In the past, CFIUS reviews stemmed from a largely voluntary process. A review would be instigated for certain merger or acquisition transactions where a non-U.S. company or foreign government-controlled entity obtained a controlling interest in a U.S. company, and the parties would file for approval in order to determine the effect of the transaction on U.S. national security and whether the transaction can go forward as contemplated. Now, CFIUS also has the authority to review non-controlling "covered investments" by a foreign person in a U.S. critical technology, critical infrastructure or sensitive personal data company. These "TID Businesses" (U.S. Technology, Infrastructure and Data companies) include companies that engage in one of the following activities:

• produces, designs, tests, manufactures, fabricates or develops one or more critical technologies;
• owns, operates, manufactures, supplies or services critical infrastructure; or
• maintains or collects sensitive personal data (e.g., health or financial data) of U.S. citizens that may be exploited in a manner that threatens national security.

CFIUS is now authorized to review non-controlling covered investments in TID Businesses. A "covered investment" includes circumstances where a foreign investor obtains:

• access to material non-public technical information;
• membership or observer rights on the board of directors or an equivalent governing body of the business or the right to nominate an individual to a position on that body; or
• any involvement, other than through voting of shares, in substantive decision making regarding sensitive personal data of U.S. citizens, critical technologies, or critical infrastructure.

While the filing process will still largely be voluntarily, even when submitting a notice or declaration notifying CFIUS of a non-controlling investment in a TID Business, if a foreign government holds a "substantial interest" in the foreign investor that obtains a "substantial interest" in a TID Business, a CFIUS filing will be mandatory. Mandatory filings are a new feature provided for in FIRRMA, and the requirement is triggered when a foreign government holds a 49 percent direct or indirect interest in the foreign investor, whereas a foreign person will obtain a substantial interest in a TID Business if it seeks to obtain at least a 25 percent direct or indirect interest. In such scenarios, the parties must submit a mandatory notice at least 30 days prior to the transaction’s closing.

These are only a few of the key features of the CFIUS reform provisions of FIRRMA, and in terms of immediate impact, U.S. businesses and industries previously unfamiliar with the CFIUS filing process or that were previously outside the jurisdiction for a covered review will now have to anticipate the implications of a CFIUS filing when considering even passive forms of foreign investment. This includes businesses ranging from health care companies, tech start-ups, related infrastructure industries, venture capital funds, emerging technology companies and manufacturers, and any company that maintains or can access sensitive U.S. consumer data. Increased due diligence on proposed foreign investors will be more important than ever to ensure compliance with both mandatory and voluntary CFIUS declaration filings, which will ultimately result in cross-border deals being a much more time-consuming process that will require robust scrutiny and attention to detail when proposing contractual rights afforded to foreign investors.