- FIRRMA would significantly expand CFIUS jurisdiction.
- Mandatory filing would be required in some cases.
- Parties that protect and maintain personal information are likely to face more scrutiny.
As we have described in recent blog posts in March 2018, January 2018 and October 2017, a rash of proposed transactions have not survived the Committee on Foreign Investment in the United States (CFIUS) process. Most notably, as we described here, in March 2018, President Trump announced that he would not allow Singapore-based Broadcom to acquire U.S.-based Qualcomm, a rival chipmaker.
The president made his decision based on the recommendation of CFIUS, the U.S. government’s inter-agency committee that reviews transactions that could result in control of a U.S. business by a foreign person in order to determine if the transaction would have an effect on the national security of the United States.
Congress Proposes Bi-Partisan CFIUS Reform Bill
Perhaps reflecting the increase in deals that are not surviving CFIUS scrutiny, Congress has tried to get in on the act with legislation to expand CFIUS’s mandate. In November 2017, a bipartisan group in Congress proposed the Foreign Investment Risk Review Modernization Act of 2017 (FIRRMA). Both the Senate and House passed their versions of the bill in June 2018. It is possible the bill could reach President Trump in August 2018. It seems likely the president will sign the bill into law soon after receiving it.
There are some differences between the Senate and House bills, which are now being consolidated in committee. Though we cannot say with certainty what the final bill will provide for, we expect it to include the following elements, each of which would alter how CFIUS operates.
- Filings and Timelines: FIRRMA contemplates an abbreviated “declaration” filing that would be mandatory for certain transactions covered by the law. In addition, the potential review period would increase from 75 days to 120 days (or slightly less under the House version of the bill), and CFIUS would be authorized to assess and collect filing fees for any covered transaction. At present, it is not necessary to pay a fee to make a CFIUS filing.
- Definitions: FIRRMA would expand the types of transactions CFIUS is authorized to review. Depending on the version of the bill that is passed, this could extend CFIUS review to joint ventures, minority investments in “critical technology” or infrastructure companies, and real estate transactions near military bases or other sensitive government facilities. The definition of “critical technology” could also be expanded to give CFIUS the authority to review proposed investments that involve emerging technology that is or could be important to U.S. national security.
In addition, FIRRMA would establish a new definition for countries of “special concern.” It remains to be seen how the final version of FIRRMA will define that term, but it is likely that such countries could include those against which the United States imposes economic sanctions, arms embargoes, or other export or trade restrictions.
- National Security Factors: FIRRMA is likely to expand the number of national security factors that CFIUS must assess in its review of investments. Factors are likely to include the investor’s history of compliance with U.S. law, U.S. cyber vulnerabilities, and the potential that the transaction could create risk of exposure of U.S. individuals’ personal data.
Reform May Reinforce Existing CFIUS Practice
Although some believe that FIRRMA will radically alter CFIUS, many of the proposed features of FIRRMA may simply reflect CFIUS’s current practices. As referenced above, CFIUS has already reviewed and refused to approve a transaction involving transfers of personal information (Moneygram). In addition, FIRRMA’s reference to “countries of special concern” may simply codify already heavy scrutiny of investments from China, Russia and the Middle East.
Companies that Handle Personal Information Should Prepare for CFIUS Changes
It remains to be seen what version of FIRRMA will pass. What is clear is that it will almost certainly expand CFIUS’s mandate. While some of the expansion will largely reflect the way CFIUS currently operates, there will undoubtedly be new types of investments, in new industries, that are made subject to CFIUS review. Particularly for businesses that handle personal information – retail, finance and health – CFIUS scrutiny may become a new reality.