Skip to Main Content
 
Thought Leadership

Commerce Proposed Rule Could Restrict Tech & Data Transactions Involving Foreign Counterparties

 
Legal Updates

Key Points

  • A recently proposed U.S. Department of Commerce rule would empower the Secretary of Commerce to prohibit information and communications technology or services transactions with “foreign adversaries” on a case-by-case basis if the Secretary determined those transactions threaten the U.S. digital economy or national security.
  • Many aspects of the proposed rule are unclear, including who qualifies as a "foreign adversary" and how far jurisdiction extends.
  • The proposed rule could negatively impact U.S. companies that rely on technology hardware, software, data or services from non-U.S. vendors, with a potential focus on those in China.
  • Interested parties have an opportunity to provide comments before the final rules take effect, but comments must be received by the Department of Commerce on or before Friday, December 27, 2019.

Background 

On Thanksgiving Eve, Wednesday, November 27, the U.S. Department of Commerce released a proposed rule that intends to provide the U.S. Secretary of Commerce the authority to block, require the unwinding of or require mitigating modifications to information and communications technology or services (ICTS) transactions involving "foreign adversaries" if the Commerce Secretary determines that such transactions threaten U.S. critical infrastructure, the U.S. digital economy or U.S. national security. While this proposed rule is not yet final, it does threaten to complicate the holiday season for many beleaguered data security and trade compliance professionals as they scramble to compile and submit comments to the Department of Commerce before the proposed rule’s comment submission deadline expires on Friday, December 27, 2019.  

The Department of Commerce issued the proposed rule to satisfy a mandate under Executive Order 13873 (the ICTS Order), which President Trump issued on May 15, 2019 to authorize the Department of Commerce and other federal agencies to more strictly regulate ICTS transactions in the interest of U.S. national security. The ICTS Order required the Commerce Secretary to publish rules or regulations implementing the ICTS Order within 150 days of its issuance and gave the Commerce Secretary the authority to include provisions within those rules to: (1) specifically identify “foreign adversaries” and persons determined to be owned by, controlled by, or subject to the jurisdiction or direction of “foreign adversaries,” (2) establish criteria to advise the ICTS industry on specific types of transactions that were either categorically subject to or exempt from the rules, and (3) identify specific technologies or countries that would warrant particular scrutiny under such rules. The Department of Commerce ultimately delayed publishing the proposed rule until 44 days after the ICTS Order’s deadline and declined to include most of the ICTS Order’s contemplated practical guidance, instead giving the Commerce Secretary broad authority to review and suspend ICTS transactions involving foreign adversaries in its own discretion on a case-by-case basis.  

The proposed rule

The proposed rule provides the Commerce Secretary authority to prohibit, require the unwinding of or require mitigating measures to ICTS transactions that threaten the national security, foreign policy or economy of the United States. In order for an ICTS transaction to be subject to the proposed rule, the transaction must satisfy three requirements: (1) the transaction must involve either persons or property subject to U.S. jurisdiction; (2) a foreign country or national thereof must have interest in property involved in a transaction (which can be acquired through an interest in a contract for the provision of technology or services); and (3) the transaction must be initiated, pending or completed after May 15, 2019 (the date of the ICTS Order). Notably, the proposed rule expressly rejects any sort of grandfather exception for ongoing transactions performed under pre-existing contracts executed prior to May 15, 2019.

The proposed rule requires the Commerce Secretary to first conduct a formal evaluation before the Commerce Secretary can take actions to block or suspend any ICTS transaction. The Commerce Secretary may initiate such an evaluation: (i) in its own discretion, (ii) at the written request of another U.S. government agency or (iii) in response to information received from third parties that the Commerce Secretary deems to be credible.

When an ICTS transaction becomes the subject of a formal evaluation, the Commerce Secretary (in consultation with other U.S. government agencies) will consider the three threshold criteria identified above (U.S. jurisdiction, foreign interest and timing) as well as the following fourth and fifth additional criteria:

4.    Whether the transaction involves ICTS designed, developed, manufactured or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary (the proposed rule broadly defines ICTS as “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display.”); and

5.    Whether the transaction either:

(i) Poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of ICTS in the United States;

(ii) Poses an undue risk of catastrophic effects on the security or resiliency of U.S. critical infrastructure or the U.S. digital economy; or 

(iii) Otherwise poses an unacceptable risk to U.S. national security or the security and safety of U.S. persons.

If the Commerce Secretary determines that an ICTS transaction meets all five of the proposed rule’s criteria, then the Commerce Secretary will provide a written preliminary determination to the transaction parties to inform them of the Commerce Secretary’s decision to prohibit, require the unwinding of or require mitigating measures to the reviewed transaction and explain the Commerce Secretary’s basis for that decision (however, if providing the preliminary determination or any accompanying explanation would be inconsistent with national security, then the proposed rule gives the Commerce Secretary the authority to immediately respond with a final determination or to withhold explanation from a preliminary determination). After receiving a preliminary determination, the parties to the transaction then have 30 days to protest the Commerce Secretary’s preliminary determination and/or propose alternative mitigating measures to permit the parties to continue with the transaction. If the transaction parties do submit a protest, then the proposed rule requires the Commerce Secretary to consider that protest and then issue a written final determination to the transaction parties within 30 days after receiving the protest. The proposed rule requires the Commerce Secretary to publicly post summaries of each final determination on its website and in the Federal Register.

The proposed rule also establishes civil penalties that apply to any person who violates the proposed rule, supplies any false or misleading information to the U.S. government in connection with the proposed rule or violates any mitigating measures to an ICTS transaction imposed by the Commerce Secretary. These penalties may reach as high as the greater of either $302,584 or twice the amount of the applicable transaction.

Uncertainty in the proposed rule

As stated above, despite an authorization to do so under the ICTS Order, the proposed rule does not specify certain classes of transactions as being either categorically included within or excluded from the proposed rule’s scope. The Commerce Secretary has also stated that it will not issue advisory opinions or declaratory rulings with respect to any particular transaction on a preemptive basis. From a practical standpoint, if the final rules follow the proposed rule’s template, then this lack of guidance could make it very difficult for companies in the ICTS industry to comply with the ICTS Order and the proposed rule.  

Some of the proposed rule’s key uncertainties include:

  • It is unclear which persons and property are subject to U.S. jurisdiction and therefore subject to the proposed rule. The proposed rule clearly applies to any physical networks and hardware that are located within the United States. However, the proposed rule also captures functions such as storage, retrieval and transmission which can and do frequently take place outside of the United States. The proposed rule does not provide clear guidance on how it is supposed to apply to this type of conduct when it occurs outside the United States.
  • It is unclear who will be treated as a foreign adversary. The proposed rule defines a “foreign adversary” as “any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.” As discussed above, the proposed rule also gives the Commerce Secretary the authority to block, require unwinding of or require mitigating measures to any ICTS transaction if anyone “owned by, controlled by, or subject to the jurisdiction or direction” of a “foreign adversary” has an interest in the transaction. The proposed rule does not identify who the Commerce Secretary will consider to be foreign adversaries when implementing the proposed rule and simply says that “the determination of a ‘foreign adversary’ for purposes of implementing the [ICTS Order] is an executive decision." It is widely speculated that Chinese telecommunications giant Huawei will be treated as a “foreign adversary” due to the fact that the Trump Administration issued the ICTS Order to coincide with its decision to add Huawei and 68 of its affiliate companies to the Entity List maintained by the Department of Commerce Bureau of Industry and Security (BIS) (we discussed this initial designation in this blog post and then discussed BIS’s placement of an additional 46 Huawei affiliate companies on the Entity List on August 19, 2019 in a subsequent blog post). The Commerce Secretary could also treat Huawei’s fellow Chinese telecom company ZTE as a “foreign adversary," which seems probable because the 2019 Defense Authorization Act already prohibits federal agencies from using hardware or services from either ZTE or Huawei. Many companies are currently concerned that the Commerce Secretary could decide to treat the entire Chinese government as a foreign adversary, in which case any transactions involving hardware or other services provided by any Chinese company subject to the Chinese government’s jurisdiction could potentially be subject to blocking, unwinding or mitigation under the proposed rule. The ICTS Order required the Office of the Director of National Intelligence (ODNI) to issue a threat assessment to identify threats to the United States posed by ICTS systems designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary. The ODNI has issued this report and the Commerce Secretary has indicated that it will rely on the ODNI report when enforcing the proposed rule; however, that report is classified and not available to the general public. As a result, for the time being it is unknown who the Commerce Secretary will deem to be a foreign adversary when enforcing the proposed rule and it is also unclear whether the Commerce Secretary ever intends to publicize those determinations after the proposed rule takes effect.
  • It is unclear how the Commerce Secretary will enforce the proposed rule. The proposed rule generally states that the Commerce Secretary will adopt a “case-by-case, fact specific approach” to determine which ICTS transactions require intervening action under the proposed rule. The Commerce Secretary has indicated that it intends to rely on the above-described ODNI report as well as a separate vulnerabilities assessment issued by the Department of Homeland Security under the ICTS Order (which is also not currently available to the public).   Because the Commerce Secretary intends to enforce on a case-by-case basis while opting against bright line rules to define the proposed rule’s scope, many companies are uncertain as to what types of ICTS transactions could potentially be included within or excluded from the proposed rule.
  • It is unclear whether companies will receive notice when the commerce secretary initiates a review of their ICTS transactions. The proposed rule does not specify whether the Commerce Secretary must notify parties to an ICTS transaction when it first initiates a review of a transaction under the proposed rule. There is one provision which states that if the Commerce Secretary does notify the parties that their transaction is being evaluated then those parties must immediately retain all records associated with the transaction. However, that provision does not obligate the Commerce Secretary to provide such notice.  It is possible that parties might not know that their ICTS transactions are under review until they receive a written preliminary determination from the Commerce Secretary.
  • The proposed rule’s timing is unclear. The ICTS required the Commerce Secretary to publish actual implementing rules on or before October 12, 2019. That deadline has obviously passed and for the time being the proposed rule only provides proposed regulations. The proposed rule establishes a deadline for submitting comments but does not establish any timeline for how quickly the Department of Commerce will review those comments or publish the required final rules and regulations. Assuming that the eventual final rules will follow the proposed rule’s format and apply retroactively to transactions existing as of or initiated after May 15, 2019, this puts ICTS companies in a difficult position because they know the transactions they are currently negotiating will likely be subject to the forthcoming rules but they do not know exactly what those forthcoming rules will require or when they will take effect.

Comment submission process

The Department of Commerce will accept comments to the proposed rule via web portal submission, e-mail, U.S. mail or hand delivery. To be considered, the comments must be received by the Department of Commerce on or before December 27, 2019. The Department of Commerce has invited comments on all aspects of the proposed rule but has specifically noted that the Commerce Secretary and heads of other federal agencies will be responsible for making the ultimate determination as to who will be treated as a “foreign adversary” under the final rule. In particular, the Department of Commerce is seeking feedback on: (1) whether there are any categories of transactions that should be categorically excluded from the forthcoming rules, (2) what sort of mitigation measures the Commerce Department could require in order to permit the continuance of ICTS transactions that would otherwise present undue or unacceptable risks to the United States, (3) how the Commerce Department should interpret the ICTS Order’s definition of a “transaction," and (4) the forthcoming rule’s recordkeeping requirements. 

Contact us

If you have questions about the proposed rule please contact Cortney Morgan or Grant Leach with Husch Blackwell’s Export Controls & Economic Sanctions Team or Mindi Giftos or Bob Bowman with Husch Blackwell’s Data Privacy, Cybersecurity & Breach Response Team.

Professionals:

Grant D. Leach

Partner

Mindi S. Giftos

Partner