U.S. Issues Updated Semiconductor Export Controls Aimed at Intermediary Jurisdictions

The United States has imposed enhanced export controls on semiconductors, semiconductor equipment, and supercomputers aimed at the PRC, first in 2022 and then in 2023.[1]

These enhanced export controls are aimed at proposed shipments directly to PRC end users, and to parties in third countries who then incorporate U.S. controlled items into products destined to PRC end users (i.e. the “foreign direct product rule”). Furthermore, U.S. export controls have always prohibited “re-exports” (i.e. the use of pass through intermediaries). However, the U.S. does not deem these tools to be complete. Its determination to fully implement these export controls has led to a new, more expansive approach. Namely, this approach involves imposing the same or substantially similar export controls on third countries on a blanket basis (primarily Middle Eastern jurisdictions) as they would on the PRC, in order to fully control the international supply chain.

These moves create new compliance obligations for non-U.S., non-PRC suppliers, re-suppliers, and distributors, who will increasingly have to carefully navigate the laws and regulations in their home jurisdictions, the U.S., and the PRC.

Direct Export Controls on Intermediary Jurisdictions

On 4 April 2024, the Bureau of Industry and Security (BIS) of the Department of Commerce issued the “Implementation of Additional Export Controls”, which enhanced the 2023 and 2022 controls while providing clarity on their application to intermediary jurisdictions. In particular, it reinforces the concept that the controls on consequential items will extend to targeted jurisdictions other than the PRC on a blanket basis^_[2], in order to prevent PRC headquartered entities from “setting up cloud or data servers in other countries to allow these [PRC] headquartered companies of concern to continue to train their AI models in ways that would be contrary to U.S. national security interests”.

In practice, the main targeted jurisdictions are located in the Middle East, including Bahrain, Egypt, Oman, Qatar, Saudi Arabia, and the United Arab Emirates.  

For example, one of the most consequential export controls is item “3A090 integrated circuits” above a designated processing power, subject to limited exemptions if they are not used for datacentres. For this item, the controls would also apply to the above Middle Eastern jurisdictions across the board, purportedly in order to prevent PRC entities, by themselves or through intermediaries in those jurisdictions, from using the controlled integrated circuits in their international operations.  

In practice, if non-PRC entities in the above Middle Eastern jurisdictions desire to purchase the controlled integrated circuits, they would have to apply for a license from BIS, which may be possible if they can demonstrate no PRC connection with respect to end use of the integrated circuits. However, they will now have to work with their U.S. supplier to obtain such license from BIS, even if they are not connected at all to PRC interests. 

Cloud Computing Regulation Aimed at Intermediary Jurisdictions

On 29 January 2024, the BIS issued a proposed rule “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities”. This proposed rule imposes KYC and reporting requirements on cloud computing providers for non-U.S. customers, including heightened reporting requirements for customers who train large AI models^_[3].

Importantly, the rules apply equally to “foreign resellers”, defined as non-U.S. persons who have purchased cloud computing products or services from U.S. providers, who then provide them on an onward basis to customers outside of the U.S. Under the proposed rules, these foreign resellers are subject to the same KYC and reporting requirement as their original U.S. providers. Furthermore, the original U.S. providers effectively have joint and several liability over compliance by their foreign resellers. The end result is that these non-U.S. resellers will also be bound by the compliance obligations under the proposed rules, even if they are not located in the U.S. and even if all of their customers are not U.S. or PRC customers.

Businesses that use integrated circuits or who provide reseller cloud computing services outside of the U.S. and the PRC may be puzzled by the application of these U.S. rules, and accompanying license/compliance obligations, which seemingly have nothing to do with them. However, in a new era of geopolitical tensions, they will nonetheless have to deal with these legal realities. 

For more information on how we can help you navigate US-China tensions, please contact Charles Wu at Charles.Wu@clydeco.com.

_{[1] 2022: Implementation of Additional Export Controls: Certain Advanced Computing and Semiconductor Manufacturing Items; Supercomputer and Semiconductor End Use; Entity List Modification; 2023: Implementation of Additional Export Controls: Certain Advanced Computing Items; Supercomputer and Semiconductor End Use; Updates and Corrections}

_{[2] The targets are jurisdictions in Country Groups D:1, D:4, and D:5, excluding those also specified in Country Groups A:5 or A:6}

_{[3] The proposed rules permit a prohibition on opening accounts of non-U.S. customers if such non-U.S. customers are found to have been engaged in malicious cyber-enabled activities.  This narrow scope does not include a wholescale prohibition on all PRC customers or PRC customers operating in a specific field such as AI.  However, this may not be the ultimate outcome.  Rather, the narrow scope is constrained by a 2009 advisory opinion issued by BIS wherein BIS ruled that cloud computing services were not “items” subject to export control regulations.  If this determination were updated or new legislation emerges specifically stating that cloud services are “items” subject to export controls, broader cloud computing access controls may result.  The intent would be to further prevent PRC customers from accessing advanced integrated circuits indirectly by using cloud computing servers that run on them anywhere in the world.}