January 17, 2020

The Bitter and the Sweet: Expanded CFIUS Authorities over Foreign Investment in U.S. Businesses

On January 17, 2020, the U.S. Department of the Treasury published long-awaited regulations that substantially implement the balance of new authorities under which the Committee on Foreign Investment in the United States (CFIUS) will review inbound foreign investment for national security concerns, as granted in the August 2018 Foreign Investment Risk Review Modernization Act (FIRRMA). The new Part 800 Rule is complex and bittersweet, markedly expanding CFIUS’s powers and reflecting modest changes in response to public comments on the proposed rule (see our client alert here). The Part 802 Rule, not addressed in this alert, establishes CFIUS jurisdiction over a foreign person’s purchase, lease, or concession of certain real estate.

The Part 800 and 802 Rules take effect on February 13, 2020. Transactions remain subject to the prior regulations if, before the effective date, the transaction has been “completed” or the parties have signed a binding written agreement establishing the material terms of the transaction.

As a reminder, CFIUS has always had jurisdiction to review investments that would result in foreign-person “control” of a U.S. business—irrespective of that business’s technology, what data it accesses, its relationship to U.S. infrastructure, or otherwise.

FIRRMA’s most sweeping impact is the expansion of that CFIUS jurisdiction to certain types of non-“control” foreign-person investments (“covered investments”) in U.S. businesses engaged in certain defined activities. This designation of a “TID U.S. business” includes any U.S. business that:

  • Produces, designs, tests, manufactures, fabricates, or develops a “critical technology”[1];
  • Performs identified “functions” with respect to “covered investment critical infrastructure”[2]; or
  • Maintains or collects, directly or indirectly, “sensitive personal data”[3] of U.S. citizens.

The new Part 800 Rule expands CFIUS’s jurisdiction to include certain non-control, “covered investments” in TID U.S. businesses that implicate investment triggers—that is, investments by which a foreign person would gain:

  • access to “material nonpublic technical information” (a term defined distinctly for each of technology and infrastructure);
  • membership or observer rights on the board of directors of the TID U.S. business or a parent company; or
  • any “involvement,” other than voting shares, in decisions relating to “sensitive personal data,” “critical technologies,” or “covered investment critical infrastructure”—with “involvement” defined so broadly as to include even the “ability” of a foreign person to provide input on a final decision.

The full impact of the Part 800 Rule must await yet further rulemakings that define and refine important concepts, including changes to the roughly 14-month experiment called the “Critical Technologies” Pilot Program (our prior client alert here); the Commerce Department’s definition of “emerging and foundational technologies” (our prior client alert here), which will become “critical technologies” within the TID U.S. business definition; and the Treasury Department’s intention to impose a filing fee for initiating CFIUS reviews.

Below, we discuss important features of the Part 800 Rule, focusing on amendments and clarifications to the text of the rule proposed in September 2019. As will appear, the new rules bring relief and clarity (the sweet), as well as perils and pitfalls (the bitter).

1. CFIUS Filings Are Mandatory in Two Circumstances

As instructed by FIRRMA and addressed further below, the Part 800 Rule institutes a new mandatory filing requirement for certain foreign-government investments in TID U.S. businesses. The Rule also retains but narrows the mandatory filing requirement from the “Critical Technologies” Pilot Program, subject to modifications in forthcoming rulemakings.

The sweet: Several new exemptions will narrow the scope of U.S. businesses that could trigger a mandatory filing requirement, such as exemptions for U.S. businesses whose only “critical technology” relates to standards-based encryption. See Section 5 below. And for the balance of TID U.S. businesses—namely, those collecting “sensitive personal data” or engaged with “covered investment critical infrastructure”—only certain foreign-government investments require notification to CFIUS. See Section 3 below.

The bitter: The mandatory component requires careful, accurate conclusions about the controlled status of U.S. products and technologies, often demanding rare subject-matter expertise. The pending “emerging and foundational technologies” rulemakings will expand the scope of U.S. businesses for which foreign investment triggers a mandatory filing, falling hardest on start-up companies that develop novel technologies and are most needy of capital. Refinement of the civil penalty provisions in the Part 800 Rule suggest preparations to exercise those authorities where parties fail to make a mandatory filing with CFIUS.

2. The Declaration as a Vehicle for Review

The short-form Declaration process will be an alternative to the longer-form, lengthier Notice process for parties seeking review of any transaction that is subject to CFIUS jurisdiction. Since the advent of the Pilot Program that created the Declaration, only transactions within the Pilot Program have had this option.

The sweet: The Declaration holds out the promise that a covered transaction—including one merely proposed on a term sheet—could be cleared by CFIUS in 30 days, moving the review process closer to the business imperatives of parties to most transactions, particularly those engaged in early-stage investments where timing can be critical.

The bitter: CFIUS frequently responds to a Declaration other than by clearing the transaction, including by requesting a Notice, putting the parties on a longer path to conclusion; or by issuing a “no action” letter, leaving the parties to decide whether to close the transaction without filing a Notice and without the formal certainty of clearance. The utility of the Declaration process over time will turn on how frequently the Committee clears transactions upon a Declaration; otherwise, many will elect to skip the Declaration and proceed directly to the longer Notice process.

3. Country-Based Considerations for Foreign Investors and Foreign Governments

The sweet: One highly anticipated feature is the naming of Australia, Canada, and the United Kingdom of Great Britain and Northern Ireland as “excepted foreign states,” with a process to include additional states over time. “Excepted investors” are foreign nationals and governments of, and entities meeting complex requirements evidencing sufficient ties to, these three “excepted foreign states,” and they will not be subject to CFIUS’s expanded jurisdiction (but remain subject to CFIUS jurisdiction for investments resulting in their “control” of a U.S. business under the low-threshold concepts the Committee has traditionally applied). In response to comments, the Part 800 Rule makes it easier in several ways for a foreign entity to qualify for this “excepted investor” status—e.g., by requiring that only 75% of the board members of an entity be nationals of an “excepted foreign state” or the United States, rather than all of them.

The bitter: For other than “excepted foreign states,” the Part 800 Rule implements a new “substantial interest” test, imposing a mandatory, pre-investment filing requirement for any “covered transaction” resulting in the acquisition of 25% or more of a TID U.S. business by a foreign person that is itself owned 49% or more by the national or subnational government of a single foreign state. Any voting interest of a “parent” will be deemed a 100% voting interest in any entity of which it is a parent.

4. U.S. Businesses that Deal with “Sensitive Personal Data”

Of special interest to the life sciences, financial services, and other data-intensive industries, FIRRMA highlighted the national security dimensions of foreign investment in U.S. businesses that engage with “sensitive personal data.” The Part 800 Rule brings further clarity to that concept.

The sweet: Although the 11 distinct types of U.S.-person data meeting that definition are largely unchanged from the September 2019 proposed rule,[4] the Treasury Department scaled back the potentially unworkable concept of “genetic information.” Under the final rule, with exceptions, “sensitive personal data” will instead include “[t]he results of an individual’s genetic tests, including any related genetic sequencing data, whenever such results constitute identifiable data.” Excluded from “identifiable data” are data that cannot be disaggregated, de-anonymized, or decrypted. These provisions narrow the scope of genetic data that would cause a U.S. business to be a TID U.S. business.

The bitter: For all but genetic data (for which there is no volume threshold), the rule is triggered by the gathering—directly, or indirectly through a third party—of data, or by a demonstrated objective to gather data, on greater than “one million individuals.” This volume threshold is not limited to data on U.S. persons; it can be reached through collection of data on non-U.S. persons. And the methods by which this figure can be calculated in the 12 months preceding the investment are several—for instance, a company that collects “sensitive personal data” of various types would aggregate those data, even if it does not collect any specific data type for greater than one million individuals.

An example calls attention to aspirational “pitch materials” as evidence of a company’s “demonstrated business objective” to collect data above the threshold—a possibility that will require careful thought by start-ups preparing such materials to woo investors.

5. U.S. Technology Companies and the Fate of the “Critical Technologies” Pilot Program

The sweet: The Part 800 Rule incorporates elements of the “Critical Technologies” Pilot Program, bringing them within the designation of a TID U.S. business and preserving the pre-investment mandatory filing requirement. But it exempts from that requirement certain investments, including those:

  • by excepted investors;
  • by FOCI-mitigated entities (i.e., that perform classified work under an approved agreement addressing foreign ownership, control, and influence);
  • by investment funds managed exclusively by general partners that are ultimately controlled exclusively by U.S. nationals; and
  • in U.S. businesses where the sole “critical technology” relates to an encryption item (i.e., certain encryption-enabling hardware, software, or technology) eligible for License Exception ENC of the Export Administration Regulations.

The exemption of encryption-related “critical technologies” from the mandatory filing requirement will be welcomed by U.S. technology companies in particular, as this feature of the Pilot Program has caused a nontrivial number of CFIUS filings for investments in U.S. businesses that offer Software-as-a-Service using standards-based encryption functionality to industries targeted by the Pilot Program, but which may not have been notified to CFIUS voluntarily.

A forthcoming rule will propose yet further changes to the mandatory filing requirement, moving away from reliance upon the North American Industry Classification System (NAICS) codes (a controversial metric that has proved difficult to apply in the Pilot Program context) and basing the filing obligation instead on export control licensing requirements. This should lead to greater certainty and agreement among parties to a transaction.

The bitter: Dashing speculation that the Treasury Department would abandon mandatory filing requirements for other than foreign-government investments in companies developing “critical technologies,” the Part 800 Rule preserves this feature. Although Commerce Department rulemakings to define and regulate “emerging and foundational technologies” have not proceeded as quickly as expected, technologies companies should brace for a series of new export controls across a range of cutting-edge technologies, which will also render those companies TID U.S. businesses and subject to CFIUS’s expanded jurisdiction over their acceptance of non-“control” investment.

6. Provisions of Special Interest to Investment Funds

The sweet: The Part 800 Rule leaves intact the provision that a foreign limited partner in an investment fund can participate on an advisory committee without implicating CFIUS jurisdiction, provided that the foreign limited partner’s rights and access to information and decisionmakers are constrained.

To determine whether a mandatory filing requirement applies where a foreign government holds a “substantial interest” in an investment fund that in turn has a “substantial interest” in a TID U.S. business, the Part 800 Rule disregards foreign government ownership as a limited partner in the investment fund and focuses instead on any such ownership in the general partner of the fund.

And the Part 800 Rule helpfully clarifies that an entity’s principal place of business is where its activities and investments are primarily directed and controlled, as by the general partner of an investment fund. Under this construction, many investment funds will not be considered foreign entities—and thus not foreign persons—even when organized outside of the United States, provided they are managed by a U.S.-based general partner and are not otherwise controlled by foreign persons.

The bitter: If, in any most recent filing to any government or subnational government, U.S. or foreign, an entity has asserted information indicating a principal place of business other than the United States, the entity will be made to live with that assertion for purposes of the CFIUS jurisdictional analysis unless it can demonstrate a change of location effectuated since that prior filing. This will require foreign investors to carefully scrutinize prior government filings where such an assertion might have been made.

* * * * * *

The Department of the Treasury’s revision and implementation of the Part 800 Rule marks a new era for CFIUS and the parties it regulates. U.S. businesses courting foreign investment should carefully evaluate the rights they offer to investors, the nature of those investors, and their own status under the new Part 800 and Part 802 Rules—both now, and as new rules emerge from the Commerce Department.

Foreign investors seeking access to U.S. companies (including foreign companies with U.S. operating subsidiaries) must plan carefully for CFIUS as a consideration across a broader, more diverse swath of U.S. companies, while reconciling the rights and access they seek with the possible exposure to CFIUS scrutiny.

And all parties concerned should not allow these targeted expansions of CFIUS authority to distract their attention from CFIUS’s traditional jurisdiction to review any “covered control transaction,” whether or not notified to CFIUS—and whatever the nature of the U.S. business taking foreign investment, or the foreign investor.

[1] This includes defense articles and defense services regulated by the International Traffic in Arms Regulations (ITAR); items on the Commerce Control List of the Export Administration Regulations (EAR) that are controlled for reasons relating to national security, chemical and biological weapons, nuclear proliferation, missile technology, regional stability, or surreptitious listening; certain nuclear facilities, equipment, material, parts, components, and software; select agents and toxins; and “emerging and foundational technologies” that will be defined under separate rulemakings by the Department of Commerce.

[2] This includes certain internet protocol networks; telecommunications or information services; satellite systems serving the Department of Defense; single-source, sole-source, priority-rated, or other special industrial resources; systems and facilities for the generation, transmission, distribution, or storage of electric energy; oil and gas refineries, storage facilities, and pipelines; water systems; financial trading exchanges; airports and maritime ports; and other types of U.S. infrastructure.

[3] This includes data pertaining to a person’s financial distress; consumer report data; data from insurance applications; data pertaining to one’s physical, mental, or psychological health; non-public electronic communications; geolocation data; biometric data; various data associated with certain government-granted statuses; and genetic data.

[4] See n.3 above.