New Articles

UNPACKING US-CHINA SANCTIONS AND EXPORT CONTROL REGULATIONS: HUAWEI


This is the first in a series of articles by Eversheds Sutherland partners Ginger Faulk and Jeff Bialos explaining the legal and regulatory impacts of certain recent US sanctions and export control actions targeting various Chinese entities. Each article focuses on a different aspect of a recent US sanctions or export control regulatory action targeting China and explains in-depth the regulatory context. Recognizing that this is a highly charged political topic, the article does not condone or promote any governmental actions discussed here but is only explanatory in nature.

You undoubtedly will have heard by now that the United States has effectively blocked Huawei’s access to US exports of goods, software and technology, handicapping a giant in the global battle for 5G dominance, upsetting telecom supply chains and setting off a telecom cybersecurity crisis of conscience among many of the world’s developed and developing nations. As a result of Huawei’s designation on the US Department of Commerce’s “Entity List” in May 2019, all companies – no matter where they are – are prohibited under US law from exporting, re-exporting or transferring items that are “subject to the [US] Export Administration Regulations (EAR)” to 152 non-US Huawei affiliates. As a result, hundreds of telecommunication and software companies in third world countries are faced with the binary choice of whether to source technology and software from the United States or to transact business with Huawei.

The US government apparently concluded that this move alone did not work to prevent Huawei from benefiting from US-origin 5G semiconductor technology. Thus, more than a year later, recent rules have expanded the definition of what is “subject to the EAR,” with respect to Huawei specifically, to include offshore semiconductor production based on US technology. The changes to the rule demonstrate how US export controls are evolving to address perceived national security threats in the telecom sector writ large.

All of this is occurring against the backdrop of the US seeking to encourage friends and allies in Europe and beyond to eliminate or at least restrict the role of Huawei in their domestic telecom network infrastructure. This effort is based on concerns over the risk that Huawei theoretically could, at the behest of the Chinese government, either disrupt such infrastructure during periods of exigency or use their access to these platforms to conduct surveillance. In this regard, the new and more restrictive US regulatory approach to Huawei’s access to offshore semiconductor chips appears to have been effective. The UK has reportedly restricted its engagement with Huawei in 5G, apparently as a consequence of supply chain risks resulting from the new US rules, in other words, out of concern that Huawei might not have sufficient access to necessary semiconductor chips to meet the UK’s telecom needs. Whether other US friends and allies will do likewise remains to be seen.

1. The initial Huawei ban

Since May 2019, the Export Administration Regulations have prohibited US and non-US persons and companies from exporting, re-exporting or transferring (in-country), or causing, aiding, abetting or soliciting the export, re-export or transfer of, any item that is “subject to the EAR” to the designated Huawei affiliates.

Items that are “subject to the EAR”[1] include all commodities, software and technology, regardless of their sensitivity, that are:

(a) in the US (even temporarily);

(b) produced in the US; or

(c) exported from the US.

The EAR state further that “items subject to the EAR” include all hardware, software and technology that meet the definition of that term, whether or not the items are listed on the Commerce Control List (CCL) in Part 774 of the EAR. Items subject to the EAR that are not listed in the CCL are designated as “EAR99,” which serves as a catchall category.

Non-US-origin items produced and sold from outside the US also may be subject to the EAR in the following ways:

(a) Under the “De minimis Rule,” non-US items subject to the EAR include items anywhere in the world that contain more than a certain percentage (25% in most cases) US-origin content by value based on fair market price.

(b) Under the “Direct Product Rule,” foreign items may be subject to the EAR if they:

(i) are the direct product of certain “National Security”-controlled US technology or software, or

(ii) are the direct product of a factory or major component of a factory (such as chip manufacturing equipment) that is itself the direct product of specified controlled technology or software.

The Entity List designation created challenges for numerous US companies that are suppliers to Huawei or that afford it access to their technology platforms, such as Google’s Android operating system. Following the BIS designation, some of these US technology companies – including Google, Intel, Qualcomm and Broadcom – announced they would cease doing business with Huawei, effective immediately. Specifically, Google announced it would cut off Huawei’s access to the Google Play Store and to the core components of the Android ecosystem that are built by Google (i.e., not those distributed under the Android Open Source Project (AOSP)). Given that many third-party apps rely on Google Maps, this restricted the offerings of Huawei handsets, especially in the European markets. Chip manufacturers were also forced to shift outside of the US the manufacturing and processing of silicon wafers that would ultimately be sold to Huawei.

Shortly after Huawei’s designation, in response to clamoring by industry, a Temporary General License (TGL) was issued to authorize the continued operation of existing networks and equipment, continued support to existing Huawei personal devices and equipment and cybersecurity research and vulnerability disclosures. It also authorized engagement with Huawei companies for the development of 5G standards. The goal of the TGL was to allow time in which to phase in the application of the designation for US firms with pre-existing arrangements with Huawei and allow them time to plan for an appropriate transition.

2. What was the perceived “loophole” in the rule?

Meanwhile, chipmaking factories outside of the United States, including Taiwan-based manufacturers, apparently continued to fabricate cutting-edge chips for Huawei using certain equipment that was designed, in part, based on US-origin technology.

This is because, for the first year of the rule (until May 16, 2020), whether intentionally or not, chips manufactured outside of the United States – even those designed or produced using US technology – appeared to fall outside of the EAR’s jurisdiction. Indeed, for purposes of determining US content value, the value of technology incorporated into a software or hardware component or used to design chip manufacturing equipment is not valued. As such, the “direct product rule” (prior to May 15, 2020) applied only to certain types of controlled technology to certain countries and did not extend to reexports to China of non-US-manufactured semiconductors not containing US-manufactured components.

3. How did US regulators fill in the loophole?

On May 15, 2020, almost exactly a year after the Entity List ban came into place, a new “footnote 1” was added to the Entity List banning the unlicensed export specifically to listed Huawei entities (but not to others on the Entity List) of a broad spectrum of foreign-produced telecom and computer components and equipment that are (i) the “direct product” of US technology or US software, or (ii) the “direct product” of manufacturing equipment that itself is a direct product of US technology or software. This extended the ban to, for example, semiconductor designs – and chipsets produced from those designs – that are developed on the basis of US software or technology. It also extended the ban to chipsets produced using semiconductor manufacturing equipment, even in Taiwan, if that equipment was designed on the basis of US-origin technology. According to industry experts, this seems to cover almost any chip currently in production. “To prevent immediate adverse economic impacts on foreign foundries utilizing US semiconductor manufacturing equipment that have initiated any production step,” the US provided a 120-day grace period for exports to Huawei of items based on (US-derived) Huawei design specifications as of May 15, 2020.

Under this revised rule, foreign-produced chips are prohibited for export or re-export when there is “knowledge [including awareness of a high probability] that they are destined for re-export, export from abroad, or transfer (in-country) to Huawei or any of its affiliates on the Entity List.” This change threatens to impact Huawei’s access to 5G microprocessors and appears to have caused the UK to rethink the role of Huawei in its developing 5G network. The US work to close the loophole was not yet complete, however…

4. The grip tightens…

The most recent rule change on August 20 ended the Temporary General License and also further tightened the screws on Huawei by clarifying that the ban applies (1) not only when a listed Huawei affiliate is the destination for or receives an item but also whenever it is an indirect party to a transaction involving a subject item, e.g., as a “purchaser,” “intermediate consignee,” “ultimate consignee” or “end-user,” and (2) when the foreign-produced item will be incorporated into or used in the production or development of any part, component or equipment produced, purchased or ordered by a listed Huawei entity. These changes were principally designed to address concerns raised by public commenters that Huawei could continue to procure US-manufactured items through third parties who incorporate the subject US-controlled component into a system that is ultimately sold to Huawei.

Critics of the rule have commented that the new rule will encourage China to develop its own computer and telecom system chips and technologies in order to support Huawei and other Chinese companies that rely on such chips for their products. Others have voiced concerns that – without US security patches and software updates permitted under the TGL – overseas consumers and operators will be vulnerable to severe disruptions and cyber-security risks.

Meanwhile, the global telecom sector is carefully watching countries like Germany, which is deciding the role that Huawei will play in domestic telecoms infrastructure. These decisions will signal whether continental Europe and other US friends and allies in Asia and elsewhere will fall in line behind US efforts to exclude Huawei from global networks – thereby decoupling US-China telecom supply chains. Or alternatively, whether these countries will assert their own “digital sovereignty” and allow Huawei a continued role – with attendant repercussions on their security relationships with the United States.

Meanwhile, the Department of Commerce enjoys the latitude to issue specific export licenses to firms that request to keep supplying Huawei with software or components. The stage is set for the battle to continue as China is reportedly considering retaliatory measures of its own, possibly to include its own export controls.

_______________________________________________________________

Ginger T. Faulk, partner at Eversheds Sutherland, represents multinational companies in matters involving US government regulation of foreign trade and investment. She has extensive experience advising and representing global companies, counseling clients in matters arising under US sanctions, export controls, import and other national security and foreign policy trade-related regulations.

Jeffrey P. Bialos, partner at Eversheds Sutherland, assists clients in making multi-faceted business decisions, structuring transactions and complying with complex regulatory requirements. As former Deputy Under Secretary of Defense for Industrial Affairs, he brings deep experience in defense, homeland security and national security matters, including antitrust, procurement, export controls, industrial security and the Foreign Corrupt Practices Act.

[1] See generally 15 CFR Parts 732 and 734.


Winter 2019 U.S.- China Cybersecurity Update

It is difficult to accurately speculate on the progress of U.S.-China trade negotiations, as media reports on the status of key policy proposals seemingly differ each day depending on the transparency and messaging agenda of the sources involved. However, what has been certain during the winter of 2019 is that major updates to U.S. and Chinese cybersecurity regulations are in the process of being implemented, and these developments stand to set key precedents for the intersection of applicable foreign investment and cybersecurity regulations in the U.S. and China.  

Building on our previous two articles regarding U.S. economic espionage concerns and updated U.S. foreign investment restrictions, this article will provide an overview of notable cybersecurity legislative and investigative developments that will likely dictate the near future of critical facets of U.S.-China relations in the 21st century, including (1) the implementation of China’s revised cybersecurity legislation known as the Multi-Level Protection Scheme (“MLPS 2.0”); (2) the Committee on Foreign Investment in the United States (“CFIUS”) reported investigation into the popular social media app TikTok; and (3) the race to implement 5G infrastructure and ongoing speculation regarding Huawei’s licensing status.

1. Implementation of China’s Multi-Level Protection Scheme (MLPS 2.0)

In 2017, China implemented comprehensive cybersecurity legislation commonly referred to as China’s Cybersecurity Law (“CCL”) in efforts to consolidate authority over and standardize regulation of the internet and cyberspace. The CCL includes strict prohibitions on how companies, particularly U.S. and other foreign companies, can store data and interact online.  For example, the CCL requires that network operators in China cooperate with and provide support to government agencies in support of safeguarding national security, and additional provisions have been passed in recent years under the CCL that provide broad authorizations for law enforcement agencies to inspect and monitor internet service providers and computer network data centers. Foreign companies and human rights organizations have criticized the CCL as regressive legislation that fosters state censorship and surveillance and lacks sufficient privacy protections.

Article 21 of the CCL codified China’s requirements for network operators to implement a cybersecurity “multi-level protection system” that includes mandates to implement and adopt certain technical measures and security protocols to monitor and record network activity. Article 37 imposes certain data localization requirements and requires “critical information infrastructure” operators to store personal information and important data gathered or produced within the mainland territory of China.

On December 1, 2019, MLPS 2.0 will take effect, and will impact how U.S. companies and other foreign companies can do business online and store electronic data in China. A draft of the new regulations was first released in June 2018, and the revised MLPS 2.0 incorporates three information security technology standards that in effect will broaden the Chinese government’s authority, particularly that of the Ministry of Public Security, to proactively supervise, manage, and enforce cybersecurity regulations and restrictions on companies operating in China.

The expanded monitoring and enforcement authorities that MLPS 2.0 provides the Chinese government have provoked increasing privacy concerns for foreign firms, particularly those handling sensitive data. The regulations provide stringent mandates on how foreign companies must secure their networks, utilize local server systems, and cooperate with government authorities. As the new law enters into effect on December 1, 2019, it will be critical for U.S. companies operating in China to understand how the new laws will impact their operations. Companies that store and utilize sensitive personal data, U.S.-regulated technology or technological data, or proprietary intellectual property and trade secrets will have to ensure compliance with both U.S. and Chinese regulations governing privacy, export controls, and cybersecurity.

2. CFIUS Takes on TikTok

We previously provided an overview of the updated CFIUS regulations concerning foreign investment restrictions scheduled to take effect in the U.S. in February 2020. However, that does not mean that CFIUS, the inter-agency committee tasked with the authority to review, modify and reject certain types of foreign investment that could adversely impact U.S. national security, is dormant in terms of its current investigations. In fact, on November 1, 2019, Reuters reported that CFIUS has launched a national security review of the popular social media and video-streaming app TikTok, related to the acquisition of social media app Musical.ly (since rebranded as “TikTok”) by Beijing ByteDance Technology Co. in 2017 for $1 billion. TikTok earlier this year said that approximately 60% of its 26.5 million monthly active users are located in the United States.

U.S. lawmakers first raised national security concerns related to the TikTok platform, particularly its Chinese parent company’s collection of user data and purported censorship of user content.  For example, Senators Chuck Schumer and Tom Cotton sent a bi-partisan letter to the Acting Director of National Intelligence in October voicing concerns over TikTok’s data collection practices, highlighting Chinese laws that “compel Chinese companies to support and cooperate with intelligence work controlled by the Chinese Communist Party.” While it is unclear what the outcome of this particular review will be, it puts a spotlight on the types of industries and practices that CFIUS is currently scrutinizing and provides a useful case study for what types of mitigating measures we may see imposed by the Committee down the road.

The updated CFIUS regulations set to take effect in February 2020 expressly expand the jurisdiction of CFIUS to include reviews of non-controlling foreign investments in companies that store and have access to sensitive personal data of U.S. citizens. But the CFIUS review into TikTok is only the latest investigation by the Committee into burgeoning technology apps that store sensitive personal data. CFIUS has previously targeted the proposed acquisition by the Chinese Kunlun Group of the U.S. dating application “Grindr” for data privacy concerns regarding its individual users, and similarly forced the Chinese digital healthcare company iCarbonX to divest its investment in the U.S. healthcare startup “PatientsLikeMe.”

These recent cases ultimately show that CFIUS is increasingly focused on the protection of the sensitive personal data of U.S. citizens in emerging technological applications, particularly when Chinese investment is involved.  All U.S. companies considering foreign investment will have to take heed of the current and soon-to-be updated CFIUS regulations and increase their due diligence efforts, particularly where Chinese investment is concerned.

3. 5G Supremacy: Timeline on Huawei Restrictions and Licensing Still Unclear

Finally, a critical ongoing area of U.S.-China cybersecurity relations is the debate over the role that China’s telecommunications leader Huawei will have in developing and implementing global 5G technology and data networks. Huawei was placed on the U.S. Department of Commerce “Entity List” over national security concerns in May 2019, which restricts U.S. companies from doing business with it, and a licensing regime was put into place for U.S. companies that seek to engage with Huawei and certain of its subsidiaries. While no such licenses have been issued to date, U.S. Secretary of Commerce Wilbur Ross recently indicated that at least some of the 260 license applications their office has received will be granted and issued shortly.  

U.S. critics believe that allowing Huawei to take the lead on 5G and similar data network equipment will potentially give the Chinese government the ability to collect data of the users of Huawei products. However, Huawei is a global leader in 5G technology, and despite pressure from the U.S. government, countries like Germany, Hungary, and Norway have decided against banning Huawei from their 5G networks. The inherent difficulties and concerns in having the global leader in 5G technology also be closely connected to the Chinese government are an issue that every country seeking to develop 5G infrastructure will have to address, and will likely be a focal point in the U.S.-China trade war as well as in global cybersecurity relations for years to come.

If you have any questions about U.S.-China trade relations as they relate to CFIUS, cybersecurity regulatory compliance, or U.S.-imposed licensing restrictions, please contact a member of Baker Donelson’s Global Business Team below.

____________________________________________________________________
Joe D. Whitley is a shareholder at Baker Donelson and chairs the Firm’s Government Enforcement and Investigations Group. He can be reached at jwhitley@bakerdonelson.com. 

Alan Enslen is a shareholder with Baker Donelson and leads the International Trade and National Security Practice and is a member of the Global Business Team. He can be reached at aenslen@bakerdonelson.com. 

Julius Bodie is an associate with Baker Donelson who assists U.S. and foreign companies across multiple industries with international trade regulatory issues. He can be reached at jbodie@bakerdonelson.com. 

Frank Xue is an associate with Baker Donelson who assists Chinese clients with matters in the U.S. related to foreign direct investments, mergers and acquisitions, and private equity/venture capital. He can be reached at fxue@bakerdonelson.com. 
