ICTS Investigations: The Commerce Department's New Tool

Back in May 2019, the Trump Administration issued Executive Order 13873, which was meant to police the use of certain information and communications technology and services (ICTS) purchased from "foreign adversaries." Then, on the day before the Trump Administration left office in January 2021, the U.S. Department of Commerce (Commerce) issued interim regulations intended to secure ICTS supply chains (ICTS Interim Rule).

There was much speculation as to whether the Biden Administration would utilize this new tool or if it would simply be pushed aside as another turn away from Trump-era policies. However, with no adjustments by the Biden Administration, the ICTS Interim Rule went into effect on March 22, 2021.¹ In fact, the Biden Administration embraced the concept even before the new regulations took effect. On March 17, 2021, Commerce issued subpoenas to multiple Chinese companies seeking information about their ICTS operations in the United States.

ICTS Rule Overview

Under the ICTS Interim Rule, Commerce can prohibit or otherwise restrict, on a case-by-case basis, certain acquisition and use transactions (including individual commercial sales) that 1) were initiated, pending or completed on or after Jan. 19, 2021; 2) involve ICTS and 3) were "designed, developed, manufactured, or supplied" by a person under the control of, owned by or subject to the jurisdiction of a "foreign adversary." At present, named "foreign adversaries" include China (including Hong Kong), Cuba, Iran, North Korea, Russia and Venezuela. The list, however, is not static and may be reviewed and revised at the discretion of the U.S. Secretary of Commerce (Secretary).

Changes from Proposed Rule and Continuing Barriers

Unlike the proposed rule, the procedural flaws of which were addressed in a previous Holland & Knight alert (see "Proposed ICTS Supply Chain Review Regime Raises Procedural Concerns," Dec. 26, 2019), the ICTS Interim Rule has a more defined and limited scope — applying to transactions with six specific, named "foreign adversaries" that involve an ICTS hardware, software or technology product from one of six sectors. Importantly, the ICTS Interim Rule also:

• develops review protocols
• defines key terms (e.g., "undue or unacceptable" risk)
• develops a mechanism for parties to request a meeting with Commerce officials following an initial determination (which the Secretary of Commerce can decline, at his or her discretion)
• confirms that the Secretary can consider mitigating factors when evaluating a ICTS Transaction risk, and
• sets a clock on Commerce's review, generally requiring the final determination be issued within 180 days of the review's commencement²

In some respects, however, the ICTS Interim Rule retains the overly inclusive nature of the proposed rule. By way of example, the Secretary continues to be able to scrutinize U.S. persons' acquisition or use of ICTS, such as cloud and network management or data storage, in all industries.

Transactions Subject to Review

An "ICTS Transaction" covers acquisitions, transfers, installations, import and dealings in or use of ICTS that occurred on or after Jan. 19, 2021, as well as ongoing activities such as transmissions, software updates, platforming or data hosting for consumer downloads, and managed services. Therefore, even if the underlying contract was entered into before Jan. 19, 2021, installation of subsequent software updates may be reviewable as a new, separate ICTS transaction.³

To trigger the review process, the ICTS transaction must meet certain criteria. First, the ICTS must fall into one of the following six product and technology categories.

1. Critical Infrastructure: ICTS transactions in one of the 16 critical infrastructure sectors identified in and any subsectors or subsequently designated sectors, which includes, but is not limited to information technology and communications sectors and has overlap with, but is not a direct replica of covered investment critical infrastructure sectors identified by the Committee on Foreign Investment in the United States (CFIUS)
2. Network Infrastructure: ICTS that is integral to software, hardware, or any other product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- and short-haul systems
3. Data Hosting or Computing of Sensitive Personal Data: ICTS that is integral to data hosting or computing services that engage with sensitive personal data⁴ on greater than 1 million U.S. persons at any point in the 12 months prior to an ICTS transaction (readers familiar with the CFIUS review process will note that the ICTS Interim Rule's definition of personal data generally tracks that offered by CFIUS)
4. Popular Surveillance and Monitoring Devices, Home Networking Devices: If 1 million units of such item at issue have been sold to U.S. persons at any point in the 12 months prior to an ICTS transaction
5. Popular Communications Software: Software designed primarily for connecting with and communicating via the internet that is in use by greater than 1 million U.S. persons at any point in the 12 months prior to an ICTS transaction, including desktop, mobile, web-based and gaming applications, or
6. Emerging Technology: ICTS that is integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems or advanced robotics

Second, the ICTS product must be sourced (i.e., supplied, developed, manufactured or designed), by a person controlled by, owned or subject to the direction or jurisdiction of a named "foreign adversary" — at present, China (including Hong Kong), Cuba, Iran, North Korea, Russia or Venezuela. To put into context, to determine whether a non-Chinese entity is controlled by China, the Secretary may considers factors such as whether the non-Chinese entity or its suppliers conduct key operations (e.g., research and development, manufacturing, testing and distribution) in China, or have key personnel, employees, consultants or contractors in China.

Transactions Not Covered by ICTS Interim Rule

Only two transaction types are not covered by the ICTS Interim Rule:

1. acquisition transactions involving ICTS items authorized under a U.S. government-industrial security program
2. transactions reviewed or being reviewed by CFIUS

Proceed with caution, however, as Commerce retains the authority to review an ICTS transaction if it is separate from, and subsequent to, a transaction that CFIUS reviewed. Therefore, CFIUS review related to a particular ICTS, by itself, does not constitute a safe harbor for future transactions involving the same ICTS.

Further, although Commerce has not explicitly excluded them, it has indicated that transactions involving ICTS hardware devices such as handsets will not be of particular interest to the agency.

Mechanics of Commerce's Review and Penalties

Commerce can initiate a review unilaterally (i.e., at the Secretary's discretion), or at the referral of an appropriate agency head or a private party (e.g., industry competitor). Commerce's review will generally last 180 days, from day of acceptance to final determination, and will begin with Commerce evaluating a non-exhaustive list of 10 criteria to answer one threshold question: Is the ICTS transaction likely to pose an "undue or unacceptable risk" to U.S. national security?

• If it likely does not, Commerce will terminate the review without prejudice, meaning the agency can revisit the transaction should additional information come to light.
• If it likely does, Commerce, in interagency consultation with other appropriate agencies (including, but not limited to, the U.S. Department of the Treasury, the Office of the U.S. Trade Representative and the U.S. Department of State), will determine whether the ICTS transaction actually poses an undue or unacceptable risk, looking at the same 10 non-exhaustive criteria, and serve its initial determination.⁵ Interestingly, Commerce has a choice in how it serves the parties — either through publication in the Federal Register or via more traditional routes such as U.S. registered mail, electronic mail, etc.

Commerce's initial determination will 1) explain the agency's basis for prohibiting the transaction or imposing mitigating measures thereon and 2) allow parties 30 days to comment. If the parties respond, Commerce must commence another interagency consultation round to consider any new evidence or argument. If the parties fail to respond, Commerce can proceed without further interagency consultation. Commerce will then publish its final determination, either permitting, prohibiting or imposing mitigating measures on the transaction, in the Federal Register. No further administrative appeals process is available, and violations of Commerce's final determinations or imposed mitigation measures can result in severe criminal and civil liabilities (up to $307,922 or twice the value of a transaction per violation).

Conclusion and Next Steps

Given bipartisan support for decreasing dependence on China in critical supply chains and the Secretary's own statements that ICTS sourced from China warrant increased scrutiny, it is anticipated that a healthy number of Commerce's reviews will have a China nexus.⁶ For advice on how the ICTS Interim Rule may impact your operations or for assistance in commenting on the preclearance and licensing procedures by April 28, 2021, please reach out to the experienced attorneys in Holland & Knight's International Trade Group.

Notes

¹ Securing the Information and Communications Technology and Services Supply Chain, 86 Fed. Reg. 4913 (U.S. Department of Commerce, Jan. 19, 2021).

² However, the Secretary may unilaterally extend that deadline if he or she determines additional time is necessary.

³ Commerce explains that any subsequent act or service with respect to an ICTS transaction, such as installation of software updates is an ICTS transaction on the date that the service or update is provided.

⁴ Sensitive personal data includes personally identifiable information collected by a U.S. business operating in a specific area and results of individual genetic testing.

⁵ However, the Secretary may unilaterally extend that deadline if he or she determines additional time is necessary.

⁶ Press Release, U.S. Department of Commerce, U.S. Secretary of Commerce Gina Raimondo Statement on Actions Taken Under ICTS Supply Chain Executive Order(March 17, 2021).

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.