On July 12 the German federal government adopted important amendments (the amendments) to the German Foreign Trade and Payments Ordinance (the Ordinance), allowing for wider control of foreign corporate takeovers with a view to enhancing the protection of companies that are active in security-sensitive areas and that provide critical infrastructure.
Under the Ordinance, the Federal Ministry for Economic Affairs and Energy can scrutinize, and eventually prohibit or restrict, an acquisition of a shareholding of at least 25 percent in a German company by a non-EU investor if such acquisition endangers Germany's public order or security.
Prompting this initiative by the German government are increasing activities by Chinese investors to acquire, or at least attempt to acquire, German companies active in security-sensitive areas. In light of these and other significant recent direct investments of foreign companies, and given the ever-increasing importance of supply-relevant key infrastructure, the federal government adopted the amendments to the Ordinance.
I. Focus on Companies Functioning in Security-Sensitive Areas and Providing Critical Infrastructure
In the amendments, the federal government has specified in which cases “an endangerment for the public order or security of Germany” exists. The Ordinance now defines the following cases and key industries as generally posing risks, thereby giving rise to scrutiny
- Companies that operate critical infrastructure
Negative impacts on companies that operate critical infrastructures can have far-reaching social and economic consequences. To determine which companies can be regarded as operating critical infrastructures and are thus subject to scrutiny under the Ordinance, the federal government makes reference to German legislation that already names the following critical infrastructures: energy, information technology, telecommunications, transport, health, water, nutrition, finance and insurance
- Companies that manufacture software for critical infrastructures
Cyber-attacks on critical infrastructure can have extremely harmful consequences for society, government and economy, and therefore for the state's ability to act. The federal government regards manufacturers of key IT applications as particularly relevant to security because they specifically develop or alter IT applications that meet the needs of companies that operate critical infrastructures. The acquisition of the manufacturers of IT applications by non-EU companies risks the loss of security-relevant information about the operation of critical infrastructure and may cause a lack of trustworthy alternatives.
- Companies that are entrusted with telecommunications surveillance measures (such as wiretapping), or that manufacture or have knowledge about technical equipment for the implementation of these measures
German law provides for the possibility of telecommunications surveillance such as wiretapping for law enforcement purposes and for the prevention of serious crimes. Because of their relevance to fundamental rights, these measures are allowed only under strict conditions. The involvement and contribution of companies in this regard are especially relevant to security, as information obtained using these measures can be of system-relevant significance for the security of Germany, in particular if violent offences endangering the state are imminent. Therefore, the federal government regards the availability of trustworthy and long-term technical providers as crucial. With the amendments, the German government therefore intends to prevent these companies from becoming a focus of foreign intelligence services.
- Companies that operate cloud computing services
The acquisition of a company that operates cloud computing services can also be especially relevant for security, for example, if the company to be acquired can access server farms of certain critical operators in the area of, e.g., energy, water, information technology, telecommunications or health. In this regard, operators of cloud computing services potentially have unlimited access to system-relevant personal data (e.g., data for identification purposes, medical data, bank account data, passwords) and factual data (e.g., geographic data, data regarding patents or products used by the state for security reasons) belonging to the operators of critical infrastructure. The federal government sees the failure to scrutinize the acquisition of companies that operate cloud computing services as risking access to and subsequent use of these data by foreign governments, potentially acting through the involvement of a private investor. The inclusion in the Ordinance of the acquisition of these companies is in line with recent EU legislation imposing security requirements on cloud computing services.
- Companies that are authorized to provide components or services of the telematics (electronic data transmission) infrastructure according to German social security law
The federal government regards companies covered by this provision as having a preeminent position regarding the security of the German health system, the protection of safe communication in this regard and the public security of Germany. The telematics infrastructure is a critical infrastructure with strategic significance for the functioning of the health system, especially regarding communication. An acquisition by non-EU investors could therefore jeopardize the trustworthiness and functionality of system-relevant IT within the health system. Furthermore, inappropriate use of the infrastructure could lead to a disruption of the system and subsequently to a widespread breakdown of the provision of healthcare in Germany.
II. Further Amendments Regarding Scope and Procedure
Besides these amendments, the German government has implemented into the German Foreign Trade and Payments Ordinance the following further amendments regarding scope and procedure:
- Notification obligation
Regarding the critical companies, the amendments introduce a written notification obligation in cases of acquisition of a shareholding of at least 25 percent in a German company by a non-EU investor. The notification obligation is triggered by the conclusion of a contract creating obligations. This rule extends the notification obligation to the acquisition of companies in the aforementioned civil economic sectors that are especially relevant for security. The rule is intended to guarantee a timely awareness of the competent scrutinizing authority, i.e., the Federal Ministry for Economic Affairs and Energy.
- Review period generally extended from two to four months
The German government has extended the review period from two to four months because of both an increasing number of acquisitions and the greater complexity of the cases. The extension of the review period also is intended to ensure the involvement of all substantively affected bodies.
- Clarification regarding indirect acquisitions
The amendments provide for clarification that indirect acquisitions are subject to the same scrutiny as direct acquisitions by, e.g., submitting the indirect acquirer to the same notification obligation or obligation to submit documentation about the acquisition.
- Additional scrutiny in particular security-sensitive areas
Additionally, the amendments ensure greater scrutiny in areas that are particularly security-sensitive, which now include additional companies that develop or manufacture certain key enabling technologies in the defense sector, such as sensor technology or technology for electronic warfare.
III. Developments at the EU Level
Besides its national rules, Germany, together with France and Italy, had already raised concern at the EU level about non-EU investors buying European key technologies, and had launched an initiative to effect changes in EU laws. In particular, the national leaders had called for reciprocity and therefore for non-discriminatory treatment of non-EU companies in relation to EU companies, which face barriers when they try to invest in non-EU countries. Upon this initiative, EU member states, at the conclusion of the European Council meeting of June 22-23, called on the European Commission “to swiftly agree on modern, WTO-compatible trade defense instruments, which will reinforce the ability of the EU to effectively tackle unfair and discriminatory trade practices and market distortions.
The objectives of the new German legislation are to ensure fair competition and, certainly, to tighten control over the acquisition of German companies by non-EU investors. However, the new legislation and further regulations could, as industry associations have already rightly noted, jeopardize trade and especially block investments. Hopefully this is not a step that will be followed by others in escalating restrictions to free international trade in general.