Given the definition of “sensitive data” under the draft rules, insurance companies, especially those insuring government personnel; biotech, health care and health technology companies; and those with data-driven business models are likely to be swept up, experts said. The law expands jurisdiction of the Committee on Foreign Investment in the U.S. over transactions involving businesses with data on individuals that “may be exploited in a manner that threatens to harm national security,“ according to the text of the draft regulations.
“This will be a big thing for companies that are data-centric,” said David Hanke, a partner at Arent Fox in its international trade and national security practice. “More thinking and planning on their part will be needed up-front to understand the potential risks.”
The draft rules were issued by the U.S. Department of the Treasury last month as part of a huge package of proposed regulations implementing the Foreign Investment Risk Review Modernization Act, which was enacted last year with bipartisan support in Congress. They expand the scope of reviews by CFIUS, the interagency panel chaired by the Department of the Treasury secretary that examines investment in U.S. companies for potential national security risks, which historically centered mainly on military and strategic-related technologies and infrastructure.
Lawyers said the draft regulations would require companies and their lawyers to think carefully about how to structure deals involving sensitive data, such as whether to allow foreign investors to provide input into certain types of decisions, or to play roles that could trigger CFIUS’s jurisdiction, and whether it would be prudent to voluntarily file for a CFIUS review even when one is not mandatory. Agencies such as the Defense and Justice departments increasingly are reviewing deal announcements for potential conflicts, one said.
Brian Egan, a partner at Steptoe & Johnson LLP in Washington, D.C., said, “We are going to see more clients who inadvertently undergo investments where they don’t realize this new CFIUS requirement could be triggered. We are going to have more after-the-fact questions from companies that didn’t know an investment was within CFIUS’s jurisdiction, and just got a letter from CFIUS and ask, ‘What do we do?’ This will lead to more filings with CFIUS.”
The draft rules were released on Sept. 17 with a shorter-than-usual 30-day comment period during which stakeholders can make written statements about the rulemaking’s impact. Final regulations will be issued early next year.
The 300-plus-page document, which had an additional 135-page section on draft rules governing real estate transactions, lays out a definition under FIRRMA of “sensitive personal data,” which is different from, but overlaps, personally identifiable information, or PII, referenced in other federal statutes. There are 11 expansive categories of data covered in the regulation.
But the law is narrowly tailored to cover only transactions with specific features, such as where a foreign person gets a board seat, or is involved in substantive decision-making about how a U.S. company will use the personal data, Hanke said.
Some recent examples of transactions that prompted CFIUS reviews where sensitive data was an issue include:
- China Oceanwide Holdings Group Co. Ltd.‘s acquisition of Genworth Financial Inc., which CFIUS approved last year with mitigation, and which received necessary approvals from state regulators but has not yet closed with the deadline extended until Dec. 31.
- Beijing Kunlun Tech Co. Ltd.’s agreement in May to divest from the gay dating app Grindr under orders from CFIUS with a June 2020 deadline, which was a rare example of the committee ordering the unwinding of a completed deal. Kunlun acquired the app, which includes geolocation data and HIV status data, between 2016 and 2018 without submitting an application for review to the panel, according to Reuters.
- CFIUS’s demand that Fosun International Ltd. divest from Wright USA, an Ironshore Inc. unit that served federal employees and law enforcement personnel, as a condition of receiving approval for its $1.83 billion bid for full ownership of the private equity-backed property and casualty insurer in 2015. Ironshore ultimately was sold off to Liberty Mutual Holding Co. in 2017.
Under the draft regulations, CFIUS jurisdiction is expanded to include review of not just controlling investments by foreign investors, but also minority, noncontrolling investments in certain businesses that the agencies deem of interest to national security. “It has brought CFIUS more into the mainstream of equity investment than it was when I was in the Treasury Department several years ago,” Egan said.
They introduce a mandatory filing requirement for transactions where a foreign government has a “substantial interest” in a foreign entity that acquires a “substantial interest” in a U.S. technology, infrastructure or data business.