 days of receipt. The Secretary would then have 30 days to issue a final decision.
1. 84 Fed. Reg. 65316 (Nov. 27, 2019).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.