Pursuant to Executive Order 13959, as amended by E.O. 14032, the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned eight additional Chinese companies for operating as part of the Chinese Military-Industrial Complex (CMIC) and supporting human rights abuses against the Uyghur population in Xinjiang under China’s biometric surveillance apparatus. The Commerce Department’s Bureau of Industry (BIS) imposed corresponding Entity List sanctions on 34 parties in China and six companies in other countries.

The following Chinese technology companies were added to OFAC’s “Non-SDN Chinese Military-Industrial Complex Companies List” (“NS-CMIC List”):

• Cloudwalk Technology Co., Ltd.;
• Dawning Information Industry Co., Ltd.;
• Leon Technology Company Limited;
• Megvii Technology Limited;
• Netposa Technologies Limited;
• SZ DJI Technology Co., Ltd.;
• Xiamen Meiya Pico Information Co., Ltd.; and
• Yitu Limited.

The NS-CMIC sanctions restrict the ability of U.S. persons to purchase or sell publicly traded securities or derivatives in the above entities. Note that the 50 percent rule does not apply to entities on OFAC’s NS-CMIC List, meaning that only named entities are subject to these restrictions.

Of the 40 new entries to BIS’s Entity List, 34 pertain to entities located in China, three to entities located in Georgia, one to an entity located in Malaysia, and two to an entity located in Turkey, with three of the entities being located in multiple destinations. The eight Chinese firms listed above are on BIS’s Entity List, and the final rule adds the following four Chinese entities previously identified under E.O. 13959:

• Aerosun Corporation;
• Changsha Jingjia Microelectronics Company Limited;
• Fujian Torch Electron Technology Co., Ltd.; and
• Inner Mongolia First Machinery Group Co., Ltd.

Citing national security and foreign policy concerns, BIS’s Entity List additions target an array of firms determined to have made efforts to support the modernization and enhancement of Chinese and Iranian military capabilities. Such efforts include the purported use of biotechnology processes to support China’s development of brain-control weaponry, as well as the actual or attempted provision of U.S.-origin items to China and Iran. Notably, BIS’s final rule also revises Huawei Technologies Co., Ltd.’s entry to add three additional aliases under one of its affiliated entities, Huawei Marine Networks:

• HMN Technologies;
• Huahai Zhihui Technology Co., Ltd.; and
• HMN Tech.

U.S. and non-U.S. exporters are generally prohibited from transferring goods, software, or technology subject to the U.S. Export Administration Regulations to listed entities without first obtaining a U.S. export license. BIS will review such requests under a “presumption of denial” licensing policy.

Please contact our sanctions and export control team with any questions about ensuring compliance with these latest developments.

The new E.O. resets the U.S. government’s approach to ICTS by ordering a review of the national security threats posed by software applications that collect Americans’ sensitive personal and business data and by foreign adversaries’ access to large repositories of U.S. person data. New restrictions are likely following that review, and companies that rely on software applications owned or managed by companies linked to China or other potential foreign adversaries, should closely watch developments in this space.

New reports on “unacceptable or undue risks” posed by foreign adversary-connected applications

The E.O. directs the Directors of National Intelligence and Homeland Security to provide threat and vulnerability assessments to the Secretary of Commerce. In turn, the Commerce Department will draft two reports on foreign adversary-connected software, defined as software that has the ability to collect, process, or transmit data over the internet. The reports will recommend actions to protect against harm from the sale of, transfer of, or access to U.S. persons’ sensitive data, including personally identifiable information, personal health information, and genetic information. In addition, the Commerce Department will recommend additional actions to address risks associated with software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.

Several criteria indicate national security risk of ICTS applications

Building on the criteria to assess national security threats listed in E.O. 13873, the new E.O. lists several factors that will be considered when evaluating the risks posed by foreign adversary-connected software, including:

• ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
• use of the connected software applications to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
• ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
• ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
• a lack of thorough and reliable third-party auditing of connected software applications;
• the scope and sensitivity of the data collected; the number and sensitivity of the users of the connected software application; and
• the extent to which identified risks have been or can be addressed by independently verifiable measures.

These criteria will inform the U.S. government’s decision-making framework to adopt a “rigorous, evidence-based” analysis to address risks posed by ICTS transactions involving foreign adversary-connected software.

Further action on ICTS applications likely

Although yesterday’s E.O. rescinds the previous E.O.s dealing with Chinese mobile applications, new restrictions on Chinese and other software that collect large amounts of sensitive U.S. person data are likely to flow from the Commerce Department’s forthcoming report and recommendations, which are expected within 180 days. Furthermore, the E.O. provides the Commerce Department with authority to restrict transactions and business activities that may:

• Pose a risk of sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of ICTS in the United States;
• Pose a risk of catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States; or
• Otherwise pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.