June 28, 2023 – In a June 16, 2023 final rule, the U.S. Department of Commerce (“Commerce”) amended its Information and Communications Technology Services (“ICTS”) regulations to better address threats from software installed on personal electronic devices that can collect, process, or transmit data via the internet (“connected software applications”). The new rule, which will become effective July 17, 2023, lays the groundwork for Commerce to become a more active regulator of apps such as TikTok that have allegedly created national security and data governance challenges for the U.S. government.

Background

In Executive Order (“E.O.”) 13873 of May 15, 2019, President Trump declared a national emergency with respect to the threat posed by vulnerabilities in ICTS. Pursuant to that E.O., in January 2021 Commerce published a rule establishing a new ICTS regulatory regime, codified at 15 C.F.R. Part 7, under which the Secretary of Commerce takes a lead role in reviewing ICTS transactions subject to U.S. jurisdiction that have a connection to “foreign adversaries”, defined to include China, Russia, Iran, Cuba, North Korea, and the Maduro Regime in Venezuela. The regulations authorize the Secretary of Commerce to prohibit ICTS transactions or require mitigation of national security concerns they may present.

The Biden Administration allowed the ICTS regulations to take effect in March 2021. President Biden then issued E.O. 14034 on June 9, 2021, which elaborated on E.O. 13873 by identifying increasing use of “connected software applications” linked to foreign adversaries, particularly China, as a specific threat. E.O. 14034 further laid out several new factors for Commerce to consider when reviewing the risks of connected software applications. E.O. 14034 also rescinded the following Trump Administration actions:

  • E.O. 13942 of August 6, 2020, which together with a related action by the Secretary of Commerce on September 24, 2020 prohibited distribution of and provision of various services to TikTok in the United States. Notably, TikTok sued the Trump Administration over these actions, and secured a preliminary injunction based on a showing that the actions likely exceeded the executive branch’s authority to regulate personal communications and informational materials under the International Emergency Economic Powers Act (“IEEPA”), and that the action was “arbitrary and capricious” and should be set aside under the Administrative Procedure Act. The parties ultimately agreed to dismiss the case after E.O. 14034 was issued.
  • E.O. 13943 of August 6, 2020, which together with a related action by the Secretary of Commerce on September 20, 2020 prohibited distribution of and provision of various services to WeChat in the United States. A group of WeChat users sued the Trump Administration over these actions, and secured a preliminary injunction based on a showing that the actions likely violated the plaintiffs’ First Amendment rights. Here also, the parties agreed to dismiss the case after E.O. 14034 was issued. 
  • E.O. 13971 of January 5, 2021, which directed the Secretary of Commerce to regulate transactions involving certain Chinese “connected software applications.” 

On November 26, 2021, Commerce published a notice of proposed rulemaking seeking comments on amendments to the ICTS rule that would implement E.O. 14034. The action of June 16, 2023 integrates Commerce’s responses to the comments received in a final rule.

Changes to the ICTS Regulations

The new rule adds several new definitions to the list of defined terms in the ICTS regulations, including the term “connected software application.” (The definition is similar to the definition of the same term in President Trump’s E.O. 13971.) The new rule also amends the definition of “ICTS” so that the term explicitly references “connected software applications.”

The new rule then amends the ICTS regulations at various points to include reference to connected software applications:

  • 15 C.F.R. § 7.1, “Purpose”, is amended to clarify that the ICTS regulations establish procedures for review of ICTS “including but not limited to connected software applications.”
  • 15 C.F.R. § 7.3, “Scope of covered ICTS Transactions”, is amended to clarify that connected software applications in use by greater than one million U.S. persons at any point over the twelve months preceding a given ICTS transaction are reviewable by Commerce.

Finally, 15 C.F.R. § 7.103, “Initial review of ICTS Transactions”, is amended to include the criteria laid out in E.O. 14034 to guide consideration of the threat posed by an ICTS transaction involving a connected software application, namely:

  • Ownership, control, or management by persons that support a foreign adversary's military, intelligence, or proliferation activities.
  • Use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary's access to sensitive or confidential government or business information, or sensitive personal data.
  • Ownership, control, or management of connected software applications by persons subject to the jurisdiction or direction of a foreign adversary.
  • Ownership, control, or management of connected software applications by persons involved in malicious cyber activities.
  • Whether there is regular, thorough, and reliable third-party auditing of connected software applications.
  • The scope and sensitivity of the data collected.
  • The number and sensitivity of the users with access to the connected software application.
  • The extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties.

Responses to Comments

The final rule contains several notable responses from Commerce to comments received pursuant to the notice of proposed rulemaking.

First, Commerce notes in its discussion of changes to 15 C.F.R. § 7.1, “Purpose”, that the agency considers that E.O. 14034’s purpose is to clarify that connected software applications fall within the existing national emergency under E.O. 13873. In other words, Commerce views its preexisting authority as sufficient to regulate any apps that now would be considered connected software applications. 

With respect to changes in 15 C.F.R. § 7.103, “Scope of Covered Transactions”, Commerce notes that it has added connected software applications to the category of covered ICTS transactions that require use by greater than one million U.S. persons at any point in the twelve months preceding the transaction. In other words, connected software applications in use by fewer than one million U.S. persons will generally not come within the scope of the ICTS regulations. Commerce added that it will consider revisions to this user requirement in the future. 

Next Steps

The new rule clarifies Commerce’s mandate and authority to regulate apps linked to foreign adversaries that gather data of U.S. persons. As the text of E.O. 14034 indicates, the main target of regulatory action is likely to be apps from China.

The added clarity provided by the new rule regarding the scope of the ICTS regulations, as well as the list of factors to consider for assessing the threat of connected software applications, may help Commerce defend any future actions it takes pursuant to the ICTS regulations against challenges in court similar to those mounted by TikTok and WeChat users against the Trump Administration. 

Since the ICTS regulations, as amended by the new rule, still ultimately derive from the President’s authority under IEEPA, the limitations of IEEPA will apply to the ICTS regulations. In particular, since IEEPA prohibits the President from regulating personal communications and informational materials, Commerce may face obstacles enforcing actions under the ICTS regulations against certain apps (including TikTok) that are arguably used to transmit informational materials or for personal communication. Users of such apps in the United States will also generally enjoy First Amendment protections. As a result, the extent of Commerce’s powers under the ICTS regulations will not be clear until tested through litigation.