New CFIUS Regulations
On February 13, 2020, the Department of the Treasury implemented rules for the Foreign Investment Risk Modernization Act of 2018 (FIRRMA) to expand the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS). Under the new regulations, TID businesses, or businesses with critical technologies, critical infrastructure, or sensitive personal data, have been declared particularly prone to national security risk. U.S. companies that have maintained or demonstrated a business objective to maintain identifiable information for greater than one million individuals are considered a sensitive personal data TID business. Sensitive personal data is defined as: (a) financial data, (b) consumer reports, (c) health insurance data, (d) physical/mental/psychological health data, (e) non-public messaging data, and (f) geolocation data. Collection of all of the foregoing data could have serious national security implications if a hostile foreign investor tried to invest in or purchase a U.S. data company.
However, under the new rules, not all foreign TID investors would be subject to CFIUS scrutiny. If a foreign entity is based inside an “excepted foreign state” and qualifies as an “excepted investor,” then CFIUS would not require mandatory filings. The Department of the Treasury identified Australia, Canada, and the U.K. as excepted foreign states. An excepted investor is defined as a citizen of an excepted foreign state, a member of an excepted foreign state’s government, or a foreign entity organized within an excepted foreign state that meets certain criteria. The criteria for a foreign entity requires that (1) the principle place of business in an excepted foreign state or U.S., (2) at least 75% of the board are U.S. nationals or citizens of one or more excepted state, (3) anyone with over a 10% interest must be a U.S. citizen/entity or excepted foreign state citizen/entity, and (4) at least a 50% interest is controlled by a U.S. citizen/entity or an excepted foreign state citizen/entity if the stock is traded on a U.S. or excepted foreign state stock exchange¾the interest amount goes up to 80% if the stock is not primarily traded in the U.S. or excepted foreign state. Therefore, any Australian, Canadian, or U.K. company that satisfies the excepted investor qualifications is exempt from mandatory declarations. (Companies that do not qualify as excepted investors would be required to file a mandatory declaration for obtaining a “substantial interest” in a U.S. TID business.) A substantial interest is defined as purchasing a 25% or more voting interest on the part of a foreign person or a 49% or more voting interest on the part of a foreign government.
Issues with The New Exception
As a result of these new regulations, a Canadian, Australian, or U.K. company with predominantly foreign board members and ownership could be exempt from CFIUS scrutiny. Even though affording long-standing allies such an exception might seem benign, companies from these countries—such as Cambridge Analytica—have abused private data before.
This adjustment in FIRRMA could allow other companies to acquire already collected data from U.S. companies. Let’s imagine a U.K. company that wants to expeditiously obtain the sensitive personal data of 5 million U.S. citizens to generate political data by purchasing a relatively new start-up app. Then that company uses that political data to best tailor political advertisements to swing voters, thereby trying to interfere in the U.S. election. The power of sensitive personal data in U.S. elections is largely uncharted waters. Therefore, the Department of the Treasury should allow CFIUS to exercise its expanded jurisdiction in TID businesses until more research allows for a categorical exception in excepted foreign states.