US Commerce Department Proposes Sweeping New Rules for National Security Review of US Information and Communications Technology or Services Transactions

On November 27, 2019, the US Department of Commerce published a notice of proposed rulemaking (“Notice”) that would establish sweeping new authority to conduct a national security review and potentially unwind any transactions involving information and communications technology or services (“ICTS”) with ties to a “foreign adversary.”

The proposed rules would potentially impact operations and purchases by any person in the United States as well as transactions by non-US persons that have a sufficient US nexus. The rulemaking represents a significant new regulatory framework for national security reviews of international transactions. Notably, unlike the US government’s national security reviews of foreign investments run by the Committee on Foreign Investment in the United States (“CFIUS”), Commerce’s proposed framework here would not establish any process for pre-clearing potentially impacted transactions. The rules would apply to transactions initiated, pending or to be completed after May 15, 2019, including those for which a contract was executed prior to that date. The Department of Commerce is seeking written comments from the public by December 27, 2019.

I.   BACKGROUND

On May 15, 2019, President Trump issued Executive Order 13873 on Securing the Information and Communications Technology and Services Supply Chain (“E.O. 13873”) to address national security concerns that foreign adversaries are increasingly exploiting ICTS supply chains to commit nefarious cyber actions, including economic and industrial espionage against the United States. Specifically, E.O. 13873 authorizes the secretary of commerce, in consultation with other relevant federal agencies, to prohibit or mitigate transactions that involve ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a “foreign adversary” if such transactions pose an undue or unacceptable national security risk in the United States or to the safety of US persons.  E.O. 13873 does not specifically name China, but China, and particularly Chinese telecommunications company Huawei Technologies Co., Ltd., is believed to be a likely target of this action. 

E.O. 13873 gave the secretary 150 days to publish rules. However, the November 27 Notice marks the first development in the rulemaking process.  

II.        KEY ELEMENTS

Expansive Scope of Covered Transactions. The Commerce Department proposes to adopt an extremely expansive view of what “transactions” would be covered by the proposed regulations.  Unless otherwise excluded, the proposed regulations would define as a covered “transaction” any “acquisition, importation, transfer, installation, dealing in, or use” of ICTS as long as that transaction: (i) involves any foreign person or their property interests; (ii) involves any person in the United States (regardless of nationality), any US person wherever located, or otherwise any property subject to US jurisdiction (a term with expansive implications based on past Commerce Department practice); and (iii) was initiated, is pending or will be completed after May 15, 2019, regardless of contract execution date. 

As the above suggests, the proposed rule as currently contemplated would cast an extremely wide net and would establish sweeping discretion to review a broad array of ongoing or contemplated ICTS transactions to determine whether they pose sufficient national security risk to warrant action based on the criteria described below. Notably, Commerce has not proposed any categories of ICTS transactions that it would categorically exclude from this wide net but has invited comments on whether it should consider exclusions. 

Initiation of a Review. There are three ways the Commerce Department may initiate review of a covered transaction under the proposed regulations: (i) self-initiated and commenced at the secretary’s discretion; (ii) at the request of another US government department or agency; or (iii) based on credible information submitted to the secretary by private parties. 

Review Criteria.  Once the Commerce Department decides to initiate a review of a covered transaction, the secretary (in consultation with several other departments and agencies) will evaluate the effect of the transaction on US national security. In particular, the proposed rule would establish the following criteria:  

• US Jurisdiction.  This criteria is effectively the same as the criteria for determining the transaction is a covered transaction. Notably, the proposed rule would extend to not only transactions involving US persons (including entities organized under US law and their foreign branch offices, US citizens and US permanent residents and persons otherwise in the United States) but would also extend to transactions that otherwise “involv[e] property subject to the jurisdiction of the United States.” The proposed definitions in the Notice do not include a definition of this term, but we note the agency could seek to assert jurisdiction (as it has in other contexts) over transactions outside the United States based on the origin or content of the items involved rather than the nationality of the parties.
• Ties to Foreign Adversary.  The ITCS involved in the transaction must be “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” Notably, the proposed rule does not identify any particular foreign adversary (whether countries, entities or persons) and notes that this determination is a matter of executive discretion. Under the proposed rule, either governmental or non-governmental actors may be considered “foreign adversaries,” and a designation may be based either on a “long-term pattern” or “serious incidents” of conduct significantly adverse to US national security interests or the safety of US persons.  
• Undue or Unacceptable National Security Risks. Where the covered transaction otherwise meets the criteria above (subject to US jurisdiction and ICTS with relevant ties to a foreign adversary), the secretary (in consultation with other departments and agencies) will evaluate whether the transaction has an “undue risk” to ICTS, critical infrastructure or the digital economy of the United States or otherwise poses an “unacceptable risk” to US national security. 

Conduct of the Review and Limited Involvement of the Parties. A key feature of the proposed rule is that the parties to the covered transaction in the secretary’s review may have little to no involvement in the process prior to a preliminary determination.  

The secretary would have extremely broad powers to conduct a review, including using “all appropriate tools available to collect information” on the transaction. This would include  drawing on assessments from the secretary of homeland security and the director of national intelligence and other authorities, in addition to publicly available information.  Notably, the Commerce Department may seek information from the parties, but the first time the agency would be required to provide notice under the proposed rule would be once Commerce has made a preliminary determination that a transaction with sufficient ties to a foreign adversary poses a national security risk and the basis for that determination. At that time, the party has 30 days to provide a response before a final determination is made regarding potential remedies (whether measures to mitigate the national security risks or unwind the transaction). Final determinations must be in writing and detail the potential penalties for failure to comply.

Re-Initiation of Reviews for Material Changes. Even where a final determination is made, the secretary may initiate a new review, or make a new determination, where “circumstances, technology or available information has materially changed.” 

Penalties.  The proposed regulations would be subject to enforcement under the International Emergency Economic Powers Act (“IEEPA”), the same statutory authority for the Commerce Department’s implementation of the export control laws of the United States and for various US sanctions laws administered by the Commerce and Treasury Departments. IEEPA provides for civil penalties for violations of the proposed regulations (including any final determination or terms of mitigation) up to the greater of twice the value of the transaction or approximately $302,000 per violation, as well as criminal fines and imprisonment.        

III.       CONCLUSION
The proposed rule is broad and sweeping in its potential scope and impact. Parties to ICTS transactions must now give consideration to whether and to what extent the equipment, software and technology involved in their transactions may come under the expansive scope of the rule. The secretary of commerce is seeking public comment on the rule in its entirety. This includes potential considerations relating to the current scope of what would be a potentially covered transaction, whether certain categories of ICTS transactions can and should be categorically excluded (or included) for review and the nature of the review process and the current limitations on the opportunity for engagement, advisory opinions or preclearance for parties to potentially impacted transactions.

Written comments must be submitted by December 27, 2019.