When multiple industry groups join efforts to push back on regulations proposed by the US Department of Commerce (“Commerce“), it likely means two things: first, the topic is highly relevant to many US businesses, and second, the proposed regulations need further refining.
Many trade associations and businesses expressed concerns with the highly anticipated proposed regulations issued by Commerce on November 26, 2019 (“Proposed Regulations“) to implement Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain,” dated May 15, 2019 (“Executive Order 13873“). Executive Order 13873 does not name a specific country, but China and, specifically, the Chinese telecommunications company Huawei Technologies Co., Ltd., is a likely target of this action, reflecting long-standing U.S. government national security considerations relating to China and the tech sector.
Most US businesses, including those buying information and communications technology and services (“ICTS”) overseas, will need to re-evaluate their supply chain arrangements and policies to comply with the Proposed Regulations. As written, the Proposed Regulations make it challenging for businesses to respond to the Proposed Regulations’ requirements due to their vagueness. Below we summarize the background of the Proposed Regulations and the industries’ heated responses, and outline some specific compliance challenges.
Summary of Proposed Regulations
Executive Order 13873 provides the Secretary of Commerce (“Secretary“) with unprecedented authority to block or restrict certain transactions involving ICTS. Any ICTS transactions that are ongoing as of May 15, 2019 or were initiated on or after that date may be targeted if they (1) originate in countries designated as “foreign adversaries,” (2) pose an “undue risk” to critical infrastructure or the digital economy in the United States, or (3) pose an “unacceptable risk” to US national security or the safety of US persons. In addition, the definitions of “ICTS” and “transaction” are broad and could cover a wide range of technology and services, including the purchase or use of a consumer electronic device produced by a foreign company.
Under the Proposed Regulations, Commerce has great discretion in determining which transactions it has the authority to block or restrict. It may initiate reviews of virtually any ICTS-related transactions unilaterally or at the request of other government agencies or credible private parties without notifying the parties to the transaction until it makes a preliminary determination. There is no option for advisory opinions or declaratory rulings. In making its determinations on whether to block or restrict transactions, Commerce will consider a number of factors, including the laws and practices of the foreign adversary, equity interest, access rights, seats on a board of directors or other governing body, contractual arrangements, voting rights, and control over design plans, operations, hiring decisions, or business plan development.
Violations of final determinations could result in a civil penalty up to $302,584 per violation, adjusted for inflation, or an amount that is twice the value of the relevant transaction. Under the Proposed Regulations, the penalized party would be able to petition for reconsideration to the Secretary, who would review the petition and issue a final decision within 30 days.
Industry Groups’ Response
Commerce received comments on the Proposed Regulations from more than 60 industry groups, companies, and individuals during the public comment period, which ended on January 10, 2020. This included telecommunications service providers, Internet and digital service providers, and vendors and equipment manufacturers – as well as industries that may not immediately come to mind as potentially impacted, such as film and television as well as the satellite industry. The wide range of industry groups demonstrates that nearly all industries are potentially affected by the Proposed Regulations.
While the industry groups generally agree that securing the ICTS supply chain is an important national security matter, they seem to share one major concern – that the Proposed Regulations, due to unprecedented breadth and overreach, vagueness, and lack of due process, would, if implemented, fail to address national security threats while jeopardizing US businesses’ established supply chains, supplier relationships, and competitive advantage. We set out below the major concerns expressed by the industry groups in their comments.
- Unprecedented discretion by Commerce. Many industry groups express that prohibiting private sector transactions is an extraordinary remedy that should be narrowly tailored. The broad scope of the Proposed Regulations authorizes Commerce to prohibit or modify nearly every transaction in US commerce. IBM notes that, “as currently drafted, it authorizes the Commerce Department to prohibit or unwind any U.S. company’s ‘use’ of ICTS from any foreign person, which is deemed to pose ‘an undue risk’ to ‘the digital economy of the United States.’ In practice, very little U.S. commercial activity today does not touch the digital economy. [..] In its current form, the Proposed Regulations would seem to cover the purchase or use of nearly any piece of IT equipment or any IT service, by any U.S. person.”
- Lack of clarity. To better tailor the scope of the Proposed Regulations, the essential terms need to be clarified or redefined. The definitions key to the scope of the proposal, such as ICTS, “transaction,” “undue risk,” “unacceptable risk,” and “interest,” are either undefined or defined so broadly that any determinations pursuant to the Proposed Regulations would arguably be vague and arbitrary.
Much of the lack of clarity stems from Commerce’s choice to avoid designating, providing criteria for, or even crafting exemptions from, the determination of “foreign adversaries.” Some groups, such as the Satellite Industry Association, request that Commerce identifies specific entities rather than whole countries when designating foreign adversaries.
- Lack of due process. The Proposed Regulations do not set out sufficient accountability and transparency measures. The Secretary has full discretion in deciding whether and how to evaluate a transaction. This, combined with the lack of clarity explained above, and the absence of a notice requirement for commencement of the review, would not allow US companies to evaluate what ICTS transactions may come under review and, once they do, when the parties should expect the result of the review. The Computing Technology Industry Association further suggests that Commerce should provide for an opportunity to request an advisory opinion and a preclearance mechanism to provide certainty and improve compliance.
Commerce may review the transactions virtually at any time in the transaction’s life cycle and even prohibit an activity after it has occurred. The looming risk of government intervention would likely negatively affect transaction structure and project development. The Semiconductor Industry Association notes that Commerce’s processes should include “a license, authorization, or some other form of safe harbor to engage in a proposed transaction with comfort that the Secretary will not later alter or unwind the transaction days, months, or years after the fact.”
- Potential economic harm to US businesses and transactions with foreign counterparties. The U.S. Chamber of Commerce refers to “significant uncertainty for U.S. businesses” that could result from the Proposed Regulations, potentially “disrupting global supply chains and making investment and sourcing decisions very difficult.” Under the Proposed Regulations, US businesses would bear high costs as they modify the existing business relationships with suppliers and vendors, as well as potentially unwind transactions, harming US competitiveness and technology leadership. Non-US parties may be reluctant to enter into transactions with US companies due to the risk of review by Commerce. The outcome could be a “U.S. technology sector necessarily designed-out and ultimately isolated from the rest of the world,” states the National Foreign Trade Council.
- Disregarding the existing national security regimes. The Proposed Regulations fail to recognize pre-existing national security and supply chain security initiatives, says the Telecommunications Industry Association, including the Foreign Investment Risk Review Modernization Act that expands the authority of the Committee on Foreign Investment in the United States to review a broad range of technology and other transactions and other relevant initiatives.
Compliance Challenges and Next Steps
The Proposed Regulations would present major compliance challenges for US businesses if implemented as proposed. Companies would likely need to create new supply chain-related compliance programs or modify their existing programs in order to respond to the requirements set out by the Proposed Regulations. For example, companies may consider putting in place safeguards against engaging in transactions that may involve ICTS and originate in countries designated as “foreign adversaries” without first conducting a risk assessment, though the broad and vague nature of the Proposed Regulations would make it challenging to know where to draw the line. With limited definitional guidance, businesses would likely struggle to address these requirements in their supply chain management and compliance programs. Given the extensive nature of comments submitted by the industry groups, the next step for Commerce could be the issuance of a supplemental notice of proposed rulemaking to clarify and narrow the scope of the proposal, to identify covered and excluded transactions, to provide proper due process protections, to ensure interagency collaboration, and to define more robust procedures for Commerce’s review, appeals, and mitigation. In the meantime, while the Proposed Regulations might be modified before they are issued as a final rule, Commerce is sending a clear message to US businesses that ICTS supply chain compliance programs are expected to become more robust and may need to be expanded to comply with the new requirements. Companies should ensure they are able to identify and understand each link in their ICTS supply chains, including suppliers, components, materials, factories and products, to put them in a better position to identify and mitigate risks quickly once Commerce moves forward with a final rule. We continue to monitor this process.