The Committee on Foreign Investment in the United States (“CFIUS” or “the Committee”) now has significant new authority to review the national security implications of foreign investments in U.S. companies that are in possession of sensitive personal data of U.S citizens or involved in “critical” technologies. In addition, a new export-controls rulemaking process will impose restrictions on foreign technology transfers of U.S. businesses involved in “emerging and foundational technologies.” 

These changes came about last month, when President Trump signed into law the Foreign Investment Review Risk Modernization Act of 2018 (“FIRRMA”) as part of the John S. McCain National Defense Authorization Act for 2019 (“2019 NDAA”). Among other things, FIRRMA for the first time expressly codifies CFIUS’s statutory authority to review and take action to address the national security risks posed by a foreign acquirer’s access to sensitive personal data.

FIRRMA is the most important reform to the CFIUS process since 2007 and is expected to have an immediate impact on foreign investors and the U.S. companies they invest in, with enhanced scrutiny of investments in and acquisitions of U.S. technology startup companies.

The key takeaways are:

  1. CFIUS now has jurisdiction over any foreign investment in U.S. businesses involving critical infrastructure, critical technologies, or the collection or possession of sensitive data, which means parties to small and otherwise passive investments in these spaces are no longer exempt from CFIUS jurisdiction and must evaluate whether to notify CFIUS voluntarily;
  2. U.S. businesses in possession of “emerging and foundational technologies” will be subject to new and enhanced licensing requirements to transfer those technologies to foreign persons;
  3. The designation of “emerging and foundational technologies” is subject to a notice and comment period, during which industry and the investment community will have an opportunity to affect the regulatory scope;
  4. Parties to CFIUS-covered transactions may opt to file shorter “declarations” in lieu of a complete notice, which CFIUS will evaluate to determine whether a formal filing is necessary or not. This may expedite the process for less-sensitive transactions;
  5. For the first time, it is mandatory for parties to certain transactions to submit at least a declaration with CFIUS. This applies to investments by foreign persons involving U.S. citizens’ personal data, critical technology, and critical infrastructure where a foreign government has a “substantial interest”; and
  6. FIRRMA permits CFIUS to assess and collect filing fees not to exceed the lesser of 1% of the transaction value or $300,000.

Many of the new legislation’s provisions became effective on enactment, and several of them codify current (and, in some cases, longstanding) CFIUS practices. However, many of FIRRMA’s new provisions, including key definitional terms, will not become effective until CFIUS issues implementing regulations, or no later than 18 months after enactment of the law. In the interim, FIRRMA gives CFIUS tremendous leeway to interpret and apply policies reflecting FIRRMA’s core principles in evaluating the national security threat and vulnerabilities presented by a particular transaction.

Expanded Jurisdictional Scope

Prior to FIRRMA’s enactment, CFIUS had authority to review transactions in which an entity “controlled” (defined very broadly) by a foreign entity acquired a direct or indirect interest in a U.S. business. FIRRMA significantly expands the scope of CFIUS’s jurisdiction and its ability to reach a broader set of “covered transactions.” Interestingly, the final version of FIRMMA did not contain many of the provisions that were initially introduced, the most critical of which would have given CFIUS jurisdiction over outbound licensing agreements and joint ventures. Rather, additional controls will be implemented through the broad expansion of CFIUS’s ability to review foreign investments and a major overhaul of export controls, as discussed below.

Specifically, FIRRMA provides CFIUS authority to review a broad category of non-controlling “investments” by a foreign person in an entity that: (i) owns, operates, manufactures, supplies, or services critical infrastructure; (ii) produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies; or (iii) maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security.

“Other Investments” Involving Critical Technologies, Infrastructures, and Sensitive Personal Data

FIRRMA provides CFIUS jurisdiction to review a broad category of non-controlling “other investments” that grant the foreign investor: (i) access to any “material nonpublic technical information” of a U.S. business; (ii) membership or observer rights on the board of directors (or equivalent) of a U.S. business, or the right to nominate a person to such a board; or (iii) any involvement, other than through voting of shares, in substantive decision-making of a U.S. business regarding sensitive personal data, critical technologies, or critical infrastructure. While the term “other investments” is defined by legislation, it is subject to further refinements through CFIUS regulations.

Generally speaking, FIRRMA permits CFIUS to review such “other investments” in three instances: when the investment involves (a) critical infrastructure, (b) critical technologies, or (c) sensitive personal data of U.S. citizens.

  • FIRRMA defines “critical infrastructure” to include “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security.” Unlike FIRRMA’s definition of critical technology (discussed below), the definition of “critical infrastructure” is subject to regulations prescribed by the Committee.
  • FIRRMA limits the definition of “critical technologies” to specific categories of items, including “emerging and foundational technologies” identified pursuant to the Export Control and Reform Act of 2018 (“ECRA”) (discussed below). This means that CFIUS does not independently determine what constitutes a critical technology for purposes of its review. Instead, such critical technologies are designated through an interagency notice and comment process among the President and Secretaries of Commerce, Defense, State, Energy, and the heads of other federal agencies, as appropriate.

Passive Limited Partners

Prior to FIRRMA’s passage, acquisitions of less than 10% for purposes of passive investments generally fell outside the scope of CFIUS’s jurisdiction (though, in practice, CFIUS construed the term “passive investments” narrowly). Now, a passive minority investment may be included within the scope of CFIUS’s jurisdiction in a formal sense: any investment involving critical infrastructure, critical technologies, or sensitive personal data, passive or otherwise, may fall within the scope of CFIUS’s jurisdiction, as long as it includes the “other investment” factors enumerated above (namely, access to material nonpublic technical information, membership or observer rights on the board of directors, or involvement in substantive decision-making of a U.S. business).

Enhanced Export Control Regime on Emerging Technologies

Designation of “Emerging and Foundational Technologies”

The 2019 NDAA also resulted in the passage of the ECRA, which, as mentioned, requires the President and the Secretaries of Commerce, Defense, Energy, State, and the heads of other relevant agencies to engage in an interagency process to identify “emerging and foundational technologies” that “are essential to the national security of the United States.” While such technologies are not specifically identified by the legislation, it is widely expected that they will include those related to artificial intelligence, autonomous vehicles, navigation, robotics, and 3D printing, many of which currently are not subject to any specific export licensing requirements. In designating such technologies, participating agencies are required to take into account a range of information, including:

  • public sources;
  • classified intelligence;
  • information relating to CFIUS reviews;
  • the development of emerging and foundational technologies abroad; and
  • the impact that export controls could have on the development of these technologies in the United States.

Additionally, the designation of any “emerging and foundational technology” must be subject to a notice and comment period, meaning that the government must provide public notice of a pending designation and industries and the public must be given an opportunity to provide comments.

Licensing and Export Controls for “Emerging and Foundational Technologies”

The Secretary of Commerce, as head of the agency primarily charged with enforcement of the Export Administration Regulations (“EAR”), will determine the levels of control and export licensing requirements for such designated emerging and foundational technologies. At a minimum, a license will be required to export these technologies to countries subject to an arms embargo (such as China), though other country-specific licensing requirements could also be imposed.

In considering license requests, the ECRA directs the Department of Commerce to take into account intelligence “regarding any threat to the national security of the United States posed by the proposed export, reexport, or transfer” of the technology. In processing export license applications that involve “a joint venture, joint development agreement, or similar collaborative arrangement,” the Department of Commerce may require the applicant to identify foreign persons participating in the arrangement, as well as “any foreign person with significant ownership interest in a foreign person participating in the arrangement.”

The ECRA bars the Department of Commerce from imposing export controls on certain items that are already exempt from sanctions controls, such as donations of humanitarian aid and certain types of information materials. In addition, the ECRA also clarifies that the Department of Commerce is not required to impose licensing requirements for certain types of transactions, including:

  • ordinary course commercial activities, such as the export of finished items and the provision of associated technology and related services that are generally made available to customers, distributors, or resellers;
  • the export of equipment and the provision of associated technology if the transfer could not result in a foreign person using the equipment to produce critical technologies;
  • the procurement by a U.S. company of goods or services, including manufacturing services, from a foreign entity, so long as the foreign person has no rights to exploit this technology apart from using it to provide the procured goods or services; and
  • contributions and associated support to industry standard-setting organizations, including licenses and commitments to license intellectual property.

By relying on the Department of Commerce’s export control regulations rather than CFIUS to protect U.S. national security interests with respect to U.S. technology exports, FIRRMA builds upon both the existing regulatory regime of the EAR and the expertise of the Department of Commerce (in consultation with other relevant agencies) to evaluate licensing considerations.

Real Estate Transactions

In addition to CFIUS’s expanded scope of review discussed above, FIRRMA expands the scope of “covered transactions” to include foreign purchases or leases of U.S. real estate that either (1) is located within or will function as part of an air or maritime port, or (2) is in close proximity (as defined in regulations to be issued by CFIUS) to a sensitive U.S. military installation or another U.S. government facility or property, if the property “could reasonably provide the foreign person the ability to collect intelligence on activities being conducted at such an installation, facility, or property” or “could otherwise expose national security activities at such an installation, facility, or property to the risk of foreign surveillance.”

This provision serves to codify a common practice of the Committee, but it could cause increased scrutiny of foreign investments in real estate that are in proximity to locations where sensitive U.S. data (both personal and government) is stored. FIRRMA does provide an express exemption for the lease or purchase of (i) a single “housing unit” or (ii) real estate in “urbanized areas” (as such terms are defined by the Census Bureau), except as otherwise prescribed by CFIUS in its implementing regulations.

Review Periods Extended

FIRRMA extends the period of time that CFIUS may take to review a proposed transaction before a refiling is required. Prior to FIRRMA’s passage, CFIUS was given 30 days for an initial review of a proposed transaction and was given the option to take an additional 45 days to conduct an additional investigation. If CFIUS did not complete its review of the proposed transaction within this 75-day time period, the filing entity was forced to withdraw and refile its application.

FIRRMA extends the initial review period to 45 days and maintains the optional 45-day investigation period. Additionally, the legislation allows CFIUS to extend an investigation by 15 days in the event of exceptional circumstances. As a result, FIRRMA extends the potential review period process by 30 days, and CFIUS may now take up to 105 days to review a proposed transaction before the filing entity is forced to withdraw and refile.

Implementing Regulations

Many of the operational provisions of FIRRMA will not become effective until the earlier of 18 months or 30 days after CFIUS publishes implementing regulations in the Federal Register. Additionally, the specifics and mechanics of many reforms were delegated by Congress to CFIUS, which will implement the reforms through regulations.

Declarations (Filings “Light”)

Notwithstanding the expanded scope of CFIUS’s review, FIRRMA grants some regulatory relief in the form of a streamlined, “light” filing, known as a “declaration.” A party planning to conduct a transaction potentially within CFIUS’s scope may opt to submit such a declaration, expected to be no more than five pages in length, that would allow CFIUS to determine whether a formal filing with the Committee is required or whether the party may proceed with the transaction without such a filing. In effect, declarations allow for the possibility of obtaining CFIUS approval without going through the burdensome full notification process.

Mandatory Declarations

FIRRMA mandates declarations (or, at the party’s election, submission of a full written notice) in some instances. While FIRRMA requires CFIUS to prescribe regulations specifying what transactions will require a declaration, the legislation requires declarations to be filed at a minimum in the event of the acquisition of a substantial interest in a U.S. business that relates to critical infrastructure, critical technology, or personal data of U.S. citizens when the acquiring entity is a foreign person in which a foreign government has a direct or indirect substantial interest.

Notwithstanding this, the legislation specifies that a declaratory filing is not required under either of the following circumstances:

  • The transaction involves an investment fund, and (a) the fund is managed exclusively by a U.S. general partner, and (b) a foreign limited partner does not control the general partner or fund investments; or
  • CFIUS determines that “the foreign person demonstrates that the investments of the foreign person are not directed by a foreign government and the foreign person has a history of cooperation with the Committee.”

Deadline on Acceptance of Filings

In the event a transacting party submits a stipulation that the transaction is a covered transaction, CFIUS must provide comments on a draft or formal written notice no later than 10 business days after the date the notice is submitted. This particular provision is significant because it signals Congress’s attempt to streamline filings and provide for a more predictable review process.

Filing Fees

FIRRMA permits CFIUS to assess and collect a filing fee, in an amount determined in its discretion. The fee may not exceed the lesser of (a) 1% of the transaction value or (b) $300,000, an amount that will be adjusted annually by the Committee by regulation. CFIUS’s assessment of a transaction’s filing fee must take into account (a) the effect of the fee on small business concerns; (b) the Committee’s expenses associated with filings; (c) the effect of the fee on foreign investment; and (d) any other appropriate considerations.

Pilot Programs

Finally, FIRRMA allows CFIUS to conduct pilot programs implementing any provisions of the new legislation that did not become effective upon enactment. Such a program will provide filing entities with additional resources to test and establish a working process for foreign investments in the United States.

Email Disclaimer

Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.

©1996-2019 Morrison & Foerster LLP. All rights reserved.