This is the third in our multipart series of alerts addressing proposed regulations published in the Federal Register on September 24, 2019, for the Committee on Foreign Investment in the United States (CFIUS) to implement the Foreign Investment Risk Review Modernization Act (FIRRMA).
FIRRMA directed the U.S. Department of the Treasury (“Treasury”), as the chair of CFIUS, to issue regulations that, among other things, address national security concerns arising from foreign investment in U.S. businesses with critical technologies, critical infrastructure, and personal data (referred to in the proposed regulations as “TID U.S. businesses”). The proposed CFIUS regulations implement these provisions of FIRRMA by (i) defining what constitutes a TID U.S. business and (ii) expanding CFIUS’s jurisdiction to include not only transactions that result in control of a TID U.S. business, but also “covered investments” that give a foreign person certain rights with respect to a TID U.S. business (together referred to as “covered transactions”).
The major takeaways from the proposed TID U.S. business regulations are:
- Risk-Based Analysis: Long-time CFIUS practitioners have heard the refrain that CFIUS undertakes a risk-based analysis of transactions presented for review, examining the threat, vulnerabilities, and consequences to U.S. national security of a particular action. The proposed regulations now articulate these specific elements of the analysis that form the basis for CFIUS’s review of a notified transaction.
- CFIUS Filings Mandatory for Some But Not All TID U.S. Business Covered Transactions: The CFIUS pilot program that became effective in November 2018 requires the submission of a declaration (or full CFIUS notice) for covered transactions involving pilot program U.S. businesses, and this program will remain in effect at least until the final FIRRMA-implementing regulations are published. The proposed regulations do not impose a mandatory CFIUS filing for a covered transaction involving a TID U.S. business (outside the current pilot program’s requirements), unless a foreign government has a “substantial interest” in the acquiring party (more to come on this issue in the next alert in our series).
- Critical Technologies Definition Unchanged: The proposed regulations contain the same definition for critical technologies in effect under the current pilot program. A key component of the critical technologies definition will take effect once the U.S. Department of Commerce (“Commerce”) issues regulations defining the scope of “emerging and foundational technologies.” Commerce took the first step in this process in November 2018 by issuing an Advanced Notice of Proposed Rulemaking identifying and requesting comments on the categories of emerging technologies to be covered. Commerce officials’ most recent informal statements indicate that proposed new regulations may be forthcoming before year-end.
- Critical Infrastructure for Covered Investments Defined by Form and Function: Appendix A to the proposed regulations sets forth 28 categories of critical infrastructure (Column 1) and specific functions related to each critical infrastructure category (Column 2). Only a U.S. business that performs one of the specified functions listed in Column 2 of Appendix A with respect to the infrastructure listed in Column 1 is a TID U.S. business for purposes of a critical infrastructure covered investment.
- Expanded (and Evolving) Definition of Sensitive Personal Data: FIRRMA expands CFIUS’s jurisdiction to include covered investments by a foreign person in a U.S. business that maintains or collects sensitive personal data of U.S. citizens that “may be exploited in a manner that threatens to harm national security.” To implement this provision, the proposed rule sets forth a detailed definition of “sensitive personal data” that includes not only traditional personal information (e.g., name, address, telephone number), but also health, financial, behavioral, and genetic information. The proposed regulations note that CFIUS anticipates periodically revising this definition (along with other aspects of the regulations).
Key definitions are provided below as further context for the proposed regulations affecting TID U.S. businesses.
What Is a TID U.S. Business?
Under the proposed regulations, a “TID U.S. business” is any U.S. business that:
(1) Produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies;
(2) Performs the functions as set forth in Column 2 of Appendix A with respect to covered investment critical infrastructure; or
(3) Maintains or collects, directly or indirectly, sensitive personal data of U.S. citizens.
With respect to this universe of businesses, CFIUS has jurisdiction to review any “covered investment” by a foreign person even if the foreign person will not obtain “control” of the U.S. business.
T: Critical Technologies—Continuation of the CFIUS Pilot Program
The scope of critical technologies in the proposed regulations is the same as the scope under the current CFIUS pilot program, and covers:
(1) Defense articles or defense services included on the United States Munitions List (USML) set forth in the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120-130);
(2) Items included on the Commerce Control List set forth in Supplement No. 1 to part 774 of the Export Administration Regulations (EAR) (15 CFR parts 730-774), and controlled (1) pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or (2) for reasons relating to regional stability or surreptitious listening;
(3) Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by 10 CFR part 810 (relating to assistance to foreign atomic energy activities);
(4) Nuclear facilities, equipment, and material covered by 10 CFR part 110 (relating to export and import of nuclear equipment and materials);
(5) Select agents and toxins covered by 7 CFR part 331, 9 CFR part 121, or 42 CFR part 73; and
(6) Emerging and foundational technologies controlled pursuant to section 1758 of the Export Control Reform Act of 2018 (50 U.S.C. § 4817).
The proposed critical technologies regulations do not have a mandatory declaration requirement for covered transactions involving a U.S. business with critical technologies in one of the 27 pilot program industries, as in effect under the existing pilot program. Treasury notes in the background discussion of the proposed regulations that it is considering whether to continue the pilot program’s mandatory declaration requirement. For now, the pilot program remains in effect.
I: Critical Infrastructure—Covering Form and Function
The current (and proposed) regulations define critical infrastructure as “a system or asset, whether physical or virtual, so vital to the United States that the incapacity or destruction of the particular system or asset of the entity over which control is acquired pursuant to that covered transaction would have a debilitating impact on national security.” 31 C.F.R. § 800.208.
FIRRMA requires that the regulations implementing the critical infrastructure provisions limit the application of covered investment jurisdiction to a subset of “critical infrastructure.” To that end, Appendix A of the proposed regulations provides a detailed listing of critical infrastructure based on the specific type of asset or system (Column 1) and specific functionality applicable to each type of critical infrastructure (Column 2). Here is the first entry in Appendix A as an example:
|
Column 1 – Covered investment critical infrastructure
|
Column 2 – Functions related to covered investment critical infrastructure
|
|
(i) Any:
(a) internet protocol network that has access to every other internet protocol network solely via settlement-free peering; or
(b) telecommunications service or information service, each as defined in section 3(a)(2) of the Communications Act of 1934 (47 U.S.C. 153), as amended, or fiber optic cable that directly serves any military installation identified in § 802.229.
|
(i) Own or operate any:
(a) internet protocol network that has access to every other internet protocol network solely via settlement-free peering; or
(b) telecommunications service or information service, each as defined in section 3(a)(2) of the Communications Act of 1934 (47 U.S.C. 153), as amended, or fiber optic cable that directly serves any military installation identified in § 802.229.
|
The detailed technical and functional description of each of the 28 critical infrastructure categories and functionality should serve to provide clarity as to the scope of critical infrastructure defining a TID U.S. business. The subset of critical infrastructure identified in Appendix A is not intended to alter the definition of “critical infrastructure” as used in any other regulatory regime or context. As a result, even if an investment is made in a U.S. business that does not have the functionality covered by Appendix A, the transaction may still be subject to CFIUS jurisdiction if the transaction gives a foreign person control of a U.S. business.
D: Sensitive Personal Data—Not Just Name, Address, and Phone Number
CFIUS practitioners and U.S. businesses that collect personal information that have been before CFIUS are well aware of the growing interest in protecting the personal information of U.S. persons. CFIUS’s actions earlier this year ordering divestments of transactions that gave foreign companies potential access to personal information of U.S. persons are clear examples of this concern.
The proposed regulations define specific categories of data that constitute “sensitive personal data” within the scope of a TID U.S. business. This definition applies if the U.S. business:
(1) Targets or tailors its products or services to sensitive U.S. government personnel or contractors,
(2) Maintains or collects such data on greater than one million individuals, or
(3) Has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services, with respect to any of the following 10 categories of data:
(1) Data that could be used to analyze or determine an individual’s financial distress or hardship;
(2) Certain data in a consumer report, subject to exceptions and carve outs;
(3) The set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance;
(4) Data relating to the physical, mental, or psychological health condition of an individual;
(5) Non-public electronic communications, including, without limitation, email, messaging, or chat communications, between or among users of a U.S. business’s products or services if a primary purpose of such product or service is to facilitate third-party user communications;
(6) Geolocation data collected using positioning systems, cell phone towers, or WiFi access points such as via a mobile application, vehicle GPS, other onboard mapping tool, or wearable electronic device;
(7) Biometric enrollment data, including, without limitation, facial, voice, retina/iris, and palm/fingerprint templates;
(8) Data stored and processed for generating a state or federal government identification card;
(9) Data concerning U.S. government personnel security clearance status; or
(10) The set of data in an application for a U.S. government personnel security clearance or an application for employment in a position of public trust.
The definition of sensitive personal data also includes genetic information, as defined in 45 C.F.R. § 160.103. Unlike the categories of data above, genetic information need not be identifiable to a specific individual or meet the tests above to be captured as sensitive personal data. Any U.S. business that maintains or collects genetic information, directly or indirectly, would be a TID U.S. business.
The proposed definition of sensitive personal data expressly excludes data (i) maintained or collected by a U.S. business concerning the employees of that U.S. business, unless the data pertains to employees of U.S. government contractors who hold U.S. government personnel security clearances, or (ii) that is a matter of public record, such as court records or other government records that are generally available to the public.
The proposed regulations also state that aggregated data or anonymized data is “identifiable data” if any party to the transaction has, or as a result of the transaction will have, the ability to disaggregate or de-anonymize the data, or if the data is otherwise capable of being used to distinguish or trace an individual’s identity. However, identifiable data does not include encrypted data (as defined in the proposed regulations), unless the U.S. business that maintains or collects the encrypted data has the means to de-encrypt the data so as to distinguish or trace an individual’s identity.
What Is a Covered Transaction?
CFIUS will continue to have jurisdiction over transactions that could result in foreign control of any U.S. business (called “covered control transactions”). The proposed regulations also afford CFIUS jurisdiction over “covered investments,” defined as an investment in a TID U.S. business that:
(a) Is not a covered control transaction; and
(b) Affords the foreign person:
(1) Access to any material nonpublic technical information in the possession of the TID U.S. business;
(2) Membership or observer rights on the board of directors or equivalent governing body of the TID U.S. business or the right to nominate an individual to a position on the board of directors or equivalent governing body of the TID U.S. business; or
(3) Any involvement, other than through voting of shares, in substantive decisionmaking of the TID U.S. business regarding:
(i) The use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens maintained or collected by the TID U.S. business;
(ii) The use, development, acquisition, or release of critical technologies; or
(iii) The management, operation, manufacture, or supply of covered investment critical infrastructure.
Those familiar with the CFIUS pilot program will recognize these as the same elements for pilot program covered investments.
Under the proposed regulations, covered transactions will also encompass “a change in the rights that a foreign person has with respect to a U.S. business in which the foreign person has an investment, if that change could result in a covered control transaction or a covered investment.”
Opportunity for Public Comment
The proposed rules are not yet in effect; rather, they are open for public comment through October 17, 2019. Senior Treasury officials hosted a public teleconference briefing on Part 802 on September 27, 2019, to provide an overview of the proposed real estate rules and answer questions. This alert takes into account the information provided in the Treasury briefing. After the “notice and comment” period, Treasury will develop and publish final rules expected to take effect by February 2020.
****
MoFo will publish additional articles providing deeper dives and practical guidance for clients on other key subjects in the proposed regulations. We will also continue to provide updates as these proposed CFIUS regulations are finalized, and as accompanying regulations are released, including the Department of Commerce’s regulations implementing the Export Control Reform Act of 2018.
Table 1: Key Definitions in the Proposed Regulations
|
Contingent Equity Interest
|
The proposed regulations adopt the pilot program definition of “investment” to cover the acquisition of equity interest, including “contingent equity interest,” which is in turn defined as “a financial instrument that currently does not constitute an equity interest but is convertible into, or provides the right to acquire, an equity interest upon the occurrence of a contingency or defined event.” Fortunately, the proposed regulations include a “timing rule” for contingent equity investments (similar to the timing rule for convertible debt in the existing regulations) that provides factors for determining whether the acquisition of a contingent equity interest is itself a covered transaction, in view of rights that a holder of contingent equity interest will acquire upon conversion, including:
(1) The imminence of conversion or satisfaction of contingent conditions;
(2) Whether conversion or satisfaction of contingent conditions depends on factors within the control of the acquiring party; and
(3) Whether the amount of interest and the rights that would be acquired upon conversion or satisfaction of contingent conditions can be reasonably determined at the time of acquisition.
|
|
Involvement
|
In an effort to provide clarity on when a foreign investor is afforded “any involvement” in substantive decisionmaking of a TID U.S. business, the proposed regulations define involvement to mean the right or ability to participate, including by doing any of the following:
(1) Providing input into a final decision;
(2) Consulting with or providing advice to a decisionmaker;
(3) Exercising special approval or veto rights;
(4) Participating on a committee with decisionmaking authority; or
(5) Advising on the appointment officers or selecting employees who are engaged in substantive decisionmaking.
In other words, CFIUS will likely view any activity of a foreign person related to a TID U.S. business’s decisions (other than through voting interests held) with respect to sensitive personal information, critical technologies, or critical infrastructure as “involvement.”
|
|
Material Nonpublic Technical Information (MNTI)
|
Expanding on the definition in the pilot program, MNTI is defined to cover information that:
(1) Provides knowledge, know-how, or understanding not available in the public domain, of the design, location, or operation of critical infrastructure, including without limitation vulnerability information such as that related to physical security or cybersecurity; or
(2) Is not available in the public domain and is necessary to design, fabricate, develop, test, produce, or manufacture a critical technology, including without limitation processes, techniques, or methods.
The MNTI definition expressly excludes financial information regarding the performance of an entity.
|
|
Substantial Interest
|
As noted above, the “substantial interest” threshold is used in the proposed regulations to denote an interest held by a foreign government in a TID U.S. business that would trigger a mandatory declaration requirement. CFIUS will find a foreign government has a substantial interest in a transaction if (i) for entities with voting securities the foreign investor acquires a 25% or greater interest in a U.S. business and a foreign government has, directly or indirectly, a 49% or greater interest in the foreign investor; or (ii) for limited partnerships it holds 49% or greater voting interest in the general partner or is a limited partner with a and holds 49% or greater interest. This mandatory filing requirement is not applicable to an “exempted foreign state investor” (to be discussed in a subsequent alert).
|
|
Substantive Decisionmaking
|
The proposed regulations further define “substantive decisionmaking” as the process through which decisions regarding significant matters affecting an entity are undertaken, including:
(1) Pricing, sales, and specific contracts, including without limitation the license, sale, or transfer of sensitive personal data to any third party, including without limitation pursuant to a customer, vendor, or joint venture agreement;
(2) Supply arrangements;
(3) Corporate strategy and business development;
(4) Research and development, including without limitation location and budget allocation;
(5) Manufacturing locations;
(6) Access to critical technologies, covered investment critical infrastructure, material nonpublic technical information, or sensitive personal data, including pursuant to a customer, vendor, or joint venture agreement;
(7) Physical and cyber security protocols, including the storage and protection of critical technologies, covered investment critical infrastructure, or sensitive personal data;
(8) Practices, policies, and procedures governing the collection, use, or storage of sensitive personal data, including the establishment or maintenance of, or changes to, the architecture of information technology systems and networks used in collecting or maintaining sensitive personal data or privacy policies and agreements for individuals from whom sensitive personal data is collected setting forth parameters regarding whether and how sensitive personal data may be collected, maintained, accessed, or disseminated; or
(9) Strategic partnerships.
The scope of the definition allows CFIUS to examine commercial relationships between parties in its evaluation of whether the foreign investor has involvement in substantive decisonmaking of a TID U.S. business.
|
