John P. Carlin, Nicholas J. Spiliotes, Robert S. Litt, Panagiotis C. Bayz, Charles L. Capito III, David A. Newman, and Jennifer S. Talbert
Global Risk + Crisis Management, National Security, CFIUS, Sanctions + Export Controls, and Privacy + Data Security
The Committee on Foreign Investment in the United States (“CFIUS” or “the Committee”) now has significant new authority to review the national security implications of foreign investments in U.S. companies that are in possession of sensitive personal data of U.S. citizens or involved in “critical” technologies. In addition, a new export-controls rulemaking process will impose restrictions on foreign technology transfers of U.S. businesses involved in “emerging and foundational technologies.”
These changes came about last month, when President Trump signed into law the Foreign Investment Review Risk Modernization Act of 2018 (“FIRRMA”) as part of the John S. McCain National Defense Authorization Act for 2019 (“2019 NDAA”). Among other things, FIRRMA for the first time expressly codifies CFIUS’s statutory authority to review and take action to address the national security risks posed by a foreign acquirer’s access to sensitive personal data.
FIRRMA is the most important reform to the CFIUS process since 2007 and is expected to have an immediate impact on foreign investors and the U.S. companies they invest in, with enhanced scrutiny of investments in and acquisitions of U.S. technology startup companies.
The key takeaways are:
Many of the new legislation’s provisions became effective on enactment, and several of them codify current (and, in some cases, longstanding) CFIUS practices. However, many of FIRRMA’s new provisions, including key definitional terms, will not become effective until CFIUS issues implementing regulations, or no later than 18 months after enactment of the law. In the interim, FIRRMA gives CFIUS tremendous leeway to interpret and apply policies reflecting FIRRMA’s core principles in evaluating the national security threat and vulnerabilities presented by a particular transaction.
Expanded Jurisdictional Scope
Prior to FIRRMA’s enactment, CFIUS had authority to review transactions in which an entity “controlled” (defined very broadly) by a foreign entity acquired a direct or indirect interest in a U.S. business. FIRRMA significantly expands the scope of CFIUS’s jurisdiction and its ability to reach a broader set of “covered transactions.” Interestingly, the final version of FIRRMA did not contain many of the provisions that were initially introduced, the most critical of which would have given CFIUS jurisdiction over outbound licensing agreements and joint ventures. Rather, additional controls will be implemented through the broad expansion of CFIUS’s ability to review foreign investments and a major overhaul of export controls, as discussed below.
Specifically, FIRRMA provides CFIUS authority to review a broad category of non-controlling “investments” by a foreign person in an entity that: (i) owns, operates, manufactures, supplies, or services critical infrastructure; (ii) produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies; or (iii) maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security.
“Other Investments” Involving Critical Technologies, Infrastructures, and Sensitive Personal Data
FIRRMA provides CFIUS jurisdiction to review a broad category of non-controlling “other investments” that grant the foreign investor: (i) access to any “material nonpublic technical information” of a U.S. business; (ii) membership or observer rights on the board of directors (or equivalent) of a U.S. business, or the right to nominate a person to such a board; or (iii) any involvement, other than through voting of shares, in substantive decision-making of a U.S. business regarding sensitive personal data, critical technologies, or critical infrastructure. While the term “other investments” is defined by legislation, it is subject to further refinements through CFIUS regulations.
Generally speaking, FIRRMA permits CFIUS to review such “other investments” in three instances: when the investment involves (a) critical infrastructure, (b) critical technologies, or (c) sensitive personal data of U.S. citizens.
Passive Limited Partners
Prior to FIRRMA’s passage, acquisitions of less than 10% for purposes of passive investments generally fell outside the scope of CFIUS’s jurisdiction (though, in practice, CFIUS construed the term “passive investments” narrowly). Now, a passive minority investment may be included within the scope of CFIUS’s jurisdiction in a formal sense: any investment involving critical infrastructure, critical technologies, or sensitive personal data, passive or otherwise, may fall within the scope of CFIUS’s jurisdiction, as long as it includes the “other investment” factors enumerated above (namely, access to material nonpublic technical information, membership or observer rights on the board of directors, or involvement in substantive decision-making of a U.S. business).
Enhanced Export Control Regime on Emerging Technologies
Designation of “Emerging and Foundational Technologies”
The 2019 NDAA also resulted in the passage of the ECRA, which, as mentioned, requires the President and the Secretaries of Commerce, Defense, Energy, State, and the heads of other relevant agencies to engage in an interagency process to identify “emerging and foundational technologies” that “are essential to the national security of the United States.” While such technologies are not specifically identified by the legislation, it is widely expected that they will include those related to artificial intelligence, autonomous vehicles, navigation, robotics, and 3D printing, many of which currently are not subject to any specific export licensing requirements. In designating such technologies, participating agencies are required to take into account a range of information, including:
Additionally, the designation of any “emerging and foundational technology” must be subject to a notice and comment period, meaning that the government must provide public notice of a pending designation and industries and the public must be given an opportunity to provide comments.
Licensing and Export Controls for “Emerging and Foundational Technologies”
The Secretary of Commerce, as head of the agency primarily charged with enforcement of the Export Administration Regulations (“EAR”), will determine the levels of control and export licensing requirements for such designated emerging and foundational technologies. At a minimum, a license will be required to export these technologies to countries subject to an arms embargo (such as China), though other country-specific licensing requirements could also be imposed.
In considering license requests, the ECRA directs the Department of Commerce to take into account intelligence “regarding any threat to the national security of the United States posed by the proposed export, reexport, or transfer” of the technology. In processing export license applications that involve “a joint venture, joint development agreement, or similar collaborative arrangement,” the Department of Commerce may require the applicant to identify foreign persons participating in the arrangement, as well as “any foreign person with significant ownership interest in a foreign person participating in the arrangement.”
The ECRA bars the Department of Commerce from imposing export controls on certain items that are already exempt from sanctions controls, such as donations of humanitarian aid and certain types of information materials. In addition, the ECRA also clarifies that the Department of Commerce is not required to impose licensing requirements for certain types of transactions, including:
By relying on the Department of Commerce’s export control regulations rather than CFIUS to protect U.S. national security interests with respect to U.S. technology exports, FIRRMA builds upon both the existing regulatory regime of the EAR and the expertise of the Department of Commerce (in consultation with other relevant agencies) to evaluate licensing considerations.
Real Estate Transactions
In addition to CFIUS’s expanded scope of review discussed above, FIRRMA expands the scope of “covered transactions” to include foreign purchases or leases of U.S. real estate that either (1) is located within or will function as part of an air or maritime port, or (2) is in close proximity (as defined in regulations to be issued by CFIUS) to a sensitive U.S. military installation or another U.S. government facility or property, if the property “could reasonably provide the foreign person the ability to collect intelligence on activities being conducted at such an installation, facility, or property” or “could otherwise expose national security activities at such an installation, facility, or property to the risk of foreign surveillance.”
This provision serves to codify a common practice of the Committee, but it could cause increased scrutiny of foreign investments in real estate that are in proximity to locations where sensitive U.S. data (both personal and government) is stored. FIRRMA does provide an express exemption for the lease or purchase of (i) a single “housing unit” or (ii) real estate in “urbanized areas” (as such terms are defined by the Census Bureau), except as otherwise prescribed by CFIUS in its implementing regulations.
Review Periods Extended
FIRRMA extends the period of time that CFIUS may take to review a proposed transaction before a refiling is required. Prior to FIRRMA’s passage, CFIUS was given 30 days for an initial review of a proposed transaction and was given the option to take an additional 45 days to conduct an additional investigation. If CFIUS did not complete its review of the proposed transaction within this 75-day time period, the filing entity was forced to withdraw and refile its application.
FIRRMA extends the initial review period to 45 days and maintains the optional 45-day investigation period. Additionally, the legislation allows CFIUS to extend an investigation by 15 days in the event of exceptional circumstances. As a result, FIRRMA extends the potential review period by 30 days, and CFIUS may now take up to 105 days to review a proposed transaction before the filing entity is forced to withdraw and refile.
Many of the operational provisions of FIRRMA will not become effective until the earlier of 18 months after enactment or 30 days after CFIUS publishes implementing regulations in the Federal Register. Additionally, the specifics and mechanics of many reforms were delegated by Congress to CFIUS, which will implement the reforms through regulations.
Declarations (Filings “Light”)
Notwithstanding the expanded scope of CFIUS’s review, FIRRMA grants some regulatory relief in the form of a streamlined, “light” filing, known as a “declaration.” A party planning to conduct a transaction potentially within CFIUS’s scope may opt to submit such a declaration, expected to be no more than five pages in length, that would allow CFIUS to determine whether a formal filing with the Committee is required or whether the party may proceed with the transaction without such a filing. In effect, declarations allow for the possibility of obtaining CFIUS approval without going through the burdensome full notification process.
FIRRMA mandates declarations (or, at the party’s election, submission of a full written notice) in some instances. While FIRRMA requires CFIUS to prescribe regulations specifying what transactions will require a declaration, the legislation requires declarations to be filed at a minimum in the event of the acquisition of a substantial interest in a U.S. business that relates to critical infrastructure, critical technology, or personal data of U.S. citizens when the acquiring entity is a foreign person in which a foreign government has a direct or indirect substantial interest.
Notwithstanding this, the legislation specifies that a declaratory filing is not required under either of the following circumstances:
Deadline on Acceptance of Filings
In the event a transacting party submits a stipulation that the transaction is a covered transaction, CFIUS must provide comments on a draft or formal written notice no later than 10 business days after the date the notice is submitted. This particular provision is significant because it signals Congress’s attempt to streamline filings and provide for a more predictable review process.
FIRRMA permits CFIUS to assess and collect a filing fee, in an amount determined in its discretion. The fee may not exceed the lesser of (a) 1% of the transaction value or (b) $300,000, an amount that will be adjusted annually by the Committee by regulation. CFIUS’s assessment of a transaction’s filing fee must take into account (a) the effect of the fee on small business concerns; (b) the Committee’s expenses associated with filings; (c) the effect of the fee on foreign investment; and (d) any other appropriate considerations.
Finally, FIRRMA allows CFIUS to conduct pilot programs implementing any provisions of the new legislation that did not become effective upon enactment. Such a program will provide filing entities with additional resources to test and establish a working process for foreign investments in the United States.