On September 17, 2019, in connection with its efforts to strengthen and modernize the Committee on Foreign Investment in the United States (CFIUS), the U.S. Department of the Treasury issued proposed regulations to comprehensively implement the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) and to better address national security concerns arising from certain investments and real estate transactions.

The proposed regulations leave intact existing CFIUS authority to review transactions that will result in foreign “control” of a U.S. business, but dramatically expand the Committee’s authority to review non-controlling investments in U.S. businesses and certain real estate transactions.

The Committee will retain its pilot program authority to review non-controlling investments by foreign persons in U.S. “critical technologies,” and CFIUS jurisdiction will now also include review of non-controlling foreign investment in U.S. businesses involving “critical infrastructure” and “sensitive personal data.” The proposed regulations also expand CFIUS jurisdiction to include review of certain real estate purchases or leases by, or concessions to, foreign persons regarding sites in or nearby certain sensitive locations.

The public comment period on the proposed regulations will close on October 17, 2019, and final regulations will become effective no later than February 13, 2020.

The basics

The anticipated implementing regulations follow the August 13, 2018, enactment into law of FIRRMA, a bipartisan effort to strengthen the existing CFIUS review process.

FIRRMA expands the scope of CFIUS jurisdiction and requires implementing regulations to become effective. On November 10, 2018, as authorized under FIRRMA, CFIUS launched a pilot program that only implemented narrow provisions of FIRRMA by expanding the scope of CFIUS review to include certain non-controlling foreign investments in U.S. companies involved in “critical technology” and by requiring mandatory declarations for such investments. Under the new proposed regulations, the Treasury Department seeks to comprehensively implement FIRRMA. Key takeaways from this proposed comprehensive implementation are set forth below. 

  • More mandatory filings

For the first time, certain filings by foreign government-affiliated investors will be mandatory. Specifically, filing a declaration for a transaction will be mandatory for certain covered transactions that result in the acquisition of a substantial interest in a “TID U.S. business,” as described below, by a foreign person in which a foreign government has a substantial interest. The term “substantial interest” is defined as a voting interest, direct or indirect, of 25 percent or more by a foreign person in a U.S. business and a voting interest, direct or indirect, of 49 percent or more by a foreign government in a foreign person.

  • Scope of CFIUS review expanded to include non-controlling investments in technology, infrastructure, and data, or “TID U.S. businesses”

A TID U.S. business:

  1. Produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies, mirroring the existing pilot program;
  2. Performs certain functions related to critical infrastructure; or
  3. Maintains or collects, directly or indirectly, sensitive personal data of U.S. citizens.

Specifically, CFIUS will be authorized to review an investment, direct or indirect, by a foreign person in the TID U.S. business that affords the foreign person:

  • Access to any material nonpublic technical information in the possession of the TID U.S. business;
  • Membership or observer rights on the board of directors or equivalent governing body of the TID U.S. business or the right to nominate an individual to a position on the board of directors or equivalent governing body; or
  • Any involvement, other than through voting of shares, in substantive decisionmaking of the TID U.S. business regarding—
    • the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens maintained or collected by the U.S. business;
    • the use, development, acquisition, or release of critical technologies; or
    • the management, operation, manufacture, or supply of critical infrastructure.

  • CFIUS will review a range of investments related to “critical infrastructure”

Covered investments related to critical infrastructure will include investments in a U.S. business that performs specified functions—owning, operating, manufacturing, supplying, or servicing—with respect to certain types of critical infrastructure across subsectors such as telecommunications, utilities, energy, and transportation. The subset of covered physical and virtual systems and assets and applicable functions is identified in an appendix to the proposed regulations.

  • CFIUS will reach companies dealing in sensitive personal data 

“Sensitive personal data” is defined to include 10 categories of data maintained or collected by U.S. businesses that (i) target or tailor products or services to sensitive populations, including U.S. military members and employees of federal agencies involved in national security, (ii) collect or maintain such data on at least one million individuals, or (iii) have a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. Sample categories include health, financial, and geolocation data, among others, and relate to types of data of U.S. citizens that may be exploited in a manner that threatens national security. 

  • Certain real estate transactions subject to voluntary review

Covered real estate transactions will include the purchase or lease by, or a concession to, a foreign person of certain real estate in the United States that affords the foreign person three or more of the following property rights: to physically access; to exclude; to improve or develop; or to affix structures or objects. Covered real estate transactions focus on transactions in or around certain airports, maritime ports, military installations, and geographic areas as identified by the Treasury Department in an annex to the regulations and as identified by the Department of Transportation. There will be no mandatory filing requirement for real estate transactions.

  • Narrow exceptions available for certain foreign persons

The proposed regulations provide three new defined terms, “excepted investor,” “excepted foreign state,” and “minimum excepted ownership.” These operate together to exclude from CFIUS’s jurisdiction covered investments by certain foreign persons who meet certain criteria establishing sufficiently close ties to certain foreign states. The criteria are strict, and notably, the regulations do not except these persons from control transactions previously subject to CFIUS jurisdiction. Investments from all foreign persons will remain subject to CFIUS’s jurisdiction over transactions that could result in foreign control of a U.S. business.

  • Declaration forms available to all parties 

To date, declarations (as opposed to a formal written notice) have only been available – and mandatory – for investments in critical technology that fall under CFIUS’s interim pilot program. Once implemented, the regulations will allow parties to any proposed covered transaction to submit a five-page declaration in lieu of a written notice, whether the transaction involves real estate, non-controlling investments, or control. Consistent with the pilot program, within 30 days after the declaration is submitted, CFIUS may either request the parties file a written notice; invite the parties to submit a written notice; initiate a unilateral review of the transaction; or clear the transaction.

  • More to come

The Treasury Department will publish separate proposed regulations regarding CFIUS filing fees at a later date. In addition, once the proposed regulations become final by February 2020, the Treasury Department anticipates that it will periodically review, and as necessary, make changes to the regulations in order to keep up with the pace of technological development, the evolving use of data, and the evolving national security landscape.