2024-2025 Global AI Trends Guide
On 19 January 2021, the U.S. Department of Commerce (Commerce) issued an interim final rule addressing national security concerns related to the Information and Communications Technology and Services (ICTS) supply chain, which takes effect 22 March 2021. Pursuant to the interim rule, Commerce can review specified ICTS Transactions and may ultimately prohibit or restrict any ICTS Transaction connected to “foreign adversaries” that pose certain “undue or unacceptable risks.” Currently, “foreign adversaries” consist of China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Venezuelan regime of Nicolas Maduro. The interim final rule does not appear to impose a mandatory licensing requirement, but companies may proactively apply for a license, allowing Commerce to review a transaction prospectively. Violations of this interim rule may be subject to significant civil and criminal penalties.
On 19 January 2021, Commerce issued an interim final rule addressing national security concerns related to the Information and Communications Technology and Services supply chain, which takes effect 22 March 2021. Commerce is also accepting comments until that date. In addition, Commerce intends to publish additional regulations setting forth the licensing process for these rules within 60 days, which will also have a 60-day comment period of their own. Pursuant to the interim final rule, Commerce can review specified ICTS Transactions through a process similar to that of the Committee on Foreign Investment in the United States (CFIUS). Based on this review, Commerce may prohibit or restrict any ICTS Transaction connected to “foreign adversaries” that pose certain “undue or unacceptable risks.” At this time, “foreign adversaries” consist of China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Venezuelan regime of Nicolas Maduro.
Rather than waiting for Commerce and the other agencies involved in the review process to initiate a review on their own, companies will be able to apply for a license proactively, allowing Commerce to review ongoing or prospective transactions. Such license applications will be reviewed on a fixed timeline of no more than 120 days from accepting a license application. If Commerce does not issue a decision within 120 days, the application will be deemed granted. The rule does not appear to impose a mandatory licensing requirement, nor do the rules include a value or other threshold for transactions that would invite scrutiny, but violations of this interim final rule may be subject to significant civil and criminal penalties. Consequently, companies are advised to assess the risks of engaging in transactions with a connection to the “foreign adversaries” listed above.
On 15 May 2019, President Trump issued Executive Order (EO) 13873, "Securing the Information and Communications Technology and Services Supply Chain." The EO authorizes the Secretary of Commerce to prohibit certain transactions involving ICTS that have been “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversary” and that pose an “unacceptable risk” to U.S. national security or “undue risk” to U.S. ICTS or critical infrastructure.
Pursuant to this authority, Commerce issued a proposed rule in November 2019. After reviewing public comments, Commerce issued this interim final rule on 19 January 2020.
This interim final rule from Commerce is part of broader, multi-agency effort by the U.S. government to address national security concerns related to the use of foreign communications and information technology equipment in U.S. networks. Most notably, the Federal Acquisition Regulations (FAR) Council published a separate interim rule on 14 July 2020 implementing a government-wide ban on federal contracting with any entity that uses covered telecommunications equipment or services from certain Chinese entities. The FAR Council promulgated this interim rule to implement Section 889(a)(1)(B) (Part B) of the fiscal year 2019 National Defense Authorization Act (FY19 NDAA). See Hogan Lovells’ update on the FAR Council’s regulations here.
In relevant part, this interim final rule states that Commerce may determine whether an ICTS Transaction that has been “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries poses undue or unacceptable risks.” Based on this review, Commerce may approve the transaction, prohibit the transaction, or require mitigation. Below is a summary of key definitions and additional details regarding the scope of this interim final rule.
ICTS means “any hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfil or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.”
An ICTS Transaction means “any acquisition, importation, transfer, installation, dealing in, or use of any ICTS, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.” This definition includes “any other transaction, the structure of which is designed or intended to evade or circumvent the application” of EO 13873. This definition also includes a class of ICTS transactions.
As of now, Commerce has identified the following government or non-government persons as “foreign adversaries” for purposes of these regulations:
This list may be revised, and countries may be added or removed.
The interim final rule only applies to ICTS Transactions that meet all of the four following criteria; that is, the transaction:
The regulations do not apply to an ICTS Transaction that:
Commerce may decide to make a referral for review of a transaction based on the written request of an appropriate agency head, at the Commerce Secretary’s discretion, or based on any of the categories of information set forth in section 7.100(a) of the regulations.
Upon receiving a referral, Commerce shall decide whether to conduct an initial review of the transaction to assess whether it poses an undue or unacceptable risk. In doing so, Commerce shall consider the following criteria:
These criteria are to be assessed by Commerce in interagency consultation with the U.S. Departments of Treasury, State, Defense, Justice, and Homeland Security, as well the Office of the U.S. Trade Representative, the Director of National Intelligence, the General Services Administration, the Federal Communications Commission, and any other agency Commerce deems appropriate.
The initial review can result in a determination that the transaction does not meet these criteria, in which case the review will end. But if the transaction does meet these criteria, Commerce can propose mitigation measures or seek to prohibit the transaction. The parties to the transaction must be notified in writing in either such case.
This written notification triggers a 30 day period whereby the parties may respond to Commerce, and such response may submit arguments contesting the basis of Commerce’s determination, or proposing remedial steps.
Commerce will then review these responses and, in interagency consultation, decide whether a final determination regarding the transaction shall be issued. A final determination can conclude that a transaction is: 1) prohibited; 2) not prohibited; 3) permitted pursuant to the adoption of negotiated mitigation measures.
Such a final determination must be issued within 180 days of accepting a referral and commencing the initial review of a transaction (though this period can be extended by Commerce). The final determination must be sent in writing to the parties. Final determinations prohibiting a transaction will be published in the Federal Register.
Violations of these regulations can be subject to civil or criminal penalties pursuant to the International Emergency Economic Powers Act (IEEPA). These include violations of any final determination, direction, or mitigation agreement pursuant to the regulations.
Civil penalties may not be more than the greater of either: i) US$307,922; or ii) twice the value of the transaction that is the basis of the violation, per violation.
Criminal penalties may be no greater than US$1,000,000 and/or 20 years’ imprisonment, per violation.
Comments on this interim final rule are due 22 March 2021. Commerce has stated that it is committed to ultimately issuing final regulations. However, Commerce issued this interim rule under the Trump administration, and it is therefore uncertain what, if any changes, the new Biden administration may seek to make or may suspend the implementation of the rule.
In the meantime, businesses should be cognizant of the potentially retroactive nature of the interim final rule. Though it does not take effect until 22 March 2021, the interim rule applies to ICTS Transactions “initiated, pending, or completed on or after” 19 January 2021.
For further information or assistance, please contact any of the Hogan Lovells lawyers identified below.
Authored by Ajay Kuntamukkala, Adam Berry, Molly Newell