Earlier this year, new regulations promulgated by the Committee on Foreign Investment in the U.S. (the “CFIUS”) that implement the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) took effect, strengthening the oversight authority and expanding the jurisdictional reach of the CFIUS. Although the new CFIUS regulations initially went largely unnoticed by the vast majority of investors, investors are starting to feel the effect of these expanded regulations as they are advised by deal counsel of a need for targeted due diligence and additional representations and warranties related to CFIUS compliance obligations.
CFIUS Regulatory Framework
The CFIUS, which was created by the Defense Production Act of 1950, is tasked with reviewing any transaction “which could result in foreign control of any person engaged in interstate commerce in the United States.” 50 U.S.C. § 2170. The basic premise of the regulatory scheme is that the CFIUS will review these transactions, assess the potential for impact on national security, and make formal recommendations to the President as to the appropriate mitigating action necessary to protect the national interest.
Recent Changes to CFIUS Regulations
Until recently, the CFIUS’s jurisdiction was limited primarily to acquisitions of U.S. businesses by non-U.S. businesses. See Ralls Corporation v. Committee on Foreign Investment in the United States, 758 F.3d 296 (D.C. Cir. 2014). Earlier this year, however, new CFIUS rules permanently expanded CFIUS jurisdiction to include certain “other” investments—namely, non-controlling foreign investments in U.S. businesses involved in certain critical technologies, critical infrastructure, or the personal data of U.S. nationals (referred to as “TID” businesses, for technology, infrastructure, and data). Covered non-controlling investments afford the foreign investor access to material nonpublic technical information or substantive involvement in the U.S. business’s decision-making with respect to the technology, infrastructure, or data.
In sum, the new CFIUS regulations expanded the jurisdiction of regulators to transactions involving U.S. businesses that: (1) produce, design, test, manufacture, fabricate, or develop “critical technologies”; (2) own, operate, manufacture, supply, or service “critical infrastructure”; or (3) maintain or collect “sensitive personal data” of U.S. citizens that may be exploited in a manner that threatens national security. 31 CFR § 800.211. Thus, even if a transaction will not result in foreign control of a U.S. business, it may still be subject to CFIUS review if it involves a TID U.S. business.
For purposes of CFIUS regulations, critical technology is defined as follows:
(a) Defense articles or defense services included on the United States Munitions List (USML) set forth in the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120–130);
(b) Items included on the Commerce Control List (CCL) set forth in Supplement No. 1 to part 774 of the Export Administration Regulations (EAR) (15 CFR parts 730–774), and controlled—
(1) Pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or
(2) For reasons relating to regional stability or surreptitious listening;
(c) Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by 10 CFR part 810 (relating to assistance to foreign atomic energy activities);
(d) Nuclear facilities, equipment, and material covered by 10 CFR part 110 (relating to export and import of nuclear equipment and material);
(e) Select agents and toxins covered by 7 CFR part 331, 9 CFR part 121, or 42 CFR part 73; and
(f) Emerging and foundational technologies controlled under section 1758 of the Export Control Reform Act of 2018 (50 U.S.C. 4817).
31 C.F.R. § 800.215. The nuances of each of these critical technologies should be carefully considered when engaging in a transaction involving foreign investors.
Sensitive Personal Data
The CFIUS also may review certain transactions involving U.S. businesses that maintain or collect sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. “Sensitive personal data” is defined to include ten categories of data maintained or collected by U.S. businesses that (i) target or tailor products or services to certain populations, including U.S. military members and employees of federal agencies with national security responsibilities, (ii) collect or maintain such data on at least one million individuals, or (iii) have a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. The categories of data include types of (1) financial data (e.g., bank account statements, credit applications, payment history, credit reports, credit scores); (2) geolocation; (3) health data (similar to HIPAA’s definition of non-public health information); (4) e-mail communications; (5) chat or other similar communications; (6) biometrics; and (7) information regarding government contractors. See 31 C.F.R. § 800.241.
While this may seem like an unreasonable burden, the administrative record includes policy statements that inject some degree of restraint into the definition of sensitive personal data. 84 FR 50177. More specifically, the ancillary information published in the Federal Register provides the following:
Given that most companies collect some type of data on individuals, the proposed rule protects national security while attempting to minimize any chilling effect on beneficial foreign investment by focusing on the sensitivity of the data itself, as well as the sensitivity of the population about whom the data is maintained or collected. In particular, the proposed rule identifies specific categories of data that constitute sensitive personal data only if the U.S. business (a) targets or tailors its products or services to sensitive U.S. Government personnel or contractors, (b) maintains or collects such data on greater than one million individuals, or (c) has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. The proposed definition also includes all genetic information and generally carves out data pertaining to a U.S. business’s own employees.
Id. at 50177-78 (emphasis added).
It is also of note that the information collected does not qualify unless it includes “identifiable data.” 31 C.F.R. § 800.239. The administrative record makes clear that regulators wanted businesses to use common sense in assessing whether data constitutes “identifiable data,” as it includes the following:
In some cases, a U.S. business may maintain or collect the data described in § 800.241(a)(1)(ii)(A)-(J), but it is not possible to attribute such data to any specific individual. For example, a U.S. business may store health records on its servers, but those records are encrypted such that only a third party in possession of the encryption key can read the data. The U.S. business in these circumstances would not be maintaining or collecting sensitive personal data. The proposed rule makes clear, however, that identifiable data is not limited to data that includes an individual’s name or other obvious identifier, but rather includes any personal identifier, as defined in § 800.239.
84 FR 50178 (emphasis added). Thus, if the information is encrypted or otherwise anonymized, it will not qualify as identifiable data. See 31 C.F.R. § 800.202 (“The term anonymized data means data from which all personal identifiers have been completely removed.”).
Another significant change in the review regime is the introduction of mandatory filings for certain transactions. Historically, all filings made to the CFIUS were submitted on a voluntary basis. However, FIRRMA introduces, and the new regulations implement, the concept of mandatory filings. Despite this, the process remains mostly based on voluntary filings, with a relatively small number of transactions requiring a mandatory filing, namely, (i) a substantial foreign government investment in a TID U.S. business, or (ii) controlling or non-controlling investments in critical technologies within the scope of the CFIUS Pilot Program on critical technologies.
- A substantial foreign government investment in a TID business. Under the new regulations, there is a substantial interest if a foreign person obtains 25 percent or more voting interest in the TID business, and a foreign government owns 49 percent or more of the foreign person. FIRRMA §1705(v)(IV)(bb)(AA); 31 CFR §800.244;
- CFIUS Pilot Program on critical technologies of Nov. 10, 2018. Controlling or non-controlling investments in U.S. businesses that produce, design, test, manufacture, fabricate or develop one or more critical technologies in one of 27 identified industries – including aviation, defense, semiconductors, telecommunications and biotechnology – are subject to a mandatory filing with CFIUS. The final regulations, for now, will continue to use the same NAICS codes. However, the CFIUS announced that it will issue a notice of proposed rulemaking, perhaps moving away from an industry-based approach for these filing requirements in favor of “export control licensing requirements.” In the meantime, mandatory declarations must be filed 45 days before the close of a transaction.
For either mandatory or voluntary filings, FIRRMA has developed an abbreviated filing process through a declaration, allowing parties to submit basic information to the CFIUS. FIRRMA §1706(v)(1). These provisions are expanded in the new, final regulations. 31 CFR §800.401. The declarations should generally not exceed five pages in length, and it is likely that a form will be ultimately designed to increase the ease and usefulness of the process. Although declarations are intended to streamline the process by moving less complex transactions through the CFIUS review process with less administrative burden on the filing companies, filing a declaration may actually increase the processing time: the CFIUS has 30 days to render a decision on a mandatory declaration, but may at that time require a full notice, adding a full review cycle to reach a decision, thereby delaying the overall timing of a mergers and acquisitions transaction. This may act as a significant deterrent to the use of this mechanism.
FIRRMA directs the CFIUS to impose certain fees on parties who violate the CFIUS review process. Any person who submits a material misstatement or omission in a declaration or notice, or who makes certain other false statements, may be liable for a civil penalty of up to $250,000 per violation. 31 C.F.R. § 800.901(a). Any person who fails to comply with the mandatory filing procedures may be liable for a civil penalty of up to $250,000 or the value of the transaction, whichever is greater. 31 C.F.R. § 800.901(b). Furthermore, any person who, after Dec. 22, 2018, intentionally or through gross negligence violates a material provision of a mitigation agreement entered into before Oct. 11, 2018, will also be liable for a civil penalty of up to $250,000 or the value of the transaction. 31 C.F.R. § 800.901(c). Further guidance on penalties is expected in new rules to come from the CFIUS.
FIRRMA and the recently enacted final regulations make a variety of sweeping changes to the CFIUS process that will certainly bring more transactions under the scope of CFIUS review. These changes were implemented in response to increased national security concerns but were carefully crafted to avoid suppressing foreign direct investment in the United States. Nevertheless, given the significant penalties associated with violations of CFIUS regulations, it is extremely important that all parties to investment transactions take steps to ensure compliance with CFIUS regulations.