The U.S. Treasury Department has recently issued new regulations for review concerning the Committee on Foreign Investment in the United States (CFIUS). CFIUS reviews transactions implicating national security concerns. The Fact Sheet concerning the new proposed regulations from the U.S. Treasury Department states:
FIRRMA Provisions on Non-Controlling Investments
FIRRMA expands CFIUS’s jurisdiction beyond transactions that could result in foreign control of a U.S. business to also include a non-controlling investment, direct or indirect, by a foreign person that affords the foreign person:
access to any material nonpublic technical information in the possession of the U.S. business; membership or observer rights on the board of directors or equivalent governing body of the U.S. business or the right to nominate an individual to a position on the board of directors or equivalent governing body; or any involvement, other than through voting of shares, in substantive decisionmaking of the U.S. business regarding— the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens maintained or collected by the U.S. business; the use, development, acquisition, or release of critical technologies; or the management, operation, manufacture, or supply of critical infrastructure.
This new authority only applies to a non-controlling investment in a U.S. business that: produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies; owns, operates, manufactures, supplies, or services critical infrastructure; or maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security.
FIRRMA also requires that CFIUS prescribe regulations that further define the term “foreign person” in the context of non-controlling investments by specifying criteria to limit its applicability over certain categories of foreign persons.
Key Aspects of the Proposed Regulations Regarding “Covered Investments”
Types of investments covered: Non-controlling investments that afford a foreign person certain access, rights, or involvement in certain U.S. businesses (referred to as “covered investments”).
Largely a voluntary process: Process remains largely voluntary, where parties may file a notice or submit a short-form declaration notifying CFIUS of a covered investment in order to receive a potential “safe harbor” letter (after which CFIUS does not initiate a review of a transaction except in certain limited circumstances). In some circumstances, filing a declaration for a transaction is mandatory. In particular, FIRRMA creates a mandatory declaration requirement for specified covered transactions where a foreign government has a “substantial interest”. Additionally, FIRRMA authorizes CFIUS to mandate declarations for covered transactions involving certain U.S. businesses that produce, design, test, manufacture, fabricate, or develop one or more critical technologies.
U.S. businesses covered: The new provisions on covered investments only apply to investments in U.S. businesses involved in specified ways with critical technologies, critical infrastructure, or sensitive personal data—referred to as “TID U.S. businesses” for technology, infrastructure, and data.
Critical technologies: CFIUS may review transactions related to U.S. businesses that design, test, manufacture, fabricate, or develop one or more critical technologies. “Critical technologies” is defined to include certain items subject to export controls and other existing regulatory schemes, as well as emerging and foundational technologies controlled pursuant to the Export Control Reform Act of 2018.
Critical infrastructure: CFIUS may review transactions related to U.S. businesses that perform specified functions—owning, operating, manufacturing, supplying, or servicing—with respect to critical infrastructure across subsectors such as telecommunications, utilities, energy, and transportation, each as identified in an appendix to the proposed regulations.
Sensitive personal data: CFIUS may review transactions related to U.S. businesses that maintain or collect sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. “Sensitive personal data” is defined to include ten categories of data maintained or collected by U.S. businesses that (i) target or tailor products or services to sensitive populations, including U.S. military members and employees of federal agencies involved in national security, (ii) collect or maintain such data on at least one million individuals, or (iii) have a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. The categories of data include types of financial, geolocation, and health data, among others. Genetic information is also included in the definition regardless of whether it meets (i), (ii), or (iii).
Foreign person and excepted investor: The regulations create an exception from “covered investments” for certain foreign persons defined as “excepted investors” based on their ties to certain countries identified as “excepted foreign states,” and their compliance with certain laws, orders, and regulations. The regulations do not except these persons from control transactions previously subject to CFIUS jurisdiction; investments from all foreign persons remain subject to CFIUS’s jurisdiction over transactions that could result in foreign control of a U.S. business.
FIRRMA Provisions on Real Estate Transactions
In FIRRMA, Congress authorized CFIUS to review “the purchase or lease by, or a concession to, a foreign person of private or public real estate that”
“is, is located within, or will function as part of, an air or maritime port…”
“is in close proximity to a United States military installation or another facility or property of the United States Government that is sensitive for reasons relating to national security;”
“could reasonably provide the foreign person the ability to collect intelligence on activities being conducted at such an installation, facility, or property; or”
“could otherwise expose national security activities at such an installation, facility, or property to the risk of foreign surveillance.”
Pursuant to FIRRMA, this authority does not extend to “a single ‘housing unit.’” This authority also does not apply to “real estate in ‘urbanized areas’ . . . except as otherwise prescribed by [CFIUS] in regulations in consultation with the Secretary of Defense.” (emphasis added)
FIRRMA directs CFIUS to “prescribe regulations to ensure that the term “close proximity” refers only to a distance or distances within which the purchase, lease, or concession of real estate could pose a national security risk.”
FIRRMA also requires that CFIUS prescribe regulations that further define the term “foreign person” for real estate transactions by specifying criteria to limit its applicability over certain categories of foreign persons.
The full text of the regulations is available, here.