New Articles

7th National Conference on CFIUS

cfius

7th National Conference on CFIUS

The American Conference Institute is pleased to announce the 7th National Conference on CFIUS taking place virtually on April 20-21, 2021! Attend to ensure deal success amidst expanded scrutiny of foreign investments in Technology, Infrastructure, Data and Real Estate. Plus, obtain government insights from the U.S. Department of Justice, U.S. Department of Defense, U.S. Department of Defense Trusted Capital, Delegation of the European Union to the United States, Embassy of Australia to the United States, and the U.K. Department for International Trade (DIT).

2021 CONFERENCE HIGHLIGHTS include:

-A 360 Degree View of Today’s CFIUS Landscape 1 Year Post-FIRRMA Implementation

-Interactive Think-Tank with CFIUS Alumni: Addressing FIRRMA Pressure Points and Challenges

-Examining New Rules on CFIUS Mandatory Filings: Implications for Critical Technology Investments and the Interplay with Recently Issued Export Control Reform

-Updating Your Mitigation Approach to New and Evolving CFIUS Requirements and Trends

-Managing the New Enforcement Regime and the Uptick in Investigations of “Non-Notified” Transactions

-How CFIUS’s Expanded Jurisdiction Over Sensitive Data is Affecting Deal Reviews, Deal Flows and Mitigation Approaches

-And More!

View the Full Agenda and List of Distinguished Speakers and Register Today!

SAVE 10% off registration with Global Trade Magazine Code: D10-858-858GX08.

Online: http://bit.ly/2MfLrL1

Email: customerservice@americanconference.com

Phone: 1-888-224-2480

CFIUS

New CFIUS Regulations Formally Implemented: What Your Business Needs to Know

The Committee on Foreign Investment in the United States (CFIUS or the Committee) is an interagency government committee authorized to review, modify, and block foreign acquisitions of or investments in U.S. businesses that could adversely affect U.S. national security.

In 2020, new regulations went into effect that broadened the scope of foreign investment transactions subject to review by the Committee. Historically, CFIUS national security reviews were limited to transactions that could result in a foreign investor obtaining “control” of a U.S. business. However, the scope of transactions subject to potential CFIUS review has been expanded, and now includes certain non-controlling foreign investments in U.S. businesses involved in critical technologies, critical infrastructure, or sensitive personal data of U.S. citizens. In addition, CFIUS has instituted new mandatory filing requirements for specific types of foreign investment in U.S. critical technology companies.

It is now more important than ever for non-U.S. companies doing business with or investing in the U.S. to understand how their business can be impacted by the revised CFIUS regulations. If a non-U.S. company is considering buying or investing in a U.S. business, conducting an assessment of potential CFIUS risks and obligations must be included in the due diligence process. To assist with this assessment, below is an overview of CFIUS, as well as a breakdown of the key CFIUS regulatory changes implemented in 2020 that stand to impact your business.

Committee on Foreign Investment in the United States (CFIUS)

CFIUS is chaired by the U.S. Department of Treasury and has the authority to review any transaction by or with a foreign person which could result in control (or in certain non-controlling interests) of a U.S. business by a foreign person. This includes proposed or completed mergers, acquisitions, or takeovers by foreign governments, foreign entities, and those controlled by foreign governments and entities. When CFIUS has jurisdiction over a proposed transaction, parties can voluntarily notify the Committee of the transaction and its terms. CFIUS is authorized to commence reviews unilaterally, but it rarely uses this power.

Foreign investors often seek to file for CFIUS approval voluntarily because once a transaction is cleared by the Committee, it qualifies for a “safe harbor” and is generally considered cleared indefinitely, thereby eliminating CFIUS-related risks. On the other hand, if CFIUS does not clear a particular transaction prior to its closing, there is a chance that the Committee will unilaterally initiate an investigation and ultimately require divestiture of the foreign party, potentially even years after the transaction has closed.

If CFIUS determines that a covered transaction presents a national security risk, it has the authority to impose certain mitigating conditions before allowing the deal to proceed, and may also refer the transaction to the President, who has sole authority to block a proposed transaction or unwind a completed transaction. However, U.S. Presidents have rarely used their power to block transactions because CFIUS generally enters into mitigation agreements with the parties to high-risk transactions in order to alleviate any identified national security concerns.

If CFIUS opposes a foreign investment or acquisition, and mitigating measures cannot be implemented by the transacting parties, it is often the case that the foreign investor withdraws the deal prior to CFIUS escalating its recommendation to the President. While to date only five investments have ever been blocked by a President, numerous proposed transactions have been withdrawn by the parties involved to avoid the risk of having the transaction formally blocked.

CFIUS has become much more active in recent years, particularly under the Trump administration, where the Committee reviewed 697 transactions between 2017 and 2019. Recent high-profile examples include the following:

-In 2017, President Trump blocked the acquisition of Lattice Semiconductor Corp. by the Chinese investment firm Canyon Bridge Capital Partners due to national security and intellectual property concerns.

-In 2018, President Trump blocked the acquisition of U.S. telecommunications equipment company Qualcomm by the Singapore microchip maker Broadcom.

-In 2019, CFIUS raised concerns over Beijing Kunlun Company’s investment in Grindr LLC, an online dating site, over concerns of foreign access to personally identifiable information of U.S. citizens. The Chinese firm subsequently divested itself of Grindr.

-In 2020, President Trump announced plans to ban the popular social media platform TikTok based on its ownership by Chinese technology company ByteDance and its potential access to sensitive personal data of U.S. citizens. CFIUS and ByteDance are still in the process of negotiating the terms of prospective mitigating measures that would allow TikTok to continue its U.S. operations.

Changing Landscape: Foreign Investment Risk Review Modernization Act

In recent years, there has been a push for CFIUS reform by government officials who viewed the process as inadequate to face modern geopolitical threats to U.S. businesses and technologies posed by foreign direct investments into U.S. companies – particularly from Chinese foreign investment. This led to the passing of the broad CFIUS reform legislation known as the Foreign Investment Risk Review Modernization Act (FIRRMA) in August 2018.

FIRRMA was designed to expand the scope of foreign investment reviews conducted by the Committee, and overhauled the CFIUS review process to more effectively address modern U.S. national security concerns. The revised CFIUS regulations provided for in FIRRMA formally took effect in February 2020.

Historically, CFIUS reviews have been based on voluntary notice submissions by parties to a covered transaction. Only transactions that involved foreign control and that raised national security concerns would be filed by the transacting parties with the Committee for approval. Under FIRRMA, the Committee now also has the authority to review non-controlling “covered investments” by a foreign person in a U.S. critical technology, critical infrastructure or sensitive personal data company. These “TID Businesses” (i.e., U.S. Technology, Infrastructure and Data companies) include companies that engage in one of the following activities:

-Produces, designs, tests, manufactures, fabricates or develops one or more critical technologies;

-Owns, operates, manufactures, supplies or services critical infrastructure; or

-Maintains or collects sensitive personal data (e.g., health or financial data) of U.S. citizens that may be exploited in a manner that threatens national security.

A “covered investment” includes circumstances where a foreign investor obtains:

-Access to material non-public technical information;

-Membership or observer rights on the board of directors or an equivalent governing body of the business or the right to nominate an individual to a position on that body; or

-Any involvement, other than through voting of shares, in substantive decision making regarding sensitive personal data of U.S. citizens, critical technologies, or critical infrastructure.

CFIUS has also instituted new mandatory filing requirements involving inbound investment in U.S. companies involved with “critical technology.” When FIRRMA was initially implemented, filings became mandatory for certain transactions involving U.S. critical technology businesses that were included among 27 specified industries identified by their North American Industry Classification System (NAICS) codes.

However, beginning in October 2020, CFIUS implemented a new rule tying the “critical technology” definition to U.S. export control regulations. Now, filing a declaration with CFIUS is mandatory for covered transactions involving a U.S. business that “produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies” where a “U.S. regulatory authorization” would be required for the export, re-export, or transfer of such critical technologies to the foreign investor. Accordingly, having a clear understanding of U.S. export control classification regimes and licensing requirements, including those promulgated under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), is now a significant component of any CFIUS analysis.

In addition, FIRRMA added mandatory filings requirements for certain types of foreign government investment. If a foreign government holds a “substantial interest” in a foreign investor that in turn obtains a “substantial interest” in a TID Business, a CFIUS filing is now mandatory. This filing requirement is triggered when a foreign government holds at least a 49% (direct or indirect) interest in the foreign investor, whereas a foreign person will obtain a “substantial interest” in a TID Business if it seeks to obtain at least a 25% (direct or indirect) interest. In such scenarios, the parties must file a mandatory declaration with CFIUS at least 30 days prior to the transaction’s closing.

Global Impact

In terms of global impact, U.S. businesses and foreign investors previously unfamiliar with the CFIUS filing process, or that were previously outside the jurisdiction for a covered transaction, will now have to analyze the potential implications of a mandatory or voluntary CFIUS filing when considering even passive forms of foreign investment. This includes businesses ranging from health care companies, telecommunications companies, technology start-ups, related infrastructure industries, venture capital funds, emerging technology companies and manufacturers, and any company that maintains or can access sensitive U.S. consumer personal or health data.

Robust due diligence on proposed foreign investments will be more important than ever to ensure compliance with any mandatory CFIUS requirements. This will result in cross-border deals becoming much more time-consuming processes that will require significant scrutiny and attention to detail when drafting contractual rights afforded to foreign investors. Importantly, this will also require increased “up-stream” due diligence on any proposed non-U.S. investor’s corporate structure and ultimate ownership.

The business decision that a potential non-U.S. investor will need to make regarding which type of filing (if any) should be made with CFIUS is based on factors such as the complexity of the transaction, the working relationship between the parties, the national security implications and risk-level of the U.S. business, the likelihood of a successful resolution with CFIUS, the economy of legal resources, the evolving definition of what constitutes a “national security concern,” and current CFIUS enforcement priorities.

_______________________________________________________________

Alan Enslen and Julius Bodie are attorneys at law firm Baker Donelson, they can be reached at aenslen@bakerdonelson.com and jbodie@bakerdonelson.com. Jiri Mestecky, Takanori Nakajima and Yunosuke Hirano are are attorneys at Kitahama Partners. They can be reached at JMestecky@kitahama.or.jp, TNakajima@kitahama.or.jp and YHirano@kitahama.or.jp.

foreign global trade logistics

The Proposed Expansion of Mandatory Foreign Investment Filings During the Pandemic

In the midst of the pandemic, the Committee on Foreign Investment in the United States (“CFIUS”) has proposed several revisions to its regulations (“Regulations”) that change when short-form filings (called “declarations”) are required with respect to covered foreign investments of U.S. businesses which work with critical technology [2]. What is most significant for foreign investors is that the proposed rules expand the mandatory declaration and required CFIUS review to include critical technology transactions that range well beyond the 27 industries originally designated by CFIUS – to cover all sectors of the economy [3].

The raison d’etre for this proposed CFIUS rule change is not entirely clear. While the modification largely reads as being technical in nature, CFIUS does, however, observe that other, unspecified “national security considerations” are involved. Thus, a reasonable inference from current circumstances is that CFIUS seeks the ability during the Covid-19 crisis to review acquisitions by China in a broader range of business sectors in order to assess in advance the national security risk, if any, in situations where financially struggling U.S. firms with innovative dual-use technology might be more willing than before to consider such investments as a lifeline.

Interested parties in the business community should note public comments are due by June 22, 2020.

The Proposed Expansion of Mandatory Filings for Critical Technology Transactions

By way of background, under the existing Regulations, a mandatory declaration is required for transactions involving certain U.S. businesses that: 1) produce, design, test, manufacture, fabricate, or develop one or more “critical technologies”; and 2) use the critical technology in specified ways in one or more of 27 specified industries. Significantly, under the revisions, CFIUS eliminated the second prong of the requirement – i.e., the nexus to 27 industries, and refocused the requirement instead on companies that have critical technology that would require certain export licenses or other authorizations to export, re-export, transfer (in-country) or retransfer the critical technology to certain transaction parties and foreign persons in the ownership chain.

CFIUS indicates that the new focus of the mandatory filing requirement on export control requirements for critical technologies “leverages the national security foundations of the established export control regimes, which require licensing or authorization in certain cases based on an analysis of the particular item and end-user, and the particular foreign country for export, re-export transfer (in-country) or retransfer.” 85 Fed. Reg. 30894.

While that is true enough, in fact, the existing standard already is based on the export control standards. The term “critical technology” was and still is, defined as technologies that are subject to export controls (i.e., articles or services on the U.S. Munitions List, items on the Commerce Department’s Control List, and other specialized lists)[4]. Now, in addition to being subject to export controls (e.g., on one of the enumerated lists of controlled items), the technology must specifically be subject to a licensing requirement.

In effect, CFIUS has doubled down on export controls as the criteria for mandatory filing – the item must be on a controlled list and a license must be required for the particular foreign acquirer that is a party to the transaction.

The Significance of the Proposed Change in Mandatory Filing Requirement

Is this licensing requirement a meaningful distinction for foreign investors? While many of the items on these export control lists do require licenses or other authorizations for export, this is not necessarily the case for the export of all items to all countries for all uses. On some lists (e.g., the Munitions Lists), every article and service requires a license for export to all locations. On others (notably the Commerce List, the main list of “dual-use” technologies), items controlled are only licensable for certain countries and certain purposes to certain end-users, as designated on the list.

Overall, however, the universe of items on controlled lists versus those on the lists where licenses are required probably aren’t all that different – i.e., the range of mandatory filings is not very meaningfully limited by this change. Notably, for certain near-peer competitor countries like China and Russia, the distinction is particularly limited. Indeed, for these countries, many items on the Commerce List will require licenses in any event. Moreover, since China is under a U.S. arms embargo in place for many years, any export of an article or service on the Munitions List would certainly require a license (which would not be granted).

In any event, even if the new nexus to export license requirements narrows somewhat the class of critical technology transactions subject to mandatory declarations, this change is undoubtedly more than offset by the elimination of the required nexus to the 27 specified industries. Under the proposal, foreign acquisition of any U.S. business – regardless of what industry it works in – would require a mandatory declaration where the business utilizes critical technology provided that certain export licenses or other authorizations would be required to export such items to the foreign acquiring party.

On balance, this change is significant. It broadens the scope of the mandatory filing requirement to a wide variety of acquisitions involving critical technology applications from medical devices to commercial vehicles to a wide range of high tech sectors. Foreign investors thus would need to be considerably more diligent in considering the CFIUS risk with respect to structuring a broader range of these acquisitions.

Why the Expansion of the Mandatory Filing Requirement?

Why the expansion of mandatory declarations and does it relate to the pandemic?  CFIUS offers only vague explanations – noting its further consideration of public comments made in prior rulemakings, the Committee’s additional experience assessing mandatory declarations, and “other,” unnamed, national security considerations” [5].

One very possible set of such “national security considerations” is to afford CFIUS the ability to investigate a considerably broader range of transactions involving China where any critical technology requiring a license is involved. Since many dual-use items on the Commerce Control List and everything on the Munitions List do require licenses for China, the expansion of jurisdiction would be significant – as it applies without regard to the industry where the critical technology is used.

The logic of this expanded approach would be that, under Chinese laws and policies on civil-military fusion, any Chinese company, regardless of industry, could be required to divert the critical technology it is acquiring to the state sector for military use. Thus, it arguably makes sense for CFIUS to seek to examine these technology deals across the board.

This action also would be consistent with a range of other recent Administration actions during the Covid-19 crisis – from restrictions on participation in the U.S. bulk-power infrastructure to additional export control restrictions on Huawei – all of which appear to be focused on limiting U.S. high tech engagement with China.

Why now? The pandemic has raised the specter of foreign firms from potential adversaries buying sensitive assets at steep discounts. Numerous European governments are very focused on protecting sensitive assets against distress buying.  In this context, recent comments by Ms. Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, suggest concern that during the pandemic smaller U.S. companies that support the aerospace and defense sector could experience “significant financial fragility” and therefore be more vulnerable to acquisition by potential adversaries [6]. She also noted the prospect of “nefarious” acquisitions involving the use of shell companies during the pandemic and indicated a desire for CFIUS to have more authority to address these situations. Thus, it just may be that the proposed revision to the Regulations is an effort to address this felt DoD need.

______________________________________________________________

A partner in Eversheds-Sutherland, a global law firm, Mr. Bialos [1] previously served as Deputy Under Secretary of Defense for Industrial Affairs and co-chairs the firm’s Aerospace and Defense practice.

_______________________________________________________________

References

[1] A partner in Eversheds-Sutherland, a global law firm, Mr. Bialos previously served as Deputy Under Secretary of Defense for Industrial Affairs and co-chairs the firm’s Aerospace and Defense practice.

[2] 85 Fed. Reg. 30893 (setting forth amendments to 31 C.F.R. §800). The mandatory filing requirements were established pursuant to the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”).  The proposed amendments also make clarifying changes with respect to mandatory declarations in transactions involving foreign States. Specifically,  section 800.244 of the Regulations (see 85 Fed. Reg 30898) would, among other things, change the definition of “substantial interest” with respect to transactions where a general partner, managing member or the equivalent is involved, to clarify that the foreign state’s interest is only relevant it applies only where a general partner, managing member, or equivalent “primarily directs, controls or coordinates the activities” of the entity that is the acquiring party.  In effect, this change narrows to a limited extent the range of transactions with foreign government involvement where a mandatory declaration is required.

[3] CFIUS accomplishes this expansion through a series of technical amendments to the Regulations: Section 800.254 (defining U.S. “regulatory authorization” to refer to the types of export licenses that require mandatory declarations); section 800.256 (introducing the concept of “voting interest” to include foreign persons in the ownership chain that would need to be analyzed from an export control standpoint to determine if a license would be required to transfer the technology in question to that party); and 800.401 (which re-scopes the mandatory declaration requirement for critical technology transactions).  See 85 C.F.R. 30895-8.

[4] 31 c.f.r. § 800.215.

[5] 85 Fed. Reg. 3894.

[6] See Transcript, Press Briefing of Ellen Lord, Undersecretary of Defense (A&S) Ellen Lord on COVID-19 Response Efforts (April 30, 2020).   Available at: https://www.defense.gov/Newsroom/Transcripts/Transcript/Article/2172171/undersecretary-of-defense-as-ellen-lord-holds-a-press-briefing-on-covid-19-resp/

CFIUS

Treasury Proposes Filing Fees for CFIUS Voluntary Notices

On Monday, March 9, 2020, the U.S. Department of the Treasury (“Treasury Department”) published a proposed rule in the Federal Register establishing a tiered filing fee system for parties filing voluntary notices with the Committee on Foreign Investment in the United States (“CFIUS”). The proposed rule accompanies other recently implemented regulations issued by the Treasury Department that implement the Foreign Investment Review Modernization Act of 2018 (“FIRRMA”), effective since February 13, 2020.  We have previously summarized the FIRRMA implementing regulations here and here.

FIRRMA expanded the scope of transactions subject to CFIUS review and modernized the review process. FIRRMA also authorized CFIUS to collect filing fees up to the lesser of 1 percent of the value of a transaction or $300,000. The proposed rule establishes a fee structure intended, according to the Treasury Department, to “not discourage filings and…allow parties to continue the practice of determining whether to file a voluntary written notice based on an evaluation of the facts and circumstances of the transaction.” The fees were set to only be a small proportion of the value of any transaction, in order to avoid discouraging voluntary filings. Under the proposed fee structure, the required fees are in proportion to the value of the transaction, as follows:

The same fee structure applies to both foreign investments under Part 800 and real estate transactions under Part 802. Fee requirements are only in place for voluntary CFIUS notices, however, and there are no filing fees for declarations or for unilateral reviews of transactions self-initiated by CFIUS. Accordingly, parties for whom the filing fee would be particularly burdensome, or parties engaged in low-risk transactions, can take advantage of the mandatory or voluntary declarations authorized by CFIUS under Parts 800 and 802.

The proposed rule requires parties to pay the fee at the time a notice is filed, so parties must calculate the total value of a transaction prior to filing. To calculate the value of a transaction, parties should include “the total value of all consideration that has been or will be paid in the context of the transaction by or on behalf of the foreign person who is a party to the transaction, including cash, assets, shares or other ownership interests, debt forgiveness, services, or other in-kind consideration.” Because transactions often include consideration paid in securities or non-cash assets, the rule provides the following guidance:

-Value on national securities exchange: value is calculated based on the closing price on the national securities exchange on which the securities are primarily listed on the trading day immediately prior to the date the parties file a notice with CFIUS. If the security was not traded the day prior to the date of filing, then the last published closing price will apply.

-Non-cash assets, interests, or services or other in-kind consideration:  value is calculated based on the fair market value as of the date the parties file the notice.

-Lending transaction: value is calculated based on the cash value of the loan or other similar financing arrangement.

-Conversion of contingent equity interest previously acquired by a foreign person: value is calculated including the consideration that was paid by or on behalf of the foreign person to initially acquire the contingent equity interest in addition to any other consideration.

-Real estate leases: value is calculated by the sum of fixed payments to be paid by the foreign person over the term of the lease; variable payments that depend on an index or rate over the term of the lease, measured by using the index or rate as of the date of the filing of the notice; and any non-cash or in-kind consideration to be provided by the lessee to the lessor over the term of the lease, as reasonably determined as of the date of the notice.

In light of the calculation requirements, the proposed rule also adjusts the content requirements for joint voluntary notices, requiring parties to provide the value of the transaction and the methodology used to calculate the value, along with the applicable fee.

Because parties are required to pay applicable fees at the time the notice is filed, CFIUS is authorized to delay its review until and unless the fee has been paid. In general, CFIUS will not require parties to submit double payments if it requires parties to withdraw and re-file a notice, absent a material change to the transaction or a material inaccuracy or omission in the initial filing. The proposed rule also allows for fee refunds in certain limited circumstances.

CFIUS will refund the filing fee if it later determines that the notified transaction is not a covered transaction, and it may issue partial refunds if parties can demonstrate that they paid a higher filing fee than required by the tiered fee structure. Notably, CFIUS has not indicated that it will refund the filing fees if a transaction is blocked.  Although CFIUS is also authorized to waive fees, it may only do so under “extraordinary circumstances relating to national security,” and the proposed rule states that it anticipates infrequent partial or total waivers.

The proposed fee schedule has not yet gone into effect, and it will only apply after the Treasury Department publishes its final rule.  Interested parties have until April 8, 2020, to submit comments on the proposed rule. Specifically, the Treasury Department has solicited comments from the public “on the impact of the proposed tiered fixed-fee structure and whether additional tiers or additional features should be considered.”

______________________________________________________________

By Ryan Fayhee, Roy (Ruoweng) Liu, Alan G. Kashdan, Tyler Grove and Sydney Stringer at Hughes Hubbard & Reed LLP

cybersecurity

Winter 2019 U.S.- China Cybersecurity Update

It is difficult to accurately speculate on the progress of U.S.-China trade negotiations, as media reports on the status of key policy proposals seemingly differ each day depending on the transparency and messaging agenda of the sources involved. However, what has been certain during the winter of 2019 is that major updates to U.S. and Chinese cybersecurity regulations are in the process of being implemented, and these developments stand to set key precedents for the intersection of applicable foreign investment and cybersecurity regulations in the U.S. and China.  

Building on our previous two articles regarding U.S. economic espionage concerns and updated U.S. foreign investment restrictions, this article will provide an overview of notable cybersecurity legislative and investigative developments that will likely dictate the near future of critical facets of U.S.-China relations in the 21st century, including (1) the implementation of China’s revised cybersecurity legislation known as the Multi-Level Protection Scheme (“MLPS 2.0”); (2) the Committee on Foreign Investment in the United States (“CFIUS”) reported investigation into the popular social media app TikTok; and (3) the race to implement 5G infrastructure and ongoing speculation regarding Huawei’s licensing status.

1. Implementation of China’s Multi-Level Protection Scheme (MLPS 2.0)

In 2017, China implemented comprehensive cybersecurity legislation commonly referred to as China’s Cybersecurity Law (“CCL”) in efforts to consolidate authority over and standardize regulation of the internet and cyberspace. The CCL includes strict prohibitions on how companies, particularly U.S. and other foreign companies, can store data and interact online.  For example, the CCL requires that network operators in China cooperate with and provide support to government agencies in support of safeguarding national security, and additional provisions have been passed in recent years under the CCL that provide broad authorizations for law enforcement agencies to inspect and monitor internet service providers and computer network data centers. Foreign companies and human rights organizations have criticized the CCL as regressive legislation that fosters state censorship and surveillance and lacks sufficient privacy protections.

Article 21 of the CCL codified China’s requirements for network operators to implement a cybersecurity “multi-level protection system” that includes mandates to implement and adopt certain technical measures and security protocols to monitor and record network activity. Article 37 imposes certain data localization requirements and requires “critical information infrastructure” operators to store personal information and important data gathered or produced within the mainland territory of China.

On December 1, 2019, MLPS 2.0 will take effect, and will impact how U.S. companies and other foreign companies can do business online and store electronic data in China. A draft of the new regulations was first released in June 2018, and the revised MLPS 2.0 incorporates three information security technology standards that in effect will broaden the Chinese government’s authority, particularly that of the Ministry of Public Security, to proactively supervise, manage, and enforce cybersecurity regulations and restrictions on companies operating in China.

The expanded monitoring and enforcement authorities that MLPS 2.0 provides the Chinese government has provoked increasing privacy concerns for foreign firms, particularly those handling sensitive data. The regulations provide stringent mandates on how foreign companies must secure their networks, utilize local sever systems, and cooperate with government authorities. As the new law enters into effect on December 1, 2019, it will be critical for U.S. companies operating in China to understand how the new laws will impact their operations. Companies that store and utilize sensitive personal data, U.S.-regulated technology or technological data, or proprietary intellectual property and trade secrets will have to ensure compliance with both U.S. and Chinese regulations governing privacy, export controls, and cybersecurity regulations. 

2. CFIUS Takes on TikTok

We previously provided an overview of the updated CFIUS regulations concerning foreign investment restrictions scheduled to take effect in the U.S. in February 2020. However, that does not mean that CFIUS, the inter-agency committee tasked with the authority to review, modify and reject certain types of foreign investment that could adversely impact U.S. national security, is dormant in terms of its current investigations. In fact, on November 1, 2019, Reuters reported that CFIUS has launched a national security review of the popular social media and video-streaming app TikTok, related to the acquisition of social media app Musical.ly (since rebranded as “TikTok”) by Beijing ByteDance Technology Co. in 2017 for $1 billion. TikTok earlier this year said that approximately 60% of its 26.5 million monthly active users are located in the United States.

U.S. lawmakers first raised national security concerns related to the TikTok platform, particularly its Chinese parent company’s collection of user data and purported censorship of user content.  For example, Senators Chuck Schumer and Tom Cotton sent a bi-partisan letter to the Acting Director of National Intelligence in October voicing concerns over TikTok’s data collection practices, highlighting Chinese laws that “compel Chinese companies to support and cooperate with intelligence work controlled by the Chinese Communist Party.” While it is unclear what the outcome of this particular review will be, it puts a spotlight on the types of industries and practices that CFIUS is currently scrutinizing and provides a useful case study for what types of mitigating measures we may see imposed by the Committee down the road.

The updated CFIUS regulations set to take effect in February 2020 expressly expand the jurisdiction of CFIUS to include reviews of non-controlling foreign investments in companies that store and have access to sensitive personal data of U.S. citizens. But the CFIUS review into TikTok is only the latest investigation by the Committee into burgeoning technology apps that store sensitive personal data. CFIUS has previously targeted the proposed acquisition by the Chinese Kunlun Group of the U.S. dating application “Grindr” for data privacy concerns regarding its individual users, and similarly forced the Chinese digital healthcare company iCarbonX to divest from it its investment in the U.S. healthcare startup “PatientsLikeMe.” 

These recent cases ultimately show that CFIUS is increasingly focused on the protection of the sensitive personal data of U.S. citizens in emerging technological applications, particularly when Chinese investment is involved.  All U.S. companies considering foreign investment will have to take heed of the current and soon-to-be updated CFIUS regulations and increase their due diligence efforts, particularly where Chinese investment is concerned.

3. 5G Supremacy: Timeline on Huawei Restrictions and Licensing Still Unclear

Finally, a critical ongoing area of U.S.-China cybersecurity relations is the debate over the role that China’s telecommunications leader Huawei will have in developing and implementing global 5G technology and data networks. Huawei was placed on the U.S. Department of Commerce “Entity List” over national security concerns in May 2019, which restricts U.S. companies from doing business with it, and a licensing regime was put into place for U.S. companies that seek to engage with Huawei and certain of its subsidiaries. While no such licenses have been issued to date, U.S. Secretary of Commerce Wilbur Ross recently indicated that at least some of the 260 license applications their office has received will be granted and issued shortly.  

U.S. critics believe that allowing Huawei to take the lead on 5G and similar data network equipment will potentially give the Chinese government the ability to collect data of the users of Huawei products. However, Huawei is a global leader in 5G technology, and despite pressure from the U.S. government, countries like Germany, Hungary, and Norway have decided against banning Huawei from their 5G networks. The inherent difficulties and concerns in having the global leader in 5G technology also be closely connected to the Chinese government is an issue that every country seeking to develop 5G infrastructure will have to address, and will likely be a focal point in the U.S.-China trade war as well as in global cybersecurity relations for years to come. 

If you have any questions about U.S.-China trade relations as it relates to CFIUS, cybersecurity regulatory compliance, or U.S.-imposed licensing restrictions, please contact a member of Baker Donelson’s Global Business Team below.

____________________________________________________________________
Joe D. Whitley is a shareholder at Baker Donelson and chairs the Firm’s Government Enforcement and Investigations Group. He can be reached at jwhitley@bakerdonelson.com. 

Alan Enslen is a shareholder with Baker Donelson and leads the International Trade and National Security Practice and is a member of the Global Business Team. He can be reached at aenslen@bakerdonelson.com. 

Julius Bodie is an associate with Baker Donelson who assists U.S. and foreign companies across multiple industries with international trade regulatory issues. He can be reached at jbodie@bakerdonelson.com. 

Frank Xue is an associate with Baker Donelson who assists Chinese clients with matters in the U.S. related to foreign direct investments, mergers and acquisitions, and private equity/venture capital. He can be reached at fxue@bakerdonelson.com. 

_______________________________________________________________________

1. CCL Translation: “Cyber-security Law of the People’s Republic of China,” Dezan Shira and Associates. https://www.dezshira.com/library/legal/cyber-security-law-china-8013.html.

2. CCL Article 9; see also Laney Zhang, China: New Regulation on Police Cybersecurity Supervision and Inspection Powers Issued, Library of Congress (November 13, 2018) (discussing Measures of Internet Security Supervision and Inspection by the Public Security Organs, (Sept. 15, 2018, effective Nov. 1, 2018)) https://www.loc.gov/law/foreign-news/article/china-new-regulation-on-police-cybersecurity-supervision-and-inspection-powers-issued/.

3. See, e.g., China: Abusive Cybersecurity Law Set to be Passed, Human Rights Watch (November 6, 2016) https://www.hrw.org/news/2016/11/06/china-abusive-cybersecurity-law-set-be-passed; China adopts cyber security law in face of overseas opposition, Reuters (November 6, 2016) https://www.reuters.com/article/us-china-parliament-cyber-idUSKBN132049.

4. Draft Cybersecurity Classified Protection Regulations, China Ministry of Public Security (June 27, 2018) http://www.mps.gov.cn/n2254536/n4904355/c6159136/content.html?from=timeline&isappinstalled=0.

5. See, e.g. Simone McCarthy, Will China’s revised cybersecurity rules put foreign firms at risk of losing their secrets?, South China Morning Post (October 13, 2019) https://www.scmp.com/news/china/diplomacy/article/3032649/will-chinas-revised-cybersecurity-law-put-foreign-firms-risk.

6. Greg Roumeliotis, Yingzhi Yang, Echo Wang, Alexandra Alper, Exclusive: U.S. opens national security investigation into TikTok, Reuters (November 1, 2019) https://www.reuters.com/article/us-tiktok-cfius-exclusive/exclusive-u-s-opens-national-security-investigation-into-tiktok-sources-idUSKBN1XB4IL.

7. Reuters,  How TikTok, Caught in U.S. Regulatory Crossfire, Rose to Global Video Stardom, The New York Times (November 4, 2019) https://www.nytimes.com/reuters/2019/11/04/business/04reuters-tiktok-cfius-factbox.html.

8. See, e.g. Senator Marco Rubio Letter to Secretary of Treasury Steven Mnuchin https://www.rubio.senate.gov/public/_cache/files/9ba023e4-2f4b-404a-a8c0 e87ea784f440/FCEFFE1F54F3899795B4E5F1F1804630.20191009-letter-to-secretary-mnuchin-re-tiktok.pdf

9. Senators Charles E. Schumer and Tom Cotton Senate Letter (October 23, 2019) https://www.democrats.senate.gov/imo/media/doc/10232019%20TikTok%20Letter%20-%20FINAL%20PDF.pdf.

10. See, e.g., Christiana Farr and Ari Levy, The Trump administration is forcing this health start-up that took Chinese money into a fire sale, CNBC (April 4,  2019) https://www.cnbc.com/2019/04/04/cfius-forces-patientslikeme-into-fire-sale-booting-chinese-investor.html; Echo Wang, China’s Kunlun Tech agrees to U.S. demand to sell Grindr gay dating app, Reuters (May 13, 2019) https://www.reuters.com/article/us-grindr-m-a-beijingkunlun/chinas-kunlun-tech-agrees-to-u-s-demand-to-sell-grindr-gay-dating-app-idUSKCN1SJ28N.

11. Huawei Entity List and Temporary General License Frequently Asked Questions, Department of Commerce (September 18, 2019) https://www.bis.doc.gov/index.php/documents/pdfs/2447-huawei-entity-listing-faqs/file

12. Philip Heijmans and Haslinda Amin, Ross Optimistic on China Deal, Trump Wants It Signed in U.S., Bloomberg (November 3, 2019) https://www.bloomberg.com/news/articles/2019-11-03/ross-optimistic-on-china-trade-deal-says-huawei-licenses-coming?srnd=premium.

13. See, e.g., Associated Press, Hungary Says Huawei to Help Build Its 5G Wireless Network, New York Times (November 5, 2019) https://www.nytimes.com/aponline/2019/11/05/business/bc-eu-hungary-huawei.html; Chloe Taylor, Germany set to allow Huawei into 5G networks, defying pressure from the US, CNBC (October 16, 2019) https://www.cnbc.com/2019/10/16/germany-to-allow-huawei-into-5g-networks-defying-pressure-from-the-us.html.

foreign investment

New Foreign Investment Restriction Regulations Cement CFIUS Reform

One of the emerging focal points of the U.S.-China trade war involves the implementation of updated foreign investment restrictions in key U.S. industries. 

On September 17, 2019, the Department of the Treasury issued proposed regulations to implement the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), legislation that sought to reform and expand the scope of foreign investment reviews conducted by the Committee on Foreign Investment in the United States (CFIUS). CFIUS, an inter-agency committee chaired by the Treasury Department with the authority to review, modify and potentially reject certain types of foreign investment that could adversely affect U.S. national security, has undergone a significant overhaul during the past year in the wake of FIRRMA becoming law in August 2018. It is now more vital than ever that companies understand how their business can be affected by the updated CFIUS regulations when they are seeking or negotiating a merger, acquisition, real estate investment or even a non-controlling investment from a foreign investor.

Typically, CFIUS reviews are voluntary and are conducted for merger or acquisition transactions where a non-U.S. company or a foreign government-controlled entity obtain a controlling interest in a U.S. company. If CFIUS determines that a covered transaction presents a national security risk, it has the authority to impose certain mitigating conditions before allowing the deal to proceed and can refer the transaction to the President for an ultimate decision. 

However, FIRRMA updated and expanded the scope of CFIUS jurisdiction to authorize reviews of additional types of non-controlling foreign investments based on the type of U.S. company involved. The implementing regulations proposed in September 2019 are set to take effect February 13, 2020, and while the CFIUS reform regulations are motivated by concerns directly related to China, the impact of FIRRMA will be felt globally and the new rules will not be tied to or affected by impending trade negotiations. U.S. businesses, particularly those involved in critical technologies, real estate, infrastructure and data collection or maintenance, must take heed of how the updated rules will affect their global business decisions moving forward.

New Regulations for TID Companies Effective February 2020

Effective February 13, 2020, CFIUS will be authorized to review “covered control transactions,” (all foreign acquisitions resulting in direct control in a U.S. business, which CFIUS already had jurisdiction over), as well as non-controlling “covered investments” by a foreign person in a U.S. critical technology, critical infrastructure or sensitive personal data company. The new rules refer to these as “TID U.S. Businesses” (Technology, Infrastructure and Data), or to be more specific, a company that engages in one of the following categories of activity: 

-produces, designs, tests, manufactures, fabricates or develops one or more critical technologies;

-owns, operates, manufactures, supplies or services critical infrastructure; or

-maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security.

“Critical technologies” include defense articles or defense services under the International Traffic in Arms Regulations, certain nuclear-related products regulated by the Nuclear Regulatory Commission Controls and certain technologies on the Commerce Control List under the Export Administration Regulations. In addition, “critical technologies” will include certain “emerging technologies” that are yet to be defined, and the Commerce Department’s Bureau of Industry and Security is currently reviewing at least 17 technology areas that are anticipated to result in new controls (including bio-tech, artificial intelligence, microprocessors, positional navigation and timing technology, quantum computing and additive manufacturing (3D printing)). 

“Critical infrastructure” includes key industry subsectors such as telecommunications, utilities, energy and transportation. “Sensitive personal data” is defined to include ten categories of data maintained or collected by U.S. businesses that (i) target products or services to sensitive populations (including U.S. military members and federal national security employees); (ii) collect or maintain such data on at least one million individuals; or (iii) have a business objective to collect such data on greater than 1 million individuals and such data is an integrated part of the U.S. business’s primary product or service. The categories of data include types of financial, geolocation and health data. 

Non-Controlling Covered Investments

Under the new regulations, CFIUS will be authorized to review non-controlling covered investment in TID U.S. Businesses. A “covered investment” includes scenarios where a foreign investor obtains:

-access to material non-public technical information;

-membership or observer rights on the board of directors or an equivalent governing body of the business or the right to nominate an individual to a position on that body; or

-any involvement, other than through voting of shares, in substantive decision making regarding sensitive personal data of U.S. citizens, critical technologies, or critical infrastructure.

Filing a CFIUS declaration for a non-controlling covered investment will remain a largely voluntary process, and parties will be able to file a notice or submit a short-form declaration notifying CFIUS of a covered investment in order to receive a potential “safe harbor” letter (after which CFIUS in most scenarios will not initiate a review of a transaction). 

However, if a foreign government holds a “substantial interest” in the foreign investor that obtains a “substantial interest” in a TID U.S. Business, a CFIUS filing will be mandatory. The updated regulations provide that a foreign government is considered to have a substantial interest in the foreign investor if it holds a 49% direct or indirect interest, whereas a foreign person will obtain a substantial interest in a TID U.S. Business if it obtains at least a 25% direct or indirect interest. CFIUS is also authorized to mandate declarations for transactions involving certain types of critical technology companies. 

The proposed rules also include a “white list” provision providing CFIUS the authority to designate certain “excepted investors” and “excepted foreign states” that may be eligible for an exclusion in connection with non-controlling covered investments. 

Global Impact: How Does This Affect My Business? 

The most important practical effect of the updated regulations is the breadth of U.S. companies standing to be impacted or affected by new foreign investment restrictions. U.S. businesses and industries that have previously never had to consider filing a CFIUS declaration, including healthcare companies, tech start-ups, related infrastructure industries, venture capital funds, emerging technology companies and manufacturers, and any company with access to sensitive consumer data, will now have to contemplate the implications of a CFIUS review when considering even passive foreign investment. Robust due diligence on potential investors will be more important than ever to ensure compliance with both mandatory and voluntary CFIUS declaration filings. Cross-border deals will be a costlier and more time-consuming process that will require acute attention to detail when drafting the contractual rights afforded to foreign investors. 

If you have any questions about the impact of the updated CFIUS regulations or how they may affect your company, please contact a member of Baker Donelson’s Global Business Team for additional information.

___________________________________________________________________

Joe D. Whitley is a shareholder at Baker Donelson, chair of the Firm’s Government Enforcement and Investigations Group and former General Counsel at the Department of Homeland Security. He can be reached at jwhitley@bakerdonelson.com

Alan Enslen is a shareholder with Baker Donelson and leads the International Trade and National Security Practice and is a member of the Global Business Team. He can be reached at aenslen@bakerdonelson.com

Julius Bodie is an associate with Baker Donelson who assists U.S. and foreign companies across multiple industries with international trade regulatory issues. He can be reached at jbodie@bakerdonelson.com