On September 17, 2019, the Department of the Treasury issued long-awaited proposed rules implementing many of the provisions of the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”), which substantially expanded the jurisdiction of the Committee on Foreign Investment in the United States (“CFIUS”) to conduct national security reviews of foreign investment in the United States.

The proposed rules were issued in two parts: 31 CFR Part 800 – Provisions Pertaining to Certain Investments in the United States by Foreign Persons and 31 CFR Part 802 – Provisions Pertaining to Certain Transactions in the United States by Foreign Persons Involving Real Estate. CFIUS already had the authority review any control transaction by a foreign person in respect to U.S. businesses to determine the potential impact on the national security of the United States. Under the Part 800 Rule, CFIUS’s jurisdiction has been expanded to also cover certain non-controlling investments in U.S. business that (i) are involved with “critical technologies”, (ii) own, operate, manufacture or supply or provide services to “critical infrastructure” or (iii) that collect or maintain “sensitive personal data”, in each case, if such investments afford foreign persons certain rights (as described below). Under the Part 802 Rule, CFIUS will also have the jurisdiction to review certain “covered real estate transactions” if the relevant real estate is in close proximity to U.S. military installations or sensitive U.S. government facilities, or within or part of an airport or a maritime port.

On the one hand, the proposed rules greatly expand CFIUS’s jurisdiction to review a wide range of foreign investments in U.S businesses and real estate. On the other hand, the proposed rules show some restraint on the part of CFIUS by limiting the instances where mandatory CFIUS filings are required.

The comment period for the proposed rules is open until October 17, 2019, and, in accordance with FIRRMA, the rules are required to be finalized no later than February 13, 2020. Below are key takeaways from the proposed rules.

1. The Pilot Program (including mandatory filings) remain in place

The proposed rules do not alter the interim “Pilot Program” rules (31 CFR Part 801) issued on October 11, 2018. Until further notice, or until the Pilot Program expires in February 2020 if not extended, investments subject to the Pilot Program will continue to be subject to potential mandatory CFIUS filings.

Under the Pilot Program, a mandatory filing regime was created for certain foreign investments in U.S. businesses that produce, design, test, manufacture, fabricate, or develop certain “critical technologies” if such transaction: (i) could result in a foreign person controlling such business, (ii) affords a foreign person with access to “material non-public technical information” regarding such business (information necessary to design, fabricate, develop, test produce or manufacture critical technologies), (iii) affords a foreign person with membership or observer rights on the board of such business or (iv) affords a foreign person the right to involvement in the substantive decision-making of such business with respect to the relevant critical technology. Critical technologies include: (a) defense services and articles controlled by the International Traffic in Arms Regulations, (b) items controlled by the Export Administration Regulations for reasons related to national security, chemical and biological weapons proliferation, nuclear nonproliferation, missile technology, regional stability, or surreptitious listening, (c) specially designed nuclear components, parts and technology and (d) select agents and toxins, in each case, used in or developed for any of the twenty-seven sensitive industries enumerated under the Pilot Program rule (please see our October 31, 2018 alert for the complete list of industries), and also include certain “emerging and foundation technologies” controlled under the Export Control Reform Act. The rules defining “emerging and foundational technologies” are expected by year end, and are likely to include categories such as biotechnology, artificial intelligence, additive manufacturing (including 3-D printing), navigation and timing (including self-driving car technology), microprocessor technology, robotics and quantum computing. When the final list of “emerging and foundation technologies” is released, it will be immediately relevant, as they will automatically be incorporated into the definition of critical technologies.

Under the Pilot Program, indirect participation in such investments by a foreign person as a limited partner of a private investment fund generally does not trigger a mandatory CFIUS filing if: (i) the fund is exclusively managed by a general partner (or equivalent) that is not the foreign person, (ii) neither the foreign person nor the advisory board of the fund has certain control rights with respect to the fund, including, the ability to control investment decisions or participate in the substantive decision making of the fund regarding companies in which the fund is invested, or the ability to unilaterally select or remove the general partner (or equivalent) and (iii) the foreign person does not have access to “material non-public technical information” regarding the applicable company.

2. The proposed rules maintain CFIUS’s jurisdiction to review control investments

Whether an investment fund organized in a non-U.S. jurisdiction is itself a foreign person (including by virtue of its general partner being organized in a non-U.S. jurisdiction and/or one or more of its control persons not being a U.S. national), or the involvement of investment professionals who are not U.S. nationals in the investment activities of an investment fund could cause a mandatory CFIUS filing, remains a fact-specific analysis.

The proposed regulations maintain CFIUS’s broad jurisdiction to review for national security reasons any investment in any U.S. business (referred to as, “covered control transactions” in the proposed rules) where a foreign person obtains “control” of the U.S. business. The term control is broadly defined (generally, the power to determine, direct or decide important matters of the business) and could be triggered even where the foreign investor holds a small minority stake in the business (if for example, the investor retains the right to dismiss senior executives, terminate significant contracts or select new business lines).

3. The proposed rules expand CFIUS’s jurisdiction to review non-control investments in TID U.S. Businesses

CFIUS’s jurisdiction has been expanded to cover certain non-controlling equity investments in U.S. businesses that (i) are involved with “critical technologies”, (ii) own, operate, manufacture or supply or provide services to “critical infrastructure” that is so vital to the United States that the incapacity or destruction of such systems or assets would have debilitating impact on national security or (iii) that collect or maintain “sensitive personal data” that may be exploited in a manner that threatens to harm national security (a “TID U.S. Business”). Any such direct or indirect foreign investment in a TID U.S. Business (referred to as a “covered investment” in the proposed rules) is subject to CFIUS’s jurisdiction if such investment affords a foreign person:

  1. access to “material non-public technical information”;
  2. membership or observer rights on the board of such business; or
  3. rights to involvement, other than through voting shares, in the “substantive decision-making”1 of such business.

    Critical Technologies. The criteria for determining a “critical technology” U.S. business is unchanged from the Pilot Program, except that for purposes of potentially being a TID U.S. Business, there is no requirement that relevant business uses the “critical technology” in one of the enumerated twenty-seven sensitive pilot program industries.

    Critical Infrastructure. A “critical infrastructure” investment is generally an investment in a U.S. business that owns, operates, manufactures or supplies or provides services (referred to as “functions related to critical infrastructure” in the proposed rules) to critical infrastructures, including, certain defense industrial base sectors, telecommunications, energy, transportation, financial services and public water and waste systems. The proposed rules provide an appendix (reproduced at the end of this Alert) that sets forth the combinations of the twenty-eight categories of “critical infrastructures” and “functions related to critical infrastructure” that potentially constitute a TID U.S. Businesses.

    Sensitive Personal Data. A “sensitive personal data” investment is generally an investment in a U.S. businesses that maintains or collects “identifiable data” (generally, data that can be used to identify a person of a type falling within one of the ten categories set forth below) of more than one million people, or tailors its product to U.S. executive branch or military personnel. The applicable “identifiable data” categories generally include: (i) data that could be used to determine a person’s financial distress, (ii) data contained in a consumer report (unless limited data is obtained from a consumer reporting agency for purposes described in the Fair Credit Reporting Act), (iii) data contained in insurance applications, (iv) data that relates to a person’s physical, mental or psychological well-being (i.e. health information), (v) non-public electronic communications, including, email messaging, or chat communications between or among users of a U.S business’ products or services (if the U.S. business is providing communications platforms used by third parties), (vi) geolocation data, (vii) biometric enrollment data (e.g., facial, voice, retina and fingerprints), (viii) data stored and processed for generating state and federal identification cards, (ix) data concerning U.S. government personnel security clearance and (x) data in an application for U.S. government security clearance. Genetic information constitutes “sensitive personal data”, regardless of the amount of data collected or maintained, who the business targets or if it falls within one of the ten categories set forth above. The proposed regulations expressly exclude information that an employer may maintain with respect to its own employees.

4. Investment fund exception for “covered investments” in TID U.S. Businesses

Similar to the Pilot Program, the proposed rules contain an exception for indirect “covered investments” of foreign persons in a TID U.S. Businesses through a private investment fund. The criteria for determining if this exception applies are the same criteria utilized by the Pilot Program investment fund exception (described above).

5. New mandatory filings only applies to a narrow category of transactions

Under the proposed rules, a mandatory CFIUS filing is only required if a foreign person acquires a 25% or more of the voting interests in a TID U.S. Business and, in turn, a foreign government holds 49% or more of the voting interests in that foreign person (referred to as “substantial interest” in such TID U.S. Business in the proposed rules). As discussed above, the mandatory filing requirements of the Pilot Program relating to “critical technology” U.S. businesses remain in effect. Outside of these transactions, under the proposed rules, CFIUS filings would remain voluntary.

6. The proposed rules explain how FIRRMA applies to real estate

Certain transactions involving real estate where the transaction could result in a foreign person controlling a U.S. business have always been subject to CFIUS’s jurisdiction. Recognizing that real estate transactions implicate different concerns and different review procedures than M&A transactions, CFIUS opted to conduct a separate rule-making solely for real estate transactions that do not necessarily involve the acquisition of an operating business. Under the proposed rules CFIUS will have jurisdiction over the purchase or lease by, or concession to, a foreign person of “covered real estate” if the foreign person obtains three or more of the following property rights: (i) the right to physical access, (ii) the right to exclude others, (iii) the right to improve or develop the property or (iv) the right to attach fixed or immovable objects. Covered real estate generally includes real estate that is physically within or functionally a part of an airport or a maritime port, or close to U.S. military installations and other sensitive government facilities. CFIUS appears to be concerned with, among other things, the ability of foreign persons to collect intelligence and the risk of exposing sensitive activities. For certain military facilities, real estate within a 100-mile radius will come under the new rule. The proposed rules provide for certain exceptions related to single housing units, retail trade and food services, commercial office space, the extension of a mortgage or similar financing for a foreign person to acquire “covered real estate” and real estate within urban areas of urbanized clusters. Though real estate acquisitions will not require mandatory filings, parties should be aware that gaining access or other property rights may trigger CFIUS jurisdiction and interest, depending on the facility and the nature and nationality of the buyer.

7. The “White List”

The proposed rules will also introduce a list of “excepted foreign states” whose investors may be exempt from CFIUS’s expanded non-control TID U.S. Business and real estate transaction jurisdiction. At least two-thirds of the voting members of CFIUS must agree to add a foreign state to this list. Countries on the list must maintain a robust process to analyze foreign investments for national security risks and facilitate coordination with the Unites States on matters relating to investment security. Given these requirements the list is expected to be quite narrow. In a stakeholder’s meeting on September 27, 2019, Thomas Feddo, the newly appointed Assistant Secretary for Investment Security, said the list of “excepted foreign states” should be available by early 2020, and that the exemption would be available immediately – giving the designated countries a two year grace period to implement satisfactory foreign investment review programs.

In order for a specific investor (referred to as an “excepted investor” in the proposed rules) to qualify for the exception, such investor generally would need to be (i) a foreign national of such foreign state, (ii) a foreign government of such foreign state or (iii) a foreign entity that is organized and has its principal place of business in the United States or such foreign state, all members of its board of directors (or similar body) must be citizens of the United States or such foreign state and all investors with equity interests of 5% or more in such entity must be citizens of the United States or such foreign state. If the above criteria cease to be true within three years from the completion date of the transaction, CFIUS may assert its jurisdiction over the previously exempted transaction. Under the proposed rules, a similar “excepted real estate investor” exemption has been proposed with respect to real estate transactions, though Treasury has said that the list of excepted foreign states for real estate transactions may not be identical to the list of excepted foreign states for TID transactions.


The proposed rules greatly expand CFIUS’s jurisdiction to review a wide-range of transactions involving foreign investment in U.S technology, infrastructure and data businesses, and the purchase or lease by, or a concession to, a foreign person of sensitive U.S. real estate. However, as discussed above, other than with respect certain foreign government investing in TID U.S. Businesses (and the Pilot Program mandatory filings remaining in effect), the proposed rules have not expanded the types of transactions requiring a mandatory CFIUS filing, and thus CFIUS filings are expected to largely remain voluntary. We will provide updates on any developments as the proposed rules proceed through the rule-making process and into their final forms. In the meantime, we expect CFIUS will monitor and examine a wide range of foreign investment in U.S. businesses where national security concerns could be implicated.