The National Security and Investment Act 2021 introduces a major new screening regime for transactions and deals. It has a broad scope, applying to the acquisition of corporate and unincorporated entities, as well as ownership of and the right to use assets.

As we prepare for the Act's commencement on 4 January 2022, we consider how it applies to transfers and licensing of intellectual property rights, knowhow and confidential information.

What does the Act require and how will it operate?

The Act introduces a free-standing national security regime, independent of the UK merger control framework. A new unit within the Department for Business, Energy and Industrial Strategy, the Investment Security Unit (ISU), will assess deals that are either notified to it or have come to its attention.

The screening power has two limbs: a mandatory obligation to notify (pre-completion) deals falling within key sectors; and a 'call-in' power that allows the Secretary of State (through the ISU) to examine any deal he "reasonably suspects…has given rise to or may give rise to a risk to national security."

The Act will apply to certain investments in targets active in the UK or with a connection to activities carried out in the UK. The target may be an entity or an asset, with the latter defined broadly as encompassing "ideas, information or techniques which have industrial, commercial or other economic value."

This gives the new regime ample scope to screen deals involving software, technology and intellectual property rights. This includes transfer of ownership and licensing arrangements.

(See our previous posts on the operation of the mandatory regime and the call-in power.)

Which sectors are covered by the mandatory regime?

There are 17 sectors identified as raising potential national security concerns, and in which the mandatory notification requirement will apply to the acquisition of entities:

  • advanced materials;
  • advanced robotics;
  • artificial intelligence;
  • civil nuclear;
  • communications;
  • computing hardware;
  • critical suppliers to government;
  • critical suppliers to the emergency services;
  • cryptographic authentication;
  • data infrastructure;
  • defence;
  • energy;
  • engineering biology;
  • military and dual-use technologies;
  • quantum technologies;
  • satellite and space technologies;
  • transport.

The definitions of the entities within these sectors that will be caught are set out in draft secondary legislation, which the Government expects to make later this year.

When might the Act apply?

The mandatory obligation is triggered if the buyer:

  • acquires at least 25% of the shares or voting rights in the target entity; or
  • acquires the ability to secure or block the passage of resolutions governing the entity’s affairs.

The Government's call-in power in relation to the acquisition of an entity (whether or not within the 17 identified sectors) is available in the same circumstances, and also where a person gains the ability to materially influence the policy of an entity.

In connection with assets, the call-in power is available where a buyer acquires a right or interest allowing that person to use the asset or direct its use (or to use or direct it to a greater extent). The asset need not fall within any of the 17 key sectors, though if it does (or is closely related to one) then the risk of a deal being called in will be higher.

Though the Act will not come into force until 4 January 2022, the Government will be able to exercise the call-in power in relation to acquisitions of control that took place on or after 12 November 2020.

How does the Act apply to patents, software, knowhow and other IP?

IP rights will be affected by the mandatory notification obligation where they are acquired by gaining control of an entity covered by the secondary legislation mentioned above. Many of the 17 key sectors are interconnected with IP and knowhow, including entities operating in supply chains or that are ancillary to production.

For example, the definition of 'advanced materials' covers a range of composites, semiconductors, and nanotechnologies. Entities will fall within this definition if they produce or develop these technologies or capabilities, or undertake activities that enable production, e.g. any process used in the manufacture or application of these advanced materials.

Some key sectors do have qualifying criteria excluding technologies that could not credibly be considered a national security threat. Advanced robotics is a key sector, but the definition expressly excludes robotic systems readily available for purchase by consumers, or industrial automation systems, with basic sensors or cognitive ability.

Despite some opposition, the Government has included a distinct sector category for artificial intelligence, describing technologies that identify objects, people and events as higher risk since they are "inherently dual-use".

In certain sectors, a target that is active in the supply chain for the production or use of sensitive technology may trigger the mandatory obligation. In its response to the consultation on the scope of the mandatory notification regime, the Government was explicit that the focus of the computing hardware definition is preventing the loss of intellectual property within the supply chain to hostile actors. Similarly, the advanced materials definition covers those companies producing and developing technologies, and those which are supplying or exploiting IP.

Aside from the mandatory regime, the call-in power also gives the Government a broad remit over intellectual property assets. The legislation specifically provides that the Act can apply to assets including:

  • trade secrets;
  • databases;
  • source code;
  • algorithms;
  • formulae;
  • designs;
  • plans;
  • drawings and specifications;
  • software.

There is no minimum value or turnover threshold below which a deal can avoid being assessed. If the buyer acquires control over the asset, and the Secretary of State reasonably suspects that this creates risk to national security, the deal may be called-in. If national security concerns are then identified, the Government will have a broad power to remedy any national security concerns, including by ordering divestment of the acquired asset, placing controls on its use, requiring that it still be made available to others, or dictating that only specified personnel may control or access it.

What about IP licences?

A licence that gives the acquirer the ability to use or direct the use of a sensitive IP asset (including the ability to exploit, alter, manipulate or dispose of the asset) may be subject to a Government assessment.

For example, investors might establish a company to commercialise a patented technology, under exclusive licence from the patent-holder. If the patent had potential national security implications, the licensee gaining the ability to use the technology would potentially be subject to a call-in under the Act.

Conversely, a licence that confers preferential but not exclusive access to a technology, even if beyond that enjoyed by the wider public, seems less likely to result in a call-in unless the technology is so sensitive (e.g. IP relating to key defence capabilities) that access alone would give rise to concerns.

The Government White Paper that preceded the Act was clear that the acquisition of technology should not become a 'route' to undermining security.

For example, if a key UK energy provider used data servers that run on specialist computer code, provided by a third party, then a party acquiring control over the code (for example, obtaining an exclusive licence to use the underlying IP rather than buying the entity that owns it) could use the code in a manner prejudicial to the UK’s national security, such as cutting off the energy provider's access or manipulating the code to disrupt the supply of energy.

Another example would be a third party getting a licence to access and use the source code of software used by air traffic controllers. This would raise concerns if the third party could potentially identify vulnerabilities in the underlying code and use these to monitor or interfere with others' use of the software. This example also raises questions about the use of source code escrow arrangements for such software.

In such circumstances deals may well be called-in for review, if not necessarily in Government remedial action. A key consideration would no doubt be the identity of the licensee, including whether it was a national of, or otherwise connected to, a foreign state – particularly a hostile one – notwithstanding that nationality is not mentioned expressly in the Act itself.

The Act's extraterritorial reach – where the asset in question is IP then, unlike moveable property, it does not necessarily have to be used in connection with activities in the UK – may be problematic in relation to IP licences. The Government can, at its discretion, decide there is a sufficient nexus between the IP rights and a UK national security concern to exercise its jurisdiction. This may be complicated if the licence holder or licensee is incorporated outside of the UK, or the IP rights are governed by foreign law.

What about knowledge transfer agreements and spin-outs by universities?

The Government has issued guidance on the Act for the higher education and research-intensive sectors, which confirms that agreements through which a person gains control over a university or research organisation's IP assets will be covered by the Act's call-in power. This may be achieved through an exclusive or non-exclusive licence to those assets, or as part of a collaborative agreement involving (examples specifically given in the guidance):

  • contract or sponsored research;
  • sponsoring a research position (for example, a chair); or
  • sponsoring a research theme.

Notably, the guidance states that an investment at a pre-commercial stage would still be caught by the Act if the investor was entitled to all IP later generated from the research.

Donations that result in no commercial value to the donor, and no ability to control the use to which IP resulting from the donation might be put, would not be caught by the Act.

If a university sets up a separate entity to commercialise its IP, any future sale of that entity will be subject to the mandatory notification regime if the IP in question means the entity falls within one of the 17 key sectors.

What do I need to do if I think my transaction may be in-scope?

If your transaction is a notifiable acquisition under the mandatory regime, and it would complete on or after 4 January 2022, you must notify it and obtain clearance prior to closing. Deals that do not comply will be deemed void. Even if the deal would complete before 4 January, it may be sensible to consider making the ISU aware of any deal that would otherwise require notification, given the possibility of a retrospective call-in.

The same goes for deals involving potentially sensitive assets – from 4 January it will be possible to seek pre-approval to ensure deals are not called in and blocked post-completion, but the ISU is already engaging with parties who want to check their deals will not subsequently be called-in.

What can I do to prepare?

  • Assess whether any of the target's activities could create a mandatory obligation to obtain pre-closing clearance.
  • Ascertain whether the IP rights relate to a key sector or activity under the mandatory notification regime, which would significantly increase the risk of an asset transfer or licensing arrangement being called in.
  • From a risk perspective, consider whether to voluntarily notify the deal to the ISU, informally in advance of 4 January or formally thereafter.
  • Once the parties have an agreed position, include appropriate warranties and conditions in the transaction documents.