This article was originally featured as a business transactions advisory on on October 7, 2019. Our editors have chosen to feature this article here for its coinciding subject matter.

On September 17, 2019, the Department of the Treasury issued two Proposed Rules intended to implement changes made by the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) to the Defense Production Act of 1950 (DPA).

FIRRMA (1) expanded the authority of the Committee on Foreign Investment in the United States (CFIUS) to review not just foreign investment control transactions that may affect a national security interest in a traditional sense, but also certain non-controlling investments by foreign persons in U.S. businesses involving critical technology, critical infrastructure, or sensitive personal data; (2) broadened the reach of CFIUS review to include certain transactions with foreign persons involving real estate in close proximity to U.S. military and other sensitive national security facilities; and (3) modernized CFIUS’s review process, including the addition of abbreviated submission and review procedures. The Proposed Rules are designed to implement these changes.

The Proposed Rules leave in place the Pilot Program Interim Rules adopted in October 2018, immediately following the enactment of FIRRMA. CFIUS is continuing to assess the scope of the Pilot Program based on comments it has received from industry, and will address those comments when it issues its final rules.

The new Proposed Rules build on, and add to, the Pilot Program by introducing new concepts and terms relating to "Covered Control Transactions," "Covered Investments," and "TID U.S. Businesses." While the Proposed Rules resolve some of the questions raised by FIRRMA and the Pilot Program Interim Rules, they leave unanswered other highly important issues, such as the scope of the term "critical technologies," a pivotal point in deciding whether foreign investment transactions should be submitted to CFIUS for review.

The Department published the Proposed Rules in the Federal Register on September 24, 2019, and is receiving written comments until October 17, 2019.

Non-Controlling Investments and Real Estate Transactions

The Proposed Rules are intended to provide the business and investment communities with clarity on the types of U.S. businesses covered under FIRRMA’s new authority to review certain foreign investments. Both of the Proposed Rules conform to FIRRMA’s requirement that CFIUS conduct a risk-based analysis in reviewing covered transactions, which must include an assessment of the "threat," "vulnerabilities," and "consequences to national security" related to the transaction.

The first of the Proposed Rules provides much needed clarity on the non-controlling investments by foreign persons that fall under CFIUS jurisdiction. The second of the Proposed Rules addresses certain real estate transaction with foreign persons that are subject to CFIUS jurisdiction.

Unfortunately, the Proposed Rules do little to resolve the continuing uncertainty regarding the definition and reach of the FIRRMA-introduced concept of "critical technologies." Nor do they address FIRRMA’s direction to CFIUS to impose potentially significant filing fees on requests for review, or indicate how the Pilot Program Interim Rules that went into effect in October 2018 may be modified.

Presumably, some or all of these issues will be addressed in the final implementing regulations that are required to become effective no later than February 13, 2020.

Rule 1. New definitions expand the reach of FIRRMA to include non-passive investments in "Critical Infrastructure" and "Sensitive Personal Data"

Under FIRRMA, certain non-controlling or minority investments that previously were not subject to CFIUS jurisdiction are now covered if: (1) a foreign person makes an investment in (2) certain types of U.S. businesses that (3) afford the foreign person access to material non-public information in the possession of, management rights in, or involvement in the decision-making of the U.S. Business.

The Proposed Rule does not fully address the first and third factors, but does provide significant additional clarity on the second factor regarding the types of U.S. businesses affected.

Certain Types of U.S. Businesses

The Proposed Rule provides CFIUS jurisdiction over both "covered control transactions" and "covered investments." While CFIUS continues its jurisdiction over all foreign acquisitions resulting in control of a U.S. business, the proposed regulations would also include certain non-passive, non-control investments if the investment is in a "TID U.S. business," which is a CFIUS-created term for a "Technology, Infrastructure, and Data" U.S. business.

If the investment is through a limited partnership and is indirect, it is not a covered investment if the rights of the foreign investor are sufficiently limited.

Critical technologies

The Proposed Rule maintains FIRRMA’s focus on foreign investments in U.S. businesses possessing “critical technologies,” and carries forward FIRRMA’s definition of the term. However, one important category of critical technologies that is included in FIRRMA’s definition of that term – so-called “emerging and foundational technologies” – is not defined by either FIRRMA, the DPA, the Proposed Rule or the Export Control Reform Act of 2018 (ECRA) (where the term was first introduced), and is subject to an ongoing rulemaking proceeding being conducted by the U.S. Department of Commerce.

Thus, for the time being, foreign investors, and U.S. targets of such investment, are left to speculate about what U.S. businesses will be deemed by CFIUS to possess critical technologies.

Covered investment critical infrastructure

The Proposed Rule updates the definition of “critical infrastructure” consistent with the language of FIRRMA, and introduces a new approach for identifying the subset of critical infrastructure deemed to constitute a covered investment. Under this new scheme, to be a covered investment, the U.S. Business must provide: (1) a certain function, with respect to (2) a certain type of critical infrastructure.

Appendix A to the Proposed Rule lists both relevant functions and types of critical infrastructure. The concept of “function” is new, but can be seen as implementing the language of FIRRMA, which states that CFIUS has jurisdiction over investments by a foreign person in a U.S. business that “owns, operates, manufactures, supplies or services critical infrastructure.”

Appendix A is important because it provides definitions that apply solely to the determination of whether an investment in a certain type of critical infrastructure U.S. business is covered. Appendix A therefore does not modify the definition of critical infrastructure as it applies to CFIUS’s jurisdiction more broadly over control transactions.

Sensitive personal data

FIRRMA expands CFIUS’s jurisdiction to include covered investments by a foreign person in a U.S. Business that maintains or collects sensitive personal data of U.S. citizens that “may be exploited in a manner that threatens to harm national security.” The Proposed Rule provides a detailed definition of sensitive personal data to avoid overinclusion that could have a chilling effect on beneficial foreign investment in the growing number of companies that collect or maintain personal data.

The definition identifies both (1) categories of data and (2) specific uses of the data. Specifically, categories of data would be deemed to be sensitive personal data only if the U.S. business: (a) targets or tailors its products or services to sensitive U.S. Government personnel or contractors, (b) maintains or collects such data on greater than one million individuals, or (c) has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services.

The “targets or tailors” and “greater than one million” language is intended to narrow the definition to include only those U.S. businesses most likely to have sensitive data from sensitive populations. The definition further defines “personal identifier” and “identifiable data” to exclude anonymized data, and also excludes encrypted data, so long as the data cannot be de-anonymized or de-encrypted.

Importantly, this definition includes all genetic information and carves out data pertaining to a U.S. Business’s own employees. It also specifically addresses credit reporting agencies, personal insurance applications, health-related data, non-public electronic communications (such as from an e-mail or chat service providers), geolocation data, biometric identification services, and personnel security clearance services or issuers of government identification.

Foreign Person

The Proposed Rule addresses FIRRMA’s requirement that its expanded jurisdiction apply only to certain categories of foreign persons, but it fails to provide much clarity and implementation may be delayed. It adopts a list-based approach that ultimately will identify certain “excepted foreign states” eligible for exclusion in connection with covered investments but not covered control transactions.

CFIUS has not yet published a list of such countries, and has suggested that the list will be very limited, at least initially. The Proposed Rule describes the test that will be applied in deciding which countries will be “white-listed”.

Even as to countries included on the list of excepted foreign states, there will be further limitations on the types of “excepted foreign investors” from such countries who may qualify, with consideration being given to a company’s organizational structure, board of directors and other factors.


The Proposed Rule confirms certain procedural aspects of the review process. It maintains the largely voluntary process for filing a notice, either by short-form declaration, which must be reviewed within 30 days following submission, or by long-form notice, which now has a 45-day review period.

As under the Pilot Program, there are some circumstances in which filing a declaration for a transaction is mandatory. For example, there is a mandatory declaration requirement for specified covered transactions where a foreign government has a “substantial interest,” which is defined as where the foreign government’s interest in the foreign acquirer/investor is 49 percent or more, and the ownership interest that the foreign person is acquiring in a TID U.S. business is 25 percent or more.

The Proposed Rule also confirms that the “safe harbor,” created after filing a notice upon which CFIUS has concluded action, applies with equal force to declarations on which CFIUS has concluded action. However, because CFIUS is not required to make a final determination on the basis of a declaration, in order to timely obtain the safe harbor it may be best to file a traditional long-form notice.

The Proposed Rule also provides modest updates to the penalties and damages provisions, allowing for imposition of civil penalties for material misstatements, omissions, or certifications and for violations of a material provision of a mitigation agreement or other condition. It also allows for the inclusion of a liquidated damages clause in a mitigation agreement.

Rule 2. Transactions Involving Real Estate

This Proposed Rule describes the types of real estate transactions that are subject to CFIUS’s jurisdiction under FIRRMA, which include certain (1) purchases, leases and concessions (2) through which a foreign person is afforded certain “property rights” with respect to (3) “covered real estate”.

Covered Real Estate

The Proposed Rule defines “covered real estate” by tying specific categories of sites, such as military installations, maritime ports, airports and other sensitive locations, to the proximity of the real estate involved in the transaction. Appendix A to the rule lists the names and locations of certain military installations and other sensitive locations covered by the rule, but does not list other facilities or properties of the U.S. Government that are sensitive for national security reasons and may also be covered.

Depending on the nature of the facility involved, the analysis will consider whether the target real estate is in “close proximity” (defined as within one mile) or “extended range” (defined as up to 99 miles).

Property rights

For the purchase or lease by, or concession to, a foreign person of covered real estate, the transaction must afford to the foreign person at least three of the following rights with respect to the property: (1) to have physical access to the property; (2) to exclude others from physical access to the property; (3) to improve or develop the property; or (4) to attach fixed or immovable structures to the real estate.

Excepted real estate transaction

The Proposed Rule also defines exceptions to the general rule described above by enumerating specific types of transactions excluded from CFIUS jurisdiction. Similar to the rule for foreign persons discussed above, the Proposed Rule makes certain country-specific exceptions through use of the defined terms “excepted real estate investor,” “excepted real estate foreign state,” and “minimum excepted ownership.”

It also excepts certain types of transactions, including urban clusters, housing units, retail trade, commercial office space, and American Indian and Alaska Native lands.

Voluntary Filing

Unlike the first Proposed Rule, there is no mandatory filing requirement for real estate transactions. Parties may file a notice or declaration notifying CFIUS of a covered real estate transaction in order to potentially qualify for a “safe harbor” letter.