U.S. Department of Commerce Proposes Expansive New U.S. Person Controls Related to Military, Intelligence, and Security Activities

On July 29, 2024, the U.S. Department of Commerce Bureau of Industry and Security (BIS) published two rules proposing sweeping new controls related to military, intelligence, and security activities. These proposed rules implement a directive from Congress in the Export Control Reform Act of 2018, as amended by the National Defense Authorization Act for Fiscal Year 2023, to control the activities of U.S. persons under the Export Administration Regulations (EAR) that are related to foreign military, security, or intelligence services. The expansion of U.S. person controls in the proposed rules parallels BIS’s strategy of expanding the extraterritorial reach of its regulations through an increased number of foreign direct product rules, including in the context of its expanded use of the Entity List. Concurrently, the U.S. State Department’s Directorate of Defense Trade Controls (“DDTC”) published a related proposed rule seeking to revise controls on defense services. 

The proposed rules would increase the due diligence burden on U.S. persons when analyzing whether they can engage in certain transactions and activities involving foreign counterparties. 

The proposed BIS rules addressing military- and intelligence-related controls is located here, the proposed BIS rule addressing security-related controls is located here, and the proposed DDTC rule addressing defense services is located here. Below, we summarize six key takeaways from these proposed rules. BIS and DDTC are accepting comments on the proposed rules until September 27, 2024.  

1. The Proposed Rules Would Significantly Expand the Number of End Users Subject to U.S Export Controls 

Although the proposed rules would nominally narrow the current definition of military end users, they would significantly expand the universe of restricted end users by creating three new categories of end users: military-support end users, intelligence end users (which would effectively replace and expand the current category of military-intelligence end users), and foreign-security end users. Each of these categories is defined broadly. Military-support end users would include “any person or entity whose actions or functions support military end uses”;¹ intelligence end users would include military and civilian intelligence and reconnaissance organizations;² and foreign-security end users would include a variety of governmental and nongovernmental entities with the authority to perform police and surveillance functions.³ The proposed rules would also revise the current definition of military end users to add entities that perform the same functions of military end users.⁴ U.S. persons would be restricted from engaging in certain transactions and activities with these end users, even absent the involvement of items subject to U.S. jurisdiction, as discussed further below. 

2. The Proposed Rules Would Restrict U.S. Person Activities Involving New End Users and End Uses

Under the EAR, U.S. persons may not engage in certain activities without a license, even if those activities occur entirely outside the United States and involve items that are not subject to the EAR (i.e., “U.S. person” activities).⁵ To date, these U.S. person controls have applied only in very limited circumstances, including with respect to “support” for activities related to the proliferation of nuclear, chemical, and biological weapons, the development and production of certain semiconductors, and a small number of restricted end users. The proposed rules would significantly expand these controls by restricting U.S. persons from providing support to (a) military end users in or from certain countries,⁶  (b) intelligence end users of certain countries,⁷ and (c) foreign-security end users and military-support end users that appear on the Entity List with a particular designation.⁸ The proposed rules would also add a new end-use restriction on U.S. person support for “military-production activities.” “Military-production activities” refers to the incorporation into, or any other activities that support or contribute to the operation, installation, maintenance, repair, development, or production of, (a) certain highly sensitive items described in the Commerce Control List (CCL) and (b) less-sensitive items that are described in the CCL when a U.S. person knows that the items are ultimately destined to or for use by a military end user.⁹ Both types of military-production restrictions would apply to foreign-origin items that are not subject to the EAR.¹⁰ 

3. The Proposed Rules Would Significantly Expand the Items and Countries Covered by Certain End-Use and End-User Controls

The proposed rules significantly expand the range of items and countries to which certain end-use and end-user restrictions apply. For example, if the proposed rules were adopted, the military end-use and end-user restrictions would apply to all items subject to the EAR, not only a restricted list of items defined in a supplement to the EAR, as is currently the case.¹¹ The country scope of military end-user and end-use controls would also expand from seven to 25 countries. Similarly, while the country scope of the current license requirement for military-intelligence end users applies only to 10 countries, the country scope of the license requirement for intelligence end users — which, as noted, effectively replaces the current end-user category of military-intelligence end users — would apply to 45 countries.¹²

4. The Variety of End-Use and End-User Controls Introduced by the Proposed Rules Will Complicate Due Diligence

If the proposed rules were adopted, the different sets of country-group scopes, item-based controls, U.S. person activity controls, and licensing regimes that would apply to transactions with military end users, military-support end users, intelligence end users, and foreign-security end users would complicate due diligence in a variety of transactions. For example, while certain end users with whom activities are restricted would appear on lists that could be screened against, such as the Entity List, in other instances U.S. persons would need to engage in a fact-specific analysis to determine whether a counterparty met the definition of a restricted end user and, if so, whether the relevant transaction might constitute U.S. person support for which a license would be required.  

5. The Proposed Rules Clarify the Relationship of BIS and DDTC Controls on U.S. Person Activities

Like BIS’s proposed rules, DDTC’s proposed rule seeks to restrict certain U.S. person activities related to military and foreign intelligence services. In relevant part, DDTC’s proposed rule would amend the International Traffic in Arms Regulations (ITAR) so that it controls defense services related to intelligence and military assistance that do not relate directly to defense articles.¹³ The BIS rules make clear that in light of DDTC’s proposed rule, the restrictions that BIS proposes on U.S. person activities would not apply to activities that are controlled under the ITAR.¹⁴ Thus, as a practical matter, if a U.S. person seeking to evaluate whether a particular military-, intelligence-, or security-related activity is restricted, the U.S. person should evaluate that activity against the ITAR before evaluating it against the EAR. This is the same order of review that applies when U.S. persons evaluate whether they require a license to export, reexport, or transfer (in-country) items controlled under the EAR.  

6. The Proposed Rules Also Introduce Potential Controls on Facial Recognition Systems 

The proposed rules also seek to amend the CCL in order to control the export, reexport, and transfer (in-country) of facial recognition systems. Specifically, the proposed rules would revise the CCL to control certain facial recognition hardware, software, and technology that are used in systems designed for crowd-scanning and mass surveillance.¹⁵  The proposed rule clarifies that the revised restrictions would not control facial recognition systems that simply verify whether persons are authorized to access “personal devices, automobiles, or residential or work premises.”¹⁶ Because these facial recognition technology items would be controlled only for crime control and antiterrorism reasons, they would not constitute critical technologies for the purpose of regulations administered by the Committee on Foreign Investment in the United States. Nevertheless, an export license would be required for export, including during cross-border development, of hardware, software, and technology for such systems to most countries. 

¹  See End-Use and End-User Based Export Controls, Including U.S. Persons Activities Controls: Military and Intelligence End Uses and End Users, 89 Fed. Reg. 60985, 60990 (July 29, 2024).
²  See id.
³  See Export Administration Regulations: Crime Controls and Expansion/Update of U.S. Persons Controls, 89 Fed. Reg. 60998, 61000 (July 29, 2024).
⁴  See End-Use and End-User Based Export Controls, Including U.S. Persons Activities Controls: Military and Intelligence End Uses and End Users, 89 Fed. Reg. 60985, 60989 (July 29, 2024).
⁵  See 15 C.F.R. § 744.6. 
⁶  See End-Use and End-User Based Export Controls, Including U.S. Persons Activities Controls: Military and Intelligence End Uses and End Users, 89 Fed. Reg. 60985, 60989 (July 29, 2024); see also id. at 60995.
⁷  See id. at 60991.
⁸  See Export Administration Regulations: Crime Controls and Expansion/Update of U.S. Persons Controls, 89 Fed. Reg. 60998, 61001 (July 29, 2024); End-Use and End-User Based Export Controls, Including U.S. Persons Activities Controls: Military and Intelligence End Uses and End Users, 89 Fed. Reg. 60985, 60990 (July 29, 2024).
⁹  End-Use and End-User Based Export Controls, Including U.S. Persons Activities Controls: Military and Intelligence End Uses and End Users, 89 Fed. Reg. 60985, 60995 (July 29, 2024).
¹⁰ See id.
¹¹ See id. at 60989.
¹² See id. at 60991.
¹³ See Revisions to Definition and Controls Related to Defense Services, 89 Fed. Reg. 60980, 60981 (July 29, 2024).
¹⁴ See End-Use and End-User Based Export Controls, Including U.S. Persons Activities Controls: Military and Intelligence End Uses and End Users, 89, Fed. Reg. 60985, 60987 (July 29, 2024).
¹⁵ Export Administration Regulations: Crime Controls and Expansion/Update of U.S. Persons Controls, 89 Fed. Reg. 60998, 61001 (July 29, 2024).
¹⁶ Id.