Overview
On January 19, 2021, the Department of Commerce published an Interim Final Rule (the “Rule”) setting out a more detailed regulatory structure to implement Executive Order 13873, which authorizes Commerce to prohibit or otherwise regulate transactions involving information and communications technology or services (“ICTS”) with a nexus to “foreign adversaries” that pose an “undue or unacceptable risk” to US national security. See also our post on the predecessor proposed rule. The stated purpose of the Rule, which bears some resemblance to (though differs in many ways from) the foreign investment review and mitigation process administered by the Committee on Foreign Investment in the United States (“CFIUS”), is to protect US national security through a focus on the ICTS supply chain.
The Rule identifies for the first time the following as covered “foreign adversaries”:
- China (including Hong Kong)
- Russia
- Cuba
- Iran
- North Korea
- “Venezuelan politician Nicolás Maduro (Maduro Regime)
- Critical Infrastructure: ICTS used in sectors designated as critical infrastructure pursuant to Presidential Policy Directive 21, which covers a broad array of sectors, including chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems, and water and wastewater systems;
- Networks and Satellites: software, hardware, and any other product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- or short-haul networks;
- Sensitive Personal Data: software, hardware, or any other product or service integral to data hosting or computing services that uses, processes, or retains, or is expected to use, process, or retain, sensitive personal data on greater than one million US persons at any point over the twelve months preceding an ICTS transaction;
- Monitoring and Home Networking Devices, Drones: surveillance or monitoring devices (e.g., sensors and webcams), home networking devices (e.g., routers and modems), and drones or any other unmanned aerial system, where greater than one million units have been sold at any point over the 12 months prior to the ICTS transaction;
- Internet/Telecommunications Software: software designed primarily for connecting with and communicating via the Internet that is in use by greater than one million US persons at any point over the twelve (12) months preceding an ICTS transaction; and
- Emerging Technology: ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robots.
- Those in the ICTS sector may wish to prepare for the possibility of potentially significant restrictions affecting the goods and services they use or provide (and other risks, such as information requests from Commerce). Mapping out potential risk areas may be a good starting point.
- Stakeholders may wish to comment on the Rule by March 22, 2021.
- Parties engaged in proposed, pending, or ongoing ICTS transactions may benefit from availing themselves of the Commerce Department’s forthcoming licensing process.
- While it is possible the Rule may be paused and potentially reconsidered, we would expect some form of regulation of this type to move forward. The trend toward regulating a broader scope of activity involving non-US technologies impacting US national security has bipartisan support and, while the details may change, the direction of travel is clear.