The New CFIUS: The Committee Issues Proposed Regulations to Implement Expanded Authorities

For over 30 years, the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) focused on a narrow subset of M&A transactions and investments. That era is coming to an end. On Tuesday of this past week, CFIUS issued its anticipated proposed final regulations (“Regulations”) to implement the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”). The Regulations chart the path for CFIUS to become the frontline gatekeeper for a broad swath of foreign direct investment in the United States: an authority that will define where individual privacy intersects with national security, how 21st century technologies shape geostrategic power relationships, and the manner in which private enterprise is held accountable for protecting national security. CFIUS also will become an affirmative — rather than punitive — diplomatic and economic weapon in the forthcoming decades’ strategic competition between the United States and China.

The Regulations reflect notable self-restraint in several material respects — a clear effort by the Committee to balance national security concerns with the desire to maintain an open investment policy. While the Regulations are expansive and clearly intended to enable adaptation as risks evolve, they also draw some unusually bright lines that appear intended, among other things, to avoid: (i) over-regulating and restricting capital flows, particularly to smaller businesses; (ii) turning national security agencies into privacy regulators; and (iii) encroaching on domains appropriately occupied by counter-intelligence and other authorities of the U.S. government.

Comments on the Regulations are due October 17. This will be the only formal opportunity for transaction parties and other interested stakeholders and members of the public to help shape the final regulations that will control the new CFIUS process. We want to underscore that such comments will be critically important in establishing the framework that will govern CFIUS going forward. First and foremost, they establish the administrative record against which the final regulations can be understood and assessed. In turn, the comments that are filed — and CFIUS’s response to them in the preamble to the final regulations — will inform how the regulations are interpreted in the future, including potentially in legal challenges to CFIUS actions. Simply by way of example, we have had direct experience where the preamble to the 1994 CFIUS regulations was directly relevant to the disposition of important jurisdictional determinations by the Committee. We accordingly urge our clients and other interested parties to take seriously this opportunity for comment, and to engage in the rulemaking process if their interests warrant. The final regulations are expected to be issued in January 2020, 30 days before they become effective in February 2020.

Our executive summary of the key themes in the Regulations, followed by a more detailed analysis of key provisions, is below.

Executive Summary

On September 17, 2019, the Office of Investment Security of the Department of Treasury, which oversees CFIUS, released two proposed rules: Provisions Pertaining to Certain Investment in the United States, which comprise the primary rulemaking to update and enhance CFIUS regulations as required by FIRRMA; and Provisions Pertaining to Certain Transactions by Foreign Persons Involving Real Estate in the United States, which address the new authorities under FIRRMA for CFIUS to review, for the first time, certain greenfield investments in the United States involving real estate. Both proposed rules have a short period for parties to weigh in by providing written comments: just 30 days from the date of issuance, until October 17, 2019.

Together these proposed rules — along with the Critical Technology Pilot Program (“the Pilot Program”) issued last November and certain other resource and process updates that the CFIUS agencies have implemented over the past year — usher in a new era for CFIUS by formalizing the most dramatic reform and expansion of the Committee’s process in its history. The Regulations themselves are dense, totaling over 300 pages, and introduce a profusion of new concepts and terms. Recognizing that there is much to absorb and a short period for comment, we would suggest that the following are the critical takeaways from the Regulations:

1. Don’t Fix What’s Not Broken (from CFIUS’s Perspective) ...

While the regulations provide for new jurisdictional terms and authorities in key areas, CFIUS did not alter historical jurisdictional terms — with one notable exception (discussed below). Specifically, the Regulations preserve the definition of “foreign person” (including “foreign entity”) and “control,” which is defined broadly to mean the power, direct or indirect, whether or not exercised, through the ownership of voting securities, by proxy voting, contractual arrangements, or other means, to determine, direct, or decide matters affecting an entity. Thus, CFIUS preserved its ability to apply the control standard flexibly, depending upon the facts presented by each transaction and CFIUS’s perceptions of national security sensitivities. It also did not address certain ambiguities in the definitions, which are more relevant in a regime that includes mandatory filings (also discussed below). For example, the term “foreign entity” has an exception for entities with a principal place of business in the United States — yet the term “principal place of business” remains undefined.

2. ... But Take the Opportunity to Expand Jurisdiction and Preserve Flexibility

There is, however, one core jurisdictional term that is changed in the Regulations: the important definition of “U.S. business.” As we previously reported, FIRRMA defined “U.S. business” broadly to mean “a person engaged in interstate commerce in the United States.” This goes beyond the historical regulatory definition, which includes a qualifier “but only to the extent of its activities in interstate commerce in the United States.” This has been applied to mean that the assets in the United States, not those outside the United States, are subject to CFIUS jurisdiction. The Regulations codify the FIRRMA definition, which in theory could raise a question as to whether CFIUS would seek to assert jurisdiction over certain business activities located outside the United States, subject to their nexus to interstate commerce. The Regulations add an example that appears to suggest that merely exporting products to the United States will not confer jurisdiction, but that example does not cover the full range of businesses that now could be subject to CFIUS jurisdiction as a consequence of this change.

3. Otherwise Restrained Approach on Expanded Authorities (Except with Respect to Critical Technologies)

The Committee apparently was mindful that FIRRMA’s jurisdictional expansion to certain non-controlling but non-passive investments in businesses involving sensitive personal data and critical infrastructure could be overused. FIRRMA itself left CFIUS with considerable discretion to define, through regulation, “sensitive personal data” and the scope of critical infrastructure businesses subject to the expansion. This raised potential concerns because, in practice, CFIUS has identified national security concerns even with anonymized data and with off-the-shelf software that is utilized in critical infrastructure. Recognizing that applying these concerns to non-controlling transactions could result in a dramatic increase in the number of transactions subject to its authority — with the greatest impact on start-ups — and create considerable uncertainty in transaction planning, the Committee appears to have sought to provide clearer definitions and brighter lines in both the sensitive personal data and critical infrastructure definitions (including by providing a list to govern the critical infrastructure analysis). To be sure, there still is ambiguity in both areas, and businesses with interests in those areas may wish to provide focused comments for improvement. However, overall we were encouraged by the willingness of the Committee to provide clearer roadmaps in these areas. The same is not yet true as it relates to critical technologies: the Committee delayed amending or narrowing the scope of the very broad Pilot Program until the final regulations and specifically noted that it would only address all comments on the Pilot Program in the final regulations.

4. The Real Start of a Dual-Track Filing Process

The Regulations for the first time set forth the details of a process for voluntary declarations, and suggest that CFIUS intends to have a meaningful declaration process. Declarations are shorter form filings, and CFIUS must act on them in 30 days. Going forward, this has the potential to be one of the most consequential aspects of the Regulations: to the extent CFIUS can clear transactions in the streamlined declaration process, it will create a path for transaction parties that have a favorable record with CFIUS, or for transactions where the underlying U.S. assets obviously are benign, to receive a relatively prompt determination (and in some instances legal certainty) at a lower cost, while allowing CFIUS to undertake a more comprehensive review for transactions that merit closer national security review. In other words, CFIUS could develop a regime that aligns with the 30-day review of Hart-Scott-Rodino antitrust reviews in the United States. There will be some inherent challenges in this. The declaration process does not benefit from the same level of in-depth threat assessment from the U.S. intelligence community that full notices receive, and with nine agencies that must achieve consensus, clearing cases in 30 days is more complicated. This too is an area where we recommend parties consider commenting. For example, we see room for enhancing the declaration process to take account of favorable histories with CFIUS and other criteria that would reflect the trustworthiness of acquirors. Ultimately, though, if the declaration process works as it should, the CFIUS process may end up being streamlined for many transactions.

5. No Credit System ...

Consistent with the foregoing, there are several areas where CFIUS could have, but did not, explicitly list factors that would enable more favorable outcomes and timelines in the CFIUS process. Specifically, in addition to resolving cases during the declaration process, CFIUS could indicate — while retaining its ultimate discretion — certain criteria that would weigh favorably in resolving full reviews and investigations during the statutory timelines. More directly, CFIUS had the option of defining “foreign person” for a mandatory declaration in a narrower manner that would account for the demonstrated trustworthiness of investors, but it elected to go a different route (discussed below). Examples of such criteria could include a record of prior CFIUS approvals; compliance with prior CFIUS mitigation agreements; whether the acquiror already operates under mitigation relating to foreign ownership, control or influence (“FOCI”) under U.S. national industrial security regulations governing access to classified information, or if the acquiror is a parent that owns other businesses under FOCI mitigation, and the record of compliance with such mitigation; and whether the acquiror is from a country that is a treaty ally or has a mutual defense agreement with the United States. CFIUS elected not to use these criteria, which may be yet another area for comment.

6. ... And No Black List, But a White List that Can Be Used as a Diplomatic Tool

As noted, FIRRMA allows CFIUS to devise a different definition of “foreign person” to narrow the universe of investors to which the mandatory declaration requirements for investments in the critical technologies, critical infrastructure, and sensitive personal data areas (which the Regulations refer to as “TID”) would apply. To do so, CFIUS could have listed criteria, as noted, or developed a so-called “black list,” such as applying the mandatory requirements to investments from parties that met certain negative criteria or to parties from specific countries. There was debate over such an approach during the development of FIRRMA, with at least some in the business community supporting a black list. CFIUS — correctly, in our view — did not avail itself of such a black list, but it also elected not to have an affirmative list of criteria that would exempt certain parties. Instead, it has developed a concept of “excepted investors,” which is tied to “excepted states” — and which is for the Secretary of Treasury to identify, subject to approval by a two-thirds vote of the Committee (an unprecedented use of a supermajority in the CFIUS process, which otherwise requires unanimous consensus). Further, the regulations indicate that an excepted state must have a foreign investment national security review process that the Secretary determines is akin to CFIUS. The Regulations also make clear that this list of excepted states and investors initially will be very small. Thus, CFIUS will be developing a “white list” for investors from certain countries to receive more favorable treatment, and it allows the Treasury Department and other agencies to leverage this “off-ramp” in CFIUS as a tool in bilateral discussions to press allies to adopt similar processes. Extraordinary.

7. Some Tolerance for Investors with Government Shareholders

The Regulations implement, as directed by FIRRMA, mandatory filings for the somewhat awkwardly-stated acquisition of a “substantial interest” in a U.S. “TID” business (described above) by a foreign entity with a “substantial interest” ownership stake by a foreign government. Many observers wondered whether “substantial interest” would be defined by CFIUS as expansively — or even more expansively — than the concept of “control” already is treated in practice. Recognizing that it would still have authority for voluntary filings and reflecting a caution not to be overly restrictive as it relates to the flow of capital into the U.S., CFIUS demonstrated a comparatively balanced approach: defining “substantial interest” by a foreign government as a 49 percent or greater voting stake, and a “substantial interest” in a target U.S. TID business as a 25 percent or greater voting stake. In setting the bar this high, CFIUS will allow many companies that have foreign government stakes of less than 49 percent to continue to file voluntarily with respect to their TID investments.

8. We Are All Now Real Estate Lawyers ...

Finally, FIRRMA provided CFIUS with the authority to review certain real estate transactions (i.e., sales, leases, and concessions) in close proximity to sensitive U.S. government facilities or which involve air and maritime ports, except for real estate that is a “single housing unit” or that is in “urbanized areas” as defined by the Census Bureau. This authority introduced a new concept into CFIUS’s jurisdiction — the ability to review certain greenfield transactions. It also raised a number of definitional ambiguities and cases of first impression. Recognizing the complexity of this new authority — and its distinction from rules and authorities intended to govern M&A activity — CFIUS (wisely in our view) elected to have a separate rulemaking devoted specifically to the real estate provisions. Here, too, CFIUS tried to provide brighter lines in defining close and extended proximity, and for the first time, it published the list of military installations that the Department of Defense deems to be sensitive, and organized them to a degree in terms of sensitivity. We summarize these points further below but also intend to issue a separate analysis devoted specifically to the real estate rulemaking, given its uniqueness and complexity.

The Regulations present a significant amount of material to absorb, and the foregoing summary and the more detailed analysis below are not intended to be exhaustive; there may be other issues of specific interest to individual parties. If there are such issues of specific interest, parties may wish to consider commenting on them. It is our view that the rulemaking process will be enhanced through comments, and we believe that the Committee truly will welcome the feedback.

With that background, we turn now to a fuller discussion of the Regulations.

Discussion

Core Jurisdictional Terms

The Regulations introduce the term “covered control transaction” to capture its historical approach to jurisdiction. The definition of “covered control transaction” is identical to that of “covered transaction” in the existing regulations, meaning “any transaction that is proposed or pending after August 23, 1988, by or with any foreign person that could result in foreign control of any U.S. business.” Additionally, the Regulations confirm that a “covered control transaction” includes, but is not limited to, “a transaction carried out through a joint venture.”

With respect to the core components of “covered control transactions,” it is clear that CFIUS focused on the new authorities in FIRRMA and generally did not want to alter or yet address its historical approach to jurisdiction. The one exception to this general rule of preserving existing definitions relates to the scope of the “U.S. business” definition.

Control

The definition of “control” in the Regulations has not changed from that of the existing regulations. The term “control” continues to mean “the power, direct or indirect, whether or not exercised, through the ownership of a majority or a dominant minority of the total outstanding voting interest in an entity, board representation, proxy voting, a special share, contractual arrangements, formal or informal arrangements to act in concert, or other means, to determine, direct, or decide important matters affecting an entity.” Nevertheless, the Regulations do add two matters to the list of items that would include “important matters”: namely, the appointment or dismissal of the general partner in a partnership; and the appointment or dismissal of employees with access to critical technology.

Foreign Person/Foreign Entity

“Foreign person” continues to be defined as any foreign national, foreign entity, or foreign government, or any entity controlled by a foreign national, foreign entity, or foreign government. For many businesses, the key term in this definitional approach is “foreign entity.” That continues to be defined as any branch, partnership, group or sub-group, association, estate, trust, corporation or division of a corporation, or organization organized under the laws of a foreign state if either its principal place of business is outside the United States or its equity securities are primarily traded on one or more foreign exchanges. Any entity that demonstrates that a majority of its equity interest is ultimately owned by U.S. nationals, however, is excluded from the definition of “foreign entity.”

Thus, the scope of the definition remains somewhat ambiguous, as the Regulations do not further define “principal place of business” or add any additional exceptions to the “foreign entity” definition, as many in the investment community were hoping it would. A number of U.S. investors — U.S. private equity firms in particular — may use offshore investment fund vehicles for a variety of purposes, including tax efficiency, but those funds are still ultimately controlled by U.S. persons from the United States. These U.S. investors rely on CFIUS recognizing that the principal place of business for the foreign-incorporated investment vehicles is the United States and thus that their transactions are not subject to the Committee’s review. While CFIUS has never challenged a U.S. fund on its determination that its principal place of business is the United States, the lack of explicit definition or exception addressing such a scenario means that the underlying ambiguity regarding what is required to establish a location as an entity’s principal place of business still persists under the Regulations.

U.S. Business

FIRRMA defines “U.S. business” broadly to mean “a person engaged in interstate commerce in the United States.” This goes beyond the current regulatory definition, which includes a qualifier “but only to the extent of its activities in interstate commerce in the United States.” Without the qualifier, CFIUS potentially has the authority to review an acquisition of any business anywhere in the world as long as that business provides goods or services into the United States. CFIUS appears to have attempted to address the breadth of this expansion by providing an example suggesting that a foreign corporation that exports goods to U.S. corporations is not a U.S. business if it has no U.S. assets. This example, however, is limited and ambiguous. It is not clear, for example, whether the following (among others) would be considered U.S. businesses: (i) a foreign company with no U.S. assets that provides services, such as call center services, to U.S. customers; (ii) a software company with no U.S. assets that sells bundled products and services to U.S. customers; or (iii) a company that does not have a branch office, subsidiary, or fixed place of business in the United States, but that directly employs sales personnel in the United States and sells products and services to U.S. customers. Without clarification on this definition, it may be unclear to parties whether CFIUS has jurisdiction to review a transaction, and whether a mandatory filing is required.

Whether this approach on historical jurisdictional terms was a function of capacity (i.e., the agencies did not have the bandwidth both to update existing definitions and to address the new authorities), or comfort (i.e., the agencies believe existing terms are sufficient for true “control” transactions) is unclear. It also is possible, if not likely, that there was a reluctance to seek change without having a formal administrative record that would justify it – including with respect to the U.S. business definition, because FIRRMA itself defined that term. As a result, it is possible that with comments, certain aspects of the core jurisdictional terms could be updated.

Expanded Jurisdiction – Critical Technologies, Critical Infrastructure, and Sensitive Personal Data

FIRRMA provides CFIUS jurisdiction to review a broad category of “other investments,” which include non-controlling investments by a foreign person in companies that deal with critical infrastructure, critical technology, or sensitive personal data of U.S. citizens. Specifically, FIRRMA provided CFIUS with the authority to review any “other investment” in any “unaffiliated” U.S. business that: (i) owns or operates, manufactures, supplies, or services critical infrastructure; (ii) produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies; or (iii) maintains or collects sensitive personal data of United States citizens that may be exploited in a manner that threatens national security. The Regulations refer to such a business as a “TID U.S. Business” for “Technology, Infrastructure, and Data.”

FIRRMA defined “other investment” in the context of TID U.S. businesses to mean any investment, regardless of size, that affords the foreign person: (i) access to any material non-public technical information in the possession of the U.S. business; (ii) board membership or observer rights; or (iii) any involvement in substantive decision making regarding critical infrastructure, critical technologies, or sensitive personal data of U.S. citizens.

There, in turn, are a few foundational definitions to the expanded authorities. They include:

Investment

The existing CFIUS regulations have not defined “investment, ” though they recognized that the acquisition or conversion of “convertible voting instruments” could be a covered transaction under certain circumstances, even before conversion. The Pilot Program regulations did, for the first time, define “investment” for CFIUS purposes, as the acquisition of an equity interest, including contingent equity interest (which was limited to financial instruments that are convertible into equity interests with voting rights). However, there was no qualification put on contingent equity interests; acquisitions of such interests were covered transactions whenever the remaining Pilot Program qualifications were met, regardless of (a) the imminence of conversion, (b) whether conversion was within the control of the acquiring party, and (c) whether the interest and rights to be received upon conversion could be reasonably determined at the time of acquisition of the interest. The Regulations represent an evolution from both of these approaches.

The Regulations include contingent equity interests within the definition of “investment,” but “contingent equity interests” are instruments that are “convertible into, or provide the right to acquire, an equity interest upon the occurrence of a contingency or defined event”; they are no longer limited to interests with voting rights, as under the Pilot Program. Unlike the Pilot Program approach, however, the Regulations bring back the timing and foreseeability considerations in CFIUS’s determination of whether contingent interests will be considered in the Committee’s jurisdictional analysis, as in the current regulations.

Material Nonpublic Technical Information

The Regulations define “material nonpublic technical information” as information that: (i) provides knowledge, know-how, or understanding not available in the public domain, of the design, location, or operation of critical infrastructure, including without limitation vulnerability information such as that related to physical security or cybersecurity; or (ii) is not available in the public domain and is necessary to design, fabricate, develop, test, produce, or manufacture a critical technology, including without limitation processes, techniques, or methods. The italicized language related to physical security and cybersecurity is a clarification of the definition in FIRRMA. As with FIRRMA and the Critical Technology Pilot Program, the definition of “material nonpublic technical information” excludes financial information regarding the performance of an entity.

Notably, there is no definition of “material nonpublic technical information” that appears to apply to a U.S. business that collects or maintains sensitive personal data. Accordingly, a non-controlling investment by a foreign person in a U.S. business that collects or maintains sensitive personal data will only be a “covered investment” if the foreign person is afforded membership or observer rights on the board of directors of the U.S. business, or any involvement in substantive decisionmaking of the U.S. business regarding the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens maintained or collected by the U.S. business.

Substantive Decisionmaking

The Regulations define "substantive decisionmaking" as the process through which decisions regarding significant matters affecting an entity are undertaken. The Regulations clarify that strictly administrative decisions are not included and list a significant number of decisionmaking areas that would be included, which cover a wide range of strategic and operational decisions of the U.S. business. These include involvement in decisions related to pricing, sales, and contracts; supply arrangements; corporate strategy and business development; research and development ("R&D"); manufacturing locations; access by customers, vendors, or joint venture partners to critical technologies, covered investment critical infrastructure, material nonpublic technical information, or sensitive personal data (including, e.g., intellectual property licensing); physical and cyber security protocols; practices, policies, and procedures governing the handling of sensitive personal data; and strategic partnerships.

With those definitions as background, the Regulations take the following approach to TID U.S. businesses:

Critical Technologies

The Regulations do not change the definition of critical technologies as it appears in the Pilot Program regulations, nor do they change the Pilot Program in any respect. As noted, CFIUS instead indicated that it will address the Pilot Program in the final rulemaking. Thus, the Regulations still define critical technologies by reference to technology lists maintained by other U.S. regulatory authorities — particularly export control authorities — and encompass technologies that will be added to those lists in the future. Specifically, critical technologies include:

• Defense articles or defense services included on the United States Munitions List set forth in the International Traffic in Arms Regulations (“ITAR”) (22 CFR parts 120-130).
• Items included on the Commerce Control List set forth in Supplement No. 1 to part 774 of the Export Administration Regulations (“EAR”) (15 CFR parts 730-774) and controlled: (i) pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or (ii) for reasons relating to regional stability or surreptitious listening.
• Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by 10 CFR part 810 (relating to assistance to foreign atomic energy activities).
• Nuclear facilities, equipment, and material covered by 10 CFR part 110 (relating to export and import of nuclear equipment and material).
• Select agents and toxins covered by 7 CFR part 331, 9 CFR part 121, or 42 CFR part 73.
• Emerging and foundational technologies controlled pursuant to section 1758 of the Export Control Reform Act of 2018 (which remain to be defined and thus could continue to expand CFIUS’s authority).

Because the Regulations have not altered the Pilot Program, it remains the case that whether mandatory filings need to be made for transactions involving critical technologies still turns, in part, on whether the U.S. business's critical technologies are used in connection with the U.S. business's activities in one of the 27 identified pilot program industries or designed by the U.S. business specifically for use in one of those industries. These industries are currently defined by reference to North American Industry Classification System (“NAICS”) codes; we do not expect the final rule to preserve this association with the NAICS codes, which have proven to be problematic for transaction parties to analyze and unhelpful to the Committee.

Critical Infrastructure

CFIUS has recognized the national security import of “critical infrastructure” since at least the time the Department of Homeland Security joined the Committee, shortly after it was created, in 2003. This was formalized with the enactment of the Foreign Investment and National Security Act of 2007 (“FINSA”), which clarified, as a definitional matter, that “national security” included homeland security and critical infrastructure. FIRRMA fundamentally retained and restated the FINSA definition of critical infrastructure, i.e., “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security.” This definition differs from other common U.S. definitions of critical infrastructure, e.g., in the PATRIOT Act, in that it focuses exclusively on national security and excludes other considerations, such as national economic security or national public health or safety. FIRRMA, however, further required CFIUS to limit the application of CFIUS’s expanded jurisdiction over certain non-controlling, non-passive investments to a “subset of critical infrastructure that is likely to be of importance to the national security of the United States” – in essence, a set of “critical critical infrastructure.”

CFIUS is essentially required to implement a dual definition of critical infrastructure; for “control” transactions, the traditional, more expansive definition will apply, but for non-controlling, non-passive investments, the definition must be further limited. The Regulations implement this limitation in two ways.

First, the covered infrastructure is limited to a certain enumerated set of categories laid out in an appendix to the regulations. These include a fairly narrow set of assets in the telecommunications, energy, financial services, transportation, water, critical manufacturing, and defense industrial base sectors.

Second, only U.S. businesses that perform certain functions with regard to that infrastructure are covered, also as described in the appendix. For most of the enumerated infrastructure categories, this is limited to owning, operating, or manufacturing such infrastructure, not supplying or servicing it (except in the case of undersea telecommunications cables and related facilities and certain industrial control systems). It appears that in doing so, CFIUS has attempted to distinguish what infrastructure assets, if compromised, might have the greatest impact on national security and what business functions might be most susceptible to exploitation by a threat actor who has only a non-passive but non-controlling interest in a U.S. business that performs those functions.

Sensitive Personal Data

One of the most anticipated aspects of the Regulations relates to CFIUS’s new authority to review covered investments when they relate to U.S. businesses that maintain or collect sensitive personal data of U.S. citizens that “may be exploited in a manner that threatens to harm national security.” To implement this authority, CFIUS, for the first time, has set forth a definition of “sensitive personal data” in the Regulations. In many respects, the definition is more narrow than we had expected, as well as more narrow than the way in which we have seen sensitive personal data considered by the Committee in practice. While we are not expecting all clients and businesses to be thrilled with the scope, we believe the definition reflects a genuine attempt on the part of the Committee not to regulate unnecessarily capital flowing into start-ups and other businesses that would, at most, be peripherally related to national security. It also reflects ultimately a recognition that personal data is proliferated in the 21^st century.

Specifically, “sensitive personal data” will be limited to “identifiable data” that falls within one of ten categories of data and that is maintained or collected by a U.S. business in three specific circumstances, and, separately, genetic information, as defined pursuant to the regulations implementing the Health Insurance Portability and Accountability Act, that is maintained or collected by a U.S. business in any amount and for any purpose.

The Regulations define “identifiable data” as data that can be used to identify an individual, including through the use of any “personal identifier” such as name, physical address, email address, social security number, or phone number. “Identifiable data” does not include “aggregated data,” “anonymized data,” or “encrypted data,” each of which has been further defined in the Regulations. Specifically, “aggregated data” is defined as data that has been combined or collected in such a way that it cannot be used to identify an individual, and “anonymized data” means data from which all personal identifiers have been completely removed. “Encrypted data” is defined as data to which National Institute of Standards and Technology (“NIST”)-allowed cryptographic techniques have been applied. For the avoidance of doubt, the definition of “identifiable data” clarifies that aggregated data and anonymized data would be identifiable if any party to the transaction is or will be able to disaggregate or de-anonymize the data to trace the identity of an individual. Similarly, encrypted data is identifiable if the U.S. business has the ability to de-encrypt the data.

The ten categories of “identifiable data” are as follows:

1. data that could be used to analyze or determine an individual’s financial distress or hardship, such as bank account statements or detailed financial information included in an application for a home mortgage or credit card, but not including information related to ordinary consumer transactions;
2. the set of data in a consumer report, including an individual’s credit score and/or summaries of debts and payment histories, unless limited data is obtained from a consumer reporting agency for the legitimate purposes described in the Fair Credit Reporting Act;
3. the set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance;
4. data relating to the physical, mental, or psychological health condition of an individual;
5. non-public electronic communications, including email, messaging, or chat communications, between or among users of a U.S. business’s products or services, only if the U.S. business is providing communications platforms used by third parties;
6. geolocation data collected using positioning systems, cell phone towers, or WiFi access points such as via a mobile application, vehicle GPS, other onboard mapping tool, or wearable electronic device;
7. biometric enrollment data including without limitation facial, voice, retina/iris, and palm/fingerprint templates;
8. data stored and processed for generating a state or federal government identification card;
9. data concerning U.S. government personnel security clearance status; and
10. the set of data in an application for a U.S. government personnel security clearance or an application for employment in a position of public trust.

These ten categories of “identifiable data” only constitute “sensitive personal data” if:

1. The U.S. business “targets or tailors” its products or services to sensitive U.S. government personnel or contractors;
2. The U.S. business has maintained or collected such data on greater than one million individuals at any point over the preceding twelve months; or
3. The U.S. business has a demonstrated business objective (e.g., through its statements or actions) to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services.

The Regulations include a definition for the term “targets or tailors,” as well as several examples. Specifically, “targets or tailors” is defined as customizing products or services or actively marketing to or soliciting a person or group of persons. Pursuant to the examples provided in the Regulations, if a U.S. business operates a facility on the premises of a U.S. military base, it will be deemed to be targeting or tailoring its products or services. Similarly, if the U.S. business offers a discount solely to uniformed U.S. military personnel, as opposed to public sector employees more broadly, or if the business distributes marketing materials that promote the particular usefulness of its products to military personnel, it will be deemed to be targeting or tailoring under the proposed definition.

Separately, the one-million-individual threshold is higher than what we were anticipating, though importantly it is not limited to information on one million U.S. citizens. One ambiguity with respect to the “demonstrated business objective” language is whether CFIUS will find a difference between companies aspiring to collect data on more than one million individuals versus companies aspiring to grow their user base beyond one million people.

Notably, the Committee has carved out from the definition of “sensitive personal data” any data maintained or collected by a U.S. business concerning its employees, unless the data pertains to employees of U.S. government contractors who hold U.S. government personnel security clearances; or data that is public, such as court records or other government records that are generally available.

The preamble to the Regulations notes that the Committee anticipates periodically revising the Regulations, potentially including revisions to this definition.

Expanded Authorities – Real Estate

The Treasury Department bifurcated the rulemaking process with separate proposed rules on those authorities related to M&A activity, and the new authority for CFIUS to address certain investments in real estate. These are detailed and complex regulations that merit their own stand-alone discussion, and we will provide a separate analysis on that front at a later date. In the meantime, this alert summarizes the real estate authority addressed in the Regulations.

As noted, FIRRMA authorized CFIUS for the first time to review certain real estate transactions involving the purchase of, lease by, or concession to a foreign person of certain U.S. public or private real estate that occurs outside of the context of an acquisition of control of a U.S. business. The Regulations leverage CFIUS’s existing risk-based analysis framework, provisions, and defined terms as well as the concurrent rulemaking, and in that sense, offer a consistent and coherent approach. Importantly, the Regulations also introduce key provisions, defined terms, examples, and a list of relevant geographic sites to address the scope of its new authority to review newly-defined “covered real estate transactions,” along with relevant exceptions.

As expected, a primary focus of the Regulations is CFIUS’s authority to review certain purchases, leases, or concessions relating to “covered real estate,” i.e., real estate that: (i) is located within, or functions as part of, an air or maritime port; (ii) is located within “close proximity” to specific listed U.S. military installations or U.S. government facilities or properties; (iii) is located within the “extended range” specific listed counties or geographic areas identified in connection with specific military installations; or (iv) is located within any part of a specific listed military installation that is located within 12 nautical miles seaward of the U.S. coastline. Notably, “close proximity” is defined as the area extending one mile from the outward boundary of an identified military installation, facility, or property, and the “extended range” is defined as the area that extends 99 miles outward from the outer boundary of close proximity of an identified military installation. A four-part appendix to the Regulations lists specific installations, facilities, properties, and geographic areas for determining whether a transaction involves covered real estate. Other new key defined terms relate to exceptions and include “urbanized area” and “urban cluster,” and proposed provisions clarify those exceptions do not apply where real estate is, is within, or functions as part of, an air or maritime port, or is in “close proximity” to a relevant military installation, facility, or property. Other exceptions exist for single housing units; commercial office space; air and maritime leases and concessions that are restricted to retail trade, accommodation, or food service sector establishments; American Indian and Alaska Native lands; and certain foreign states and investors with close ties to those foreign states to be designated by CFIUS in the future. 

The Regulations also provide that parties seeking CFIUS approval for a covered real estate transaction can file voluntarily, either through a short-form voluntary declaration on a shorter 30-day review timeline or a notice on the existing CFIUS review timeline. The Regulations do not provide criteria for determining whether to file a declaration versus a notice, and because CFIUS may request a voluntary notice after reviewing a voluntary declaration, we expect that parties will need to carefully assess whether to file a declaration or a voluntary notice in the first instance.

Exceptions to Expanded Authorities

As set forth in the preamble to the Regulations:

FIRRMA requires CFIUS to specify criteria to limit the application of FIRRMA’s expanded jurisdiction over other investments to certain categories of foreign persons. The proposed rule addresses FIRRMA’s requirement through three new defined terms, “excepted investor,” “excepted foreign state,” and “minimum excepted ownership,” which operate together to exclude from CFIUS’s jurisdiction covered investments by certain foreign persons who meet certain criteria establishing sufficiently close ties to certain foreign states.

Excepted Foreign States

In what we anticipate will be among the more discussed and controversial aspects of the Regulations, the Regulations would tether an exception from the expanded jurisdiction to the concept of an “excepted state.” Specifically, the Regulations allow the Secretary of Treasury, as Chairperson, to determine that a foreign state is an excepted foreign state if it has established and is effectively utilizing a robust process to analyze foreign investments for national security risks and to facilitate coordination with the United States on matters relating to investment security. The Chairperson must have the agreement of two-thirds of the voting members of CFIUS to make this determination. CFIUS plans to make available the factors considered in making this determination on the Department of the Treasury website. The Regulations also state that the Chairperson may rescind a determination of an excepted foreign state if the Chairperson decides, with the agreement of two-thirds of voting members of CFIUS, that a rescission is appropriate.

CFIUS plans to select excepted foreign states from a group of eligible foreign states that CFIUS will designate on the Department of the Treasury website. CFIUS explains in the discussion of the rule that the list of eligible foreign states will be limited because the “excepted foreign state” is a new concept with potentially significant implications for U.S. national security. CFIUS, however, plans to review the list of eligible foreign states in the future and may expand it.

In addition, the preamble to the Regulations indicate that eligible foreign states could be identified upon the effectiveness of the final rule in February 2020, but that CFIUS is considering delaying the effectiveness of the requirement that excepted foreign states have robust foreign investment and national security review processes for two years.

Excepted Investors

The Regulations, in turn, create a category of “excepted investors” based on the definition of “excepted foreign states.” If an investor qualifies as an “excepted investor,” it is not subject to the jurisdictional expansion in unaffiliated TID U.S. businesses from CFIUS's jurisdiction, and there is a similar concept in the Regulations on real estate. CFIUS makes clear in its discussion of the Regulations and the required criteria that the definition of an excepted investor is narrow.

An excepted investor is: (i) a foreign national of an “excepted foreign state” and not a national of a foreign state that is not an excepted foreign state; (ii) a government of an excepted foreign state; or (iii) a foreign entity that meets certain criteria to be sufficiently tied to an excepted foreign state and not to any foreign states that are not excepted foreign states.

There are a number of criteria that a foreign entity must meet to be considered an excepted investor, as described below:

1. it must be organized under the laws of an excepted foreign state or in the United States;
2. it must have its principal place of business in an excepted foreign state or the United States;
3. its board members and observers must be U.S. nationals or nationals of excepted foreign states and not nationals of foreign states that are not excepted foreign states;
4. any foreign person that individually holds, or each foreign person that is part of a group of foreign persons that, in the aggregate, holds, five percent or more of the outstanding voting interest of the entity, holds the right to five percent or more of the profits of the entity, holds the right in the event of dissolution to five percent or more of the assets of such entity, or could exercise control over such entity, must be
   • a foreign national who is a national of an excepted foreign state and not a national of a foreign state that is not an excepted foreign state,
   • a foreign government of an excepted foreign state, or
   • a foreign entity that is organized under the laws of an excepted foreign state and has its principal place of business in an excepted foreign state or the United States; and
5. the minimum excepted ownership of the entity must be held, individually or in the aggregate, by one or more persons each of whom is
   • not a foreign person;
   • a foreign national who is a national of an excepted foreign state and not a national of a foreign state that is not an excepted foreign state;
   • a foreign government of an excepted foreign state; or
   • a foreign entity that is organized under the laws of an excepted foreign state and has its principal place of business in an excepted foreign state or in the United States.

With respect to an entity whose equity securities are primarily traded on an exchange in an excepted foreign state or the United States, the Regulations define “minimum excepted ownership” to mean a majority of its voting interest, the right to a majority of its profits, and the right in the event of dissolution to a majority of its assets. With respect to an entity whose equity securities are not primarily traded on an exchange in an excepted foreign state or the United States, the Regulations define minimum excepted ownership to mean 90 percent or more of its voting interest, the right to 90 percent or more of its profits, and the right in the event of dissolution to 90 percent or more of its assets.

A foreign entity’s parents, if any, must also meet these criteria for the foreign entity to be considered an excepted investor.

Under the Regulations, when determining whether individual ownership interests should be aggregated for the purpose of determining whether a foreign entity is an excepted investor, CFIUS will consider such factors as whether the persons holding the individual ownership interests are related or have formal or informal arrangements to act in concert, whether they are agencies or instrumentalities of the national or subnational governments of a single foreign state, and whether a given foreign person and another foreign person that has an ownership interest in the entity are both controlled by any of the national or subnational governments of a single state.

A foreign person that meets the criteria for an excepted investor is nevertheless not an excepted investor if it or any of its parents or subsidiaries in the five years prior to the completion date of the transaction has violated a U.S. law, regulation, executive order, directive, or license, or has submitted a material misstatement or omission to CFIUS or has violated a CFIUS mitigation agreement, order, or condition.

Treatment of Investment Funds

One subject of considerable debate and discussion during the FIRRMA legislative process was the extent to which the expanded jurisdictional authorities of CFIUS would capture indirect investment by foreign persons through limited partnership and similar interests in investment funds. To address this, FIRRMA included a “special clarification” on investment funds intended to reflect that standard minority limited partnership interests (and the limited rights associated with them) would not, in and of themselves, be sufficient to render investment funds subject to CFIUS’s authorities.

The Regulations address investment funds in the context of investments in TID U.S. businesses. Notably, unlike the language of FIRRMA itself, the Regulations do not require that the general partner or equivalent not be a foreign person, only that the foreign person seeking to avail itself of the exception embodied by the provision not be the general partner or equivalent (in addition to meeting the rest of the provision’s criteria). Therefore, foreign limited partners (“LPs”) in investment funds with foreign general partners could also avail themselves of the exception and thus not be subject to the Committee’s jurisdiction, even if the fund itself may be within the Committee’s jurisdiction if it makes qualifying investments in TID U.S. businesses.

The remaining substantive elements of the provision remain largely the same as the treatment of investment funds in the Pilot Program. In order to qualify for the exception, LPs in the fund need to be fundamentally passive with regard to the operation of the fund and its portfolio investments. That means not having the ability to control the fund, the general partner (including their selection, dismissal, or compensation), or the fund’s investment decisions, whether directly or indirectly, through the authorities of an advisory board. The LP also cannot receive access to material nonpublic technical information, whether directly or through its participation on the advisory board, nor membership or observer rights on the board of directors of the TID U.S. business or any involvement, other than through voting of shares, in substantive decisionmaking of the TID U.S. business. Like FIRRMA and the Pilot Program regulations, the Regulations recognize some categories of decisions that an advisory board can undertake which, while potentially related to certain investment decisions, do not constitute control of such decisions. These include common fund advisory board functions, including waivers of potential conflicts of interest and allocation limitations and similar activities. CFIUS does give itself some flexibility on these matters, however, indicating that it could find such activities to constitute control in “extraordinary circumstances.”

As discussed in greater detail below, the new definition of substantial interest is a significant development for the U.S. private equity and venture capital communities, including the foreign investors that participate as LPs in their funds. The definition indicates that, among other elements as discussed below, any entity in which a foreign government has a substantial interest can participate as an LP in a fund and not be found to hold a substantial interest in that fund unless it holds 49 percent or more of the voting interests of the LPs. While primarily focused on and directly related to foreign government-owned entities, it reflects a broader recognition by the Committee that minority LPs, even those which are state-owned, who possess only standard LP rights are passive and that they should have confidence in being able to deploy their capital into U.S. funds without running afoul of CFIUS.

Finally, as noted above in the discussion of the “foreign entity” definition, that definition remains ambiguous in ways that conceivably could create uncertainty for U.S.-managed funds that avail themselves of tax efficient offshore structures for the funds. While there remains the long-held position that the principal place of business for such funds is the United States, the rulemaking serves as an opportunity to update the "foreign entity" definition and/or define "principal place of business" in a way that would provide greater certainty and clarity. U.S. private equity, venture capital, and other investment firms that deploy foreign capital in their funds may wish to comment on aspects of this definition, including potentially proposing appropriate criteria for determining what constitutes a principal place of business for CFIUS purposes.

Process Impact – The New Declarations

FIRRMA established a framework to broaden the aperture of CFIUS reviews – by conveying the authorities to review the non-controlling, but non-passive investments in TID U.S. businesses and the real estate transactions described above – and to manage the impact on CFIUS and the transaction community by streamlining the CFIUS process through a new shorter form review called declarations. Consistent with these twin objectives – expanding CFIUS’s ability to get visibility into certain deals, but also providing for a shorter and narrower review for transactions that should not raise any national security concern – FIRRMA further created two types of declarations: mandatory declarations for certain covered investments in TID U.S. businesses, and voluntary declarations for other transactions.

While the Pilot Program partially implemented the mandatory declaration process, it applied broadly to all foreign persons and was only applicable to certain investments involving critical technologies; FIRRMA contemplated the prospect for a narrower definition and thresholds tied to foreign government ownership. The voluntary declaration process to date has not been available to transaction parties.

The Regulations, in turn, are notable because: (i) they set forth where CFIUS will establish the mandatory declarations as applied to the critical infrastructure and sensitive personal data businesses; and (ii) establish the voluntary declaration process for the first time. These developments are addressed in order below.

Mandatory Declarations – TID U.S. Businesses

Under FIRRMA and the Regulations, a mandatory declaration will be required for a covered transaction (meaning a covered control transaction or a covered investment) that results in the acquisition of a substantial interest in a TID U.S. business by a foreign person in which a foreign government has a substantial interest.

The Regulations define “substantial interest” to mean a voting interest, direct or indirect, of 25 percent or more by a foreign person in a U.S. business, and a voting interest, direct or indirect, of 49 percent or more by a foreign government in a foreign person. Accordingly, all state owned enterprises (“SOEs”) – as well as entities in which they hold 49 percent or more voting interest – would be required to file with CFIUS when they acquire an interest of 25 percent or more in a TID U.S. business. The Regulations further provide that for limited partnerships, a foreign government will be considered to have a substantial interest if it holds more than 49 percent of the voting interest in the general partner, or 49 percent or more of the “voting interest” of the LPs. Given the limited nature of LP voting interests, there is some ambiguity as to whether a party that holds more than 49 percent of the economic interest in a fund – in the form of LP interest – will be considered to hold a substantial interest in the fund. We note, however, that the term “voting interest” is broadly defined in the Regulations to include “any interest in any entity that entitles the owner or holder of that interest to vote for the election of directors of the entity (or, with respect to unincorporated entities, individuals exercising similar functions) or to vote on other matters affecting the entity.”

Mandatory filings under the Pilot Program must be submitted 45 days prior to the completion date of the transaction. By contrast, mandatory filings that are triggered as a result of foreign government ownership would be required to be filed 30 days before completion of the transaction. Any person who fails to submit a mandatory declaration may be liable for a civil penalty up to $250,000 per violation or the value of the transaction, whichever is greater. The Regulations state that the amount of the penalty imposed for a violation will be based on the nature of the violation. The Regulations do not set a penalty for failure to file a mandatory declaration under the Critical Technology Pilot Program, and the Regulations leave ambiguous whether any penalty would apply separately or jointly to the foreign person and the U.S. business.

The Regulations provide that changes in rights may be transactions subject to CFIUS jurisdiction, and may also trigger mandatory filings. Specifically, the Regulations define “covered transaction” to mean any “change in the rights that a foreign person has with respect to a U.S. business in which the foreign person has an investment, if that change could result in foreign control of the U.S. business.” For example, if a foreign person holds a ten percent ownership interest in a U.S. business, and the foreign person then acquires the right to appoint the Chief Executive Officer and Chief Technical Officer of the corporation, the change in rights is a covered transaction.

Voluntary Declarations

The Regulations align the mandatory declaration process with reviews of voluntary declarations, such that the process should become a standardized, streamlined way to file not only non-controlling, non-passive transactions with CFIUS, but also transactions that should be totally benign from a national security standpoint.

One of the more challenging evolutions in the CFIUS process over the last several years has been the impact of the process on transaction timing. The system had become so overwhelmed with complicated cases from non-traditional investor countries – and so comparatively under-staffed – that as recently as 2017 and 2018, 80 percent of all transactions were proceeding to a second-stage investigation, and the overall timeline for completing a transaction subject to CFIUS review, on average, was easily five to six months (accounting for the time to develop the information for the notice, a very lengthy draft process, and the full investigation cycle). Even transactions where the Committee ultimately did not have concerns routinely took the full investigation period to resolve.

This resulted in acquirors facing a dilemma: take the risk of not filing with CFIUS and, therefore, not receiving the safe harbor of a legal approval, or risk delays in closing that could harm the target business (which is left lingering between signing and closing) and/or allow for an interloper to try to intercede. In turn, there was considerable concern among all constituents – the business community, Congress, and even the agencies themselves – that an expanded CFIUS review could result in further delays in transaction timings.

FIRRMA’s solution to this conundrum was to create a voluntary declaration process. Along with the additional funding for more resources for the Committee, this declaration process, once implemented, should allow certain transaction parties – including those with a long history of clearing CFIUS without mitigation or only light touch mitigation; those that operate in the U.S. under FOCI mitigation; and those with very benign facts but that want the clarity and certainty of a CFIUS review – to avail themselves of a distinct 30-day process without incurring much additional cost or meaningful delay. (Other FIRRMA changes – including requiring CFIUS to provide comments or accept voluntary notices within ten business days from submission of the draft or formal written notice and extending the initial review period from 30 to 45 days (giving the intelligence community more time to produce their threat reports) – also have helped streamline the full review process.)

To its credit, CFIUS also has made clear in the preamble of the Regulations its goal to have the declaration process be a meaningful option for transaction parties. For example, the preamble notes that, to facilitate making declarations, “CFIUS intends to maintain a standard fillable form, making certain modifications to the form for use with respect to different types of transactions,” and the form will be usable for both voluntary and mandatory declarations. And, as noted, the Regulations provide that CFIUS will act on declarations within 30 days of receiving the declaration from the Staff Chairperson. In addition, the Regulations expressly provide that the Staff Chairperson may invite declaration parties to meet with the Committee during the declaration period to discuss and clarify issues. This was already permitted and has been occurring, but the fact that the Regulations make it explicit is important both to underscore the intent of the Committee to make the declaration process fulsome and also to announce to less experienced transaction parties that such meetings are available.

Consistent with FIRRMA and the Pilot Program, upon completion of the declaration review, CFIUS must take one of four actions: (i) request that the parties file a notice; (ii) inform the parties that CFIUS cannot complete action on the basis of the declaration, and that they may file a notice to seek written notification from the Committee that the Committee has concluded all action with respect to the transaction (which in practice also suggests the Committee is unlikely to have concerns); (iii) initiate a unilateral review of the transaction through an agency notice; or (iv) notify the parties that CFIUS has concluded all action.

To set realistic expectations, we expect that there may be some bumps and inconsistent outcomes from the declaration process over at least the first six to 12 months as it gets fully implemented, and both agencies and transaction parties get accustomed to and learn how best to leverage the process. We are optimistic, however, that as precedent in practice develops over time, the declaration process will provide a streamlining for easier transactions.

If you have any questions concerning the material discussed in this client alert, please contact the members of our firm below.