FIRRMA directed the U.S. Department of the Treasury (“Treasury”), as the chair of CFIUS, to issue regulations that, among other things, address national security concerns arising from foreign investment in U.S. businesses with critical technologies, critical infrastructure, and personal data (referred to in the proposed regulations as “TID U.S. businesses”). The proposed CFIUS regulations implement these provisions of FIRRMA by (i) defining what constitutes a TID U.S. business and (ii) expanding CFIUS’s jurisdiction to include not only transactions that result in control of a TID U.S. business, but also “covered investments” that give a foreign person certain rights with respect to a TID U.S. business (together referred to as “covered transactions”). Life Sciences businesses who maintain or collect, directly or indirectly, sensitive personal data of U.S. citizens might fit the definition of a TID U.S. business and will benefit from learning more about these regulations.
The major takeaways from the proposed TID U.S. business regulations are:
- Risk-Based Analysis: Long-time CFIUS practitioners have heard the refrain that CFIUS undertakes a risk-based analysis of transactions presented for review, examining the threat, vulnerabilities, and consequences to U.S. national security of a particular action. The proposed regulations now articulate these specific elements of the analysis that form the basis for CFIUS’s review of a notified transaction.
- CFIUS Filings Mandatory for Some But Not All TID U.S. Business Covered Transactions: The CFIUS pilot program that became effective in November 2018 requires the submission of a declaration (or full CFIUS notice) for covered transactions involving pilot program U.S. businesses, and this program will remain in effect at least until the final FIRRMA-implementing regulations are published. The proposed regulations do not impose a mandatory CFIUS filing for a covered transaction involving a TID U.S. business (outside the current pilot program’s requirements), unless a foreign government has a “substantial interest” in the acquiring party (more to come on this issue in the next alert in our series).
- Critical Technologies Definition Unchanged: The proposed regulations contain the same definition for critical technologies in effect under the current pilot program. A key component of the critical technologies definition will take effect once the U.S. Department of Commerce (“Commerce”) issues regulations defining the scope of “emerging and foundational technologies.” Commerce took the first step in this process in November 2018 by issuing an Advanced Notice of Proposed Rulemaking identifying and requesting comments on the categories of emerging technologies to be covered. Commerce officials’ most recent informal statements indicate that proposed new regulations may be forthcoming before year-end.
- Critical Infrastructure for Covered Investments Defined by Form and Function: Appendix A to the proposed regulations sets forth 28 categories of critical infrastructure (Column 1) and specific functions related to each critical infrastructure category (Column 2). Only a U.S. business that performs one of the specified functions listed in Column 2 of Appendix A with respect to the infrastructure listed in Column 1 is a TID U.S. business for purposes of a critical infrastructure covered investment.
- Expanded (and Evolving) Definition of Sensitive Personal Data: FIRRMA expands CFIUS’s jurisdiction to include covered investments by a foreign person in a U.S. business that maintains or collects sensitive personal data of U.S. citizens that “may be exploited in a manner that threatens to harm national security.” To implement this provision, the proposed rule sets forth a detailed definition of “sensitive personal data” that includes not only traditional personal information (e.g., name, address, telephone number), but also health, financial, behavioral, and genetic information. The proposed regulations note that CFIUS anticipates periodically revising this definition (along with other aspects of the regulations).