- Technology Infrastructure and Data. CFIUS will focus its review on investments in critical Technology, critical Infrastructure, and sensitive personal Data (“TID Businesses”).
- Critical technologies is defined to include certain items subject to export controls along with emerging and foundational technologies under the Export Control Reform Act of 2018.
- CFIUS provides a very helpful list of critical infrastructure and functions to help assess whether any business is a TID Business. We reproduce most of this list at the end of this blog article. (Sneak preview: telecom, utilities, energy, and transportation dominate the list.)
- The proposed regulations provide much-needed guidance on what constitutes sensitive personal data and also seek to limit the reach of the definition so it does not cast too wide a net over transactions in which CFIUS really should have no national security concern.
- Exceptions for Certain Countries. Investors from certain countries may be excepted from CFIUS jurisdiction when making non-controlling investments.
- New Set of Rules for Real Estate. In a companion piece, CFIUS proposed for the first time a detailed set of rules related to investments in real estate. We will cover this in a separate blog article to be published in the near future.
- Expansion of Short-Form Declaration Use. The proposed rules provide parties the choice to use a short-form declaration for any transaction under CFIUS jurisdiction in lieu of a long-form notice.
- Comments Due by October 17, 2019. Members of the public may submit comments on the proposed regulations any time between now and October 17, 2019. Final regulations must be adopted by CFIUS and become effective no later than February 13, 2020.
Technology controls are tightening in the U.S. and around the world. New regulations proposed this week by the Committee on Foreign Investment in the United States (CFIUS) continue and strengthen that trend.
On September 17, 2019, CFIUS published two separate proposed rules that will implement many of the changes to U.S. foreign investment review outlined in the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA): one rule expanding covered investments, and another clarifying controls on real estate investments. Although the public has been invited to comment, and the rules are subject to change before their final publication, it appears that the two rules will effectively expand and clarify CFIUS jurisdiction.
The Covered Investment Proposed Rule brings some bad news and some good news for investors. The changes proposed in this rule will increase CFIUS authority by expanding what constitutes a “covered investment” and clarifying the definition of a “covered transaction.” However, on a positive note for some investors, the rule will also create a “Pre-Approved List” for certain countries where investors may be excepted from CFIUS review. The rule may also streamline the filing process for certain covered transactions.
1. Expansion of “Covered Investments”
The Committee will continue to exercise jurisdiction over any transaction which could result in a foreign person acquiring control of any U.S. business that could impact U.S. national security. Additionally, the Covered Investment Proposed Rule would expand CFIUS jurisdiction to cover investments that afford a foreign person any one of following three privileges:
- Access to any material nonpublic technical information of the U.S. business;
- Membership or observer rights on the board of directors (or equivalent) of the U.S. business or the right to nominate an individual to a position on the board; or
- Any involvement in the substantive decision-making of the U.S. business regarding critical technology, critical infrastructure, or sensitive data. These three areas of business are known as “TID” (Technology Infrastructure Data).
Those points may look familiar from the FIRRMA pilot program, but the proposed rule contains two substantial changes to the pilot program: (1) the rule is not limited to the 27 industries of the pilot program; and (2) a filing for these new covered investments would not be mandatory under certain criteria.
2. TID U.S. Business
The new covered investments are specifically limited to U.S. businesses that will be considered “TID U.S. Businesses.” A TID U.S. Business deals in one or more of (1) Critical Technologies, (2) Critical Infrastructure, or (3) Sensitive Personal Data, as described below.
The Covered Investment Proposed Rule provides CFIUS jurisdiction to review non-controlling foreign investment in businesses “producing, designing, testing, or developing one or more Critical Technologies.
The rule brings the definition of critical technologies in line with the definition from the FIRRMA pilot program, including the following:
- Defense articles or defense services included on the United States Munitions List (USML) set forth in the International Traffic in Arms Regulations (ITAR);
- Items included on the Commerce Control List (CCL) set forth in the Export Administration Regulations (EAR) and controlled (1) pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or (2) for reasons relating to regional stability or surreptitious listening;
- Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by 10 CFR part 810 (relating to assistance to foreign atomic energy activities);
- Nuclear facilities, equipment, and material covered by 10 CFR part 110 (relating to export and import of nuclear equipment and material);
- Select agents and toxins covered by 7 CFR part 331, 9 CFR part 121, or 42 CFR part 73; and
- Emerging and foundational technologies controlled pursuant to section 1758 of the Export Control Reform Act of 2018 (ECRA).
“Emerging and foundational technologies” have not yet been defined in regulations, but an Advanced Notice of Proposed Rulemaking published in November 2018 indicated that technologies such as biomedicines, artificial intelligence, virtual reality, and robotics may be among those controlled under the ECRA.
The Covered Investment Proposed Rule also grants CFIUS authority to review non-controlling investments in U.S. businesses that own, operate, manufacture, supply, or service specified segments of critical infrastructure termed “covered investment critical infrastructure.” The rule includes an Appendix detailing the critical infrastructure areas, which include the following, among others:
- Telecommunications or information services;
- Submarine cable system licensees and landing facilities;
- Defense-related logistical and communications networks or systems;
- Sole-source industrial resource businesses;
- Utilities such as electric, oil, water, and gas; and
- Specific airports and maritime ports.
Not every business in industries related to the critical infrastructure listed here will be considered covered. The Appendix to the proposed rule lists specific functions that the business must perform in the covered investment critical infrastructure area in order to be considered subject to CFIUS jurisdiction under the Covered Investment Proposed Rule.
Finally, the Covered Investment Proposed Rule would authorize CFIUS to review non-controlling investments in U.S. businesses that maintain or collect the sensitive personal data of U.S. citizens. The proposed rule shows that CFIUS will take a broad view of what constitutes sensitive personal data, including the following categories:
- Financial data, including bank account statements, home mortgages, and consumer transactions;
- Consumer reporting agency data;
- Personal insurance applications;
- Health-related data;
- Non-public electronic communications, including email;
- Geo-location data;
- Biometric data generated by companies providing biometric identification services; and
- Data used to issue government identification.
However, the proposed rule will limit the scope of review to businesses that maintain or collect sensitive personal data in one of three ways:
- By targeting or tailoring products or services to any U.S. executive branch agency or military department with national security responsibilities, or to its civilian personnel or contractors;
- By maintaining or collecting sensitive personal data on greater than one million individuals at any point over the preceding 12 months; or
- By demonstrating a business objective to maintain or collect sensitive personal data on greater than one million individuals where that data is an integrated part of the TID U.S. Business’s primary products or services.
3. Country-Based Exceptions
The regulations create an exception from “covered investments” for certain foreign persons defined as “excepted investors.” The scope and intended target of the excepted investor definition will be taken up in greater detail in a subsequent blog post, but for the moment suffice it to say that any private equity group or foreign entity that is or wants to be a repeat player in M&A markets in the U.S. will be well-advised to pay careful attention to this aspect of the new proposed rules. The definition of “excepted investor” incorporates the familiar five percent threshold that CFIUS practitioners have come to know as the level of investment CFIUS generally tracks closely. And the definition of “minimum excepted ownership” includes a nod to the familiar 10 percent safe harbor for private equity investors. The overriding issue with the definition of “excepted investors” will be which countries will be listed as “excepted foreign states,” and we have no idea how long that process could take.
4. Streamlining the CFIUS Process
The Covered Investment Proposed Rule also provides that parties may choose to file a short-form declaration for any transaction subject to CFIUS jurisdiction in lieu of filing a notice. There has been much debate in the CFIUS Bar over whether the short-form declaration actually speeds the CFIUS approval process but, in theory, it can be a time saver. The outline of the declaration is the same as the declaration provided for in the pilot program. It includes the abbreviated fillable form for filing, a 30-day response window for the Committee to address the declaration, and the four potential CFIUS responses to the declaration, as follows:
- Clearing the transaction by notifying the parties that CFIUS has concluded all action under Section 721;
- Taking no action by informing the parties that action cannot be completed on the basis of the declaration and that they may file a full voluntary notice;
- Requesting a full notice in order to review further information before providing clearance to the parties; or
- Initiating a unilateral review of the transaction through an agency notice.
5. New Mandatory Filings
Currently, only Pilot Program Covered Transactions can trigger a mandatory filing with CFIUS. Under the Covered Investment Proposed Rule, a filing will be mandatory if a foreign person obtains a “substantial interest” in a U.S. business where a foreign government, in turn, holds a “substantial interest” in the foreign person. Substantial Interest means a 25 percent voting interest in a U.S. business held by a foreign person and a 49 percent or greater voting interest held by a foreign government in a foreign person. Any voting interest held by a parent will be deemed to be a 100 percent voting interest in any entity of which it is a parent. The mandatory filing in this case may be fulfilled by a short-form declaration or long-form notice.
6. Clarifications and Limitations on Covered Transactions
The Covered Investment Proposed Rule offers further, smaller but potentially important clarifications on the jurisdiction of CFIUS. First, the proposed rule clarifies CFIUS’s jurisdiction over investment funds. If a foreign person indirectly invests in an unaffiliated TID U.S. Business through an investment fund that gives the foreign person membership as a limited partner on an advisory board or committee of the fund, that membership, by itself, does not render the foreign person’s investment a covered investment. Unaffiliated TID U.S. Businesses are those in which a foreign person does not directly hold more than 50 percent of the outstanding voting interest or have the right to appoint more than half of the members of that business’s board of directors.
Second, under current rules, a transaction is not within CFIUS jurisdiction if a foreign person or any of its direct or indirect wholly-owned subsidiaries previously acquired direct control in the U.S. business in a covered control transaction for which CFIUS concluded all action under Section 721. The Covered Investment Proposed Rule adds that this exception to a covered control transaction only applies to those for which CFIUS has concluded all actions based on a notice submission. This could mean that foreign persons who have already completed the CFIUS notice process may not have to repeat the process in a new transaction, but that would not apply to those covered transactions closed on the basis of a declaration. The proposed rule additionally clarifies that this exception does not apply to “incremental acquisitions” where the foreign person has not previously acquired control of a U.S. business or to a transaction that CFIUS has not cleared based on a notice submission.
7. Filing Fees
FIRRMA provided for the possibility that CFIUS could implement filing fees not to exceed the lesser of $300,000 or 1% of the value of the transaction. The Covered Investment Proposed Rule does not address those fees, except to note that Treasury is still considering how to implement them and will do so under a separately published proposed rule.
8. More to Come
The Covered Investment Proposed Rule introduces greater jurisdictional scope to CFIUS while clarifying certain exceptions and carve-outs. Please be on the lookout for our forthcoming blog explaining the proposed rule for how CFIUS will also be focusing on real estate investment. We will report on any major developments as the Covered Investment Proposed Rule makes its way to final publication.