In a first of its kind action, the US Department of Commerce has begun a rulemaking process to prohibit or impose conditions on certain transactions involving foreign technology used in so-called “connected vehicles” or “CVs,” as defined below for automotive applications.

The measure, announced by Commerce on February 29, 2024 in a press release and an advanced notice of proposed rulemaking (ANPRM), is Commerce’s first attempt to cover a class of transactions under the Department’s Information and Communications Technology and Services (ICTS) rules.

The ICTS rules, contained at 15 CFR Part 7, were first issued in 2021, but Commerce has not yet implemented or used the rules to cover a particular class of transactions. However, Commerce recently created a new Office of Information and Communications Technology and Services (OICTS) within the Bureau of Industry and Security (BIS) and appointed the first ever director of that office (see additional detail here). Those measures, coupled with the ANPRM on CVs, suggest that Commerce has ramped up its efforts in this area and is becoming increasingly active in its use of the ICTS rules. It is all but certain that the ANPRM on CVs is just the first example of industries to be targeted, and we expect to see similar efforts in relation to other high-priority industries going forward.

Comments on the ANPRM are due by April 30, 2024. Commerce will likely publish a proposed rule after reviewing public comments on the ANPRM and provide an additional opportunity to comment on the proposed rule at that time.

About the ICTS Rules

The ICTS rules authorize Commerce to review and, if necessary, prohibit or impose mitigation on any ICTS transaction involving any acquisition, importation, transfer, installation, dealing in, or use of ICTS by a person, or with respect to property, subject to United States jurisdiction, when the transaction involves property in which any foreign country or a national thereof has an interest and ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a “foreign adversary.”

Foreign adversaries are currently defined to include China (including Hong Kong), Russia, Cuba, Iran, North Korea, and the Maduro regime in Venezuela. Entities falling within that definition are referred to by BIS as “15 CFR 7.4 entities” (referring to the regulatory provision that describes those entities).

The BIS rules authorize Commerce to act with respect to a specific transaction or to a broader “class of transactions,” as is the case here.

For additional information on the ICTS rules, please see our prior blog post here.

ANPRM on CVs

The ANPRM explains that “BIS is considering proposing rules that would prohibit certain ICTS transactions or classes of ICTS transactions by or with persons who design, develop, manufacture, or supply ICTS integral to CVs” and are 15 CFR 7.4 entities. BIS is also considering allowing market participants to engage in otherwise prohibited transactions if they can demonstrate that any national security risks can be “sufficiently mitigated using measures that are monitorable.”

The ICTS rules cover not only transactions that directly involve a foreign adversary, but transactions with any foreign person involving ICTS that is designed, developed, manufactured, or supplied by a person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary. However, the ANPRM suggests BIS may be taking a narrower approach to this rulemaking by prohibiting transactions only if they involve “persons who design, develop, manufacture, or supply ICTS integral to CVs and are owned by, controlled by, or subject to the jurisdiction or direction of foreign governments or foreign non-government persons identified at 15 CFR 7.4” (emphasis added). That language could be read as suggesting BIS will not seek to prohibit transactions with foreign persons that are not 15 CFR 7.4 entities even if they involve ICTS that is designed, developed, manufactured, or supplied by such an entity. This is likely something BIS will need to clarify in the proposed rule or final rule.

BIS is considering defining CV to mean “an automotive vehicle that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.” It adds, “Such a definition would likely include automotive vehicles, whether personal or commercial, capable of global navigation satellite system (GNSS) communication for geolocation; communication with intelligent transportation systems; remote access or control; wireless software or firmware updates; or on-device roadside assistance.” That definition is quite broad and would seemingly include nearly all recently manufactured vehicles. However, the ANPRM indicates BIS is open to other definitions and to other terms besides “connected vehicles.” The proposed definition in the ANPRM appears focused on road vehicles, rather than air or sea vehicles.

The ANPRM explains that BIS is concerned with a wide-range of national security risks. For example, with respect to sensitive data, BIS is concerned about the potential access by foreign adversaries to data related to the vehicle itself (such as its travel history and current location), vehicle occupants, and communications between the vehicle and other vehicles or infrastructure. BIS is also concerned about the ability of foreign adversaries to effectively take over or disable a vehicle or, at a minimum, certain systems within a vehicle. The ANPRM examines these and other risks in detail, and suggests that BIS is concerned about these risks currently, but is also concerned about features such as self-driving modes that will become increasingly common in the future.

The ANPRM seeks comment on 35 distinct questions ranging from key definitions to national security risks to economic impact.

A Sign of Things to Come

As noted above, the ANPRM is the first time BIS has sought to implement restrictions on a class of transactions under the ICTS rules, but it is unlikely to be the last. As the office continues to staff up and develop internal processes and procedures, it seems likely it will target additional classes of transactions in the future.

While the ICTS rule is limited to ICTS falling within one of six enumerated categories, those categories are so broad that, in practice, BIS has significant discretion to target a wide range of industries and classes of transactions. For example, one of the six categories is ICTS “used by a party to a transaction in a sector designated as critical infrastructure by Presidential Policy Directive 21.” President Policy Directive 21 lists 16 sectors, including very broad sectors such as “information technology,” “transportation,” “communications,” and “commercial facilities,” among others.

***

For assistance in submitting a comment on the ANPRM or any matters related to the ICTS rules please contact a member of our Export Controls Practice or National Security Practice.