On November 26, the US Department of Commerce (DOC) issued a proposed rule to implement Executive Order 13873 (Executive Order on Securing the Information and Communications Technology and Services Supply Chain) that could have far-reaching consequences for certain transactions involving information and communications technology and services (ICTS). The proposed rule covers a wide variety of transactions and would give DOC significant discretion to review, prohibit, or require mitigation for such transactions. The public comment period, initially set to close on December 27, has been extended to January 10, 2020, after which DOC will review submitted comments before taking further action.

Review Criteria:

In evaluating a given transaction, the Secretary of Commerce and other enumerated US government officials will consider five specific criteria, including whether:

  • the transaction is “subject to the jurisdiction of the United States;”
  • the transaction involves property in which a foreign country or foreign national has an interest, including a contractual interest for the provision of a technology or service;
  • the transaction was initiated, pending, or incomplete as of May 15, 2019;
  • the transaction involves ICTS “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary;” and
  • the transaction: “(1) poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; (2) poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or (3) otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.”

The term “foreign adversary” is defined to mean “any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons for the purposes of Executive Order 13783.” The Federal Register notice containing the proposed rule notes that while DOC invites comments on all aspects of the rule, “the determination of a ‘foreign adversary’ for purposes of implementing the Executive Order is a matter of executive branch discretion ….” This broad language would allow the US government to identify governments – such as Iran, North Korea, or possibly even China – as “foreign adversaries,” and also would allow for such determinations to target individual companies. In this sense the proposed rule has the potential to result in yet another US government list of parties with whom US persons are in some way restricted from doing business.

The proposed definition for the term “information and communications technology or services” is quite broad, and would include “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display.” While certain products and services would clearly fall within this definition there is likely to be a significant array of products and services for which the situation is less clear.  For example, it is unclear how passive components designed for use in communications devices would be treated.

The term “transaction” is also broadly defined to include “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service.”  Because of the existence of legal regimes already covering exports (such as the Export Administration Regulations and International Traffic in Arms Regulations) and foreign investment (the Committee on Foreign Investment in the United States), it seems likely that this new DOC procedure would be utilized primarily in situations involving the importation into the United States of a covered good or service. However, given the broad drafting of the term “transaction” it is also possible the proposed rule would overlap with situations covered by preexisting regimes and it is not clear which regime would take precedence in such situations, or whether parties would need to navigate both regimes simultaneously.

Adding to the uncertainty over the scope is the rule’s assertion that DOC will “not issue an advisory opinion or a declaratory ruling with respect to any particular transaction.”

In short, then, under the proposed rule, if a US company were found to be engaged in a transaction – including a transaction for the “use of” – any ICTS from a “foreign adversary,” it is possible that the US government could prohibit, require mitigation of, or even require unwinding of, the transaction. The parties would have no ability to go to DOC to seek an advisory opinion or declaratory ruling in advance, nor would they even be advised that DOC was reviewing the transaction until a preliminary determination had been made, as described in more detail below.

Mechanics of Review Process:

As drafted, the review process would occur on a case-by-case basis with no general classes of ICTS being excluded or included. An “evaluation” may be commenced at the discretion of the Secretary of Commerce, at the request of a number of other department or agency heads, or based on information submitted to DOC by private parties.

If a preliminary determination is made that a transaction should be prohibited or mitigated, DOC will provide written notice to the parties (again, under the proposed rule DOC is not required to notify the parties in advance). The parties will then have 30 days to submit information in opposition to the preliminary determination.

The Secretary of Commerce has 30 days to review any submitted information, after which the Secretary may: (1) determine the transaction is prohibited, (2) determine the transaction is not prohibited, or (3) “require measures and specific timeframes to mitigate risks identified during an evaluation as a precondition of approving a transaction that may otherwise be prohibited.” The proposed rule does not elaborate as to the types of mitigation that DOC might require.

Emergency Action Provision:

Of particular note is the short but potentially important section of the proposed rule on “emergency action,” which states that while DOC generally intends to follow the proposed rule, in situations “when public harm is likely to occur if the procedures are followed or national security interests require it” the Secretary of Commerce may “vary or dispense with any or all of the procedures set forth in this part.” Use of this emergency action provision appears to be at the discretion of the Secretary, as no specific emergency criteria are listed other than potential “public harm” or “national security interests.”

Key Takeaways:

While much of the impact of this proposed rule will ultimately depend on how it is interpreted and implemented by DOC, the proposed rule as drafted is quite broad and, if robustly implemented and broadly interpreted, would have a significant impact on a wide variety of both US and non-US companies. As currently drafted, it may be difficult for companies to determine when a particular transaction is likely to implicate the rule, and parties to such a transaction would only receive notice and an opportunity to respond after a preliminary determination had been made. The above described emergency action provisions would also allow DOC to proceed without such procedural protections in certain circumstances. Companies who believe their business may be impacted by the proposed rule may wish to submit a comment to DOC pursuant to the extended comment period that now runs through January 10, 2020.