Bloomberg Law
Sept. 18, 2019, 8:34 PM

ANALYSIS: Proposed CFIUS Reform Regulations: A First Look

Grace Maral Burnett
Grace Maral Burnett
Legal Analyst

Yesterday’s foreign investment proposals from the committee on Foreign Investment in the U.S. (CFIUS) provide some insight into areas of government concern. They suggest that the U.S. Government has set its sights on reviewing more real estate transactions and taking a more tailored approach to data-centric businesses, while considering country-specific exemptions for the first time. Because of the broad reach of this initial (and as yet incomplete) package of proposals, we may see significant stakeholder comments before these regulations are finalized.

The much-anticipated proposed regulations will implement FIRRMA, the Foreign Investment Risk Review Modernization Act of 2018, last fall’s CFIUS reform legislation. At over 300 pages in length, this initial package of proposed regulations was released on Tuesday, September 17, 2019. Comments are due on October 17, 2019.

The proposed regulations go a long way toward filling in many of the legislative gaps left by FIRRMA. But they also venture into uncharted territories—in some instances, completely changing direction from Treasury’s previous interpretations of FIRRMA, such as the proposal to exempt certain countries altogether for certain types of transactions. They also include several conspicuous “TBDs” and blanks to be filled.

The proposed regulations published yesterday are contained in a 184-page document (proposed rules to be codified at 31 CFR part 800), and they would implement the majority of FIRRMA’s provisions. They do not cover (1) the new extension of CFIUS jurisdiction to certain real estate transactions, which is covered in a separate, 135-page document published yesterday (proposed rules to be codified at 31 CFR part 802); (2) CFIUS’s new authority to charge filing fees; and (3) the authority of CFIUS to mandate that parties file short declarations (no longer than 5 pages) for certain critical technologies transactions.

A New Detailed Definition for “Sensitive Personal Data”

Last year’s FIRRMA legislation expands review to include investments that involve broad categories of personal data. They include “investments by a foreign person in an unaffiliated U.S. business that maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens to harm national security.”

The proposed regulations acknowledge concerns about the sweeping nature of this expansion, stating that the proposed rules are aimed at “minimizing any chilling effect on beneficial foreign investment by focusing on the sensitivity of the data itself, as well as the sensitivity of the population about whom the data is maintained or collected.”

The solution offered is a detailed and narrowed definition of “sensitive personal data” which would include data held by a U.S. business that: (a) “targets or tailors its products or services to sensitive U.S. Government personnel or contractors, (b) “maintains or collects such data on greater than one million individuals” or (c) “has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services.”

Genetic information, “as defined pursuant to the regulations implementing HIPAA”, is also specifically covered by the definition, and data pertaining to a U.S. business’ own employees is carved out from the definition. The proposed rules also elaborate on various categories of data and their inclusion or exclusion from the definition of “sensitive personal data”, including, among others, data collected by: consumer reporting agencies, mobile mapping applications and GPS services, biometric identification services, and the processing of government personnel security clearances.

The more specific and narrowed definition of sensitive personal data provides more specificity to potentially impacted transactions and may narrow the range of U.S. businesses potentially subject to CFIUS review.

Separate Rulemaking for Real Estate

One of the key expansions of CFIUS jurisdiction brought by FIRRMA was to cover certain real estate transactions in which the location of the real estate renders it a national security risk. As a consequence, even purchases of undeveloped land are potentially covered by CFIUS review. The proposed real estate transactions rules, covered in separate and concurrent regulations to be codified at 31 CFR part 802, signal the inception of a brand new, and distinct, area of foreign investment review in the U.S., and this change is described in the proposed rules:

“The Department of Treasury determined that the technical and procedural aspects of CFIUS’s review of transactions involving real estate are sufficiently distinct from those related to control transactions and covered investments to warrant separate rulemaking.” (Proposed rules to be codified at 31 CFR part 800 at p. 9).

Covered real estate transactions would include two main categories: (1) real estate “described by its relation to airports and maritime ports”, and (2) real estate “described by its relation to U.S. military installations and other facilities or properties of the U.S. Government that are sensitive for national security reasons.” Real estate transactions are not subject to the mandatory declaration requirement but the proposed rules would allow the submission of voluntary short-form declarations for real estate transactions.

A New List of Countries: “Excepted Foreign States”

Repeated in several FAQs published by Treasury on its website prior to the issuance of the proposed regulations was some version of the following question: “To whom does the new legislation apply? Is it country-specific?” The answer every time was that there were no country-wide exemptions. Specifically, in Treasury’s FIRRMA FAQ’s published at some time following the enactment of FIRRMA (Treasury’s FAQs are undated documents), the answer was:

“Like prior CFIUS legislation, FIRRMA does not single out any specific country. CFIUS’s authorities may be applied to address the national security risks posed by foreign investment in the United States, regardless of where the investment originates.”

The proposed rules just released indicate that CFIUS is proposing a different direction.

The proposed regulations create new country specifications for covered investments including a new term, “excepted foreign state.”

“Excepted foreign states” are countries “included in a defined group of eligible foreign states, which will be separately published on the Department of Treasury website” and which have been determined by a super-majority of CFIUS member agencies, based on “factors that will be made available on the Department of Treasury website,” to have established “a robust process to assess foreign investments for national security risks and to facilitate coordination with the United States on matters relating to investment security.” (Proposed rules to be codified at 31 CFR part 800 at p.25).

The proposed regulation also contains a definition of “excepted investor” that ties the exemption to ultimate beneficial ownership, looking at such factors as place of incorporation and corporate nationality, and requires substantial connections to the exempt location.

In other words, the proposed rules provide for carving out investments from certain, yet-to-be-determined, countries from the definition of covered investments. This incomplete proposal, which lacks the countries to be exempted and the criteria for including them, raises the question of whether stakeholders can make meaningful comments on this issue.

Critical Technologies Pilot Program Declarations are TBD

Nearly a year after the passage of the FIRRMA legislation, Treasury is still in the process of considering comments on the interim rules governing the Critical Technologies Pilot Program, which were enacted on October 11, 2018. The new mandatory filing requirements were expected to be fully laid out in the proposed regulations. Yesterday, Treasury reported in the background section of the proposed regulations that it is still considering “the scope of mandatory declarations for covered transactions involving critical technologies” and “welcomes comments on the retention of the mandatory declaration aspect of the Pilot Program.”

The implementation of the pilot program over the past ten months has most likely provided new insight into and raised new questions as to how the regulations on mandatory filings should be formulated. Nonetheless, this lack of clarity and certainty will continue to impact cross-border acquisitions and investment.

According to the proposed rules, Treasury plans to address the issue of whether mandatory filings will be required for critical technologies investments in the final rules, which are due in February of 2020.

New Terminology: Covered Investments, TID Businesses, Covered Control Transactions

A theme in the new proposed regulations is the creation of new terms to refer to key concepts contained in FIRRMA—an effort that would make it much easier to understand and apply the rules. The proposal would use the term “covered investments” instead of “other investments” when referring to CFIUS’s new jurisdiction under FIRRMA to review certain non-controlling investments in U.S. critical infrastructure, critical technology, or personal data.

Similarly, a new dichotomy of transaction types would juxtapose “covered investments” with “covered control transactions,” which are the “classic” CFIUS transactions involving a foreign person or entity taking control of a U.S. target business.

For the purposes of discussing covered investments, the proposed rules also significantly lift a semantic burden by creating the term “TID U.S. Business” to refer to investment in a target businesses that may render a transaction a covered investment. TID stands for “Technology, Infrastructure, and Data,” and refers to the three types of target industries and assets that are part of the definition of a covered investment.

Critical Infrastructure & Critical Technologies Defined

The proposed regulations include an appendix, at page 177 of part 800, entitled “Covered investment critical infrastructure and functions related to covered investment critical infrastructure” containing 28 enumerated categories of “covered investment critical infrastructure.” The supplementary information in the proposed rules state that “the subset of critical infrastructure identified in appendix A is not intended to alter the definition of “critical infrastructure” as used in any other regulatory regime or context.”

“Critical technologies” under the proposed rules, would be defined as capturing “emerging and foundational technologies” controlled pursuant to section 1758 of the Export Control Reform Act of 2018 (“ECRA”) and any changes to ECRA would be automatically incorporated into the definition of “critical technologies” for the purposes of CFIUS covered investments.

New Review Periods

For non-real estate transactions covered by 31 CFR part 800, CFIUS is proposing a 45-day review of filed notices (longer than the previous period allowed) and may in “extraordinary circumstances” grant one 15-day extension to that period. For the short form declaration filings, CFIUS has 30 days to perform its review.

The review periods for real estate transactions covered by 31 CFR part 802 are significantly longer for notices filed: 45 days plus an additional 45 days in the event of a “follow-on investigation,” plus a one-time 15 day extension in “extraordinary circumstances;” this means that a potentially covered real estate transaction may take up to 105 days for CFIUS to review. For real estate transaction short-form declarations, CFIUS is allowed 30 days to perform its review.

Filing Fees TBD

As for filing fees, CFIUS is still “still considering how to implement this authority” and “will publish a separate proposed rule regarding fees at a later date.” (Proposed rules to be codified at 31 CFR part 800 at p. 10)

30-Day Comment Period

As of this writing, the proposed regulations had not yet been published in the Federal Register. The stated comment period for the proposed regulations ends on October 17, 2019. The proposed regulations state that all comments submitted electronically via the website will be made public and that the Treasury is considering holding a public teleconference regarding the proposed rules. Final rules are due to be made effective no later than February 13, 2020.