Executive Order Imposes New Compliance Obligations on Parties to Transactions Involving Information and Communications Technologies

May 16, 2019 Advisory

On May 15, President Trump issued an Executive order declaring a national emergency with respect to the threat posed by “foreign adversaries” seeking to exploit vulnerabilities in U.S. information and communications technology infrastructure and services. The “Executive Order on Securing the Information and Communications Technology and Services Supply Chain,” which comes amidst heightened trade tensions with China, presents considerable new challenges and complications for U.S. companies dependent on Chinese information or communications technology. In particular, the order will require U.S. businesses to implement new compliance strategies as they race to adopt fifth-generation, or 5G, networking technology.

The order broadly prohibits U.S. companies from acquiring, importing, transferring, dealing in, or using any information and communications technology or service “where the transaction involves any property in which any foreign country or a national thereof has any interest,” if the Secretary of Commerce has made the following determinations: (1) the transaction involves information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a “foreign adversary”; and (2) the transaction (a) poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; (b) poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or (c) otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.  

China is clearly the primary target of the order, though not expressly identified as such.  On the same day the order was issued, the Department of Commerce added Chinese telecommunications giant Huawei Technologies Co. Ltd. to its “Entity List” on the grounds that that Huawei “is engaged in activities that are contrary to U.S. national security or foreign policy interests.” As a result, U.S. companies are now prohibited from exporting equipment to Huawei without a license, with license applications subject to a presumptive policy of denial. In addition, the order follows and supplements a 2018 law, included in the Defense Authorization Act, that banned the U.S. government and government contractors from using equipment manufactured by Huawaei and fellow Chinese telecommunications company ZTE Corporation. Finally, the order defines “foreign adversary” as “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons” – a definition that closely corresponds to U.S. Government intelligence and law enforcement assessments regarding Chinese government threats to the U.S. supply chain.

In addition to authorizing the Secretary of Commerce to block transactions of the nature described above, the order empowers the Secretary to designate specific countries and companies as “foreign adversaries” and to identify certain technologies that warrant particular scrutiny under the order.  The Secretary may also direct when and how U.S. businesses must cease using such technologies, and may establish procedures for licensing otherwise-prohibited transactions. The Secretary must publish regulations implementing these new authorities within 150 days of the order.

The ultimate impact of the order on business operations will be determined by the final form of implementing regulations and practical experience, but there is little question that the order will result in significant new compliance obligations for U.S. businesses. Even with a framework of published rules in place, regulatory uncertainty is likely to persist; like the U.S. sanctions on Russia, the order draws its legal authority in part from the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), and, if the Russia sanctions are any guide, U.S. businesses may find that compliance with the order is complicated by the fact that even the most well-intentioned rules are easier to follow in theory than in practice. At a minimum, forward-thinking U.S. businesses considering transacting with foreign companies in the information or communications technology space should begin to develop compliance processes that front-load due diligence on the ownership structures of prospective counterparties and the relationships between prospective counterparties and their home (or other foreign) governments.

Businesses can begin to prepare now for these new regulatory obligations and can implement new compliance processes by working with experienced legal counsel.