On October 14, 2020, the U.S. State Department issued a much-anticipated report pursuant to Section 5(a) of the Hong Kong Autonomy Act (HKAA), identifying ten individuals who were determined by the State Department to be “foreign persons” who “are materially contributing to, have materially contributed to, or attempt to materially contribute to the failure of the PRC to meet its obligations under” the Sino-British Joint Declaration of 1984 or Hong Kong’s Basic Law.

Under Section 5(b) of the HKAA, the U.S. Treasury Department is now given 30 to 60 days to release a report identifying any foreign financial institution (FFI) “that knowingly conducts a significant transaction with a foreign person identified” in the October 14 report. This report could be released by mid-November or December. Within one year of this Section 5(b) report, the Treasury Department could impose secondary sanctions on the FFIs identified therein, based on a menu of 10 sanctions laid out in Section 7 of the HKAA.

In conjunction with the State Department’s report, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued four Frequently Asked Questions (FAQs) providing additional guidance on how the agency intends to implement the secondary sanctions.

For additional background on this issue and a description of the secondary sanctions under the HKAA, see our blog post of July 15, 2020, “U.S. Executive Order Implements, Strengthens Hong Kong Sanctions.”

Continue Reading Update: Hong Kong Financial Institutions Face U.S. Secondary Sanctions after State Department Issues First Report under Hong Kong Autonomy Act

Following recent US regulations aimed at addressing forced labour issues in China, the UK government has published a series of proposed amendments to strengthen and expand the transparency in supply chains provisions of the Modern Slavery Act 2015 (“MSA”).  With the enactment of the MSA, the United Kingdom was the first country to require large businesses to publicly report the steps they were taking to prevent modern slavery in their operations – specifically, their supply chains.

The current transparency in supply chains provisions of the MSA require commercial organisations that carry on all or part of a business in the United Kingdom and have a total annual turnover of £36 million or more to report on the steps that they have taken during the financial year to ensure that slavery and human trafficking are not taking place in their business or supply chains.

The proposed amendments, if adopted, would beef up that reporting requirement by requiring subject commercial organisations’ modern slavery statements to include provisions on certain key topics, including due diligence and risk assessment measures to encourage openness about the steps those commercial organisations are taking to operate responsibly.

Continue Reading UK Government Moves to Strengthen and Expand Measures for Tackling Modern Slavery in Supply Chains

On September 30, 2020, President Trump issued Executive Order 13953 on “Addressing the Threat to the Domestic Supply Chain from Reliance on Critical Minerals from Foreign Adversaries and Supporting the Domestic Mining and Processing Industries.”

In the Executive Order, the President declared a national emergency under the International Emergency Economic Powers Act, in order to “deal with the threat posed by our Nation’s undue reliance on critical minerals, in processed or unprocessed form, from foreign adversaries.” The President also directed a group of federal agencies to recommend possible executive actions to ensure an uninterrupted supply of critical minerals for the US economy.

Meanwhile, the European Commission is also taking steps to increase the security of the European Union’s mineral supply chain, announcing an Action Plan on Critical Raw Materials in early September. The Commission’s Action Plan also contains a list of critical raw materials, as well as a description of the challenges for building resilience, sustainability, and open strategic autonomy with regard to the supply of those materials, and a set of related action items.


On September 21, Steptoe associate Peter Jeydel commented about recent U.S. export control developments relating to facial recognition.

To listen to the entire episode, please visit Steptoe’s Cyberlaw Podcast on the Steptoe Cyberblog.

On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) published advisories on the sanctions and anti-money laundering (AML) risks of facilitating ransomware payments.

Ransomware attacks have become increasingly common in recent years with malicious attacks targeting companies in a variety of industries, including healthcare, technology, and education, among others.  Ransomware attacks typically involve a hacker breaching a company’s information technology (IT) infrastructure and encrypting a company’s data or other systems. The attacker then typically demands the victim pay a ransom in exchange for a decryption key that allows the victim to unlock the IT systems or data.  Such attacks can have severe consequences for the victim, often preventing the victim from being able to conduct business operations in whole or in part, and, in the case of healthcare companies such as hospitals, can potentially lead to loss of life, as reportedly occurred recently with a ransomware attack on a hospital in Germany.  Such inability to conduct business can also have ripple effects on other companies or individuals whose data is affected.  In some instances, an attacker may also threaten to disclose private information or data unless the ransom is paid.

As a result, victims of ransomware attacks often choose to pay the ransom.  However, because ransomware attackers rarely, if ever, identify themselves, and often demand payment in cryptocurrency, victims making such payments are generally forced to do so without a clear understanding of the recipient.  Such conduct potentially exposes the victim, and third-party service providers (including financial institutions and incident response consultants, among others), to violations of and obligations under US sanctions and/or AML laws.

The OFAC and FinCEN advisories provide information to the public regarding the sanctions and AML risks to victims and third-party service providers, including US financial institutions, who assist victims in responding to ransomware attacks.  While in many respects the guidance does not break new regulatory ground, it is a stark reminder of the way that those trying to deal with the consequences of a ransomware attack can find themselves in trouble with the US government.  This leaves victims and the companies that assist them with a difficult conundrum: don’t pay the ransom and potentially watch the victim company’s business get destroyed, or pay the ransom and run the risk of violating US sanctions and AML laws.  It is therefore imperative that victim companies and those in the business of facilitating ransom payments carefully consider the legal risks and evaluate potential ways to avoid or minimize them.

Continue Reading Five Key Takeaways from OFAC and FinCEN’s Ransomware Advisories

On October 6, 2020, the U.S. Commerce Department’s Bureau of Industry and Security (“BIS”) promulgated a newly expanded licensing policy relating to human rights under the Export Administration Regulations (“EAR”).  We believe this is an area of increasing regulatory interest on the part of the U.S. government, including the U.S. Congress, and we would expect to see more developments like this in the near future.

On the one hand, the immediate practical impact of this new licensing policy may be limited.  First, it only informs the factors that the U.S. government must consider when deciding whether or not to issue a license under the EAR – it does not impose any new restrictions or licensing obligations in cases when a license previously was not required.  Second, even when the licensing process is triggered, we believe human rights considerations would have often been taken into account before this rule took effect, though perhaps less formally.  On the other hand, this policy change may be more significant for what it says about the direction in which U.S. export controls are heading, and it may come into play in significant ways in certain types of license applications.

Continue Reading New Human Rights Licensing Policy under U.S. Export Controls – Convergence with the EU?

On September 15, 2020, the Committee on Foreign Investment in the United States (CFIUS), the inter-agency U.S. government body responsible for reviewing certain forms of inbound investment for national security risks, published a final rule, effective October 15, making important changes to the rules defining “critical technology” transactions subject to mandatory filing requirements.

CFIUS has traditionally allowed, but not required, parties to “covered transactions” to submit a filing to CFIUS to seek approval of their transaction.  However, the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) authorized CFIUS to mandate filings for certain types of transactions.  Transactions subject to mandatory filings under FIRRMA fall into two categories: certain investments involving “critical technology” and certain investments involving foreign governments.  (See our prior International Law Advisory on FIRRMA’s implementing regulations here).

The final rule changes the circumstances in which a “critical technology” investment will trigger a mandatory filing requirement.  The rule ends the use of North American Industry Classification System (NAICS) codes to identify specific industries subject to mandatory “critical technology” filings, in favor of a filing requirement based on U.S. export controls.  A mandatory “critical technology” filing requirement is triggered under the final rule when a “U.S. regulatory authorization” would be required for the export, reexport, or transfer (in country) of the U.S. target company’s goods or technologies to the foreign investor or certain other foreign persons involved in the transaction.  The final rule also makes modest clarifications to the second category of transactions involving foreign government interests.  (See our prior blog post on the proposed version of the rule here).

Continue Reading New CFIUS “Critical Technology” Mandatory Filing Rules Increase Importance of Export Controls Analysis

On September 17, 2020, the EU Court of Justice (“the Court”) rendered a judgement upholding the General Court’s decision dismissing an action brought by members of the Rosneft group. The judgement concerned the validity of some of the EU’s sanctions imposed on Russian oil companies in the context of the Ukraine crisis. The Court ruled on the sanctions’ justification, the requirements to state reasons for their adoption, and their compatibility with international agreements.

  • Restrictive measures of general application: The Court explained that the adoption of restrictive measures of general application targeting a specific sector of the economy may lead to a situation in which, because of the specific characteristics of that sector, the number of actors in that sector may be very limited. The fact that only the Rosneft group and the Gazprom group were affected by the export restrictions provided for in Articles 3, 3a, 4(3) and 4(4) of, and in Annex II to Regulation 833/2014, and that the Council of the EU (“Council”) was aware of that, cannot call into question that the export restrictions were of general application. Therefore, the Council could justifiably maintain that the statement of reasons could be limited to indicating the overall situation which led to their adoption, on the one hand, and the general objectives which they were intended to achieve, on the other.
  • Statement of reasons for sanctions of individual application: The Court recalls that the statement of reasons for an act of the Council which imposes a restrictive measure of individual application, such as the restrictions to access the capital markets under the EU sanctions against Russia, does not have to identify the actual and specific reasons why such a measure must be adopted in respect of the person concerned. The statement of reasons must be appropriate to the act at issue and the context in which it was adopted but it is not necessary for the reasoning to go into all the relevant facts and points of law. In particular, the reasons given for a decision adversely affecting a person are sufficient if it was adopted in circumstances known to the party concerned which enable them to understand the scope of the measure concerning them. In that context, the Court recalls that the Rosneft group is a major player in the Russian oil sector, predominantly owned by the Russian State, and that those companies do not dispute that they meet the criteria set by the Council for the application of such targeted measures. Thus, the Court of Justice confirmed that the companies in question could not reasonably have been unaware of the reasons why the targeted restrictions at issue were imposed on them.
  • Connection between export restrictions and objective of the sanctions: The appellants argued that there was no rational connection between the export restrictions and the objective of the restrictive measures, because the non-conventional projects targeted by some of the EU measures at issue would not generate immediate revenue for the Russian State. The Court held that the Council could reasonably expect that undermining investment and future revenues of entities active in the oil sector targeted by those measures would help to put pressure on the Russian Government and to increase the costs of Russia’s actions to undermine Ukraine’s territorial integrity, sovereignty and independence. According to the Court, the legality of restrictive measures is not dependent on their being found to have immediate effects; all that is required is that they are not manifestly inappropriate in regard to the objective that the competent institution seeks to pursue.
  • Compatibility with EU-Russia Partnership Agreement and GATT: The Court recalled that the restrictive measures at issue are compatible with the EU-Russia Partnership Agreement and confirmed that they are also compatible with GATT. Like the EU-Russia Partnership Agreement, GATT also contains a provision relating to ‘security exceptions’, which, in circumstances such as those that led to the adoption of the measures at issue, enables the contracting parties to take any measures necessary for the protection of their essential security interests.

The EU restrictive measures targeting Russia are the EU sanctions framework with the greatest practical relevance for many EU businesses. The Court’s judgement on the validity of some of these restrictions is of great importance insofar as it confirms their lawfulness. That being said, the ruling is very much one of principle. It does not provide detailed guidance on the interpretation of individual sanctions provisions, which may be disappointing for many market operators interested in increased legal certainty.

On September 10, 2020, Judge John Bates of the DC District Court issued a memorandum opinion dismissing a lawsuit against the US Department of Commerce filed by a US-based carrier in June 2019 in response to the Bureau of Industry and Security’s (BIS) decision to add a major Chinese telecommunications manufacturer and numerous affiliates to the Entity List in May 2019. The carrier argued that the BIS rule infringed on its due process rights because the carrier could be held strictly liable for violations of the Export Administration Regulations (“EAR”) caused by its customers. It also argued that BIS exceeded its authority under the Export Control Reform Act of 2018 (“ECRA”).

The Decision

Under the EAR, carriers and other intermediaries can be held liable for facilitating violations of their customers. For example, a carrier that transports US-origin goods to a person on the Entity List who is not licensed to receive those goods could violate the EAR in addition to the sender who initiated the shipment. The carrier in this case had argued that it could not know the contents of every package it transported and that holding it strictly liable for its customers’ violations would not advance US national security or foreign policy goals. It also challenged the rationality of imposing strict liability on common carriers while holding customers liable only if they “knowingly” engage in a prohibited shipment.

The carrier argued that the EAR’s strict liability standard would require the company either to cease all business operations that create a reasonable risk of violating the EAR (e.g., shipping packages to persons on the Entity List) or to “proceed with its business operations and face a substantial risk that it will violate the EAR and suffer harm.”

Continue Reading Shipping Carrier Sent Packing as Court Rejects Challenge to New US Export Controls Rules

On September 18, 2020, the US Commerce Department announced the prohibited transactions (which would be effective as of September 20, subject to a court-ordered suspension discussed below) aimed at limiting the use of WeChat (and possibly also TikTok) within the United States. These prohibitions may have some effect outside the United States as well. Technology companies, Internet infrastructure companies, financial institutions, and other companies that support these apps should take particular note since the prohibitions are directed at business-to-business engagement, as opposed to individual users of these apps. However, users should consider that their ability to continue to use WeChat in particular within the United States may become severely restricted, and perhaps eventually eliminated. The Commerce Department’s September 18 announcement explains that these prohibitions are intended to “protect users in the U.S. by eliminating access to these applications and significantly reducing their functionality.”

As background, on August 6, President Trump issued Executive Orders 13942 and 13943, directing the Secretary of Commerce to identify, within 45 days, specific types of prohibited transactions related to ByteDance Ltd. (including TikTok) and WeChat. See our earlier blog post for more detail. In two Notifications issued on September 18 (the WeChat notice is available here, and the ByteDance / TikTok notice is here), the Commerce Department identified a broad set of business-to-business transactions involving WeChat and ByteDance / TikTok that would be prohibited under US law.

Importantly, the timing for these prohibitions is different for each of the two Notifications.

  • The WeChat prohibitions were to take effect on September 20. However, they were temporarily blocked by a preliminary injunction issued by a US federal magistrate judge on September 19. The outcome of this litigation remains uncertain.
  • The limited ByteDance / TikTok prohibitions that were slated to take effect on September 20 were suspended by the Commerce Department until September 27 at 11:59 p.m. Eastern. In a press release issued after the Notifications themselves, the Commerce Department stated that this delay was provided “in light of recent positive developments . . . at the direction of President Trump.” The effective date of most of the ByteDance / TikTok prohibitions as stated in the Notification is not until November 12, 2020, which would align with the 90-day period for divestment of TikTok in the United States that was ordered by the President on August 14. A proposed divestment or other type of partnership to operate TikTok within the United States is currently under review by the Committee on Foreign Investment in the United States (CFIUS). President Trump stated that he has given the most recent proposed deal for TikTok his “blessing,” but the CFIUS process is not yet complete; nor has the deal closed. Commerce’s press release states that “the President has provided until November 12 for the national security concerns posed by TikTok to be resolved. If they are, the prohibitions in this order may be lifted.” The Chinese government has also indicated that any such deal would be subject to its approval as well.

Continue Reading US Commerce Department Identifies Prohibited Transactions Involving WeChat and TikTok