- Consumer Financial Protection Bureau Unveils Proposals for Financial Data Rights Rule
- First BIPA Trial Results in $228 Million Judgment against Defendant
- Recent DOJ ADA Web Accessibility Guidance Creates Compliance Questions, not Answers
- New Presidential Directive for Foreign Investment Reviews of U.S. Technology and Data Companies
- FTC Launches “Commercial Surveillance and Data Security” Rulemaking
- Cybersecurity Disclosures Required by the SEC’s Recently Proposed Rules
- The Future is Now: Data Subject Requests in 2023
- FTC Scrutinizes Children’s Privacy Issues Involving Education Technology
- Utah Becomes the Fourth State to Enact a Comprehensive Privacy Law
- Courts Requiring General and Professional Liabilities Policies to Respond to Cyberattacks
- State Privacy Law
- Data Privacy
- Financial Institutions
- National Security
- Website Accessibility
- Cyber Insurance
- Data Breach
- Infosec Plan
- U.S. Law
- Workplace Privacy
- Vendor Management
- SHIELD Act
- Denise M. Barnes
- Michael Baumert, CIPP/US
- Sara J. Brundage
- Brandy Bruyere, NCCO
- Daniel S. Elkus
- Angela I. Gamalski
- Emily E. Garrison
- Jewel M. Haji
- Michael P. Hindelang, CIPP/US, CIPM
- Karl A. Hochkammer, CIPP/US
- Matthew Keuten
- Molly K. McGinley
- Ahmad H. Sabbagh
- Jad Sheikali, CIPP/US
- Jenna R. Simon
- Steven M. Wernikoff
- Mahja D. Zeon
- November 2022
- October 2022
- September 2022
- August 2022
- June 2022
- May 2022
- April 2022
- March 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- April 2020
- March 2020
Legal developments in data, privacy, cybersecurity, and other emerging technology issues
Over the last few weeks, the federal government has issued a number of trade sanctions and restrictions targeting the People’s Republic of China. These include prohibitions on investments in certain companies deemed to be Chinese military companies, and further restrictions on any business relationships with an entity connected to Huawei. This article discusses certain new restrictions with significant data, privacy and cybersecurity implications.
Last week, the U.S. Department of Commerce (“Commerce”) proposed sweeping restrictions on imports or use of software and IT hardware produced by, in, or licensed from a person located in or under the control of China (including Hong Kong), Russia, Iran, Cuba, North Korea or the Maduros regime of Venezuela. On January 19, 2021, Commerce issued an Interim Final Rule targeting all business transactions deemed ICTS Transactions (as defined below) by U.S. companies sourcing information technology supplies and services deemed ICTS (as defined below) from designated “foreign adversaries”, specifically China and Hong Kong, Cuba, Iran, North Korea, Russia and Venezuela. Pending review by the incoming Biden administration, this Interim Final Rule will be effective March 22, 2021, and will require Commerce review and approval for certain technology transactions which could pose an undue or unacceptable risk to national security.
The technology restrictions focus on any hardware or software system that a third party could exploit to compromise the security or integrity of communications, infrastructure or sensitive personal data of U.S. persons or companies. Transactions include not only M&A transactions but also ongoing business transactions or even routine software updates. Such transactions will be subject to review by Commerce, which is currently on a voluntary basis, but may be required for certain critical infrastructure sectors as defined below under “Covered ICTS Transactions”. Transactions authorized under a U.S. government-industrial security program and transactions involving personal hardware devices, such as handsets, will not be subject to particular scrutiny.
This reporting is distinct and separate from the investment and acquisition review conducted by the Committee for Foreign Investment in the United States (“CFIUS”). Business transactions which are covered transactions subject to review before the CFIUS are likewise not subject to this Interim Final Rule. Violations of this Interim Final Rule are subject to the maximum civil and criminal penalties under International Emergency Economic Powers Act (“IEEPA”).
- ICTS: hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.
- ICTS Transactions: any acquisition, importation, transfer, installation, dealing in, or use of any integral information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.
- Covered ICTS Transactions: There are six categories of ICTS Transactions which may be reviewed by Commerce under this Interim Final Rule:
- Integral to businesses in a critical infrastructure sector as established under Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience:
- Chemical Sector
- Commercial Facilities Sector
- Communications Sector
- Critical Manufacturing Sector
- Dams Sector
- Defense Industrial Base Sector
- Emergency Services Sector
- Energy Sector
- Financial Services Sector
- Food and Agriculture Sector
- Government Facilities Sector
- Healthcare and Public Health Sector
- Information Technology Sector
- Nuclear Reactors, Materials, and Waste Sector
- Sector-Specific Agencies
- Transportation Systems Sector
- Water and Wastewater Systems Sector
- Wireless and fiber optic networking devices and applications;
- Advanced technical systems such as artificial intelligence, machine learning, quantum computing, drones, autonomous systems, or advanced robotics.
- Software, hardware, or services (including VPN) that processes, uses or retains sensitive personal data on more than 1 million U.S. persons, or a related hosting, cloud-storage, or content delivery service;
- Hardware with U.S. sales of more than 1 million units per year; or
- Internet-based communications software or apps with more than 1 million U.S. users.
More regulatory action to follow:
Pending Biden administration review, the proposed new import restrictions will be effective March 22, 2021 and can apply to any Covered ICTS Transaction happening on or after January 19, 2021. While the Biden administration has issued a freeze for any new or pending regulations or rules issued prior to noon, January 20, 2021, the Office of Management and Budget may exempt any rule for national security purposes. Therefore, while the status of this rule and the precise timing of its implementation may be in flux, it is likely to become effective in relatively short order.
Commerce has committed to publishing procedures to allow parties to a proposed, pending or ongoing ICTS Transaction to voluntarily seek a pre-approval and obtain a license for a transaction, which would not otherwise undermine U.S. national security. This process would be similar to the CFIUS “safe harbor” that may be obtained for foreign direct investments or foreign buyer acquisitions.
Companies operating in a critical infrastructure sector or developing advanced technical systems should begin review of their supply chain for any integral technological products or services sourced from a designated foreign adversary. These restrictions may need to be considered as part of legal diligence for client matters involving a business or M&A transaction in any of the above-listed critical infrastructure sectors.
For more information or to discuss how this rule will impact your business, contact your regular Honigman attorney.
Angela Gamalski is a regulatory compliance attorney who is a member of the firm’s Corporate Department. She advises firm clients regarding a variety of trade and international regulatory and transactional matters. Her areas of ...