On March 7, 2023, a bipartisan group of US Senators introduced legislation that would enhance the ability of the executive branch to restrict information and communication technology ("ICT") products and services linked to countries the United States considers foreign adversaries. The bill, entitled the Restricting the Emergence of Security Threats that Risk Information and Communications Technology Act ("RESTRICT Act"), is the latest development in a long-running effort in Washington to restrict Chinese ICT products and services that may pose a national security threat. The House of Representatives is considering legislative options of its own, and the Executive Branch is continuing its efforts under current legal authorities.
The Senate’s RESTRICT Act
The RESTRICT Act would expand upon existing regulations to create a regulatory system to investigate, restrict, and prohibit both transactions by, and financial holdings in, ICT entities that are related to "foreign adversary" countries. The legislation would incorporate the existing Information and Communications Technology and Services ("ICTS")1 regulations and direct the Secretary of Commerce to take action against ICT transactions, and would provide authority to expand those regulations to have broader scope. In addition, to restrict or prohibit holding an interest in certain ICT entities, the Secretary of Commerce would make recommendations to President Biden for action, and the president would decide whether to act and what action to take. This proposed approach is similar in structure to the Committee on Foreign Investment in the United States ("CFIUS").
The bill lists the People’s Republic of China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela, under the Nicolás Maduro regime, as the initial list of "foreign adversary" countries. The Secretary of Commerce may expand or narrow the list based on certain criteria. The bill defines a "covered transaction" as any "acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology product or service," including ongoing activities such as managed services, data transmission, software updates, repairs, or the provision of data hosting services, in which (i) a foreign adversary, (ii) an entity subject to the jurisdiction of, or organized under the laws of, a foreign adversary ( a "foreign entity"), or (iii) an entity owned, directed or controlled by a foreign adversary or foreign entity, has an interest of any kind. An entity includes any government or organizational structure, but does not include a natural person, which is a narrower scope than the existing ICTS regulations.
The legislation directs the secretary to prohibit, restrict or mitigate covered transactions that "pose an undue or unacceptable risk" to the United States or United States persons. The undue or unacceptable risks include sabotage; subversion; catastrophic effects on critical infrastructure or the digital economy; interference in institutions, elections, and regulatory decisions; or other threats to national security or the safety of United States persons. The bill expands on the ICTS regulations by applying coverage to past transactions and adding interference in elections, institutions and regulatory decisions to the list of risks. Like the ICTS regulations it prioritizes for review products and services used in critical infrastructure, telecommunications, and other technologies that are considered to have serious national security implications.
In contrast, the new authority provided by the RESTRICT Act to address "covered holdings" applies to a smaller set of ICT entities. Specifically, the legislation would only permit the Secretary of Commerce to recommend to the president that he prohibit or restrict the holding of certain financial or management interests in an "ICTS covered holding entity" that owns, controls or manages ICT products or services that have not less than 1 million U.S.-based annual active users at any point during the year prior to recommendation or that have sold not less than 1 million units to persons in the U.S. prior to the recommendation. The financial or management interests that may be prohibited or restricted are those holdings that have the power, directly or indirectly and whether exercised or unexercised, to direct or decide important matters of the ICTS covered holding entity and that are held, directly or indirectly, by a foreign adversary, a foreign entity, or an entity owned, directed or controlled by a foreign adversary or a foreign entity. The Secretary of Commerce is directed to "identify and refer to the President" covered holdings if the secretary determines that those holdings pose an undue or unacceptable risk to the national security of the United States or the safety and security of United States persons. The president has 30 days to decide if a covered holding poses such a risk, and, if so, announce any mitigation measures or compel divestment of the covered holding with respect to any operations or assets in the United States, assets used to support or enable use of the product or services in the United States, and any data obtained or derived from use in the United States.
The legislation would provide expansive enforcement authorities, establish significant penalties for violations, provide exemptions from the Administrative Procedure Act, and set limits on judicial review. The bill also includes an expedited mechanism for Congress to overrule any determination by the Secretary of Commerce to designate a country as a foreign adversary or to remove a country from the foreign adversary list.
The RESTRICT Act is sponsored by ten Democratic and ten Republican senators, led by Senators Mark Warner (D-VA) and John Thune (R-SD), demonstrating broad bipartisan support. Upon introduction, it was referred to the Senate Commerce Committee, a committee with a reputation for bipartisan work and on which eight of the sponsors sit. The White House has been engaged with the development of the legislation and endorsed the RESTRICT Act immediately. A statement issued by National Security Advisor Jake Sullivan said Congress should pass the legislation quickly and send it to President Biden. Secretary of Commerce Gina Raimondo also similarly praised the legislation and promised to work with Congress to advance it.
The House of Representative’s DATA Act
A similarly motivated bill, the Deterring America’s Technological Adversaries Act ("DATA Act"), was introduced in the House of Representatives and approved by the House Foreign Affairs Committee in early March 2023.
The DATA Act takes a different approach from the RESTRICT Act. The DATA Act would amend the International Emergency Economic Powers Act ("IEEPA") to remove "sensitive personal data" as defined in the ICTS regulations2 from the "Berman amendment" that exempts information and informational materials from IEEPA. It then directs the Secretary of the Treasury to prohibit United States persons from engaging in any transaction with any person that the secretary determines knowingly provides or may transfer sensitive personal data subject to the jurisdiction of the United States to any foreign person that is subject to the jurisdiction, direction, ownership, control or influence of the Government of China.
The bill would also establish new sanctions for certain uses of "connected software applications," which are defined as software "that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the Internet." The DATA Act directs the president to sanction under IEEPA any non-United States person or entity who knowingly "operates, directs, or otherwise deals in" a connected software application is subject to the jurisdiction, control, or influence of the Government of China and is reasonably believed to have been or may be used to facilitate or contribute to China’s military, intelligence, censorship, surveillance, cyber or information campaigns. The bill directs similar action against any foreign person who knowingly interferes in an election in the U.S. or an allied democratic country, or acts to steer United States policy and regulatory decisions in favor of China’s strategic objectives, as well as any foreign person who facilitates, assists, is owned or controlled by, or has acted on behalf of a person engaged in any of the listed activities.
Finally, the bill would empower the chairman or ranking member of certain Congressional committees to request that the president determine and report to Congress whether a foreign person meets the criteria under the DATA Act for a directive by the Secretary of the Treasury (for transfer of sensitive personal data) or for sanction by the president under IEEPA.
The DATA Act presently lacks bipartisan support. If either bill advances to the other chamber, the two chambers will have to reconcile the different approaches to arrive at a final bill to send to the president.
Executive Branch works to restrict Chinese ICT products and services
Since the Trump Administration, the Executive Branch has been exploring ways to ban or otherwise restrict Chinese ICT entities through both IEEPA and CFIUS. In 2019, President Trump issued Executive Order 138733 to declare a National Emergency and direct the Secretary of Commerce to adopt regulations to address ICT vulnerabilities. Upon taking office, President Biden issued a new executive order maintaining the National Emergency and expanding the guidance to the Secretary of Commerce regarding ICT vulnerabilities.4
In January 2021, the Secretary of Commerce issued the ICTS rule, which the Commerce Department began developing in response to Executive Order 13873. Under the rule, the Secretary of Commerce can prohibit certain ICT transactions initiated, pending or completed after January 19, 2021 that involve "foreign adversary" countries and pose an undue or unacceptable risk under the criteria in Executive Order 13873. Since the ICTS rule went into effect, there has been no public announcement of any enforcement action under the rule. Limitations of the ICTS rule’s underlying IEEPA authority, such as the Berman Amendment (a 1988 addition to IEEPA that prevents the president from blocking the trade of information or informational materials5), could be limiting the rule’s use. The RESTRICT Act could be a solution to these challenges. It would independently authorize the ICTS rule and expand it to allow targeting past, present and future transactions involving ICT products and services, as well as establishing new and broader risk assessment categories and by removing the need for continued National Emergency declarations.
The other potential avenue for addressing some of the US government’s concerns with Chinese ICT companies is CFIUS, which has existing authority to undo investment transactions. This route, however, would not address broader US Government concerns about other ways foreign technology companies may be operating in the United States. The narrow scope of CFIUS has prompted Congress and the Executive Branch to focus on developing tools like those in the RESTRICT Act and ICTS rule. CFIUS’ existing powers however raise the question of how the Executive Branch will decide which tool to use. The RESTRICT Act addresses the potential overlap by directing the Secretary of Commerce to address coordination with CFIUS in implementing the Act and specifying that the president may not compel the divestment of a covered holding that was ordered as mitigation under CFIUS.
The Senate’s RESTRICT Act, as introduced, can be found here.
1 See 15 CFR Part 7 for the current ICTS rule: https://www.ecfr.gov/current/title-15/subtitle-A/part-7.
2 See 15 CFR § 7.2: https://www.ecfr.gov/current/title-15/subtitle-A/part-7/subpart-A/section-7.2.
3 Executive Order 13873 of May 15, 2019, "Securing the Information and Communications Technology and Services Supply Chain".
4 Executive Order 14034 of June 9, 2021, "Protecting Americans' Sensitive Data From Foreign Adversaries".
5 See 50 U.S.C. § 1702(b): https://uscode.house.gov/view.xhtml?req=(title:50%20section:1702%20edition:prelim).
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2023 White & Case LLP