Proposed CFIUS Law Will Impose New Export Controls on US Businesses
The Foreign Investment Risk Review Modernization Act of 2017 (S. 2098/H.R. 4311, FIRRMA for short) was introduced in Congress to reform the national security review of foreign acquisitions of US businesses by the Committee on Foreign Investment in the United States (CFIUS or the Committee). However, FIRRMA extends well beyond this purpose of reviewing acquisitions by giving CFIUS authority over technology transfer transactions – both export and domestic.
The proposed legislation will give CFIUS authority over a US business’ technology transfers both to an organization outside the US and to a US organization that is “controlled” by a non-US person. As a result, every company that produces military or controlled dual-use items will need to consider CFIUS review for foreign anddomestic technology transfer transactions. This aspect of the proposed legislation is troubling because it establishes a duplicate government approval process, requires review of technology transfer that the existing export control agencies have determined not to require a license, and imposes a new level of “know your customer” due diligence to understand the ownership of a US recipient.
Further, organizations that develop innovative and emerging technologies also must consider CFIUS review, even though their technology is not controlled for export purposes. Over the last 20 years, the most innovative technologies (e.g., various artificial intelligence [AI] applications, information security and encryption technology, nanotechnology, etc.) have been developed, not by the US government or government-sponsored research, but by purely commercial companies – and, in particular, small venture-backed commercial start-ups in Silicon Valley and other technology hubs around the country. However, while many of these emerging technologies may not be listed with an Export Control Classification Number (ECCN) on the Commerce Control List (CCL), they may require CFIUS review under the proposed legislation. As to these decontrolled technologies, including EAR99 technologies, not only does this proposed increase in CFIUS authority add another export control authority in addition to current controls, but it would also create oversight over their transfer. Such a proposal stands to negatively impact US innovation and, indirectly, its technology advantage.
Current Scope of CFIUS and Export Control Agencies
Under the current CFIUS implementing statute, Section 721 of the Defense Production Act of 1950, CFIUS has authority over “covered transactions,” which are defined as the acquisition of “control” by a “foreign person” over a “US business.” CFIUS authority is thus limited to only certain foreign investments in the US that meet this definition. Currently, Section 721 does not give CFIUS authority over technology transfers between US and foreign persons (i.e., exports) or domestic technology transfers. Review of exports are left to other executive agencies that have the expertise to evaluate the transfer and to determine the impact on national security, foreign policy and other policy and releasability considerations.
The transfer of technology by a US business is subject to US export controls: the Export Administration Regulations (EAR), administered by the US Department of Commerce, Bureau of Industry and Security (BIS), and the International Traffic in Arms Regulations (ITAR), administered by the US Department of State, Directorate of Defense Trade Controls (DDTC). Under the EAR and the ITAR, a license, approved agreement, exception or exemption is required to export controlled technology to a foreign person, whether within or outside the US. The requests for approval submitted to these agencies are reviewed by government personnel who understand the technology, policy considerations and releasability guidelines, typically involving review by the Department of Defense, Defense Technology Security Administration and, in appropriate cases, stakeholders in the Armed Services, Department of State, the Intelligence Community and others.
Expansion of CFIUS Authority Over Already Regulated Export Activities
FIRRMA would expand the definition of a covered transaction, and thus CFIUS’s authority, to include the following: any contribution “of both intellectual property and associated support” to a foreign person as part of “any type of arrangement” if the US business “produces, trades in, designs, tests, manufactures, services, or develops one or more critical technologies, or a subset of such technologies” (i.e., a “Critical Technology Company”).
Essentially, FIRRMA empowers CFIUS – as a new export licensing agency – to conduct an interagency review of all covered technology transfers. In addition, FIRRMA would give CFIUS authority to exempt “identified countries,” under its discretion, from this new authority. Accordingly, CFIUS will create the equivalent of a license exception for certain countries, possibly similar to an EAR license exception (e.g., license exceptions for Country Group B Shipments [GBS] or Strategic Trade Authorization [STA]).
The proposed legislation also leaves much open to CFIUS interpretation. What exactly qualifies as an “arrangement” or “contribution” is not clear, but FIRRMA’s description of these concepts seems extremely broad. For example, the legislation states that arrangements include any contribution “other than through ordinary customer relationship … such as a joint venture.” However, this language would likely include joint development agreements, technology licenses and other joint collaborations and initiatives. FIRRMA would thus give CFIUS authority over almost any technology transfer involving foreign persons that fall outside of ordinary course buy/sell transactions by a US company that falls within the broad definition of a Critical Technology Company.
Because CFIUS is an interagency body, technical reviews are often carried out by its member agencies – such as the Department of Commerce (through BIS). As a result, a CFIUS review of a transfer of controlled technology under FIRRMA would likely be handled by the same export control agency that would handle it outside of the CFIUS process, duplicating the regulatory review of such transfers. Alternatively, CFIUS could have other agency members handle the review of a technology transfer, but such a scenario would likely result in inefficiencies and inconsistent results, as the institutional expertise on technology transfers resides with the export control agencies. So, under either scenario involving a CFIUS review of already controlled technologies, the result is either duplicative or inefficient and inconsistent.
Deals by Every US Company Operating in Controlled Technologies Will Be Subject to CFIUS Review
The definition of a Critical Technology Company includes any company dealing in already controlled technologies. This includes any company dealing in Defense Articles or Defense Services under the ITAR or dealing in certain technologies on the CCL under the EAR. The EAR covered technologies include ECCNs on the CCL that are controlled for any of the following reasons: national security, chemical and biological weapons proliferation, nuclear nonproliferation, missile technology, regional stability, surreptitious listening, as well as certain agents and toxins and if controlled pursuant to multilateral regimes. Also included are nuclear-related products regulated by the Nuclear Regulatory Commission Controls.
However, unlike the existing export controls regime, which triggers a licensing requirement based on the technology to be exported, the CFIUS review proposed by FIRRMA would be triggered by the type of company engaged in the technology transfer. That is, every technology transfer by a Critical Technology Company is potentially subject to CFIUS review, even if the technology being transferred is not a critical technology. Accordingly, a decontrolled technology transfer (e.g., EAR99 technology) by a Critical Technology Company could be subject to CFIUS review under the proposed legislation.
Deals by US Companies In Emerging Technologies Will Be Subject to CFIUS Review
FIRRMA adds to the current definition of critical technology by including the concept of “emerging technologies,” defined under FIRRMA as any technology that CFIUS deems “essential for maintaining or increasing the technological advantage of the US over countries of special concern with respect to national defense, intelligence, or other areas of national security, or gaining such an advantage over such countries in areas where such an advantage may not currently exist.” (Emphasis added.)
This definition under FIRRMA would give CFIUS discretionary authority to deem certain technologies that are not listed on the US Munitions List, CCL or any other list, as emerging technologies. Indeed, under FIRRMA, CFIUS is the arbiter as to which technologies are “emerging technologies.” As a result, any US organization with new or innovative technology will need to consider seeking CFIUS clearance for its transfer of technology if the technology has a potential military or intelligence application, or simply provides and advantage over some country of “special concern” (to be defined in CFIUS’s discretion).
Domestic Technology Transfers Will Be Subject to CFIUS Review
FIRRMA would establish a new form of government approval for domestic technology transfers. Currently, under the ITAR and EAR a business organized to do business in the US is a US person. This is true even if the company is partly or wholly owned by a non-US person. There are numerous examples of US companies that are vital to our defense industrial base and critical infrastructure of the US but are foreign owned in whole or in part. Under FIRRMA, these US companies would be treated as foreign persons, and transfers of technology of the type described above would be subject to CFIUS clearance. That is because for CFIUS purposes a “foreign person” includes any entity that is directly or indirectly “controlled” (a concept broadly interpreted beyond majority holdings to include minority holdings or special voting rights) by a foreign person.
FIRRMA Adds an Additional Layer to “Know Your Customer” Due Diligence
The treatment of a US company as a foreign person for the purpose of transferring technology adds an entirely new compliance burden on US companies. Now, prior to making even a domestic technology transfer, a US company must undertake diligence to know if there is, or could be, foreign control of the recipient. Because of the broad concept of “control” for CFIUS purposes, companies would need to determine whether the recipient organization has even small foreign ownership interests. Over 10% voting interest is often considered controlling by CFIUS standards, and CFIUS will even find control when there is less than 10% foreign voting interest coupled with other indicia of control.
Current export compliance knows your customer measures are not structured to identify triggering foreign interests in a CFIUS context. Not only will many companies need to revamp their internal controls, but additional compliance resources will also certainly be required to address the proposed changes.
FIRRMA Will Chill Cross-border Cooperation and Innovation and Will Deprive Our Military of the Best Technologies and Solutions
The FIRRMA changes discussed herein appear to be based on outdated concepts of US technological dominance. FIRRMA will likely be a tremendous setback in the efforts made through export control reform to improve US competitiveness and innovation and US military access to the best technologies and capabilities. The historical narrative of US export control reform was strengthening controls around a smaller set of items. However, the driving force was to avoid the trend of non-US industry becoming “ITAR free” because of the extraterritorial impact of the ITAR on non-US business. This is a reality that was learned all too well in the space industry after commercial communications satellites were moved to ITAR, resulting in the assisted development of a European satellite industry.
While the proposed legislation is certainly well intended, we expect that the changes will have a chilling effect on future technology transfer and cooperative arrangements to develop and extend critical existing technologies, and perhaps, more importantly, to advance and fund new emerging technologies.
The proposed CFIUS authority over any arrangement, collaboration or venture involving technology transfers presents a realistic chill to US innovation. This expansive oversight creates an obstacle to US businesses that can wall off the US technology sector from the benefits of global competition and collaboration. These expansions have already raised concerns among US technology companies that operate globally, with one leading technology company stating that FIRRMA would turn CFIUS into a “super export control agency.” Our concern is that FIRRMA in its proposed structure will do more to harm US national security interests in the long run than it will to protect them.
 Statements by Christopher Padilla, Vice President for Government and Regulatory Affairs, IBM Corporation, testifying before the Senate Banking, Housing, and Urban Affairs Committee, January 18, 2018.