CFIUS Proposed Rules Target Critical Technology, Sensitive Personal Data And Real Estate

On September 17, 2019, the Department of the Treasury issued long-awaited proposed rules implementing many of the provisions of the Foreign Investment Risk Review Modernization Act of 2018 ("FIRRMA"), which substantially expanded the jurisdiction of the Committee on Foreign Investment in the United States ("CFIUS") to conduct national security reviews of foreign investment in the United States.

The proposed rules were issued in two parts: 31 CFR Part 800 - Provisions Pertaining to Certain Investments in the United States by Foreign Persons and 31 CFR Part 802 - Provisions Pertaining to Certain Transactions in the United States by Foreign Persons Involving Real Estate. CFIUS already had the authority review any control transaction by a foreign person in respect to U.S. businesses to determine the potential impact on the national security of the United States. Under the Part 800 Rule, CFIUS's jurisdiction has been expanded to also cover certain non-controlling investments in U.S. business that (i) are involved with "critical technologies", (ii) own, operate, manufacture or supply or provide services to "critical infrastructure" or (iii) that collect or maintain "sensitive personal data", in each case, if such investments afford foreign persons certain rights (as described below). Under the Part 802 Rule, CFIUS will also have the jurisdiction to review certain "covered real estate transactions" if the relevant real estate is in close proximity to U.S. military installations or sensitive U.S. government facilities, or within or part of an airport or a maritime port.

On the one hand, the proposed rules greatly expand CFIUS's jurisdiction to review a wide range of foreign investments in U.S businesses and real estate. On the other hand, the proposed rules show some restraint on the part of CFIUS by limiting the instances where mandatory CFIUS filings are required.

The comment period for the proposed rules is open until October 17, 2019, and, in accordance with FIRRMA, the rules are required to be finalized no later than February 13, 2020. Below are key takeaways from the proposed rules.

1. The Pilot Program (including mandatory filings) remain in place

   The proposed rules do not alter the interim "Pilot Program" rules (31 CFR Part 801) issued on October 11, 2018. Until further notice, or until the Pilot Program expires in February 2020 if not extended, investments subject to the Pilot Program will continue to be subject to potential mandatory CFIUS filings.

   Under the Pilot Program, a mandatory filing regime was created for certain foreign investments in U.S. businesses that produce, design, test, manufacture, fabricate, or develop certain "critical technologies" if such transaction: (i) could result in a foreign person controlling such business, (ii) affords a foreign person with access to "material non-public technical information" regarding such business (information necessary to design, fabricate, develop, test produce or manufacture critical technologies), (iii) affords a foreign person with membership or observer rights on the board of such business or (iv) affords a foreign person the right to involvement in the substantive decision-making of such business with respect to the relevant critical technology. Critical technologies include: (a) defense services and articles controlled by the International Traffic in Arms Regulations, (b) items controlled by the Export Administration Regulations for reasons related to national security, chemical and biological weapons proliferation, nuclear nonproliferation, missile technology, regional stability, or surreptitious listening, (c) specially designed nuclear components, parts and technology and (d) select agents and toxins, in each case, used in or developed for any of the twenty-seven sensitive industries enumerated under the Pilot Program rule (please see our October 31, 2018 alert for the complete list of industries), and also include certain "emerging and foundation technologies" controlled under the Export Control Reform Act. The rules defining "emerging and foundational technologies" are expected by year end, and are likely to include categories such as biotechnology, artificial intelligence, additive manufacturing (including 3-D printing), navigation and timing (including self-driving car technology), microprocessor technology, robotics and quantum computing. When the final list of "emerging and foundation technologies" is released, it will be immediately relevant, as they will automatically be incorporated into the definition of critical technologies.

   Under the Pilot Program, indirect participation in such investments by a foreign person as a limited partner of a private investment fund generally does not trigger a mandatory CFIUS filing if: (i) the fund is exclusively managed by a general partner (or equivalent) that is not the foreign person, (ii) neither the foreign person nor the advisory board of the fund has certain control rights with respect to the fund, including, the ability to control investment decisions or participate in the substantive decision making of the fund regarding companies in which the fund is invested, or the ability to unilaterally select or remove the general partner (or equivalent) and (iii) the foreign person does not have access to "material non-public technical information" regarding the applicable company.

2. The proposed rules maintain CFIUS's jurisdiction to review control investments

   Whether an investment fund organized in a non-U.S. jurisdiction is itself a foreign person (including by virtue of its general partner being organized in a non-U.S. jurisdiction and/or one or more of its control persons not being a U.S. national), or the involvement of investment professionals who are not U.S. nationals in the investment activities of an investment fund could cause a mandatory CFIUS filing, remains a fact-specific analysis.

   The proposed regulations maintain CFIUS's broad jurisdiction to review for national security reasons any investment in any U.S. business (referred to as, "covered control transactions" in the proposed rules) where a foreign person obtains "control" of the U.S. business. The term control is broadly defined (generally, the power to determine, direct or decide important matters of the business) and could be triggered even where the foreign investor holds a small minority stake in the business (if for example, the investor retains the right to dismiss senior executives, terminate significant contracts or select new business lines).

3. The proposed rules expand CFIUS's jurisdiction to review non-control investments in TID U.S. Businesses

   CFIUS's jurisdiction has been expanded to cover certain non-controlling equity investments in U.S. businesses that (i) are involved with "critical technologies", (ii) own, operate, manufacture or supply or provide services to "critical infrastructure" that is so vital to the United States that the incapacity or destruction of such systems or assets would have debilitating impact on national security or (iii) that collect or maintain "sensitive personal data" that may be exploited in a manner that threatens to harm national security (a "TID U.S. Business"). Any such direct or indirect foreign investment in a TID U.S. Business (referred to as a "covered investment" in the proposed rules) is subject to CFIUS's jurisdiction if such investment affords a foreign person:

   access to "material non-public technical information"; membership or observer rights on the board of such business; or rights to involvement, other than through voting shares, in the "substantive decision-making"1 of such business. Critical Technologies. The criteria for determining a "critical technology" U.S. business is unchanged from the Pilot Program, except that for purposes of potentially being a TID U.S. Business, there is no requirement that relevant business uses the "critical technology" in one of the enumerated twenty-seven sensitive pilot program industries. Critical Infrastructure. A "critical infrastructure" investment is generally an investment in a U.S. business that owns, operates, manufactures or supplies or provides services (referred to as "functions related to critical infrastructure" in the proposed rules) to critical infrastructures, including, certain defense industrial base sectors, telecommunications, energy, transportation, financial services and public water and waste systems. The proposed rules provide an appendix (reproduced at the end of this Alert) that sets forth the combinations of the twenty-eight categories of "critical infrastructures" and "functions related to critical infrastructure" that potentially constitute a TID U.S. Businesses. Sensitive Personal Data. A "sensitive personal data" investment is generally an investment in a U.S. businesses that maintains or...