The Situation: The Committee on Foreign Investment in the United States ("CFIUS," or the "Committee") recently published draft regulations implementing the Foreign Investment Risk Review Modernization Act ("FIRRMA"), which impact biotechnology and life sciences businesses.
The Result: CFIUS will enjoy greater authority to review transactions involving biotechnology and life sciences companies due to an increased focus on export controls of certain biotechnology, sensitive personal data of U.S. citizens, and real estate transactions.
Looking Ahead: Parties to transactions between foreign investors and U.S. companies that operate within the biotechnology and life sciences sector should carefully consider the potential ramifications of foreign investment.
For many biotechnology and life sciences companies, the national security review process is a new concept. The Committee has a mandate to protect U.S. national security, and the president is authorized to prohibit a proposed transaction or require a foreign person to divest its entire interest in a U.S. business for reasons related to "national security," a phrase that is broadly construed. Most companies are unaware of these facts, unless the company has already experienced a review by, or received an inquiry from, the Committee related to receipt of foreign capital. Fortunately, the Committee "clears" or approves the vast majority of all transactions it reviews. However, when CFIUS identifies national security concerns associated with an investment, companies may not understand the nature of the government's concerns and may find themselves choosing between either accepting government-imposed mitigation measures or simply walking away from a proposed deal.
National security concerns are not limited only to the U.S. defense industrial base. Instead, national security concerns have expanded in recent years to various other sectors of the U.S. economy, such as healthcare (including biotechnology and life sciences), financial, agriculture, and social media companies.
Biotechnology and life sciences companies are an essential part of the U.S. economy and the ability to raise capital and participate in cross-border collaboration is typically viewed as critical to achieving goals and the overall financial success of the company. However, CFIUS will be closely scrutinizing companies that operate within this sector and identifying certain instances where foreign investments in biotechnology and life sciences companies raise national security concerns.
CFIUS recently published draft regulations that will govern how the Committee will operate going forward (which we discussed in more detail in our Commentaries, "Facing FIRRMA: Expanded CFIUS Jurisdiction Over Real Estate Transactions," and "Facing FIRRMA: Proposed Regulations Expand Scope of CFIUS National Security Review Process"). Some of the Committee's concerns related to foreign investments in biotechnology and life sciences are captured in the proposed regulations, and below we discuss a few key items that biotechnology and life sciences companies should consider when negotiating for foreign capital.
Certain Foreign Investments May Soon Require Notification
Last November, CFIUS introduced a pilot program that requires mandatory notifications for certain controlling and non-controlling investments in U.S. businesses that produce "critical technologies." The pilot program remains in effect under the recent draft regulations, but CFIUS is considering whether changes should be made to the pilot program as part of the final rules.
Previously, most transactions involving U.S. biotechnology and life sciences companies did not fall within the contours of the mandatory pilot program because they lacked the requisite "critical technology." For example, only certain chemicals, biological agents, or other sensitive materials that are highly controlled under the Export Administration Regulations ("EAR"), the Select Agent Program, or the International Traffic in Arms Regulations ("ITAR") were considered "critical technologies."
However, the pilot program framework, if left unchanged, could capture more biotechnology deals because it includes a placeholder for a new class of "critical technology" referred to as "emerging and foundational technology." The U.S. Department of Commerce, Bureau of Industry and Security ("BIS") is currently evaluating whether cutting-edge technologies in the biotechnology and life sciences sector, among others, require stronger export controls, including those in the fields of nanobiology, synthetic biology, genomic and genetic engineering, and neurotech. If so, certain foreign investments in U.S. companies that produce, design, test, manufacture, fabricate, or develop these technologies will require a mandatory notification to CFIUS. Failure to properly notify the Committee could potentially have significant financial consequences, including a fine for up to the value of the transaction.
Companies With Sensitive Personal Data, Such as Genetic Information, Will Face Additional Scrutiny
Under the proposed rules, CFIUS's jurisdiction is being expanded from its historic focus on controlling investments to include even noncontrolling investments by a foreign person in a U.S. business that maintains or collects sensitive personal data of U.S. citizens, which "may be exploited in a manner that threatens to harm national security."
Specifically, CFIUS would now have jurisdiction over controlling and non-controlling investments by foreign persons in a U.S. business that collects certain sensitive personal data that includes "identifiable data" if that U.S. business: (i) "targets or tailors" its products or services to sensitive U.S. government personnel or contractors; (ii) maintains or collects such data on more than one million individuals; or (iii) demonstrates a business objective to maintain or collect such data on more than one million individuals, and such data is an "integrated part" of the U.S. business’s primary products or services.
The proposed rules define "identifiable data" as data that can be used to distinguish or trace an individual's identity, including through the use of any personal identifier (i.e., name, physical address, email address, social security number, phone number, or other information that identifies a specific individual). Notably, aggregated data or anonymized data is considered "identifiable data" if any party to the transaction has or will have the ability to disaggregate or de-anonymize the data, or if the data is otherwise capable of being used to distinguish or trace an individual’s identity. Identifiable data does not include encrypted data, unless the U.S. business that maintains or collects the data has the means to de-encrypt it to distinguish or trace an individual’s identity.
Additionally, CFIUS will have expanded jurisdiction over U.S. businesses that collect or maintain records relating to a U.S. citizen’s genetic information, such as a genetic test, or individual or family disease or disorder history, regardless of whether the genetic information meets the criteria of (i)-(iii) described above. Biotechnology and life sciences companies might collect this type of sensitive personal data. Under the proposed rules, CFIUS will now be authorized to review both controlling and certain noncontrolling transactions involving companies that possess this type of information.
Consider Carefully Where You Build Your Next Facility
Traditionally, the U.S. real estate sector has largely operated outside of CFIUS's jurisdiction, but the draft regulations have considerably expanded CFIUS's authority. While there is no mandatory filing requirement for real estate transactions under the proposed rules, CFIUS will be able to evaluate real estate transactions involving foreign-owned or foreign-controlled businesses at airports, maritime ports, or near a list of identified government locations.
Thus, biotechnology and life sciences companies should consider whether CFIUS could review a real estate lease or acquisition transaction and, before agreeing to any terms, may wish to voluntarily and pre-emptively seek approval for such a transaction if, for example, the real estate is located in close proximity (i.e., one mile) of sensitive military bases, even in urban areas, or within the extended range (i.e., within 100 miles) of certain U.S. government sites in rural areas. Without CFIUS approval, for example, a foreign-owned biotechnology company that is leasing office space or a warehouse could find CFIUS performing a post-closing review of the lease and requiring the company to vacate the location for reasons related to national security. Depending on how CFIUS wields its new authority, and how aggressively it pursues transactions that are not voluntarily notified to CFIUS, the Committee's actions could introduce uncertainty in real estate markets in growing cities near military bases.
Three Key Takeaways
- Certain investments in biotechnology and life sciences companies many require notification to CFIUS prior to closing, and companies should consult with experienced counsel when negotiating deals with foreign investors early in the life of the deal. Failure to properly notify the Committee could result in significant financial penalties.
- Biotechnology and life sciences companies with sensitive personal data, including genetic information of U.S. citizens, should carefully consider the source of foreign funds before accepting new investments.
- Companies should evaluate CFIUS's jurisdiction over certain real estate transactions and consider whether to voluntarily seek pre-emptive review by CFIUS to avoid any later disruption of a proposed lease or acquisition of real estate.