By Attorneys, Megan Mohler and Vicky Wu, Braumiller Law Group
On January 19, 2021, the U.S. Department of Commerce published an interim final rule (interim rule) and proposed regulations (15 CFR Part 7) that could, effectively, mean a new licensing regime on imports related to Information and Communications Technology and Services (ICTS). The interim rule gives Commerce broad authority to conduct national security reviews and restrict U.S. transactions involving ICTS with foreign adversaries. While the rule becomes effective on March 22, 2021, the Department of Commerce is seeking public comment on the interim rule until that date and has committed to issuing a subsequent final rule after the comment period closes.
What is Covered?
In short, these regulations create the processes and procedures that the Secretary of Commerce will use to identify, assess, and address certain transactions between U.S. persons and foreign persons that involve ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary. The purpose of these regulations is to identify ICTS transactions that pose an undue or unacceptable risk to U.S. national security.
It is important to note that the ICTS transactions subject to this interim rule only apply to transactions involving officially designated “foreign adversaries.” Foreign adversaries for the purposes of this rule include: (1) The People’s Republic of China, including the Hong Kong Special Administrative Region (China); (2) Republic of Cuba (Cuba); (3) Islamic Republic of Iran (Iran); (4) Democratic People’s Republic of Korea (North Korea); (5) Russian Federation (Russia); and (6) Venezuelan politician Nicola´s Maduro (Maduro Regime).
The interim rule demonstrates that the Commerce Department intends to adopt an expansive view of what is to be covered by the regulations. According to the rule, Commerce considers an ICTS transaction to be “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including . . . activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.”
For an ICTS Transaction to be covered by the scope of the interim rule, it must fall into at least one of six designated sectors or categories summarized below.
- ICTS that will be used by a party to a transaction in a sector designated as critical infrastructure by Presidential Policy Directive 21—Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors.
- Software, hardware, products or services integral to wireless local area networks; mobile networks; satellite payloads; satellite operations and control; cable access points; wireline access points; core networking systems; and long-and-short haul systems.
- Software, hardware, products or services integral to data hosting or computing services that uses, processes, or retains, or is expected to use, process or retain sensitive personal data on greater than 1 million U.S. persons at any point in the 12 months prior to the ICTS transaction.
- Certain ICTS products, if greater than 1 million units have been sold to U.S. persons at any point over the 12 months prior to an ICTS Transaction, including: (A) internet-enabled sensors, webcams, and any other end-point surveillance or monitoring device; (B) routers, modems, and any other home networking device; or (C) drones or any other unmanned aerial system.
- Software designed primarily for connecting with and communicating via the internet that is in use by greater than 1 million U.S. persons at any point over the 12 months preceding an ICTS transaction, including: (A) desktop applications; (B) mobile applications; (C) gaming applications; and (D) web-based applications.
- ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.
An ITCS transaction is covered by the scope of the interim rule if it:
- falls into one of the above categories, a party in the transaction uses the ICTS in one of the designated product and technology sectors;
- is conducted by any person subject to U.S. jurisdiction or involves properly subject to U.S jurisdiction;
- involves any property in which any foreign adversarial country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service); AND
- is initiated, pending, or completed on or after January 19, 2021, regardless of when any contract appliable to the transaction is executed or when any license, permit, or authorization was granted.
How is a Review Initiated?
The Department of Commerce may initiate a review of a covered ICTS transaction in one of three ways: at the Secretary of Commerce’s discretion; upon written request of an appropriate agency head; or upon receipt of publicly available information, information obtained from state, local, or foreign government, etc., which can also be submitted to Commerce by private parties.
Once the Department of Commerce decides to initiate a review of a transaction, the Commerce Department will assess whether it falls within the scope of a covered transaction (as discussed above) and whether the ICTS is designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary. According to the interim rule, this may include, for example, a corporation organized under the laws of a foreign adversary or a corporation, wherever organized, that is owned or controlled by a foreign adversary. For Commerce to assess the level of foreign adversary involvement, the interim rule states it would consider the following criteria:
- whether the party or its component suppliers have headquarters, research, development, manufacturing, test, distribution, or service facilities or other operations in a foreign country, including one controlled by a foreign adversary;
- personal and professional ties between the party — including its officers, directors or similar officials, employees, consultants, or contractors—and any foreign adversary;
- laws and regulations of the foreign adversary in which the party is headquartered or conducts operations, including research and development, manufacturing, packaging, and distribution; and
- any other criteria that the Secretary deems appropriate.
The Secretary must also evaluate whether the covered transaction poses an undue or unacceptable risk to national security. In the interim rule, the Department of Commerce has identified ten criteria for making such determinations. To summarize, when determining if an ICTS transaction poses an undue or unacceptable risk, the Secretary will consider the nature of the information and communications technology or services at issue in the ICTS transaction, including technical capabilities, applications, and market share considerations; the nature and degree of the direction or jurisdiction exercised by the foreign adversary over the design, development, manufacture, or supply at issue in the ICTS transaction; and the statement and action of the foreign adversary at issue in the ICTS transaction. Other considerations include whether the ICTS transaction poses a discrete or persistent threat and the nature of the vulnerability implicated by the ICTS transaction.
After review of the ICTS transaction and consultation with the appropriate agency heads, the Secretary will issue an initial written determination as to whether the ICTS transactions is (1) prohibited, (2) not prohibited, or (3) permitted pursuant to the adoption of agreed-upon mitigation measures. Parties have 30 days to respond to the Secretary’s initial determination should they disagree. If the parties do not respond timely, the initial determination becomes final. If parties do respond, the Department meets again, then issues its final determination.
Can Penalties be Assessed?
Yes. Both civil and criminal penalties may apply for failure to follow the requirements of Commerce’s final determination. So, if a prohibited transaction proceeds, or the parties do not comply with mitigation measures, penalties could be assessed, pursuant to IEEPA.
- Civil: A statutory penalty not to exceed the greater of $250,000, which has recently been adjusted for inflation to $311,562, or an amount that is twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed.
- Criminal: If a willful violation and convicted, up to 20 years in prison and/or up to $1,000,000 fine. Penalties can be petitioned, and a determination will be made 30 days after a petition is received.
The impetus of taking the next steps on finalizing the interim rule and its implementation falls on the incoming Biden Administration. There is still a possibility that this rule could be scrapped, changed, or implemented. If implemented, the question becomes, how? The most recent Federal Register Notice on the subject suggests beginning some sort of licensing process for ICST Transactions in the future. Of course, because the interim rule is subject to change, importers at the very least can take steps now to be prepared by examining their supply chains for covered products from the listed foreign adversaries and take extra care regarding record keeping surrounding these transactions.