12 February 2021
What you need to know
What prompted the ICTS rule?
What ICTS transactions are covered by the ICTS rule?
Who is a foreign adversary?
What factors are evaluated in the ICTS transaction review analysis?
What are the review procedures?
What technology sectors are covered by the ICTS rule?
Are any ICTS transactions exempt or excluded?
Is there a licensing process for potential transactions?
What are the next steps?
How does the ICTS rule affect companies?
On 14 January 2021, as one of the last official actions of the Trump administration, the US Department of Commerce (Commerce) issued the Securing the Information and Communications Technology and Services [(ICTS)] Supply Chain interim final rule (ICTS rule), which would establish a structured process by which Commerce can assess certain ICTS transactions between US and foreign persons that pose an undue or unacceptable risk and "involve information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary".
Then-Commerce Secretary Wilbur Ross noted in a recent Commerce press release that:
[a]ggressively securing the ICTS supply chain will protect American citizens and businesses from vulnerabilities that could undermine the confidentiality, integrity, and availability of their personal information or sensitive data by malicious foreign adversaries and those who wish harm on the United States.
In effect, the interagency review process that would be created under the new ICTS rule to screen inbound foreign technology transactions would loosely parallel the one used by the Committee on Foreign Investment in the United States (CFIUS) to screen inbound foreign investments. The provisions of the ICTS rule itself, as issued, would ensure that there is minimal or no overlap between the two screening systems, and the contentious question of where to draw the boundary between the two reportedly led to a bureaucratic battle within the Trump administration between Commerce and the Treasury Department, which delayed the rule's publication.
If implemented by the Biden administration, the ICTS rule would significantly affect companies that have an international nexus in numerous sectors, including:
ICTS companies should note the following:
The ICTS rule was issued pursuant to Trump's 15 May 2019 Executive Order (EO) 13873 (Securing the Information and Communications Technology and Services Supply Chain), in which Trump declared a national emergency with respect to the threat to the national security, foreign policy and economy of the United States by foreign adversaries which are "increasingly creating and exploiting vulnerabilities in information and communications technology and services." The ICTS rule follows the publication of the 27 November 2019 proposed rule (for further details please see "Administration tests waters for unprecedented government review of international technology transactions"). The review process set out in the ICTS rule is principally designed to ferret out ICTS transactions that pose a threat to US national security.
From a broader vantage point, the ICTS rule represents the culmination of a series of actions taken by the US government under the Trump administration to decouple the US information and communications technology infrastructure from telecoms equipment and service providers that the Trump administration and bipartisan majorities in Congress believed might pose a national security risk to the United States. In 2020 Congress enacted the Secure and Trusted Communications Networks Act 2019 (the so-called 'rip and replace' programme), which requires the Federal Communications Commission (FCC) to identify and publish a list of communications equipment and services that pose a national security risk (eg, Huawei equipment) and reimburse providers for the removal and replacement of prohibited equipment and services. On 13 January 2020 the FCC published a final rule (Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programmes) identifying the criteria for types of equipment that will be on the covered communications equipment and services list, which includes anything that Commerce identifies in the course of the ICTS rule.
The ICTS rule seeks to prevent, among other things, a similar future scenario where communications equipment or other technology products and services that pose a national security risk to the United States become widely used and require costly replacement.
EO 13873 grants the Secretary of Commerce broad authority to prohibit "any acquisition, importation, transfer, installation, dealing in, or use of any" ICTS (an 'ICTS transaction') by any person, or with respect to any property, subject to US jurisdiction, when such ICTS transaction:
The ICTS rule defines 'information and communications technology or services' or 'ICTS' as:
any hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.
This broad definition leaves a wide swath of transactions involving computing, cloud computing, data storage and retrieval and telecoms infrastructure open to review.
Under the new screening process that would be established, the interagency review would evaluate – to potentially block or require measures to mitigate – transactions that involve the acquisition, import, transfer, installation, dealing in or use of ICTS by any person, where the transaction:
As noted above, an ICTS transaction can be blocked after review if it:
The ICTS rule retains the definition of 'foreign adversary' in the proposed rule and the EO – namely:
any foreign government or foreign non-government person determined by the Secretary [of Commerce] to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.
The ICTS rule identifies six specific foreign governments and non-government persons as foreign adversaries:
This list of foreign adversaries can be revised by the Secretary of Commerce; updates would be effective immediately on publication in the Federal Register without prior notice or opportunity for public comment.
A 'person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary' includes:
This means that any ICTS designed, developed, manufactured or supplied by a Chinese, Cuban, Iranian, North Korean or Russian corporation (or other legal entity), or a third-country corporation owned or controlled by Chinese, Cuban, Iranian, North Korean or Russian corporations, or citizens or residents of those countries, is at risk for review under the ICTS rule. Between the vast breadth of the ICTS equipment whose transactions could be reviewed and the huge number of predominantly Chinese companies – and subsidiaries of Chinese companies that make ICTS equipment of this kind – the ICTS rule allows Commerce to review and potentially order the removal of Chinese ICTS equipment from US ICTS systems.
To determine whether an ICTS transaction involves ICTS designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary, Commerce would consider:
These criteria allow for an even greater expansion of the scope of ICTS transactions that could be reviewed. US companies that source components from China or other foreign adversary countries or from US companies that are owned by Chinese companies could have their transactions reviewed and blocked.
To determine whether an ICTS transaction poses an undue or unacceptable risk, Commerce would consider:
However, the ICTS rule does not offer any clear-cut standard as to which risks would trigger the blocking of transactions, instead adopting the standards set out in the EO, which include the murky "unacceptable risk to the national security of the United States or the security and safety of United States persons". Which risks are acceptable and which are unacceptable would be determined on a discretionary basis.
The ICTS rule, as issued, allows for federal agencies, including Commerce, to request a review of a transaction to determine whether it is an ICTS transaction covered by the ICTS rule. Commerce would have the power to accept the referral and commence an initial review of the transaction. If it found that the ICTS transaction met the criteria for an undue or unacceptable risk, Commerce would issue an initial written determination and would notify the transaction's parties through a Federal Register notice or by serving a copy of the initial determination. The parties to the transaction would have the option of responding to the initial determination within 30 days of it being served or its publication in the Federal Register. Upon receipt of such a submission, Commerce would consider whether the information provided affects the initial determination. Commerce would issue a final determination on the ICTS transaction within 180 days of accepting a referral and commencing the initial review unless it determined that additional time was necessary. The final determination would state whether the ICTS transaction was:
The ICTS rule, as issued, does not indicate which Department of Commerce office would handle reviews of ICTS transactions.
Commerce broke down the types of technology covered by the ICTS rule into six main categories:
The definition of 'sensitive personal data' in the ICTS rule includes many of the same categories of sensitive personal data as the CFIUS regulations. However, the CFIUS regulations exclude data maintained or collected by a US business concerning employees of the US business and data that is a matter of public record, whereas the ICTS rule does not contain such an exclusion. Therefore, there may be some ICTS transactions involving sensitive personal data that would be covered by the ICTS rule but are not covered by CFIUS.
The ICTS rule, as issued, clarifies that it would not apply to:
an ICTS Transaction that CFIUS is actively reviewing, or has reviewed, as a covered transaction or covered real estate transaction or as part of such a transaction under section 721 of the Defense Production Act of 1950, as amended, and its implementing regulations.
However, transactions separate or subsequent to transactions for which CFIUS has concluded action under Section 721 may be subject to review under the ICTS rule if they are separate from the transaction reviewed by CFIUS.
In addition, Commerce has exempted from ICTS transactions:
In the ICTS rule, as issued, Commerce stated an intention to publish licensing procedures by 22 March 2021 and to implement the licensing process by 19 May 2021. These procedures would provide criteria for seeking a licence to enter into a proposed or pending ICTS transaction or engage in an ongoing ICTS transaction. Parties to a proposed, pending or ongoing ICTS transaction would have the option of seeking such a licence. Reviews of licence applications would be conducted on a fixed timeline, not to exceed 120 days from acceptance of an application. A licence would be deemed granted if Commerce did not issue a licence decision within 120 days from acceptance of an application for one. It is assumed that this intention to issue a proposed licensing process, like the ICTS rule itself, is on hold while it is being studied.
The ICTS rule was slated to take effect on 22 March 2021. However, according to Politico, Commerce has delayed its implementation for now. Commerce's final rule would have addressed additional comments that were due by 22 March 2021, but that will likely be paused as well. Commerce has not yet announced a timeline for its review of the ICTS rule.
It remains to be seen exactly how the Biden administration will treat the underlying EO and the ICTS rule. Its apparent freezing of the ICTS rule does not come as a major surprise. Incoming administrations commonly freeze pending rules in order to conduct their own assessment and sometimes make adjustments. On 20 January 2021 Ronald Klain, the assistant to the president and chief of staff, sent a memorandum to the heads of executive departments and agencies asking them to consider a 60-day postponement of the effective date for any rules that have been published in the Federal Register but have not yet taken effect. The stated purpose of this postponement is to review any "questions of fact, law, and policy the rules may raise". The memorandum also encourages agency heads to consider opening a 30-day comment period for postponed rules to allow for comments on issues of fact, law and policy raised by those rules and further postponing the effective date if the rules raise substantial questions. Here, a 60-day postponement from 20 January 2021 would result in the same effective date (ie, 22 March 2021); however, the reported pause on the ICTS rule could be lengthier.
The Biden administration is expected to continue the relatively assertive approach to China, albeit with a greater emphasis on working with allied countries. The reported delay of this rule's effective date may allow for further narrowing of its scope, which may occur due to the significant impact that the ICTS rule may have on Commerce and industry, as well as the likelihood of substantial additional comments by the public.
If implemented as written, the ICTS rule would significantly affect companies that have an international nexus in numerous sectors, including:
In addition, the ICTS rule would cover a large swath of ICTS transactions and give the Secretary of Commerce great discretion in determining whether a transaction should be prohibited or permitted subject to mitigation measures. Critically, in addition to a large number of Chinese and Russian companies already caught within the proposed rule, the Secretary of Commerce would have the discretion to designate additional foreign adversaries without notice and with immediate effect.
ICTS companies should therefore be prepared to review their transactions closely in order to identify the equipment, software and technology that may fall under the scope of the ICTS rule, if it is implemented as issued. The docket for commenting on the ICTS rule is still open and interested companies should consider submitting comments now to highlight to the Biden administration the ways in which the rule might be unduly burdensome as written. Further, companies are advised to submit further comments if the ICTS rule is revised by the Biden administration and an additional comment period is opened, as expected.
For further information on this topic please contact David Hanke, Sylvia G Costelloe or Aman Kakar at Arent Fox LLP's Washington DC office by telephone (+1 202 857 6000). Alternatively, contact Marwa M Hassoun at Arent Fox LLP's Los Angeles office by telephone (+1 213 629 7400). The Arent Fox LLP website can be accessed at www.arentfox.com.