CFIUS Rules Would Expand Jurisdiction Over Investments Related to Technology, Infrastructure, Personal Data, and Real Estate

On September 17, 2019, the U.S. Department of the Treasury released two proposed rules to implement various aspects of the Foreign Investment Risk Review Modernization Act of 2018. The Part 800 Rule would replace existing Part 800 — the backbone of the Committee on Foreign Investment in the United States (CFIUS) review process — by expanding CFIUS’s jurisdiction to include non-“control” investments in U.S. businesses engaged in certain activities related to critical technologies, critical infrastructure, and the sensitive personal data of U.S. citizens. The Part 802 Rule would establish CFIUS jurisdiction over a foreign person’s purchase, lease, or concession of certain real estate.

Other new features include mandatory reporting obligations for certain transactions involving a substantial interest of a foreign government; a voluntary short-form Declaration in lieu of the traditional Notice, now available for all CFIUS reviews; and a “white list” designed to except a narrow set of investors from the new coverage over non-“control” investments and real estate transactions.  The existing jurisdiction over “control” transactions and the investment fund exemption previewed in the CFIUS Pilot Program (also still in effect) remain in substantially similar form. Treasury will propose a subsequent rule concerning filing fees. 

The proposed rules will have a comment period of 30 days (until October 17, 2019), with final rules to follow by no later than February 13, 2020. Parties seeking to complete transactions under the current regulations must “complete” the transaction or execute a binding written agreement with material terms before the effective date of the new regulations.

I. The Part 800 Rule exercises CFIUS’s new authority to review non-“control” foreign investment in certain U.S. businesses based on technology, infrastructure, and data.

Many of the Part 800 Rule’s new components are triggered by an investment in a “TID U.S. Business” (Technology, Infrastructure, and Data) that affords certain rights to a foreign person. The two-part analysis requires an investor-side assessment of the afforded rights (described in Part II(B) below) and a company-side assessment to determine if the company is or has a “TID U.S. Business.” This means a “U.S. business” that does any of the following:

A. Produces, designs, tests, manufactures, fabricates, or develops one or more “critical technologies.”

• “Critical technologies” were defined in the October 2018 Pilot Program, described here; however, the scope of this important term is poised for expansion through the Commerce Department’s “emerging technologies” rulemaking, with a proposed rule (see here) believed to be imminent.
• Unlike in the Pilot Program, a U.S. business engaged with “critical technologies” will be subject to CFIUS’s expanded jurisdiction — but not necessarily a mandatory filing requirement — irrespective of its activities in any particular Pilot Program industry.
• Unclear is whether the mandatory filing component will be maintained in the final rule, other than for certain foreign government-related investments in a TID U.S. Business (discussed below).

B. Performs identified “functions” with respect to “covered investment critical infrastructure.”

• “Covered investment critical infrastructure” is described in an appendix to include internet protocol networks, satellite systems serving the Department of Defense, trading exchanges, energy transmission facilities, airports, and many other types of U.S. infrastructure.
• The table identifies one or more “functions” corresponding to each type of infrastructure — e.g., a U.S. business that owns, operates, manufactures, supplies, or services the infrastructure — that bring the U.S. business within the Part 800 Rule’s scope.

C. Maintains or collects, directly or indirectly, “sensitive personal data” of U.S. citizens (other than of its employees, unless they hold security clearances).

• “Sensitive personal data” is, with exceptions, “identifiable data” of these types: data pertaining to a person’s financial distress; consumer report data; data from insurance applications; data pertaining to one’s physical, mental, or psychological health; non-public electronic communications; geolocation data; biometric data; and various data associated with certain government-granted statuses.
• The Part 800 Rule ties these data to sensitive populations by limiting its impact only to U.S. businesses that (1) have collected — or plan to collect — these types of data on more than one million individuals; or (2) target or tailor products or services to U.S. executive branch agency or certain military department personnel and contractors.
• A special distinction belongs to U.S. companies that collect “genetic information,” which, regardless of population size or sensitivity, will always constitute “sensitive personal data.”

Note that an acquisition of or investment in a non-U.S. company could trigger the “TID U.S. Business” definition to the extent, e.g., the non-U.S. company has a branch office or subsidiary in the United States. This avenue of jurisdiction has been frequently overlooked in otherwise foreign-to-foreign transactions.

II. The Part 800 Rule maintains CFIUS’s jurisdiction over “control” transactions and expands its jurisdiction over certain non-“control” investments beyond the “critical technologies” Pilot Program.

The Part 800 Rule preserves CFIUS’s jurisdiction over any “covered transaction,” now defined as:

A. “Covered control transactions,” which are transactions, including joint ventures, that confer “control” over a U.S. business on a foreign person, including through even a low-level voting interest, board representation, or other rights, such as the right to terminate significant contracts or the right to veto the dismissal of senior executives (this is the traditional concept of CFIUS jurisdiction and it applies to all U.S. businesses, including but not limited to a TID U.S. Business); or

B. “Covered investments,” which are direct or indirect investments by a foreign person (other than an “excepted investor,” more on this below) in an “unaffiliated” TID U.S. Business that confer:

• access to “material nonpublic technical information” (a term defined distinctly for each of technology and infrastructure);
• membership or observer rights on the board of directors;
• or any “involvement,” other than voting shares, in decisions relating to “sensitive personal data,” “critical technologies,” or “covered investment critical infrastructure” — with “involvement” defined so broadly as to include even the “ability” of a foreign person to provide input on a final decision; or

C. Any change in a foreign person’s rights that could result in either of the above, or any transaction deigned to evade or circumvent these rules.

The Part 800 Rule preserves the Pilot Program’s exclusion for certain fund investments by foreign limited partners, as generally described here.

The rule does not create any new mandatory CFIUS filing requirement, except where the foreign person would acquire 25 percent or more voting interest in a TID U.S. Business, and a foreign government would hold a 49 percent or greater voting interest in that foreign person, subject to complex provisions regarding how these interests are to be calculated. A Declaration must be filed at least 30 days prior to the completion of a transaction meeting the foreign government-substantial interest criteria.  Note also that the “Critical Technologies” Pilot Program, including its mandatory filing requirement, remains in full effect, subject to possible modification in a forthcoming final rule.

III. CFIUS’s jurisdiction over certain real estate transactions has been expanded.

The Part 802 Rule concerns CFIUS’s expanded jurisdiction over certain real estate transactions. Key to this rule is “covered real estate,” which includes real estate that:

A. Is, is located within, or will function as part of an airport or maritime port; or

B. Is located within:

• “Close proximity” (one mile) of any of more than 100 identified military installations;
• The “extended range” (within 99 miles of the one-mile “close proximity” boundary) of any of 32 identified military installations;
• Any county or other geographic area identified in connection with certain Air Force bases located in Colorado, Montana, Nebraska, North Dakota, and Wyoming; or
• Any part of 23 identified military installations and located within 12 nautical miles of the U.S. coast.

A “covered real estate transaction” is any purchase or lease by, or concession to, a foreign person of “covered real estate,” or a change in rights, that affords the foreign person at least three of the following: right to physical access, right to exclude physical access, right to improve or develop the property, or right to attach fixed/immovable structures or objects.  Excepted from this scope is real estate within an urbanized area or urban cluster, single housing units, certain retail/other concessions, certain commercial office buildings, and certain tribal properties.

“Covered real estate transactions,” assuming they are not “excepted” through the white-list mechanism discussed below, would be subject to CFIUS jurisdiction; however, unless the transaction is also subject to the Pilot Program or would trigger the foreign government-substantial interest provision, they would not be subject to a mandatory CFIUS filing requirement. Note also that an investment in real estate could be a “covered control transaction” (see Part II.A above) and subject to review by CFIUS even if it is not a “covered real estate transaction.”

IV. The rules create the structure for a “white list” that could exempt certain investors from certain forms of CFIUS jurisdiction.

The Part 800 and 802 Rules propose a “white list” of friendly countries that would exempt certain investors from CFIUS jurisdiction over “covered investments” and “covered real estate transactions” (but would not exempt them from “covered control transactions”). If a foreign investor bears the requisite “substantial connection” to an “excepted foreign state” and satisfies other requirements in the Rules, it can qualify for this “excepted” status — subject to a three-year requirement that it continue to satisfy certain such requirements, barring which CFIUS jurisdiction would be restored to retroactively review the prior investment. 

Given the diplomatic and other sensitivities of identifying such countries and excluding others, we expect the initial country list to be narrow although subject to revision over time.

V. The Declaration is an alternative to a full Notice for all CFIUS reviews.

The Declaration is made available to all CFIUS “covered transactions” and “covered real estate transactions” as a short-form alternative to the longer Notice process. The advantages of the Declaration option include that it requires less (and less intrusive) information and holds the prospect that the transaction may be cleared within 30 days.

The primary disadvantages concern reports that CFIUS has been clearing only roughly 10 to 15 percent of Declarations, with the balance of transactions subjected either to the longer Notice process or to the uncertainty of the so-called “shoulder shrug” letter — i.e., CFIUS not requiring a Notice from the parties but also preserving its jurisdiction by not clearing the transaction.  Unless the CFIUS clearance rate for Declarations materially improves, many transaction parties may continue to elect the Notice option. 

One significant improvement for timing predictability in the Notice process: if the parties stipulate that their transaction is a “covered transaction,” CFIUS is required to provide comments on the Notice or to accept it for review within 10 business days of submission.

***

Goodwin has a cross-disciplinary team of attorneys available to answer your questions about the proposed CFIUS regulations, including lawyers in our Global Trade, Privacy & Cybersecurity, Technology, Life Sciences and Real Estate practices. If you would like additional information about the issues addressed in this client alert, please contact the authors of this alert or the Goodwin attorney with whom you typically consult.