By Russ Schlossbach, Andrew Updegrove, and Joanna Lee
As we have previously reported to you, the U.S. Department of Commerce Bureau of Industry and Security (BIS) added Chinese 5G technology giant Huawei to its Entity List more than three years ago. The immediate result was the spread of uncertainty and doubt among the hundreds of standards setting organizations (SSOs) in which Huawei participated as well as throughout the multitudes of U.S. companies who participated in those organizations.
The reason was that the rules bar U.S. companies from disclosing a broad array of technology to Entity List companies, which can of course occur during the work of a standards working groups. We have worked with many of our clients to help them adapt their processes in such a way as to allow Huawei to participate without incurring potential liability to U.S. authorities. But uncertainties remained, due to the ambiguity of previous BIS rules, and some clients were forced to take on new processes that they would not otherwise have found to be warranted.
On September 9 the Department of Commerce and BIS have finally released a long-awaited new Interim Final Rule that provides virtually everything we and other commenters have asked for, and in language that in most cases is clear and actionable. While complexities and nuances remain (e.g., relating to the type of technical work being undertaken) that will still require legal analysis, the good news is that the way is clear for most SSOs to allow any Entity List company to fully participate in standards development, as well as in related activities such as conformance assessment.
In order for a release of technology or software to be eligible for exemption under the new rule, all of the following must be true:
1) The technology or software must be designated as EAR99; controlled for AT reasons only on the Commerce Control List; or meet specific requirements relating to the “development,” “production,” and “use” of cryptographic functionality;
2) The “release” of technology or software must be made in the context of a “standards-related activity;” and
3) There must be intent to “publish” the resulting standard. If there is no intent to publish the resulting standard, then a license will still be required.
If you have questions or want to discuss any related issues please contact Russ Schlossbach, Andy Updegrove or Joanna Lee below.
More specifically, the new, immediately effective Interim Final Rule:
- Deletes the previous references to “standards” and “standards organizations,” each of which was linked to the OMB A-119 definitions that mapped in some cases to processes common to traditional SSOs but not consortia. Instead, the new rule refers to “standards-related activity,” focusing on the purpose of the exercise rather than the particular processes used to support that activity. Consortia may therefore no longer concern themselves with conforming to (for example) the ANSI Essential Requirements in order to ensure that they fit within an identified exception category.
- Applies to all standards areas (earlier versions of the rule were said to be considering addressing only information technology standards).
- Covers the entire Entity List and not just Huawei.
- Covers traditional standards-related activities in addition to actual standards development, such as conformance assessment and certification testing.
- Covers the development of various types of software created in support of standards work.
- Exempts standards-related activity for EAR99 and Anti-Terrorism (AT)-controlled technologies and software, including in respect of certain types of cryptographic functionality.
Whether the new rule will benefit a given SSO (and sometimes a given working group within an SSO) will ultimately depend on a number of factual determinations, including the type of technology or software being developed, how and whether the resulting standard is made available to the public, and what (if any) restrictions apply to those who acquire the standard.
Analysis Still Required
While overall the news is good, ambiguities remain. Some examples:
- The Interim rule makes several references to insignificant risks associated with the release of “low-level technology” without addressing where the boundaries may exist for such technology.
- Can a standard made available only to the members of an SSO be considered to be “published?”
While the Interim Final Rule takes immediate effect, the Federal Register Notice announcing its effectiveness invites comments on the rule as released and also and poses four questions on topics where the Agency seeks further guidance (see the end of this post for the list). Comment periods may, but do not always, result in modifications to already released rules.
The upshot is that an SSO will want to do a careful review of all of its in-process and proposed work streams, as well as of its internal rules, to be sure they lie within the bounds of the new rule. But that aside, the long wait is over. SSOs that meet the requirements of the new Interim Final Rule can get back to the work they do best without spending scarce time on needlessly retooling their processes. And U.S. companies can once again help create the best standards possible to enable important new technologies to do their part in assisting the recovery of the world economy.