The CFIUS Reform Legislation—FIRRMA—Will Become Law on August 13, 2018

Akin Gump Strauss Hauer & Feld LLP

Key Points

  • CFIUS will continue to have broad jurisdiction to conduct national security reviews of foreign investments that could result in foreign control of a U.S. business. When regulations implementing FIRRMA become effective within the next 18 months, CFIUS will have additional jurisdiction over (a) real estate transactions near sensitive government locations and ports, and (b) noncontrolling investments in U.S. businesses associated with critical technology, critical infrastructure or sensitive personal data. Certain covered transactions involving foreign government investors and, potentially, U.S. critical technology companies will trigger mandatory CFIUS filings.
  • To address concerns regarding the transfer of uncontrolled critical emerging and foundational technologies to foreign persons, FIRRMA requires an interagency process to identify and, after public notice and comment, control such technologies in the export control regulations. (This identification process has already begun.) Unlike the bill as introduced, FIRRMA does not expand CFIUS’s authority to review outbound investments to address this issue.
  • The timelines for CFIUS review of filings will be extended when the law goes into effect. The Treasury Department is, however, required to publish regulations to create a quicker short-form “declaration”—“light filing”—process that could be used in place of full filings.
  • FIRRMA leaves many key details and definitions to the Treasury Department to address through implementing regulations. Those potentially affected by the new CFIUS authorities will likely want to monitor and eventually comment on them, particularly:
    • U.S. businesses that might receive noncontrolling foreign investments and that are involved in critical technology, critical infrastructure or sensitive personal data;
    • funds with foreign limited partners that might have access to such information or the ability to influence what is done with it; and
    • those involved, directly or indirectly, with covered investments by foreign governments and involving U.S. critical technology companies because of the mandatory filing requirements that will be created.

I. Introduction

On Monday, August 13, 2018, the President is expected to sign the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA), which includes the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) that reforms the Committee on Foreign Investment in the United States (CFIUS) process. Most of the changes affecting foreign investment in the United States will not become effective until implementing regulations are passed, which must occur within the next 18 months. The NDAA also contains the Export Control Reform Act of 2018 (ECRA), which, among other things, (a) establishes permanent statutory authority for the export control rules administered by the Department of Commerce and (b) requires the administration to identify and control emerging and foundational technologies essential to national security.

II. CFIUS

CFIUS is an interagency committee that conducts national security reviews of investments that could result in a foreign person’s gaining the ability to control a U.S. business—a “covered transaction.” CFIUS has the authority to initiate reviews of transactions, impose mitigation measures to address national security concerns, and recommend that the President block pending transactions or order divestitures of completed transactions. To mitigate the risk of such actions, parties may file a voluntary notice with CFIUS seeking safe harbor clearance with respect to a notified transaction.

III. Reasons for Amending and Expanding the Authority of CFIUS

Sens. John Cornyn (R-TX) and Dianne Feinstein (D-CA), Rep. Robert Pittenger (R-NC) and many other co-sponsors introduced FIRRMA in November 2017 “to modernize and strengthen the process by which [CFIUS] reviews” foreign investments to address “gaps in the existing CFIUS review process” by which “potential adversaries . . . have been effectively degrading our country’s military technological edge by acquiring, and otherwise investing in, U.S. companies.” In particular, there was a concern that critical emerging and foundational technologies not subject to U.S. export controls were being transferred, intentionally or otherwise, to countries of concern, primarily China, as a result of foreign investments in the United States and foreign ventures abroad with U.S. companies. Those who introduced the legislation and the administration wanted more authority for the U.S. government to review and, if necessary, block or apply mitigation measures to such transactions to address emerging national security concerns.

Over the course of the subsequent eight months, multiple House and Senate committees held hearings to consider how best to address these issues. Members and staff engaged with industry representatives, former officials from previous Democratic and Republican administrations, subject-matter experts and the administration to develop what eventually became bills that passed the committees of jurisdiction and both houses with overwhelming bipartisan support.

Without specifically mentioning China, FIRRMA’s “sense of Congress” introduction echoes and refines the original policy objectives. Specifically, Congress stated that “it should continue to be the policy of the United States to enthusiastically welcome and support foreign investment, consistent with the protection of national security.” However, Congress pointed out that, “at the same time, the national security landscape has shifted in recent years, and so has the nature of investments that pose the greatest potential risk to national security, which warrants an appropriate modernization of the processes and authorities of [CFIUS] and the United States export control system.”

As an apparent effort to address concerns that CFIUS is, or might become, a tool of industrial policy or trade protectionism, FIRRMA states that CFIUS “should continue to review transactions for the purpose of protecting national security and should not consider issues of national interest absent a national security nexus.” Although FIRRMA contains guidance for the types of national security issues that CFIUS should consider when reviewing covered transactions, the definition of what is and is not an unresolvable national security risk is ultimately up to the discretion of CFIUS, its member agencies and the President.

IV. FIRRMA Creates Four New Types of “Covered Transactions”

Once regulations implementing FIRRMA become effective within the next 18 months, CFIUS will have jurisdiction over four additional types of “covered transactions.” That is, CFIUS will have the authority to review, mitigate, or recommend the block or divestiture of four additional categories of foreign investments in the United States:

A. First New Type of “Covered Transaction”—Investments in Real Estate Near Sensitive U.S. Government Locations and Ports

Under current rules, foreign investments in real estate near sensitive U.S. government locations or ports are within CFIUS’s jurisdiction only if they could result in a foreign person’s control over a U.S. business. FIRRMA expands CFIUS’s jurisdiction over the purchase, lease or concession of U.S. real estate to a foreign person that:

  1. is in close proximity to a U.S. military or other sensitive U.S. government location if such property could reasonably allow for the collection of intelligence or otherwise expose national security activities at a U.S. government site; or
  2. is located within, or will function as part of, an air or maritime port.

To address the potential breadth and ambiguity of this provision, FIRRMA requires the implementing regulations to (i) exclude investments in single-housing units or in urbanized areas, and (ii) create a bright-line definition of “close proximity.”

B. Second New Type of “Covered Transaction”—Noncontrolling Investments (Called “Other Investments”)

The final version of FIRRMA essentially combined the different approaches that the Senate and the House bills took toward giving CFIUS new jurisdiction over other noncontrolling investments of concern. The Senate bill focused on the nature of the target company, namely, whether it was a “critical technology company” or a “critical infrastructure company.” The House bill focused on whether investments involving specific countries could result in foreign persons’ gaining access to information about critical technology, critical infrastructure or sensitive personal data.

Once implementing and clarifying regulations become effective, there will be a multipart test nested with several critical definitions that determine whether a noncontrolling investment is a “covered transaction.” Such “other investments” will be subject to CFIUS jurisdiction if they are by a foreign person in an unaffiliated U.S. business that:

  1. owns, operates, manufactures, supplies or services “critical infrastructure;”
  2. produces, designs, tests, manufactures, fabricates or develops “critical technology;” or
  3. maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security.

However, such an investment will be covered only if it affords the foreign person:

  1. access to any “material nonpublic technical information” possessed by the U.S. business;
  2. membership, observer or nomination rights for the board (or equivalent body) of the U.S. business; or
  3. any involvement, other than through voting of shares, in substantive decisionmaking related to sensitive personal data, critical technologies or critical infrastructure.

Although FIRRMA does not use the term “passive investment,” this definition largely preserves the concept that purely passive investments should not be within the scope of CFIUS jurisdiction. This new provision will indeed subject many more investments, particularly smaller ones, to CFIUS jurisdiction. Its impact, however, may not be as broad as many think, given (i) the need for an investment to “afford” such access, membership or involvement to a foreign person for it to be caught; and (ii) that the current definition of “control” is already quite broad and could often be reasonably interpreted to apply to such investments.

Key Definitions Related to “Other Investments”

Other definitions and clarifications through which one will need to work to determine whether an investment is a covered “other investment” are:

1. “Unaffiliated.” Although earlier versions of the bills defined the term to mean companies that did not have the same ultimate owner, FIRRMA left the definition of this term to the implementing regulations. The policy objective behind the limitation is a decision that CFIUS need not have jurisdiction over noncontrolling investments between affiliates, such as parent and subsidiary companies.

2. “Material non-public technical information.” As further defined in regulations, this will mean nonpublic information that provides (i) background to the design, location or operation of critical infrastructure; or (ii) that which is necessary to develop or produce “critical technologies” (discussed below). In addition to controlled technology, this definition, and the associated provision above, capture uncontrolled information (e.g., “EAR99” technology) that could be released to a foreign person through a noncontrolling investment. The provision does not create new export controls on technology but may overlap with the scope of the foundational and emerging technologies to be identified and controlled separately through the export control system. This term does not, however, include financial information regarding the performance of a U.S. business.

3. “Critical Technologies.” A “critical technology” is essentially any technology on an export control list, primarily the U.S. Munitions List (USML) (sensitive military items) or the Commerce Control List (CCL) (commercial, dual-use and less sensitive military items). If it is not listed, then it is not a “critical technology.”

Critical technologies will eventually include now-uncontrolled emerging and foundational technologies essential to national security that are identified through a regular order interagency process and, after a public notice-and-comment process, identified on an export control list. This element of the definition was the result of significant congressional debate pertaining to whether CFIUS should have jurisdiction over outbound investments to give the government the ability to review them, thereby deciding whether they involved technology that government officials subjectively would deem to be “critical,” even if not listed.

Congress ultimately decided on a regular order, list-based approach to enhance certainty about what would and would not be “critical,” both for export control and CFIUS purposes. This approach allows defined critical technologies to be controlled for release to foreign persons regardless of the nature of the underlying transaction. (Our forthcoming alert on the Export Control Reform Act of 2018 will contain more detail on this process and the types of technologies to be identified.)

4. “Critical Infrastructure.” FIRRMA adopts the existing definition, which is any “systems or assets, whether physical or virtual, so vital to the United States that incapacity or destruction . . . would have a debilitating impact on national security.” In response to concerns that the term is too broad, FIRRMA requires that the regulations limit this definition to what is likely important to national security and to give specific types and examples of such infrastructure.

5. “Sensitive Personal Data.” Although FIRRMA did not define the term, it did limit the scope to that which “may be exploited in a manner that threatens national security” and did not refer to the broader concept of “personally identifying information.” Nonetheless, this definition still is not specific enough to allow most companies with large quantities of personal data to discern whether their data would be sensitive or of national security concern. For this and other reasons, FIRRMA requires CFIUS to publish guidance on the types of transactions that would be “other investments.”

6. “Investment Fund Investments.” FIRRMA creates a specific carveout from the “other investment” provision for limited partner (or equivalent) investments in funds that are accompanied with advisory board or similar fund committee rights if:

  1. the fund is managed exclusively by a U.S. person general partner, managing member or equivalent;
  2. neither the board or committee nor the foreign person has the ability to approve, disapprove, or otherwise control investment decisions or decisions regarding the entities in which the fund is invested;
  3. the foreign person does not otherwise have the ability to control the fund, including the right to unilaterally dismiss, retain, select or determine the compensation of the general partner; and
  4. the foreign person does not have access to material nonpublic technical information.

For purposes of this exemption, FIRRMA excludes waivers of potential conflicts of interest and allocation limits from constituting control over a relevant decision of the investment fund. In other words, non-U.S. limited partners can have these rights and still not be subject to the “other investment” provision, assuming that they meet the other conditions of the exemption.

Investment funds may want to review and potentially revise their limited partner agreements in light of these more detailed standards to determine whether a fund investment would be covered.

7. “U.S. Business.” FIRRMA defines the term as a “person engaged in the interstate commerce in the United States.” The current regulatory definition is similar, but it applies “only to the extent of [the business’s] activities in interstate commerce.” We do not know whether CFIUS will carry this existing limitation forward to the new regulations. If it does not, then CFIUS would arguably have jurisdiction to mitigate or block transactions with respect to the non-U.S. activities of companies that are doing business in the United States.

C. Third New Type of “Covered Transaction”—Change in Rights

Any change in a foreign investor’s rights that results in foreign “control” of a U.S. business or an “other investment” (described above) constitutes the third new type of “covered transaction.” With respect to foreign control, CFIUS had already interpreted its jurisdiction to cover such situations, so this is not a significantly new concept.

D. Fourth New Type of “Covered Transaction”—Evasion

Any transaction designed or intended to evade or circumvent CFIUS jurisdiction is the fourth new type of covered transaction. The motivation for this provision was to address an oft-cited view that foreign investors were deliberately structuring investments to fall outside of CFIUS’s jurisdiction (such as by entering into joint ventures) to have the ability to access uncontrolled emerging and foundational technology, including know-how, without any U.S. government review or oversight. Other than to address this general policy concern, there was little discussion about how CFIUS intends to interpret this authority and when, for example, structuring a transaction to merely avoid CFIUS review might be considered a violation.

V. Countries Affected—There Is Neither a White List nor a Black List

Under current CFIUS regulations, the nationality of the foreign person investing in a U.S. business does not affect whether the investment is a covered transaction (i.e., whether it could result in control of a U.S. business). FIRRMA does not change this jurisdictional authority over controlling investments.

The Senate bill would have applied CFIUS jurisdiction over the real estate and other newly covered noncontrolling investments by foreign persons from any country, unless excluded by regulations, a “white list” approach. The House bill would have applied CFIUS jurisdiction over such transactions only if they involved, directly or indirectly, foreign persons from countries of special concern (primarily China and Russia), a “black list” approach. After much debate, Congress left it to the Treasury to draft regulations limiting the applicability of the new real estate and “other investment” provisions to “certain categories of foreign persons.” In promulgating such regulations, FIRRMA requires CFIUS to consider how a foreign person is connected to a foreign country or government, and whether the connection may affect the national security of the United States.

Given the policy motivations for FIRRMA’s introduction, the Treasury is likely to propose regulations stating that investments, directly or indirectly, involving China, Russia and other countries of concern, and nationals thereof, will be within the scope of the new provisions. If the Treasury wants to exclude countries from the scope of the new provisions as leverage to encourage them to adopt foreign investment regimes similar to CFIUS, then the country exclusions would be relatively limited. If, however, the Treasury focuses its concerns on activities involving countries and the types of entities that primarily gave rise to FIRRMA, the list likely will not affect most, if not all, investments involving North Atlantic Treaty Organization (NATO) and non-NATO allies.

CFIUS is authorized to apply its regulations to “certain categories of foreign persons,” not just specific countries. Thus, CFIUS may propose regulations to include or exclude from the new provisions those involved with various sectors of the economy. Industry groups will likely want to follow CFIUS’s proposed regulations closely and comment on them because the outcome will significantly affect the number of newly covered noncontrolling transactions that will become subject to CFIUS jurisdiction.

VI. Alternative Short-Form Voluntary and Mandatory Declarations

Under current regulations, CFIUS filings are voluntary unless CFIUS directs a filing in a particular case. The only type of filing is a full written notice, which is an extensive document filed jointly by the parties to a transaction. FIRRMA, however, requires CFIUS to allow for short-form filings that would not exceed five pages. CFIUS would be required to respond within 30 days that (i) the parties should file a full notice, (ii) CFIUS wants to begin its own review of the transaction or (iii) CFIUS has completed its review of the proposed transaction. The new filing fees would not apply to short-form filings.

The use of such light filings would generally be optional. They would be mandatory, however, for an investment that results in the acquisition of a “substantial interest” in certain U.S. businesses by a foreign person in which a foreign government has a “substantial interest.” (The regulations will need to define “substantial interest.”) The parties to such a transaction may elect to file the full notice as currently required. Alternatively, the parties may seek a waiver from the mandatory filing requirement, which CFIUS may grant if it determines that the investment is not directed by a foreign government and the foreign person has a history of cooperating with CFIUS. One reason motivating this mandatory requirement is that foreign governments, and related entities, may make investments for foreign policy reasons unrelated to economic considerations that warrant U.S. government review.

Additionally, FIRRMA gives CFIUS the discretionary authority to draft regulations to require declarations for “other investments” in U.S. businesses that produce, design, test, manufacture, fabricate or develop critical technologies.

Investors from closely allied countries and those dealing in relatively benign industries may be able to use the short-form declaration—or “light filing”—to get a CFIUS safe harbor response more quickly than under the current notice system. Those involved, or potentially involved, with foreign governments and critical technology companies will want to follow how the final regulations evolve in order to know whether CFIUS filings for investments that were once voluntary or not covered would become mandatory. Failure to comply with the new requirements could result in penalties.

VII. Timing of Reviews

Under the current regime, CFIUS has 30 days to complete its review, and it may initiate a 45-day investigation at the end of the review period. If CFIUS cannot make a determination during this 75-day period, parties often voluntarily withdraw and then refile their notice so that CFIUS has more time to continue its review and address concerns. FIRRMA extends the review period to 45 days and maintains the existing 45-day investigation period. CFIUS may extend the investigation by one 15-day period in extraordinary circumstances. (As discussed below, CFIUS will have the authority to use mitigation agreements and other conditions to address national security concerns when parties choose to abandon a transaction before CFIUS completes its review.) These changes to the timelines apply to filings made after FIRRMA becomes law (i.e., August 13, 2018). Parties contemplating a covered transaction should factor them into their deal clearance timelines.

The submission to CFIUS of a draft notice—a “pre-filing”—is a standard procedure to get an initial response from CFIUS on issues, such as whether more information is required on a topic, before filing a final, full notice. Once implementing regulations become effective, CFIUS will be required to provide comments on, or accept, written notices within 10 days of a prefiling if the parties stipulate that the transaction is covered. This deadline could result in significantly shorter CFIUS reviews since the prefiling stage can drag out for a month or more under the current regime.

VIII. CFIUS’s Authority

To address national security concerns associated with covered transactions, FIRRMA explicitly gives CFIUS the authority to:

  1. suspend a proposed or pending transaction that poses a risk to national security while it is under review by the committee;
  2. refer transactions to the President for action at any time during the review or investigation;
  3. use mitigation agreements, including, when needed, to address situations where the parties have voluntarily abandoned a transaction before CFIUS completes its review;
  4. impose interim mitigation agreements;
  5. require plans for monitoring compliance with mitigation agreements;
  6. review older agreements and conditions to determine whether they are no longer warranted;
  7. unilaterally initiate a review of a previously reviewed transaction if the parties, intentionally or unintentionally, materially breach terms and conditions of CFIUS clearance; and
  8. allow for the use of independent parties to monitor agreements.

FIRRMA does not suggest that such actions were not authorized under previous authorities, only that they are now explicitly authorized for CFIUS to consider.

IX. National Security Factors for CFIUS to Consider

CFIUS is limited to making decisions based on whether there is an unresolved national security risk, as opposed to using its authority, for example, to make decisions for reasons relating to industrial policy or trade protectionism. Indeed, FIRRMA’s “sense of Congress” provision states that CFIUS “should not consider issues of national interest absent a national security nexus.” Although CFIUS and its member agencies are not constrained in defining “national security” as they see fit, Congress nonetheless identified the following types of national security issues that CFIUS should consider when making its determinations:

  1. A covered transaction involving a country of special concern that has a demonstrated or declared strategic goal of acquiring a type of critical technology or critical infrastructure that would affect U.S. leadership in areas related to national security. Although FIRRMA does not identify China in this regard, it is clearly referring to China and the technology acquisition plans described in its “Made in China 2025” plan.
  2. The potential national security-related effects of the cumulative control of, or pattern of recent transactions involving, any one type of critical infrastructure, energy asset, critical material, or critical technology by a foreign government or foreign person. Until FIRRMA, CFIUS has been limited to reviewing the transaction before it. This provision effectively authorizes CFIUS to look beyond the transaction at issue to determine whether the “cumulative” impact of the foreign investments would have an impact on national security. This leaves open the possibility that CFIUS may block or apply mitigation measures to an investment that itself is benign, but, for example, is the latest in a string of foreign investments in the same industry where foreign ownership of the sector would present a national security concern.
  3. Whether any foreign person engaging in a covered transaction with a U.S. business has a history of complying with U.S. laws and regulations.
  4. The control of U.S. industries and commercial activity by foreign persons as it affects the capability and capacity of the United States to meet the requirements of national security, including the availability of human resources, products, technology, materials, and other supplies and services. FIRRMA specifies that CFIUS should construe the phrase “availability of human resources” to include “potential losses of such availability resulting from reductions in the employment of United States persons whose knowledge or skills are critical to national security, including the continued production in the United States of items that are likely to be acquired by the Department of Defense or other Federal departments or agencies for the advancement of the national security of the United States.” Although FIRRMA is not an employment-related law as such, Congress is nonetheless explicitly leaving open the possibility that the loss of key personnel or skills to foreign acquisition can be a national security issue.
  5. The extent to which a covered transaction is likely to expose, either directly or indirectly, personally identifiable information, genetic information, or other sensitive data of United States citizens to access by a foreign government or foreign person that may exploit that information in a manner that threatens national security. This is a slightly broader standard than the “sensitive personal data” standard in the new “other transactions” provisions described above.
  6. Whether a covered transaction is likely to have the effect of exacerbating or creating new cybersecurity vulnerabilities in the United States or is likely to result in a foreign government gaining a significant new capability to engage in malicious cyber-enabled activities against the United States, including such activities designed to affect the outcome of any election for federal office.

Most of these issues are not new to CFIUS and have been factored into many past CFIUS decisions. Nonetheless, this listing may be of use to parties to covered transactions in better knowing the types of issues that CFIUS may consider when reviewing their filing.

X. Fees and Funding

A common comment in the CFIUS reform debate was that CFIUS and its member agencies needed more resources. There were more filings, and more filings that were complex. This caused backlogs and delays, or the perception of delays, which could inhibit benign foreign investment. Furthermore, member agencies needed more resources to research and review nonnotified transactions for potential national security concerns. To address such issues, FIRRMA:

  1. authorizes, with respect to full filings (as opposed to the short-form declarations to be created), CFIUS to impose a filing fee of 1 percent of the transaction or $300,000 (to be adjusted for inflation), whichever is less;
  2. creates a CFIUS fund for agencies and authorizes a $20 million appropriation each year until 2023;
  3. requires a study on a “prioritization fee” that would allow parties to pay for an expedited response from CFIUS to a draft or formal written notice;
  4. requires a report to Congress with an implementation plan and a description of additional staff and resources that CFIUS needs, including whether the President has determined that additional resources are needed;
  5. allows CFIUS to centralize certain CFIUS functions to improve interagency coordination and collaboration;
  6. creates a new Assistant Secretary position to be primarily responsible for CFIUS; and
  7. gives the member agencies special hiring authority for new CFIUS staff.

XI. Pilot Programs

For 570 days after the effective date of FIRRMA, CFIUS has the authority to conduct pilot programs to implement FIRRMA authorities after it has published a Federal Register notice describing the scope and procedures of the program. This scope is significantly narrower than the pilot program authority proposed in earlier versions of FIRRMA.

XII. Information-Sharing

FIRRMA gives CFIUS the authority to share its national security analyses with allied governments to the extent necessary. Such authority is consistent with a general theme in FIRRMA that the administration should work with allies to coordinate efforts and to help them create or improve their foreign investment review authorities to address common concerns.

XIII. Congressional Reporting Obligations Regarding China

Although FIRRMA does not target new controls against China by name, it specifically requires detailed reports on Chinese investment. Such reports, which the Secretary of Commerce must file every two years with Congress and CFIUS, must break down total direct Chinese investment in various size categories, by type of investment, whether they are government or nongovernment investments, and details about their U.S. affiliates. The reports must also describe patterns of investment by volume, type and sector, and the extent to which such investments align with China’s objectives as set out in its “Made in China 2025” plan.

XIV. New Obligations Regarding the Annual Report to Congress

FIRRMA also requires CFIUS to include significantly more information in its annual reports to Congress, such as:

  1. a list of all notices filed and all reviews or investigations of covered transactions;
  2. detailed information about the outcome of the reviews, the parties involved, the nature of the businesses at issue and any withdrawals from the process;
  3. statistics on compliance plans conducted and related CFIUS actions, assessments of how parties complied with mitigation agreements and actions that CFIUS took to address violations of agreements;
  4. trend information on filings, CFIUS’s responses to them, and the business sectors and the countries involved in the declarations;
  5. descriptions of the methods that CFIUS used to identify nonnotified transactions of concern, resources needed to improve this process and the number of nonnotified transactions that were identified for further review;
  6. a list of waivers granted and a description of the new hiring practices authorized;
  7. a description of the technologies that the CFIUS chair (Treasury) recommended to be added to the export control lists of “critical technologies”; and
  8. detailed statistics about the processing of CFIUS filings, with explanations for any delays.

These new reporting requirements, which will not become available for several years, will eventually provide significantly more visibility into the CFIUS process, allowing industry to have a better sense for the types of transactions CFIUS considers of national security concern.

The NDAA also requires the Defense Department to identify in a list the technologies that it believes are “critical technologies” and to recommend that they be controlled. This obligation, plus the obligation on the Treasury to identify technologies that it believes should be “critical technologies,” creates the potential for awkward interagency conflicts and congressional second-guessing if the recommendations do not align with the technologies identified for control through the interagency process required by the Export Control Reform Act.

XV. Judicial Review

FIRRMA authorizes civil actions challenging “an action or finding” under FIRRMA in the U.S. Court of Appeals for the District of Columbia. Such authority was not in FIRRMA as introduced. It is slightly broader than the Senate version of the provision, which would have limited judicial review to actions and findings of CFIUS.

XVI. Bankruptcy

During the congressional hearings, several members and witnesses expressed concern about the possibility that foreign acquisition of sensitive technologies and other assets could occur outside the scope of CFIUS’s jurisdiction. To address this issue, FIRRMA requires CFIUS to create regulations to clarify that the term “covered transaction” includes transactions that occur “pursuant to a bankruptcy proceeding or other form of default on debt.”


1 https://docs.house.gov/meetings/IF/IF17/20180426/108216/HHRG-115-IF17-Wstate-WolfK-20180426.pdf is a link to the prepared remarks of Kevin Wolf before one of the four congressional hearings at which he testified. It describes in more detail many of the background issues and concerns that were debated.

2 “Control” is defined as “the power, direct or indirect, whether or not exercised, through the ownership of a majority or a dominant minority of the total outstanding voting interest in an entity, board representation, proxy voting, a special share, contractual arrangements, formal or informal arrangements to act in concert, or other means, to determine, direct, or decide important matters affecting an entity; in particular, but without limitation, to determine, direct, take, reach, or cause decisions regarding [a list of matters], or any other similarly important matters affecting an entity. . . .” Id. § 800.204(a). (emphasis supplied).

Written by:

Akin Gump Strauss Hauer & Feld LLP