On November 26, 2019, the US Department of Commerce (Commerce) released a Notice of Proposed Rulemaking (NPRM) seeking public comment within 30 days on a new national security review process for information and communications technology. Contrary to some expectations, the rule does not have immediate effect and does not designate Huawei or any other entity as being subject to prohibitions. The new process would be similar to that of the Committee on Foreign Investment in the United States (CFIUS), but with a potentially enormous scope that extends to any acquisition or use of communications technology with a foreign nexus. Further, Commerce would have the authority to prohibit, require mitigation measures, or order the unwinding of a transaction. Comments on the NPRM are due on December 27, 2019. 

Key takeaways are:

New National Security Review Process: Similar to the CFIUS and Team Telecom processes, Commerce is seeking to establish a national security review process that could have a significant impact on companies operating in the United States. The breadth of companies potentially subject to Commerce’s review is vast, and Commerce’s authority to block, require mitigation, or unwind a transaction is largely discretionary. The NPRM articulates only a minimal review process, leaving open a number of questions about how the process will work, protections afforded to entities subject to review, and any priority areas for enforcement.

Evolving Review Process: Issuing the guidance as an NPRM and specifically seeking comment on a number of critical areas suggests that Commerce is open to entertaining recommendations and critiques from the private sector. Just as the prospect of a new national security process is daunting for companies, the burden of administering a new and high-profile program will be challenging for Commerce. Recommendations that would make the review process more palatable for both Commerce and the private sector are likely to be well received. 

Volatility in US Approach Towards China: The NPRM comes on the heels of a number of government actions involving Huawei and China, and what ultimately emerges from the rulemaking process will be affected by developments in the trade negotiations. Huawei continues to be unable to procure most U.S. goods following its placement on the “Entity List,” notwithstanding Commerce’s recent extension of the Temporary General License and granting of a limited number of specific licenses. Unlike the circumstances with ZTE, there is no sign that Huawei is actively engaging with Commerce to resolve its placement on the Entity List, and Huawei has signaled that it intends to proceed without such U.S. supply. At the same time, a number of senior administration officials, including National Security Advisor Robert O’Brien, have advocated for increased pressure on Huawei and China, and on November 22, the Federal Communications Commission prohibited the use of Universal Service Funds to purchase Huawei and ZTE equipment. All this leads to an unsettled state of affairs and suggests that Commerce is seeking further time for these matters to get closer to resolution.

Supply Chain Executive Order

The rule would implement the May 15, 2019, Executive Order on Securing the Information and Communications Technology and Services Supply Chain (Supply Chain Executive Order), which prohibited information and communications technology transactions that pose an undue or unacceptable risk to national security. In the Supply Chain Executive Order, the President declared an emergency pursuant to the International Emergency Economic Powers Act (IEEPA) and prohibited any transaction that involves an information and communications technology or service “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction of a foreign adversary” that the Secretary of Commerce determines:

  1. Poses an undue risk of sabotage to, or subversion of, the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;
  2. Poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or
  3. Otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.

The NPRM, echoing the Executive Order’s definition, defines “foreign adversary” as “any foreign government or foreign non-government person determined by the Secretary to have engaged in a long term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.”

As in the Executive Order, the definition of transaction in the NPRM is broad and includes “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service.” The NPRM clarifies that the prohibitions potentially apply to any transaction that takes place after May 15, 2019, “regardless of when any contract applicable to the transaction was entered into, dated or signed, or when any license, permit, or authorization applicable to such transaction was granted.” Further, “[t]ransactions involving certain ongoing activities, including but not limited to managed services, software updates, or repairs, would constitute transactions that [were] completed on or after May 15, 2019.”

Evaluation Process

The NPRM provides that a review process can be initiated:

  1. At Commerce’s discretion;
  2. Upon request of another department, agency, or governmental body, including the Federal Acquisition Security Council; or
  3. In response to information provided to Commerce by private parties. 

In determining whether a transaction involves an information and communications technology or service designed, developed, manufactured, or supplied, by persons ‘owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,’ [Commerce] will consider a number of factors, including, but not limited to the laws and practices of the foreign adversary; [sic] equity interest, access rights, seats on a board of directors or other governing body, contractual arrangements, voting rights, and control over design plans, operations, hiring decisions, or business plan development.”

When Commerce makes a “preliminary determination” that a transaction constitutes a national security risk based upon the criteria in the Executive Order, it will “when consistent with national security,” provide written notice to the parties of the transaction. That notice will include “an explanation of the basis for such preliminary determination to the extent such explanation can be provided consistent with national security.” A party receiving a notice will have 30 days to submit “an opposition and information in support of such opposition to the preliminary determination or information on proposed measures for mitigation.” Commerce will take into account any comments it receives from the parties and issue a final determination no later than 60 days from the time it provided the notice of the preliminary determination.

The NPRM also contemplates a mechanism by which Commerce may consider “any referral, or materials that are filed while an evaluation is progress, concerning transactions of the same or related class and raising similar issues.” It is not clear from the text of the NPRM whether preliminary evaluations will be made public or how other entities with information “concerning transactions of the same or related class” will be become aware that they can provide information for Commerce to consider.

The final determination by Commerce will “be in writing and shall describe whether the transaction is prohibited; the transaction is not prohibited; or an otherwise prohibited transaction is permitted pursuant to the adoption of mitigation measures.” “Any determination to permit an otherwise prohibited transaction based on mitigation measures shall also provide a description of the mitigation measures adopted. A final determination shall be sent to the parties of the transaction by registered U.S. mail.” The NPRM notes that Commerce may also make the final determination available to the public, “as appropriate.”

Commerce may reevaluate a transaction previously reviewed “if circumstances, technology, or available information has materially changed.” The NPRM also notes that the Secretary of Commerce reserves the authority to take emergency action to block a transaction, and may vary or dispense with any or all of the procedures articulated in the guidance in doing so. 

Classes of Transactions

The Supply Chain Executive Order authorizes Commerce to exempt certain classes of transactions from review or to prohibit entire classes of transactions. The NPRM does not make any determinations with respect to these authorities and specifically seeks public comment on instances where Commerce should consider categorical exemptions or prohibitions. 

Maintenance of Records

The NPRM anticipates that the review of any transaction will require the preservation and disclosure of relevant documents. Although the NPRM acknowledges that it expects parties engaging in any transaction subject to the Supply Chain Executive Order to maintain records “in a manner consistent with the recordkeeping practices used in their ordinary course of business,” it also notes that “[a]ny parties notified that a transaction is being evaluated” should “immediately take steps to retain any and all records relating to such transaction.” “Information received [during the evaluation process] from agencies of the U.S. Government, state, local, tribal, or territorial governments, or business confidential or other trade secret information will not be made available for public inspection except as otherwise required by law.”

Penalties

The NPRM provides that penalties may apply to parties who fail to comply fully with a prohibition or mitigation measure. Any person who:

violates, attempts to violate, conspires to violate, or causes a violation of any determination, regulation, prohibition, or other action issued under this part, or makes any false or misleading representation, statement, or certification, or falsifies or conceals any material fact, either directly to the Department of Commerce, the Bureau of Industry and Security, United States Customs and Border Protection, or an official of any other United States agency, or indirectly through any other person in the course of any action under this part may be liable to the United States for a civil penalty up to $302,584,1  as adjusted annually for inflation under 15 CFR 6.5, or an amount that is twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed.

Similarly, if a person violates a material provision of a mitigation measure, they can be fined U.S. $302,584 or the value of the transaction (as opposed to twice the value of a transaction for violating the underlying prohibition). A person subject to a penalty “may, within 15 days of receipt of the notice of the penalty, submit a petition for reconsideration to the Secretary, including a defense, justification, or explanation for the penalized conduct.” “The Secretary will review the petition and issue a final decision within 30 days of receipt of the petition.”

Public Comment

In addition to general feedback on the rule, Commerce is specifically seeking public comment on the following issues:

  1. Are there instances where Commerce should consider categorical exclusions from potential review?
  2. Are there classes of persons whose use of information and communications technology and services could “never violate the Executive Order?"
  3. What measures would be appropriate to mitigate any national security concerns with information and communications technology transactions?
  4. What procedures should Commerce employ to monitor compliance with any mitigation measures or developments that would render those mitigation measures ineffective or obsolete?
  5. How should Commerce interpret “dealing in” and “use of” with regard to the definition of “transaction?”
  6. Should commerce impose additional recordkeeping requirements for information related to transactions potentially subject to the Supply Chain Executive Order?

Conclusion

Commerce’s NPRM is the latest development in an increasingly complex information and communications technology regulatory environment. With national security, economic, and technology priorities increasingly intertwined and in tension, volatility should be expected in this space. The Commerce telecom supply chain rules warrant particular attention as they could set the foundation for a broad new regulatory regime with significant consequences for companies manufacturing and relying upon information and communications technology.

Footnotes

1.The civil penalty for a violation of IEEPA was established in statute as US $250,000 in 2007 (see 50 U.S.C. § 1705) and is adjusted for inflation pursuant to the Federal Civil Penalties Inflation Adjustment Act of 1990.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.