BIS Expands Export Controls over Biotechnology Software with Implications for CFIUS Mandatory Filing Requirements
On October 5, 2021, the Bureau of Industry and Security (“BIS”) issued a final rule formally expanding its controls over the export of biotechnology software. The final rule adds a new Export Control Classification Number (“ECCN”) to the Export Administration Regulations’ (“EAR”) Commerce Control List (“CCL”) — ECCN 2D352 — restricting exports of software related to certain nucleic acid assemblers and synthesizers. It also amends ECCN 2E001 to control technology used to develop software controlled under the new ECCN. This final rule is part of BIS’s effort to evaluate and control various emerging technologies, and it results in extensive licensing requirements on the newly controlled software and technology. Moreover, the changes to the CCL highlight the direct connection between the export control and the Committee on Foreign Investment in the United States (“CFIUS”)1 regulatory regimes.
Changes Under the Final Rule
The final rule makes two changes to the CCL to implement a decision made earlier in 2021 by the Australia Group (“AG”), a forum of 42 countries (including the United States) and the European Union that maintain multilateral export controls on items that could be used in chemical and biological weapons programs. First, the final rule adds ECCN 2D352 to control software designed for certain nucleic acid assemblers and synthesizers2 that is capable of designing and building functional genetic elements from digital sequence data. The software is controlled for chemical and biological weapons (“CB”) reasons — and thus requires a license to be exported, reexported, or transferred to or in most countries. Anti-terrorism (“AT”) controls and U.S. embargo restrictions applicable to virtually all items on the CCL also apply. The software, however, will not generally require a license to destinations located in countries participating in the AG.
Second, the final rule amends ECCN 2E001 — which controls technology for the development of most equipment or software in CCL Category 2 (Materials Processing) — to add technology for the development of software controlled by ECCN 2D352. Like the software itself, such technology is controlled for CB and AT reasons. Thus, development technology controlled under ECCN 2E001 will now require a license for export, reexport, or transfer to or in most countries.
The final rule also includes a “saving clause” that will permit certain exports to proceed if the new controls remove eligibility for export under previously applicable license exceptions or “no license required” (“NLR”) status. First, the new license requirements will not apply to certain shipments that were substantially underway on October 5, 2021, so long as the export event is completed before midnight on December 6, 2021. Second, deemed exports of technology and source code may continue under previously applicable license exceptions or NLR status before midnight on December 6, 2021.
Expansion of Export Controls Over Emerging Technologies
This final rule is not surprising. The Export Control Reform Act of 2018 (“ECRA”) defines emerging technologies as those technologies essential to the national security of the United States and not yet defined as a critical technology under ECRA.3 ECRA requires the U.S. President, in coordination with the Secretary of Commerce, Secretary of Defense, Secretary of Energy, Secretary of State, and heads of other federal agencies as appropriate, to identify emerging technologies through an interagency process that takes into account the foreign development of these technologies and the effect of export controls on their development and proliferation to foreign countries. ECRA further requires the Secretary of Commerce to establish appropriate controls over these technologies under the EAR, including proposing that identified emerging technologies be added to the relevant multilateral export control regimes.
On November 19, 2018, BIS identified biotechnology as a representative category of emerging technology.4 In accordance with ECRA, BIS issued a proposed rule on November 6, 2020, identifying software for the operation of nucleic acid assemblers and synthesizers already controlled under ECCN 2B352.j as an emerging technology warranting control due to its capability to be used in the production of pathogens and toxins.5 The lack of controls over the software presented a risk that the software “could be exploited for biological weapons purposes.”6 The proposed rule gave the public notice of its intent to add this software to the CCL, and invited public comment on these changes.
The final rule also reflects the decision made earlier in 2021 by the AG to add this software and technology to the AG Common Control List for dual-use biological equipment. The final rule implementing a multilateral agreement therefore demonstrates a global effort to control this type of software and technology.
Impact on CFIUS Requirements
These new controls highlight the interplay between export control regulations and CFIUS requirements. As we previously discussed here, in 2020, the U.S. Department of Treasury amended regulations under the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”), which expanded CFIUS’s jurisdiction to include non-controlling, non-passive investments in U.S. businesses engaged in certain activities involving critical technologies, critical infrastructure, or sensitive personal data (“TID U.S. Businesses”). Thus, this reform broadened CFIUS’s jurisdiction to include not only transactions which could result in control by foreign persons, but also foreign investment in TID U.S. Businesses that will result in any amount of equity or contingent equity if the foreign investor will receive (1) access to material non-public technical information; (2) board member or observer rights; or (3) involvement in substantive decision-making pertaining to the relevant technology, infrastructure, or data.7 Further, a mandatory CFIUS filing is now required for any foreign investment in a TID U.S. Business when that business produces, designs, tests, fabricates, or develops “critical technologies” for which U.S. regulatory authorization would be required to export, reexport, transfer (in-country), or retransfer the technology to a foreign person.8 In other words, “critical technologies” for the purpose of CFIUS mandatory filing requirements are generally defined by export control classifications. The addition of ECCN 2D352 and modification of ECCN 2E001 result in new software and technology that are now deemed “critical technologies” under CFIUS regulations. This in turn broadens CFIUS’s reach because more businesses will now be subject to heightened scrutiny by CFIUS and mandatory filing requirements if they accept foreign investment.
What This Means for You
It is important for companies to carefully consider whether and how these new regulations apply to them. Violations of export control or CFIUS regulations can result in government investigations by one or more agencies and possible enforcement actions under the relevant regulatory regimes. For example, a willful violation of ECRA or the EAR can result in a criminal penalty of up to 20 years imprisonment, $1 million in fines per violation, or both; and criminal forfeiture of items or gross proceeds related to the transaction. ECRA also permits civil penalties of up to $308,901 (adjusted annually for inflation) or twice the value of the transaction, whichever is greater; and denial of export privileges, seizure and forfeiture, and loss of government contracting rights. Failure to comply with CFIUS regulations may result in civil penalties amounting to $250,000 or the value of the transaction, whichever is greater. CFIUS penalties are without prejudice to any other civil or criminal penalties available under law. If a company or individual discovers a violation internally, it may make a voluntary self-disclosure to the relevant agency, which can cut the applicable maximum base penalty in half. V&E has substantial experience helping companies with export control and CFIUS matters, including counseling companies on export control and CFIUS compliance, preparing CFIUS mandatory filings, assisting with internal investigations related to potential export control violations, and defending clients in government investigations and enforcement actions. Those contemplating a voluntary self-disclosure or facing a government investigation or enforcement action should contact legal counsel as early as possible to address any concerns and determine appropriate next steps.
1 CFIUS is an inter-agency panel of the U.S. government that reviews foreign investment for national security concerns.
2 As of April 2018, certain nucleic acid assemblers and synthesizers are already controlled under paragraph j of ECCN 2B352, which covers certain equipment capable of use in handling biological materials. See 83 Fed. Reg. 13,849 (Apr. 2, 2018) (implementing AG decisions).
3 See 50 U.S.C. § 4817. “Critical technologies” are defined under 50 U.S.C. § 4565(a)(6)(A). In addition to “emerging and foundational technologies” controlled pursuant to § 4817, critical technologies include defense articles and services included on the United States Munitions List set forth under the International Traffic in Arms Regulations; certain items included on the CCL pursuant to multilateral regimes or for reasons relating to regional stability or surreptitious listening; certain nuclear equipment, parts, components, materials, software, technology, and facilities; and select agents and toxins.
4 83 Fed. Reg. 58,201 (Nov. 19, 2018).
5 85 Fed. Reg. 71,012 (Nov. 6, 2020).
7 31 C.F.R. § 800.211.
8 Id. § 800.401. “Critical technologies” have nearly identical definitions under CFIUS regulations and ECRA. Compare id. § 800.215 (CFIUS definition), with 50 U.S.C. § 4565(a)(6)(A) (ECRA definition).
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.