Commerce Department Rule Authorizes Review of ICTS Transactions Involving "Foreign Adversaries"
In Short
The Situation: Later this month, transactions in the information and communication technology and services ("ICTS") sector that involve designated "foreign adversaries" will be subject to review by the U.S. Department of Commerce ("Commerce").
The Result: Companies operating in the ICTS sector should carefully review the implications of that review process—as framed in the interim final rule ("IFR") issued by Commerce on January 19, 2021—for their ongoing and prospective activities.
Looking Ahead: Companies in the ICTS sector should prepare to comply with the rule and assess ongoing, pending, and recently closed transactions to identify and, if possible, mitigate any potential impact this new review process may have.
Later this month, companies operating in the information and communications technology and services ("ICTS") sector will begin to contend with a new national security review process with potentially broad and disruptive effects on cross-border transactions.
Building on a May 2019 Executive Order issued under the International Emergency Economic Powers Act ("IEEPA"), the U.S. Department of Commerce ("Commerce") recently issued an interim final rule ("IFR") establishing an interagency review mechanism through which Commerce can identify and potentially prohibit ICTS transactions that pose an "undue or unacceptable risk" to national security. This mechanism provides the U.S. government with an additional tool to scrutinize and limit inbound activities when "transactions," which are defined broadly, involve non-U.S. governments or persons determined to be "foreign adversaries" of the United States. Companies operating in the ICTS sector or sourcing or supplying ICTS products or services from the designated countries, including China and Russia, should consider how the new review mechanism may affect their business.
What Is the Scope of the IFR?
Under the IFR, Commerce asserts authority to prohibit, unwind, or mitigate risks associated with "covered ICTS transactions" where the ICTS is "designed, developed, manufactured, or supplied" by persons "owned by, controlled by, or subject to the jurisdiction or direction of" designated "foreign adversaries," and where the transaction is determined to pose an "undue or unacceptable risk" to U.S. national security.
Covered ICTS Transactions: The IFR defines "ICTS Transactions" to include the acquisition, importation, transfer, installation, dealing in, or use of ICTS, including hardware or software related to electronic communications, data storage, or data processing. Such transactions are "covered," and thus subject to review, when:
- The transaction is conducted by a person subject to the jurisdiction of the United States and relates to any property in which a foreign country or its nationals hold an interest; and
- The associated ICTS falls into one of the following categories: (i) critical infrastructure; (ii) networks and satellites; (iii) data hosting or computing services involving sensitive personal data; (iv) monitoring and home network devices; (v) internet and telecommunications software; or (vi) emerging technology (including advanced robotics, artificial intelligence and machine learning, drones, and quantum computing).
Importantly, ICTS transactions that are authorized under a "U.S. government industrial security program" or are submitted for review to the Committee on Foreign Investment in the United States ("CFIUS") are not subject to review under the IFR.
Foreign Adversaries: At present, Commerce has designated the following countries as "foreign adversaries" for purposes of ICTS review: China (including Hong Kong), Russia, Cuba, Iran, North Korea, and the Maduro Regime in Venezuela. However, the Secretary of Commerce has discretion to designate additional governments or persons as "foreign adversaries."
Undue or Unacceptable Risk: Commerce has not yet provided a precise definition of what qualifies as an "undue or unacceptable risk," but has made clear that the term at least includes the risk of sabotage or subversion of U.S. electronic communications, data storage, or data processing capabilities, as well as the risk of catastrophic effects on U.S. critical infrastructure or the U.S. digital economy.
How Is the Review Process Structured?
The IFR contemplates a multi-tiered review process of covered "ICTS Transactions":
- Commencement: Commerce may begin a review on its own initiative, on a referral from a different agency, or by a referral from a private party.
- Initial Review: If Commerce opts to proceed on a referral, it will conduct an review to make preliminary determinations regarding the risk posed by the "ICTS Transaction," including the nature of the technology in the transaction and the level of control exercised by the "foreign adversary." If Commerce determines that the transaction likely poses an "undue or unacceptable risk," Commerce will then provide notice to and consult with an interagency panel to determine whether the "ICTS Transaction" meets the criteria established in the IFR for assessing "undue or unacceptable risk[s]." If Commerce determines that the transaction meets that criteria, then it will issue an initial determination and invite the parties to the transaction to respond within 30 days.
- Final Determination: If a party opts to respond, Commerce, in consultation with the interagency panel, will consider any new arguments or circumstances, and then issue a final determination that prohibits, permits, or sets out mitigation measures necessary for the transaction to proceed.
Unless the Secretary of Commerce determines in writing that additional time is necessary, all reviews will be completed within 180 days.
At present, the IFR does not include a "safe harbor" procedure similar to that found in CFIUS or an affirmative licensing process. Commerce indicated in the IFR, however, that it intends to publish procedures "to allow a party or parties to a proposed, pending, or ongoing ICTS Transaction to seek a license" within 60 days of the publication of the IFR. Commerce further indicated that it intends to implement this licensing process within 120 days of the publication of the IFR. Notably, Commerce explained that it intends this license review process will include a fixed timeline, which would be similar to the approach used in CFIUS reviews.
What's Next?
Although the IFR is slated to take effect on March 22, 2021, the future of Commerce's ICTS review process remains uncertain. The IFR remains open to public comment and, more significantly, the Biden administration has yet to explain publicly whether or how aggressively it plans to use the new interagency review structure and prohibition authority.
Nevertheless, companies in the ICTS sector should prepare to comply with the proposed review procedures and assess ongoing, pending, and recently closed transactions to identify and, if possible, mitigate any potential impact this new review process may have, including by adding appropriate terms to the contract to apportion regulatory risk and plan for ICTS review contingencies.
Megan McKnelly, in the San Diego Office, assisted in the preparation of this Commentary.
Three Key Takeaways
- As framed, Commerce's new ICTS national security review process is poised to have significant impacts on companies in the ICTS sector.
- Companies have until March 22, 2021, to comment on Commerce's proposed ICTS review process. In the meantime, companies should prepare for the robust process framed in the IFR.
- Companies should assess ongoing, pending, and recently closed transactions to identify and, if possible, mitigate any potential impact this new review process may have, including by adding appropriate terms to the contract to apportion regulatory risk and plan for ICTS review contingencies.