CFIUS is the U.S. inter-agency committee responsible for reviewing foreign acquisitions and investments in U.S. businesses (“covered transactions”) for their potential impact on national security. Historically, “covered transactions” have been limited to transactions where a “foreign person” obtains "control" of a "U.S. business."
Effective February 13, 2020, new CFIUS rules entered into effect implemented the Foreign Investment Risk Review Modernization Act (FIRRMA) and expanded CFIUS’ jurisdiction to certain non-controlling investments involving a “TID U.S. Business.” TID U.S. Businesses include those that produce, design, test, manufacture, fabricate, or develop “critical technologies.” These include:
Examples of the industries that may trigger a mandatory filing include Computer Storage Device Manufacturing, Electronic Computer Manufacturing, Semiconductor and Related Device Manufacturing, and Research and Development in Nanotechnology and Biotechnology.
Effective February 13, 2020, new CFIUS rules entered into effect implemented the Foreign Investment Risk Review Modernization Act (FIRRMA) and expanded CFIUS’ jurisdiction to certain non-controlling investments involving a “TID U.S. Business.” TID U.S. Businesses include those that produce, design, test, manufacture, fabricate, or develop “critical technologies.” These include:
- Export controlled items under the U.S. export control laws, such as the International Traffic in Arms Regulations (ITAR) and most controlled items under the Export Administration Regulations (EAR).
- Emerging and foundational technologies, once identified by the Commerce Department, which may include certain types of technologies such as biotechnology, artificial intelligence and machine learning technology, quantum information and sensing technology, 3D printing, and robotics.
- Own, operate, manufacture, supply, or service “critical infrastructure”:
- This includes owners and operators of certain energy facilities, data centers, telecommunications infrastructure, satellite services, and utilities.
- Maintain or collect “sensitive personal data” of U.S. citizens that may be exploited in a manner that threatens national security.
- This includes financial data, consumer reports, insurance information, health information, messaging communications, geolocation data, biometric enrollment data, security clearance data, and genetic information.
- Many industries and companies may collect sensitive personal data falling into one or more of the above categories, including various technology applications, hotel management software, social medial companies, government contractors, etc.
Although CFIUS review is typically a voluntary process, filing with CFIUS can be mandatory for certain investments. Specifically, mandatory filings are required where:
- A foreign person in which a foreign government owns a substantial interest acquires a substantial interest in a TID U.S. Business; or
- The U.S. business produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies utilized in or designed specifically for use in one of several industries identified by its North American Industry Classification System (NAICS) code.
Examples of the industries that may trigger a mandatory filing include Computer Storage Device Manufacturing, Electronic Computer Manufacturing, Semiconductor and Related Device Manufacturing, and Research and Development in Nanotechnology and Biotechnology.
In recent years, CFIUS has exercised its authority more frequently than in the past to block transactions or order divestitures. Affected transactions have included acquisitions by Chinese companies of businesses that maintain or collect sensitive personal data, including hotel management software providers, health technology startups, and online dating platforms. Accordingly, it is advisable that companies accepting investments from foreign persons be familiar with CFIUS’ rules and understand the national security risks of the transaction.