Proposed New Rules Implementing CFIUS Reforms
Committee on Foreign Investment in the United States (CFIUS) inbound investment national security review expanding to certain non-controlling foreign investments in critical technology, critical infrastructure, and sensitive personal data, as well as to certain real estate transactions.
The U.S. Treasury Department published proposed rules in the Federal Register on Sept. 24, 2019, concerning changes to the review process for foreign investment conducted by the Committee on Foreign Investment in the United States (CFIUS). CFIUS is an interagency committee that assists the president in reviewing mergers, acquisitions, and foreign investment by or with foreign persons and deciding whether such foreign investment transactions should be approved, altered, or even blocked due to national security concerns.
The proposed rules are to implement parts of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), enacted in August 2018, to modernize CFIUS – the last reform of CFIUS had been more than a decade ago. Some FIRRMA reforms came into effect immediately upon the act’s enactment and were implemented by the U.S. Treasury’s Interim Rule published in the Federal Register on Oct. 11, 2019. A pilot program was also enacted by Interim Rule published in the Federal Register on the same date and came into effect on Nov. 10, 2019. The pilot program applies to transactions, including certain non-controlling investments, in a limited number of enumerated critical technologies. The pilot program, for the first time in CFIUS’ history, requires a mandatory notice filing to CFIUS.
If adopted, the two proposed rules would implement FIRRMA’s other reforms, expanding CFIUS jurisdiction. One proposed rule implements CFIUS expanded jurisdiction to cover non-controlling investment transactions involving certain critical technologies, critical infrastructure, and sensitive personal data. A second proposed rule implements CFIUS expanded jurisdiction to cover certain real estate transactions. The public comment period ends on Oct. 17, 2019 and pursuant to FIRRMA, final implementing regulations need to be enacted by Feb. 13, 2020. These proposed rules do not modify the pilot program, which remains in place.
Real Estate Transactions
Previously, CFIUS jurisdiction with respect to real estate acquisitions was limited to those transactions that would result in a foreign person having control of a business entity engaged in interstate commerce in the United States. The proposed rule implements FIRRMA’s expansion of CFIUS jurisdiction to include certain real estate transactions involving the purchase or lease by a foreign person of public or private real estate, a substantial set of new regulations to be codified at 31 CFR § 802.
Covered Real Estate Transactions.
The proposed rule introduces the new terms “covered real estate” and “covered real estate transaction.” The definition of covered real estate identifies specific types of real estate that might result in a covered real estate transaction, including airports and maritime ports, real estate associated with military installations or with U.S. government sites sensitive for reasons related to national security and, to varying degrees, the real estate around such ports and government sites. With respect to airports and maritime ports, covered real estate includes all real estate that will function as part of the port. Around military sites and sensitive government sites, covered real estate includes real estate in “close proximity,” or within one mile from the boundary of the facility, as well as real estate within an “extended range” of such site, including those that could reasonably provide a foreign person the ability to collect intelligence or otherwise expose U.S. national security activities. “Extended range” is defined as the area that extends 100 miles from the site. The term “real estate” includes not just land but structures attached to land. A covered real estate transaction requires a purchase or lease by, or a concession to, a foreign person of covered real estate, such that the person has at least three of the four property rights in the real estate: to access, to exclude others, to improve/develop, and to attach fixed structures or objects.
Like the implementing rule for non-real estate transactions, this rule also enumerates certain types of transactions, along with specific examples, that will be exempt from CFIUS oversight. Included on that list is the purchase of a single “housing unit” such as an apartment or home, an exception for certain real estate investments in urbanized areas, and those transactions involving “excepted real estate investors.” This class of excepted investors will be excepted the same way as excepted foreign investors in non-controlling investments discussed below. There are no mandatory filings for real estate transactions. Parties to such a transaction may decide whether to voluntarily file a notice or a shorter declaration. Parties to a real estate transaction are cautioned to consider whether a transaction not classified as a covered real estate transaction might still be subject to CFIUS jurisdiction as a covered investment.
Critical Technologies, Critical Infrastructure, and Sensitive Personal Data
The other proposed rule implementing FIRRMA adds new types of covered transactions that are subject to CFIUS jurisdiction. While previously limited to transactions in which a foreign person could acquire control of a U.S. business, the proposed rule expands the scope of CFIUS jurisdiction by including non-controlling foreign investments in U.S. businesses that involve the following:
Use, development, acquisition, or release of critical technology;
Management, operation, manufacture or supply of critical infrastructure; and
Use, development, acquisition, safekeeping or release of sensitive personal data.
Technology, Infrastructure, Data U.S. Businesses.
The proposed regulations introduce a new term, “TID U.S. businesses,” which is an acronym for Technology, Infrastructure and Data, clarifying the three types of target industries and assets that may constitute a covered investment, i.e., a non-controlling investment subject to CFIUS jurisdiction. The regulations further clarify the type of access or involvement with a non-controlling investment that could give rise to a covered investment including:
Access to material non-public technical information in the possession of the U.S. business;
Membership or observer rights on the board of directors (or equivalent body) of the U.S. business; or
Any involvement other than voting of shares in substantive decision-making regarding certain actions related to the TID U.S. business’ critical technologies, critical infrastructure, or sensitive personal data.
The proposed regulations define critical technologies as including defense articles and services whose export is regulated by the International Traffic in Arms Regulations (ITAR), certain categories of dual-use items whose export is regulated by the Export Administration Regulations (EAR), certain nuclear facilities and equipment, certain select agents and toxins, and certain emerging and foundational technologies controlled pursuant to the Export Control Reform Act of 2018 (ECRA). See our alert here about the interagency process to define emerging technologies.
The proposed regulations define critical infrastructure as involving areas such as telecommunications or information services; utilities such as electric, oil, water and gas; and certain airports and maritime ports. Notably, not every business related to critical infrastructure will be considered covered. An appendix enumerates the specific critical infrastructure and the specific functions a business must perform in connection with the critical infrastructure to be considered subject to CFIUS jurisdiction as a critical infrastructure TID U.S. business.
Sensitive Personal Data.
The proposed regulations define personal data broadly to include 10 categories, including financial information, consumer reporting agency data, geolocation data, biometric data and genetic information, as defined by HIPAA. But, in order to minimize the chilling effect on foreign investment because most companies collect some type of personal data, the regulations focus not only on the sensitivity of the data but also on the sensitivity of the population about whom the data is collected. Personal data only falls within the definition of “sensitive personal data” if the U.S. business collecting the data:
Targets U.S. government personnel or contractors with certain sensitive national-security-related responsibilities;
Maintains or collects the data on more than 1 million people over the past 12 months; or
Has a demonstrated business objective to maintain or collect such data on more than 1 million people, and the data is an integrated part of the business’ primary products or services.
In addition, data that a U.S. business collects on its own employees and data that is a matter of public record is carved out from the definition of sensitive personal data.
Clarifications on Investment Funds.
The proposed regulations include specific clarifications for investment fund transactions. If a foreign person has a non-controlling investment in a TID U.S. business as a limited partner where the fund is controlled by a domestic general partner, such investment will not be subject to CFIUS, even if the foreign person is given a role on an advisory committee of the fund, provided that certain criteria are met.
Excepted Foreign Investors in Non-Controlling Investments.
The proposed rule provides that certain foreign investors may receive preferential treatment by being exempt from the expanded jurisdiction of CFIUS over non-controlling investments. An investor may be “excepted” if the investor is the foreign government of an excepted state or if the investor is from, or has substantial connections with, “excepted foreign states.” CFIUS will identify in the future. CFIUS will first publish a short list of eligible states. These states will be eligible to be designated as “excepted states” by CFIUS once they satisfy certain national security criteria CFIUS will also publish in the future. Excepted foreign states will not be approved until two years after the effective date of the final rule.
CFIUS Process Changes.
The proposed rule also includes some process changes. The option to submit a short-form declaration rather than a more extensive notice has been extended to covered transactions. At this time, a short-form declaration is available only for the pilot program. CFIUS will have 30 days to review short-form declarations rather than the 45 days to review a notice. These declarations remain mandatory in the pilot program for certain transactions involving certain U.S. businesses that develop critical technologies. The proposed rule would mandate a filing when a foreign government has a substantial interest in the foreign investor, though such submission is not required with respect to investments by qualified investment funds. In either case, parties of a covered transaction could elect to file a full notice instead. The proposed rule states that a separate rule will address filing fees that FIRRMA authorized CFIUS to assess. FIRRMA authorizes a fee of up to $300,000 or 1 percent of the transaction, whichever amount is less.
While these are proposed rules and subject to modification after the period of public comments, they remain the best available guidance on how CFIUS will consider foreign investment transactions.
 Foreign Investment Risk Review Modernization Act of 2018, Subtitle A of Title XVII of Public Law 115-232, 132 Stat. 2173, amending section 721 of the Defense Production Act of 1950 (DPA).
 Provisions Pertaining to Certain Investments in the United States by Foreign Persons, 84 Fed. Reg. 50,174 (proposed Sept. 24, 2019) (to be codified at 31 CFR Part 800).
 Provisions Pertaining to Certain Transactions by Foreign Persons Involving Real Estate in the United States, 84 Fed. Reg. 50,214 (proposed Sept. 24, 2019) (to be codified at 31 CFR Part 802).