I. Introduction
New rules that became final on February 13, 2020 dramatically expand the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS). Where CFIUS was once concerned only with transactions that would result in foreign control of a U.S. business, the Committee’s authority now extends to non-controlling investments in a broad range of U.S. businesses involved with critical technology, critical infrastructure, or sensitive personal data – collectively denominated “TID U.S. businesses” – as well as in certain real estate.[1]
The new rules significantly affect foreign investment in hi-tech (including social media), biotech, health care, finance, insurance, and critical infrastructure, among other sectors. And they make it essential for foreign investors (and U.S. targets) to know the U.S. export classification of the target’s technology – even if the target does not engage in any export activity.
Further, because the rules apply to both direct and indirect foreign investment, CFIUS issues can arise in the context of investments from funds with foreign limited partners, or U.S. companies controlled by foreign persons, or foreign investments into a foreign company that has a U.S. subsidiary.
Parties who fail to seek CFIUS approval where applicable do so at their peril: the Committee can not only recommend blocking of proposed transactions, but also unwinding of completed investments/acquisitions. More commonly, the Committee will propose mitigation conditions restricting foreign investor/acquiror rights, such as rights to participate in substantive decision-making or to access the target’s intellectual property.
While notification to CFIUS is at the parties’ discretion in many cases (subject to the risk of unwinding/forced mitigation if notification is not made), CFIUS notification is mandatory when the investment will result in a significant foreign government interest, and when the target develops, produces, or tests certain export-controlled and other sensitive technology – a category that goes well beyond obviously sensitive military technology and captures a much wider range of commercial technologies than many investors realize. Where filing is mandatory, failure to comply can lead not only to unwinding or imposition of mitigation conditions, but also to penalties of the value of the transaction or $250,000, whichever is greater.
II. Triggers for CFIUS jurisdiction
At a high level, CFIUS jurisdiction turns on two pivots: (1) the rights the foreign investor will receive; and (2) the kind of business or real estate into which the investment is being made. Table 1 summarizes these triggers.
[Insert Table 1]
III. How hi-tech, biotech, health care, finance, and insurance investments are captured
Two terms are key to understanding why the new rules are so significant for the hi-tech, biotech, health care, finance, and insurance sectors: (1) “critical technologies” and (2) “sensitive personal data of U.S. citizens.”
- Critical Technologies
The term “critical technologies” means technologies that are subject to certain U.S. export controls, specifically: items on the United States Munitions List (USML); items on the Commerce Control List (CCL) pursuant to multilateral regimes (including reasons relating to national security, chemical and biological weapons, nuclear nonproliferation, or missile technology), or based on unilateral controls (regional stability, surreptitious listening, or emerging and foundational technology); nuclear-related items covered by 10 CFR 110 or 810; and select agents and toxins covered by 7 CFR 331, 9 CFR 121, or 42 CFR 73.
In practice, these controls apply to a wide range of technologies, well beyond what many investors may think of as sensitive tech: for example, “critical technologies” include software that uses encryption for data protection purposes, and lentiviral packaging plasmids commonly used in biomedical research that contain the G gene from the Vesicular Stomatitis Virus (VSV).
If a U.S. business designs, develops, produces, fabricates, manufactures, or tests critical technologies, CFIUS jurisdiction will exist for controlling investments and may very well also exist for non-controlling investments (depending on the rights the foreign investor will acquire). Therefore, it is essential for investors to know the export classification of a target’s technology. That in turn means extra steps in due diligence. Investors should be aware that accurate determination of export classification can be complex, and may result in substantial delay if a target has never engaged in export activities and therefore never identified the export classification of its technology. The technology of a target’s U.S. subsidiaries may also need to be evaluated.
- Sensitive Personal Data
The term “sensitive personal data of U.S. citizens” includes the following categories:
While this list sounds, and is, sweeping, the definition is subject to some important limits, including the following:
- The data must be identifiable, and not a matter of public record.
- Data collected or maintained by a business concerning its employees does not count, except with respect to employees of U.S. government contractors with personnel security clearances.
- Genetic test results derived from federal government databases and routinely made available to private parties for research are excluded.
- Except with respect to genetic test results, data that falls into the categories above does not count as sensitive unless the target either:
  - targets or tailors goods or services to U.S. executive branch agencies, contractors, or employees with military, intelligence, national security, or homeland security responsibilities; or
  - has collected or maintained, or has a demonstrated business objective to collect or maintain, data on 1 million individuals (not necessarily all U.S. citizens).
Even with the limitations described above, this definition of sensitive personal data sweeps in all kinds of U.S. businesses that may never even have dreamt that a committee like CFIUS exists. It is also critical to note that CFIUS will have jurisdiction where the U.S. business collects or maintains the relevant kind of data directly or indirectly. As a result, as examples embedded in the rules make clear, if a business outsources collection or storage of sensitive personal data within the scope of the definition to a subsidiary or a third party provider, both the business and the subsidiary or provider will be considered TID U.S. businesses and will need to consider CFIUS issues with respect to direct or indirect foreign investment. See 31 CFR 800.248, Examples 11-12.
IV. Mandatory filings, and exemptions
In most cases, notification to CFIUS is a voluntary process, subject to the risk of unwinding/forced mitigation if notification is not made but the Committee develops concerns about the transaction. However, the new rules make prior notification to CFIUS mandatory in two circumstances:
- If the foreign investment will result in an interest of 25% or more by a foreign person in which a foreign government other than the UK, Canada or Australia has a 49% or greater interest; and
- If the foreign investment target designs, develops, produces, fabricates, manufactures, or tests “critical technologies” that it either (i) specifically designed for, or (ii) uses in connection with its activities in, one of 27 industries specified in 31 CFR Appendix B.[2]
The rules provide several significant exemptions from the mandatory filing requirements, which we have summarized in Table 2.
[Insert Table 2]
The exemption for “excepted investors” (31 CFR 800.219) merits some additional examination. While it sounds promising, in practice it is rather limited, because:
- It applies only to non-controlling investments in TID U.S. businesses; control transactions remain subject to CFIUS jurisdiction even if the foreign party qualifies as an “excepted investor.”
- The category “excepted investor” is defined by reference to “excepted foreign states,” of which there are currently only three: the U.K., Australia, and Canada.
- The exemption requires satisfaction of a complex set of nationality-related conditions, as set out in Table 3. While these criteria may be workable for individual investors, it will likely be difficult to gather the necessary information with respect to corporate investors.
[Insert Table 3]
V. Navigating the jurisdictional maze
The new rules are complex (occupying over 200 pages in the Federal Register) and impossible to summarize in just a couple of pages. The full text of the rules can be found here and (for real estate transactions) here. But to assist in orienting investors and their counsel to the new landscape, we offer the following flow chart.
For more information on the new CFIUS rules and advice on whether and how to seek CFIUS approval for a covered transaction, please contact Tahlia Townsend or David Hall of Wiggin and Dana’s International Trade Compliance practice.
Insert Flow Chart
Glossary of additional terms
Control: The power, direct or indirect, whether or not exercised, through the ownership of a majority or a dominant minority of the total outstanding voting interest or otherwise (e.g., board representation, proxy voting, contractual arrangements) to determine, direct, or decide “important matters affecting an entity,” such as: disposition of assets; reorganization/merger/dissolution; closing/relocation/alteration of facilities; major expenditures/investments; issuance of debt/equity; approval of operating budget; selection of new ventures; entry into/termination of significant contracts; appointment or dismissal of officers, senior managers, or general partner; appointment or dismissal of employees with access to sensitive technology; policies/procedures for handling non-public technical, financial or other proprietary data; amendment of organizational documents with respect to the foregoing matters. Excludes standard minority shareholder protections, i.e., the right to purchase an additional interest in an entity to prevent dilution, and the power to prevent: the sale or pledge of all or substantially all of the assets of an entity or a voluntary filing for bankruptcy or liquidation; contracts with majority investors or their affiliates; guaranteeing of the obligations of majority investors or their affiliates; change of existing legal rights or preferences of a particular class of stock held by minority investors; or amendment of the Articles of Incorporation or other organizational documents regarding such matters. See 31 CFR 800.208.
Genetic tests: “An analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes,” but “does not mean – (i) an analysis of proteins or metabolites that does not detect genotypes, mutations, or chromosomal changes; or (ii) an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition that could reasonably be detected by a health care professional with appropriate training and expertise in the field of medicine involved.” 42 U.S.C. 300gg-91(d)(17).
Substantive decision-making: Decision-making on significant matters such as: (1) Pricing, sales, and specific contracts, including the license, sale, or transfer of sensitive personal data to any third party, including pursuant to a customer, vendor, or joint venture agreement; (2) Supply arrangements; (3) Corporate strategy and business development; (4) Research and development, including location and budget allocation; (5) Manufacturing locations; (6) Access to critical technologies, covered investment critical infrastructure, material nonpublic technical information, or sensitive personal data, including pursuant to a customer, vendor, or joint venture agreement; (7) Physical and cyber security protocols, including the storage and protection of critical technologies, covered investment critical infrastructure, or sensitive personal data; (8) Practices, policies, and procedures governing the collection, use, or storage of sensitive personal data, including: (i) The establishment or maintenance of, or changes to, the architecture of information technology systems and networks used in collecting or maintaining sensitive personal data; or (ii) Privacy policies and agreements for individuals from whom sensitive personal data is collected setting forth parameters regarding whether and how sensitive personal data may be collected, maintained, accessed, or disseminated; or (9) Strategic partnerships. Excludes “strictly administrative decisions.” See 31 CFR 800.245.
[1] A portion of the rules involving non-controlling investments in certain U.S. businesses that deal in critical technologies was implemented as a pilot program beginning in October 2018. But the new rules go much further.
[2] According to official commentary accompanying the new rules, the Treasury Department intends to revise the rule for mandatory declarations in the context of critical technology by replacing the test based on industry codes with a test based on “export control licensing requirements.” 85 FR 3112, 3121 (January 17, 2020). However, no proposed rule articulating this change has yet been published.
