Final CFIUS Regulations Impact Foreign Non-Control Investment Transactions Involving Critical Technologies/Infrastructure or Sensitive Data
In 2018, Congress passed the Foreign Investment Risk Review Modernization Act (FIRRMA) to modernize the Committee on Foreign Investment in the United States (CFIUS). CFIUS is chaired by the Secretary of the Treasury and is empowered to review certain transactions involving foreign investment in the U.S. that may affect national security. On January 23, 2020, the U.S. Department of the Treasury (“Treasury”) released final regulations that implement FIRRMA.
Prior to the enactment of FIRRMA, the authority of CFIUS to conduct national security reviews of foreign investment in the U.S. was generally limited to “control” investments by “foreign persons” in U.S. businesses (with such terms defined under applicable statutes and regulations). Under the regulations implementing FIRRMA, which take effect on February 13, 2020, CFIUS now has within its purview, among other things, non-controlling foreign investments in U.S. businesses that: (a) develop critical technologies, (b) own, operate, manufacture, supply or provide services to critical infrastructure; or (c) maintain or collect “sensitive personal data” of U.S. citizens that may be exploited in a manner that threatens national security.
CFIUS review should be a relevant consideration in shaping foreign investments in U.S. companies. Today, as “every company is a technology company,” it is possible that foreign investments involving technology, communications, media, mobile systems, advertising, e-commerce, social media and other internet-based business or data-intensive industries may fall under CFIUS’s jurisdiction. Indeed, last year, CFIUS’s scrutiny compelled a Chinese company to sell its majority stake in dating app Grindr and agree to avoid sending any sensitive user data to China.
Parties involved in foreign investments in U.S. businesses must be aware of the issue of CFIUS review.