Treasury Finalizes Significant Expansion of Foreign Investment Rules

January 17, 2020

On Monday, January 13, 2020, the U.S. Department of the Treasury (Treasury) issued final regulations to implement the Foreign Investment Risk Review Modernization Act (FIRRMA), a law that significantly expands the jurisdiction and operational mandate of the Committee on Foreign Investment in the United States (CFIUS). Effective February 13, 2020, the final regulations include important changes to the proposed rules regarding the expansion of CFIUS’s jurisdiction to include certain real estate transactions and certain non-controlling, non-passive investments in Critical Technology, Critical Infrastructure, and Sensitive Personal Data (TID) U.S. businesses. 

Treasury published the new regulations in two parts:

• Provisions pertaining to certain investments in the United States by Foreign Persons:These regulations replace the current CFIUS regulations at part 800 of title 31 of the Code of Federal Regulations.
• Provisions pertaining to certain transactions by Foreign Persons involving real estate in the United States:These regulations establish a new part 802 of title 31 of the Code of Federal Regulations.

Broadly, the final regulations implement CFIUS’s new authority under FIRRMA to: (1) review certain non-controlling, non-passive investments in “TID U.S. businesses”; (2) require mandatory filings for “substantial” investments in TID U.S. businesses by a foreign person in which a foreign government has a “substantial” interest; and (3) review a broad swath of real estate transactions. The following provides an overview of the new regulations.

Expansion of Transactions Subject to CFIUS Jurisdiction

Consistent with the proposed rule, the final regulations implement CFIUS’s authority under FIRRMA to review certain non-controlling, non-passive investments, direct or indirect, by a foreign person in an unaffiliated TID U.S. business that afford the foreign person one or more of the following:

• access to any material nonpublic technical information in the possession of the TID U.S. business;
• membership or observer rights on the board of directors or equivalent governing body of the TID U.S. business, or the right to nominate an individual to a position on the board of directors or equivalent governing body; or
• any involvement, other than through voting of shares, in substantive decision-making of the TID U.S. business regarding —
  • the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens maintained or collected by the TID U.S. business;
  • the use, development, acquisition, or release of critical technologies; or
  • the management, operation, manufacture, or supply of critical infrastructure.

It is important to note that even if the foreign person gains the aforementioned rights or access as a result of the investment, only transactions involving TID U.S. businesses are subject to these new provisions. Such businesses include the following:

• A U.S. business that produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies;
• A U.S. business that owns, operates, manufactures, supplies, or services critical infrastructure; or
• A U.S. business that maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security.

Critical Technologies

Consistent with the proposed rule, the final rule defines “critical technologies” subject to CFIUS’s expanded authority to review non-controlling, non-passive investments by a foreign person to include the following:

• Defense articles or services set forth in the International Traffic in Arms Regulations (ITAR);
• Certain items included on the Commerce Control List (CCL) set forth in the Export Administration Regulations (EAR);
• Nuclear equipment, parts and components, materials, software, and technology covered by 10 CFR part 810 (relating to assistance to foreign atomic energy activities);
• Nuclear facilities, equipment, and material covered by 10 CFR part 110 (relating to export and import of nuclear equipment and material);
• Select agents and toxins covered by 7 CFR part 331, 9 CFR part 121, or 42 CFR part 73; and
• Emerging and foundational technologies to be controlled pursuant to section 1758 of the Export Control Reform Act of 2018 (ECRA).^[1]

Critical Infrastructure

With respect to CFIUS’s authority to review non-controlling, non-passive investments by a foreign person in U.S. critical infrastructure, the final rule defines “covered investment critical infrastructure” as the “systems and assets, whether physical or virtual,” that are specifically identified in an appendix to the final rule. Such “covered investment critical infrastructure” includes certain IP networks; telecommunications and information services; submarine cable systems and facilities; data centers; satellite systems; facilities that manufacture certain specialty metals, carbon, alloy, or armor steel plate; electricity, oil, and gas facilities; securities exchanges; facilities that serve military installations; technology service providers; airports; maritime ports; and public water systems. Because a U.S. business must “own, operate, manufacture, supply, or service” critical infrastructure in order for an investment in such a business to be treated as a “covered investment,” the appendix also identifies the specific functions that the U.S. business must perform in order to qualify as a “TID U.S. business” with respect to the particular covered investment critical infrastructure at issue.

Sensitive Personal Data

The final regulations define “sensitive personal data” subject to CFIUS’s authority to review non-controlling, non-passive investments by a foreign person to include certain “identifiable data” (described below) and certain genetic information. In a major revision to the proposed rule, however, only “the results of an individual’s genetic tests, including any related genetic sequencing data, whenever such results constitute identifiable data” will be considered “sensitive personal data.” In response to comments from industry, the final rule “recalibrates this provision…in two ways: first, by focusing the definition on ‘genetic tests’ as that term is defined in the Genetic Information Non-Discrimination Act of 2008 (GINA); and second, by limiting the coverage of the rule to identifiable data.”

“Identifiable data” refers to data that can be used to distinguish or trace an individual’s identity, including through the use of a “personal identifier,” such as a name, physical address, email address, social security number, phone number, or “other information that identifies a specific individual.” The final rule clarifies that aggregated data or anonymized data will be treated as identifiable data “if any party to the transaction has, or as a result of the transaction will have, the ability to disaggregate or deanonymize the data, or if the data is otherwise capable of being used to distinguish or trace an individual’s identity.” Identifiable data does not include encrypted data “unless the U.S. business that maintains or collects the encrypted data has the means to de-encrypt the data so as to distinguish or trace an individual’s identity.”

Identifiable data will be treated as “sensitive personal data” if:

(1) it is maintained or collected by a U.S. business that (a) targets or tailors products or services to any U.S. executive branch agency or military department with intelligence, national security, or homeland security responsibilities, or to personnel and contractors thereof; (b) has maintained or collected such data on more than one million individuals at any point over the preceding 12 months; or (c) has a demonstrated business objective to maintain or collect such data on more than one million individuals and such data is an integrated part of the U.S. business’s primary products or services; and

(2) it falls within any of the following categories:

• Data that could be used to analyze or determine an individual’s financial distress or hardship;
• The set of data in a consumer report, unless such data is obtained from a consumer reporting agency for certain identified purposes and such data is not substantially similar to the full contents of a consumer file;
• The set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance;
• Data relating to the physical, mental, or psychological health condition of an individual;
• Non-public electronic communications, including email, messaging, or chat communications, between or among users of a U.S. business’s products or services if a primary purpose of such product or service is to facilitate third-party user communications;
• Geolocation data collected using positioning systems, cell phone towers, or WiFi access points such as via a mobile application, vehicle GPS, other onboard mapping tool, or wearable electronic device;
• Biometric enrollment data, including facial, voice, retina/iris, and palm/fingerprint templates;
• Data stored and processed for generating a state or federal government identification card;
• Data concerning U.S. government personnel security clearance status; or
• The set of data in an application for a U.S. government personnel security clearance or an application for employment in a position of public trust.

Excepted Investors and Countries

The final rule limits the application of CFIUS’s jurisdiction over non-controlling “covered investments” and certain real estate transactions by certain foreign persons, defined as “excepted investors” with close ties to certain “excepted foreign states.” The Committee has initially identified the United Kingdom, Australia, and Canada as excepted foreign states “due to aspects of their robust intelligence-sharing and defense industrial base integration mechanisms with the United States.”

Mandatory Declarations

The final rule retains the mandatory filing requirements for covered transactions involving critical technologies. CFIUS, however, intends to issue a notice of proposed rulemaking that would revise the mandatory declaration requirement regarding critical technology to eliminate reliance upon North American Industry Classification System (NAICS) codes and, instead, base this mandatory filing regime upon export control licensing requirements. The final rule also exempts certain transactions from the critical technology mandatory declaration requirement, including certain transactions:

• Made by an “excepted investor” (as described above);
• Made by an entity subject to a Foreign Ownership Control or Influence (FOCI) mitigation agreement;
• Involving the acquisition of certain encryption technology; or
• Made by an investment fund managed exclusively by, and ultimately controlled by, U.S. nationals.

Also consistent with the proposed rule, the final regulations establish a second mandatory filing requirement for certain investments involving the acquisition of a “substantial interest” in a TID U.S. business (which the regulations define as a direct or indirect voting interest of at least 25%) by a foreign person in which a foreign government (including a provincial government) holds a “substantial interest” (defined as a direct or indirect voting interest of at least 49%). Importantly, the final rule clarifies that in determining whether a foreign government holds a “substantial interest” in an investment fund context, the committee will look only at a foreign government’s interests in the general partner (or equivalent) because that is the entity typically responsible for the day-to-day decisionmaking of the investment fund.

Investment Fund Acquisitions

The final rule clarifies that an indirect investment by a foreign person in a TID U.S. business through an investment fund that affords the foreign person (or a designee of the foreign person) membership as a limited partner or equivalent on an advisory board or a committee of the fund will not be considered a covered investment with respect to the foreign person if the following criteria are met:

(1) The fund is managed exclusively by a general partner, a managing member, or an equivalent;

(2) The foreign person is not the general partner, managing member, or equivalent;

(3) The advisory board or committee does not have the ability to approve, disapprove, or otherwise control (i) investment decisions of the investment fund; or (ii) decisions made by the general partner, managing member, or equivalent related to entities in which the investment fund is invested;

(4) The foreign person does not otherwise have the ability to control the investment fund, including, without limitation, the authority

(i) to approve, disapprove, or otherwise control investment decisions of the investment fund;

(ii) to approve, disapprove, or otherwise control decisions made by the general partner, managing member, or equivalent related to entities in which the investment fund is invested; or

(iii) to unilaterally dismiss, prevent the dismissal of, select, or determine the compensation of the general partner, managing member, or equivalent;

(5) The foreign person does not have access to material nonpublic technical information as a result of its participation on the advisory board or committee; and

(6) The investment does not afford the foreign person any of the access, rights, or involvement specified in the definition of “covered investment.”

Real Estate Transactions

The final rule significantly expands CFIUS’s jurisdiction to include certain real estate transactions involving foreign persons when the U.S. real estate is either (1) located within, or will function as part of, an airport or maritime port, or (2) in close proximity to a U.S. military installation or another U.S. government facility or property that is sensitive for reasons relating to national security. Although CFIUS has reviewed and even opposed a number of transactions involving real estate prior to the final rule, the expansion of CFIUS’s jurisdiction is significant because it allows CFIUS to review real estate transactions even where the transaction does not involve a foreign investment in a U.S. business.

The final rule defines “covered real estate transactions” to include any purchase or lease by, or concession to, a foreign person of any “covered real estate” (discussed in greater detail below) that affords the foreign person at least three of the following four property rights:

• The right to physically access the real estate;
• The right to exclude others from physical access to the real estate;
• The right to improve or develop the real estate; or
• The right to attach fixed or immovable structures or objects to the real estate.

Covered real estate transactions also include any “change in the rights that a foreign person has with respect to covered real estate in which the foreign person has an ownership or leasehold interest or concession arrangement” if that change could result in the foreign person having at least three of these property rights. A “concession” refers to “an arrangement, other than a purchase or lease, whereby a U.S. public entity grants a right to use real estate for the purpose of developing or operating infrastructure for a covered port.”

The rule defines “covered real estate” to include real estate that is either (1) located within, or will function as part of, a “covered port” as identified by the Department of Transportation or (2) located within a specified geographic range of certain military installations and other U.S. government facilities or properties that are sensitive for national security reasons. To assist parties in determining whether real estate falls within the latter category, the names and locations of the relevant military installations are listed in an appendix to the rule.

The applicable geographic ranges are as follows:

• Within one mile of any military installation or another facility or property of the U.S. government identified in part 1 or part 2 of the appendix;

• Within 100 miles of the Army combat training centers; major range and test facility base activities; and military ranges owned by the U.S. Navy or U.S. Air Force, or joint forces training centers located in certain states as identified in part 2 of the appendix;

• Within the same county or other geographic area of the active Air Force ballistic missile fields identified in part 3 of the appendix; and

• Within any part of U.S. Navy offshore range complexes and offshore operating areas identified in part 4 of the appendix within the limits of the “territorial sea” of the United States.

The rule identifies a number of “excepted real estate transactions” that will not be treated as “covered real estate transactions” subject to part 802. In response to comments, the final rule expands upon the list of excepted transactions to include exceptions related to transactions at covered ports for “foreign air carriers” with an appropriate security program accepted by the Department of Homeland Security and retail businesses engaged in the sale of consumer goods or services to the public.

Other Provisions

The regulations for the first time define “principal place of business” by employing the “nerve center” test used by U.S. courts to evaluate federal diversity jurisdiction. An entity's principal place of business is particularly relevant to determining whether an entity may be treated as foreign for CFIUS purposes. Specifically, the rule defines “principal place of business” as “the primary location where an entity’s management directs, controls, or coordinates the entity’s activities, or, in the case of an investment fund, where the fund’s activities and investments are primarily directed, controlled, or coordinated by or on behalf of the general partner, managing member, or equivalent.” Treasury has published this provision as an interim final rule and is seeking written comments on this definition.

The final rule does not implement CFIUS’s new authority to assess and collect filing fees for covered transactions. Rather, Treasury will publish a separate proposed rule implementing this authority. Under FIRRMA, filing fees may not exceed the lesser of $300,000 or 1% of the value of the transaction.

The final rule expands CFIUS’s incremental acquisitions rule to any acquisition of additional interest or change in rights of a foreign person that previously acquired direct control as a result of a covered control transaction for which CFIUS has concluded all action on the basis of a declaration. The rule notes that if a foreign person did not acquire control of the U.S. business in the prior transaction, then a subsequent, incremental acquisition may be a new covered transaction.

Wiley has an unparalleled ability to assist clients on investments that raise national security concerns. Our team has direct experience within government managing the CFIUS process and here at Wiley assisting clients on CFIUS reviews. We have more than two decades of experience handling matters involving national security, including CFIUS, export controls, Team Telecom, and the Defense Counterintelligence and Security Agency (DCSA), and have counseled clients in transactions that involve nearly every industry sector subject to CFIUS review. Please reach out to any of the attorneys listed on this alert should you have any questions about the new regulations implementing FIRRMA.

^{[1] The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) published an Advanced Notice of Proposed Rulemaking last year seeking comment on criteria for identifying “emerging technologies” under ECRA. BIS is expected to issue proposed regulations governing emerging technologies this spring and to initiate a separate rulemaking with respect to foundational technologies later this year. Any technologies that BIS identifies as emerging or foundational technologies will be treated as critical technologies for CFIUS purposes.}