U.S. companies in tech, infrastructure and data seeking foreign investment will require approval from the Committee on Foreign Investment in the United States (CFIUS) before closing certain transactions. Last year, President Trump signed into law the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which outlined the expansion of CFIUS jurisdiction to review certain foreign acquisitions and investments in U.S. businesses on grounds of national security. FIRRMA left the specifics to regulations to be passed by the U.S. Department of Treasury (Treasury).

On September 17, 2019, Treasury issued proposed regulations (the Proposed Rules) to implement FIRRMA. The Proposed Rules are subject to public comment before they become final. A summary of the Proposed Rules and key takeaways is set forth below.

What U.S. Companies and Foreign Investors Need to Know

Key Takeaways:

• CFIUS will have authority to review certain non-controlling foreign investments in “TID U.S. Business” (short for tech, infrastructure, and data), defined to include companies that:
  • are involved in “critical technologies,” as originally set forth in the Pilot Program, (see our previous alert) which remains in place for now without change;
  • are involved in “critical infrastructure” (including energy, telecommunications, finance, manufacturing, and transportation); or
  • collect “sensitive personal data” of U.S. citizens (including certain identifiable data and genetic data).
• Jurisdiction over transactions in which a foreign party obtains “control” over a U.S. business with national security implications remains mostly unchanged.
• CFIUS will have authority to review the purchase or lease of certain U.S. real estate by a foreign person.
• CFIUS filings will be mandatory for (i) a foreign person’s acquisition of a substantial interest in a TID U.S. Business where a foreign government holds a substantial interest in the foreign person, and (ii) critical technology investments under the Pilot Program.
• Filers will have the option to file a “short-form” declaration rather than a full blown filing for all transactions. CFIUS will review such declarations within 30 days of receipt.
• Comments concerning the Proposed Rules may be submitted until October 17, 2019. This is the only opportunity for interested parties to influence and shape the final regulations that will set out CFIUS’s expanded jurisdiction. The final regulations will go into effect no later than February 13, 2020. We recommend that all parties who will be affected by FIRRMA review the Proposed Rules and submit comments where appropriate.

Which Foreign Investments Are Covered?

CFIUS will continue to have jurisdiction over transactions that result in foreign “control” of a U.S. business that raise national security concerns. This “control” level authority remains unchanged from the jurisdiction that CFIUS has had historically.

Under the Proposed Rules, CFIUS will also have jurisdiction to review “covered investments” in any unaffiliated “TID U.S. Business” (short for Technology, Infrastructure, and Data). A transaction would fall under CFIUS jurisdiction if it satisfies both the “covered investment” and a “TID U.S. Business” prongs.

First Prong: Covered Investments
“Covered investment” is defined as an investment (regardless of size and control) by a foreign person that affords the foreign person any of the following:

• access to any material nonpublic technical information in the possession of the TID U.S. Business;
• membership or observer rights on the board of directors or equivalent governing body of the TID U.S. Business or the right to nominate an individual to a position on the board of directors or equivalent governing body; or
• any involvement, other than through voting of shares, in substantive decision-making of the TID U.S. Business regarding either (1) the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens maintained or collected by the TID U.S. Business; (2) the use, development, acquisition, or release of critical technologies; or (3) the management, operation, manufacture, or supply of covered investment critical infrastructure.

As such, if a foreign investor only acquires a non-controlling interest in a “TID U.S. Business” but obtains one of the above-listed rights, the investment would be a “covered investment” and may require a CFIUS filing.

Second Prong: TID U.S. Business
“TID U.S. Business” is defined as a U.S. business that:

• produces, designs, tests, manufactures, fabricates, or develops one or more “critical technologies”;
• performs certain functions with respect to covered investment “critical infrastructure”; or
• maintains or collects, directly or indirectly, “sensitive data of U.S. citizens.”

Critical Technology
The Proposed Rules do not modify the definition of “critical technology" that was published in the Pilot Program in October of 2018 and do not modify the Pilot Program in any respect. The Proposed Rules, therefore, continue to grant CFIUS jurisdiction over covered investment in the 27 industries listed in the Pilot Program that involve critical technology as described in our previous alert. Emerging and foundational technologies that will be defined by the Department of Commerce pursuant to the Export Control Reform Act (ECRA) will fall under the definition of “critical technology” as previously contemplated by the Pilot Program. The Department of Commerce has not yet published the definitions of emerging and foundational technologies but is expected to in the coming weeks.

(“Critical Technology” includes: (1) items controlled under the International Traffic in Arms Regulations and included on the United States Munitions List; (2) certain items controlled under the Export Administration Regulations and included on the Commerce Control List; (3) certain nuclear-related materials; (4) select agents and toxins regulated under the Select Agents and Toxins Regulations; and (5) emerging and foundational technologies controlled pursuant to the Export Control Reform Act.)

We do expect the final rule to modify the Pilot Program and to better define the industries that it controls, which are currently designated by reference to the North American Industry Classification System (NAICS) codes.

Critical Infrastructure
In protecting infrastructure, the government is generally concerned about “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security.”

The Proposed Rules, therefore, grant CFUS authority to review covered investments in U.S. businesses that perform specified functions relating to particular types of “critical infrastructure” categories. The functions and critical infrastructure categories that are covered are fairly limited and are specifically listed in the Proposed Rules (they are set forth on the attached Schedule I). The infrastructure categories include assets in the telecommunications, energy, financial services, transportation, water, critical manufacturing, and defense industrial sectors. For most infrastructure categories, the covered functions are limited to owning, operating, or manufacturing such infrastructure, although supplying and servicing functions do attach to certain categories.

As such, if a U.S. business performs the specified service (i.e., owns, operates, manufactures, services, supplies) with respect to one of the identified categories of “critical infrastructure,” the U.S. business qualifies as a “TID U.S. Business” and CFIUS would have jurisdiction over covered investments.

Sensitive Personal Data
One of the most important changes under the Proposed Rules is CFIUS’s new authority to review covered investments that relate to U.S. businesses that maintain or collect sensitive personal data of U.S. citizens that “may be exploited in a manner that threatens to harm national security.”

The Proposed Rules grant CFIUS authority to review covered investment in U.S. business that maintain or collect, directly or indirectly “sensitive personal data,” which is defined fairly narrowly to include only certain categories of “genetic information” and “identifiable data”.

“Genetic information” includes genetic tests, manifestations of diseases or disorders, and requests for, or receipt of, genetic services (or participation in clinical research relating to genetic services), and excludes information about sex or age.

“Identifiable data” includes “data that can be used to distinguish or trace an individual’s identity, including without limitation through the use of any personal identifier.” Identifiable data does not include:

• aggregated data or anonymized data (unless a party has the ability to disaggregate or de-anonymize the data, or if the data is otherwise capable of being used to distinguish or trace an individual’s identity),
• encrypted data (unless the U.S. business “has the means to de-encrypt the data so as to distinguish or trace an individual’s identity”),
• sensitive personal data that relates exclusively to data maintained or collected by a U.S. business concerning its employees (unless the employees work for a U.S. Government contractor and hold personnel security clearances) or that is a matter of public record.

Identifiable data is only deemed to be “sensitive personal data” if it meets both of the following requirements: (1) it falls within one of the ten designated categories of information listed below, and (2) it is maintained or collected by a U.S. business in three specific circumstances listed below:

Category of Information:

• Data that could be used to analyze or determine an individual’s financial distress;
• A set of data in a consumer report, as defined pursuant to 15 U.S.C. § 1681a, subject to exceptions;
• A set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance;
• Data relating to the physical, mental, or psychological health condition of an individual;
• Non-public electronic communications (e.g., email, messaging, chat communications) between or among users of a U.S. business’s products or services;
• Geolocation data collection by positioning systems, cell phone towers, or WiFi access points (including mobile applications, vehicle GPS, other onboard mapping tools, or wearable electronic devices);
• Biometric enrollment data, including without limitation facial, voice, retina/iris, and palm/fingerprint templates;
• Data stored and processed for generating a state or federal government identification card;
• Data concerning U.S. Government personnel security clearance status; or
• Set of data in an application for a U.S. Government personnel security clearance or an application for employment in a position of public trust.

Information is Maintained or Collected in One of the Following Circumstances:

• The U.S. business targets or tailors products or services to any U.S. executive branch agency or military department with intelligence, national security, or homeland security responsibilities (or personnel and contractors thereof);
• The U.S. business has maintained or collected covered data on greater than one million individuals at any point over the preceding twelve (12) months; or
• The U.S. business has demonstrated a business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services.

Transactions Exempt from CFIUS Review

The Proposed Rules provide the following exemptions from CFIUS jurisdiction:

Additional Interest Acquired: If a foreign person or any of its wholly owned subsidiaries previously acquired “control” in a U.S. company and submitted a CFIUS filing that got approved, and such foreign person acquires additional interest, the additional interest acquisition will not require approval.

Lending Transactions: A loan or a similar financing arrangement by a foreign person does not generally constitute a covered transaction. A loan that provides financial or governance rights characteristic of an equity investment, however, may constitute a covered transaction.

Indirect Investments through Investment Funds: Just as in the Pilot Program, if a foreign person invests indirectly in a TID U.S. Businesses through an investment fund that gives the foreign person membership as a limited partner or equivalent on an advisory board or a committee of the fund, that alone will not trigger CFIUS jurisdiction, provided certain conditions are met. For this exception to apply, however, the limited partner may not obtain control rights or any of the rights that trigger a “covered investment.”

Excepted Foreign Countries: The Proposed Rules introduce the concept of an “excepted foreign state” but do not list the countries that fall under this category. Instead, this list will be separately published by the Department of the Treasury and updated periodically. Not all parties located in or organized under the laws of an “excepted foreign state,” however, would be exempt from CFIUS’s jurisdiction. The Proposed Rules exempt a foreign investor only where such investor is:

• A national of one or more excepted foreign states and is not also a national of any foreign state that is not an excepted foreign state;
• A foreign government of an excepted foreign state; or
• A foreign entity that meets certain criteria, including: (1) being organized under the laws of either an excepted foreign state or the United States; (2) having a principal place of business in an excepted foreign state or the United States; (3) having all members of its board of directors (or comparable body) as citizens of either the United States or an excepted foreign state; and (4) having all investors with either an equity interest of five percent or more, a right to five percent of the profits, or a right to five percent or more of the assets of the entity (upon dissolution) meeting the same tests set forth in (1) through (3), above.

Even if all of the above criteria are met, however, a foreign person may not qualify as an “excepted investor” if that person has been subject to any adverse action by CFIUS or a range of other U.S. government agencies in the past five years or if the criteria above cease to met.

CFIUS Filings – Mandatory vs. Voluntary

Mandatory Filings:

• A CFIUS filing will be mandatory for “control” transactions as well as for “covered investments” that involve a “TID U.S. Business” that results in the acquisition of a substantial interest (defined as 25% or greater voting interest) by a foreign person in which a foreign government has a substantial interest (defined as 49% or greater voting interest). For funds and partnerships, a foreign government is deemed to have a “substantial interest” if it holds either 49% of the interest in the general partner or has 49% of the limited partner voting interest.
• CFIUS filings also continue to be mandatory for critical technology investments under the Pilot Program.
• Changes in a foreign party’s existing rights can also be subject to CFIUS jurisdiction and may trigger the mandatory filings above.
• Parties that are subject to the mandatory filing requirement can choose whether to submit a declaration (the shorter filing) or a full notice.
• Mandatory filings under the Pilot Program must be submitted 45 days before the completion date of the transaction. Mandatory filings due as a as a result of foreign government ownership must be filed 30 days before the completion date of the transaction.
• Failure to submit a mandatory filing may result in a penalty of up to the greater of $250,000 per violation or the value of the transaction.

Voluntary Filings:

• CFIUS filings remain voluntary in all circumstances other than the foreign government investment and Pilot Program investments described above.
• All real estate-related CFIUS filings also remain voluntary (unless they also fall under the foreign government investment or Pilot Program investment categories above).

Filing Type – Long-Form Notice or Short-Form Declaration

The Proposed Rules offer two types of filings for both mandatory and voluntary filings – the full notice filing that has been used historically and a “declaration” filing that is a five page, much abbreviated version of the full notice filing. Parties can choose which type of filing to submit for both, mandatory and voluntary filings.

The advantage of the short form declaration is that it is much easier to complete and CFIUS will provide a response within 30 days of receiving the declaration. The disadvantage is that CFIUS may choose not to take final action pursuant to a declaration filing or can request a full-blown, standard long-form review. A majority of the Pilot Program declarations filed have been pushed into the standard review process, which actually resulted in a longer review process all together. The declaration will be best suited for parties with a long history of CFIUS clearances and transactions that are unlikely to trigger national security issues.

The advantage of a full blown notice is that CFIUS is will provide a definitive response. The downside is the amount of time and information that goes into completing the filing and the waiting period of up to 130 days.

Covered Real Estate Transactions

The Proposed Rules expand CFIUS’s jurisdiction to include certain “covered real estate transactions” involving the purchase or lease by, or a concession to, a foreign person of certain U.S. public or private real estate, even where there is no investment in a U.S. business.

Covered Real Estate. The Proposed Rules define “covered real estate” to include real estate that is located within, or will function as part of, certain airports or maritime ports; or is located within:

• Close proximity (i.e., one mile from the outer boundary) of a designated military installation or another facility or property of the U.S. Government;
• Extended range (i.e., 100 miles outward from the outer boundary or, where applicable, 12 nautical miles of the U.S. coastline) of certain, specified military installations;
• Any county or other geographic area identified in connection with certain, specified military installations;
• Any part of certain, specified military installations located within 12 nautical miles of the coastline of the United States.

Covered Real Estate Transactions. The Proposed Rules define “covered real estate transactions” to include:

• Any purchase or lease by, or concession to, a foreign person of “covered real estate,” that affords the foreign person at least three of the following four rights: (i) physical access to the real property, (ii) right to exclude individuals from accessing the real property, (iii) right to improve or develop the real property, and (iv) right to affix structures or objects to the real property.
• A change in the rights that a foreign person has with respect to “covered real estate” in which the foreign person has an ownership or leasehold interest or concession arrangement if that change could result in the foreign person having at least three of the above qualifying property rights; or
• Any other transaction, transfer, agreement, or arrangement designed or intended to evade or circumvent the application of the CFIUS regulations related to real estate.

Assuming the transaction at issue involves “covered real estate,” any combination of three of the foregoing rights is sufficient under the Proposed Rules to trigger CFIUS jurisdiction, regardless of whether the rights are exercised (or shared among multiple parties).

Covered Real Estate Transactions Filing Requirements. The Proposed Rules do not impose a mandatory filing requirement on covered real estate transactions. As such, CFIUS filings remain voluntary, however, CFIUS also continues to hold the right to unwind a transaction after closing if it has national security implications and was not submitted to CFIUS for review.

Exceptions to CFIUS Jurisdiction

The Proposed Rules incorporate certain exceptions to CFIUS jurisdiction over covered real estate transactions based on the identity of the foreign investor and the minimum excepted ownership, consistent with the rules on financial investments described above. The Proposed Rules also exempt certain types of real estate transactions that involve urban clusters, single housing units, retail, accommodation or food serve establishments, commercial office space and American Indian land. The extension of a mortgage, loan, or similar financing arrangement by a foreign person to another person for the purpose of the purchase, lease, or concession of covered real estate is also generally exempt. Each of these exceptions contains specific requirements and guidelines.

Next Steps

Parties have until October 17, 2019 to submit comments to CFIUS regarding the Proposed Rules. CFIUS will consider these comments and issue final binding regulations on or before February 13, 2020. We recommend that U.S. businesses and foreign investors carefully review the Proposed Rules to determine how they will affect future transactions. The Proposed Rules clear show that the final regulations will vastly expand CFIUS jurisdiction and will create complex new requirements.

Review a Chart of Schedule I – Covered Critical Infrastructure

[View source.]