by Pacôme Ziegler 
States walk a tightrope when the protection of the general interest requires encroaching upon private interests, as it often does. Should they fail in this balancing act, effective redress may be available to aggrieved private investors under the applicable investment treaty.
Investors do not hesitate to avail themselves of this avenue when it exists. Paradigmatic examples thereof include the arbitration brought against Germany by a Swedish company (Vattenfall AB), following the German government’s decision to abandon nuclear energy production; or the arbitrations brought by German companies (RWE and Uniper) against the Netherlands, following the Dutch government’s decision to ban coal-ﬁred power generation. More recently, in 2022, an English company (Ascent Resources) filed for arbitration against Slovenia following the state ban on natural gas extraction by hydraulic fracturing, whilst an American company (MC Invest) launched arbitration proceedings against Kyrgyzstan following the state ban on uranium mining. In all these cases, the bans were adopted in favour of the environment or public health. Even so, the investors claimed that they violated the respective state’s obligations arising from the applicable investment protection treaties. In several cases of this type, the private investors’ claims were upheld.
Many of these arbitrations take place in parallel with actions brought before national administrative courts. What are the reasons for this duplication of proceedings? One of them is that arbitration tribunals set up under investment protection treaties do not hesitate to award multi-million-dollar settlements, amounts that would be unthinkable in many national courts. Some of the largest awards have been as much as two per cent of the gross national product of the convicted country (e.g. Russia, Ecuador, Venezuela or Pakistan).
The spectre of this type of arbitration may be hanging over Portugal following deliberation No. 1/2023 of the Security Assessment Commission of the Supreme Council for Cyberspace Security (CSSC). This deliberation prepared the ground for equipment supplied by companies considered to be “high risk” to be excluded from the national 5G network, or its use restricted. The criteria contained in that decision undoubtedly include the Chinese company Huawei. Huawei has confirmed this much by challenging deliberation No. 1/2023 before Portuguese administrative courts.
A similar decision by the Swedish government has already led Huawei to sue Sweden before an international arbitration tribunal for alleged violations of the investment protection treaty between China and Sweden. In this arbitration, which is currently underway, Huawei has provisionally quantiﬁed its losses at EUR 520 million, having warned that “the total estimated revenue losses will be considerably larger” than that amount. Similarly, Huawei has now notiﬁed the UK of a dispute based on an alleged violation of the investment protection treaty between China and the UK, precisely because of the UK government’s decision to ban and withdraw Huawei equipment from the UK’s 5G network.
It should be noted that Huawei has made clear its intentions to sue Portugal if it were to be excluded from the country’s 5G network. Under the investment protection treaty between China and Portugal (2005 China – Portugal BIT), Chinese investors in Portugal generally beneﬁt from the same protections as Chinese investors in Sweden or the UK. In particular, they are guaranteed “fair and equitable treatment” and “[no] less favourable treatment than that which it accords to the investments and associated activities by its own investors” or “by the investors of any third State”. Furthermore, the treaty prohibits “arbitrary or discriminatory measures” and only allows expropriation or “other measures with effects equivalent to expropriation” subject to compensation (among other requirements). The treaty does, however, allow discriminatory measures against Chinese investments if the measures in question are “taken for reasons of public security and order.”
On this basis, the central issues in a possible arbitration between Huawei and Portugal are likely to be the following. On the one hand, whether the bans or restrictions imposed on Huawei’s 5G equipment are based on objective cybersecurity concerns or rather reﬂect geopolitical considerations emerging from the growing rivalry between the West and China. On the other hand, whether such bans or restrictions may have violated Huawei’s legitimate expectations of participating in the development of the 5G network in Portugal. Finally, whether the decision on Huawei’s 5G equipment was proportionate to the objective pursued.
Unfortunately, international case law does not provide clear clues to these issues. For example, arbitral tribunals disagree on their authority to rule on the existence of a threat to public security in a given case: some tribunals simply defer to the assessment made by the state (as in Global Telecom v. Canada); some consider that such deference yields when states have acted in bad faith or without a legal basis (as in Devas Ltd v. India); others do not shy away from critically scrutinising the state’s invocation of public security imperatives (as in Deutsche Telekom v. India). In any case, it is quite possible that the reasons that resulted in the CSSC issuing the deliberation at issue will survive the scrutiny of an international arbitral tribunal.
Huawei insists that its 5G equipment has never been implicated in any security incident. In 2021, it released to the public its “Product Security Baseline” detailing the cybersecurity management requirements it implements internally, which it states had “ensure[d] a stellar security record of Huawei products on customer networks”. However, public technical reports, such as those from the Huawei Cyber Security Evaluation Centre (HCSEC), made up of cybersecurity experts certified by the British government, paint a very different picture. In its report for 2019, the HCSEC pointed out “serious and systematic defects in Huawei’s software engineering and cybersecurity competence” that could lead to “security and quality issues, including vulnerabilities”. The HCSEC further stated that “[i]f an attacker has knowledge of these vulnerabilities and has sufficient access to exploit them, they may be able to affect the operation of the network, in some cases causing it to cease operating correctly. Other impacts could include being able to access user traffic or reconfiguration of the network elements.” In its report for 2020, the HCSEC emphasised that “there ha[d] been no overall improvement over the course of 2020 to meet the product software engineering and cyber security quality expected [by the UK government]” – a worrying observation given that the defects in question have been identified and brought to Huawei’s attention since 2011.
It is true that the software associated with Huawei’s competitors’ 5G technology will also have problems – no software is free of them. However, it has been argued that the number of bugs in the software developed by Huawei may be higher than normal. This factor, plus the obligation imposed on Chinese organisations and citizens to “support, assist and cooperate with the State in matters of National Intelligence”, could justify Huawei’s 5G equipment being singled out for specific treatment.
In December 2022, the New York Times revealed that TikTok employees in the US and China had accessed the data of American journalists in an attempt to find out the sources of their articles on TikTok. Similarly, the Belgian State Security Service is investigating an Alibaba hub in Liège as it suspects “possible espionage and/or interference activities” may be going on there. The Belgian security service, relying on the legislation forcing Chinese companies to share their data with Chinese authorities and intelligence services, has underscored that “China has the intent and capacity to use this data for non-commercial purposes[.]”
In these instances, as in Huawei’s case, no involvement by the Chinese government has been proven (yet). As regards Huawei’s software defects, the HCSEC emphasised that it “does not believe that the defects identiﬁed are a result of Chinese state interference[.]” However, the mere possibility that the vulnerabilities could be exploited by private actors or by the Chinese government could provide firm footing under international investment law for the prohibitions or restrictions entailed by the CSCC’s deliberation No. 1/2023.
All in all, the impending ban of Huawei’s equipment from Portugal’s 5G network is likely to set the stage for an arbitration claim under the 2005 China – Portugal BIT. Would such a claim succeed? If judged only on the merits of such ban (leaving aside due process issues), this author doubts it. National security concerns seem compelling enough in this particular instance to justify encroaching upon Huawei’s rights under this treaty.
Pacôme Ziegler is a founding partner of Delaloa, a Lisbon-based law ﬁrm specialising in arbitration and international investment law. All opinions remain the author’s own. ↑