Brian Egan and David Hanke/courtesy photos

Proposed regulationsfor national security reviews of deals involvingforeign investments in U.S. companiesthat store large amounts of "sensitive personal data" willlikely mean scrutiny of many moretransactions than before, lawyers said.

Given the definition of"sensitive data" under the draftrules, insurancecompanies—especially those insuring governmentpersonnel; biotech,healthcare, and health technology companies; and thosewith data-driven business models—are likely to be swept up, expertssaid. The law expands jurisdiction of the Committee on ForeignInvestment in the U.S. (CFIUS) over transactions involvingbusinesses with data on individuals that "may be exploited in amanner that threatens to harm national security," according to thetext of the draft regulations.

"This will be a big thing forcompanies that are data-centric," said David Hanke, apartner in the internationaltrade and national security practice at Arent Fox. "More thinkingand planning on their part will be needed up front to understandthe potential risks."

The draft rules were issued bythe U.S. Department of the Treasury last month as part of ahuge package ofproposed regulations implementing the Foreign Investment Risk ReviewModernization Act (FIRRMA), which was enacted last year withbipartisan support in Congress. They expand the scope of reviews byCFIUS, the interagency panel chaired by the Treasury Secretary thatexamines investment in U.S. companies for potential nationalsecurity risks, which historically centeredmainly on military and strategic-related technologies andinfrastructure.

Lawyers said the draftregulations would require companies and their lawyers to thinkcarefully about how to structure deals involving sensitive data,such as whether to allow foreign investors to provide input intocertain types of decisions or to play roles that could triggerCFIUS's jurisdiction, and whether it would be prudent tovoluntarily file for a CFIUS review even when one is notmandatory. Agencies such as the Defense and JusticeDepartments increasingly are reviewing deal announcements forpotential conflicts, one said.

Brian Egan, a partner atSteptoe & JohnsonLLP in Washington,D.C., said, "We are going to see more clients who inadvertentlyundergo investments where they don't realize this new CFIUSrequirement could be triggered. We are going to have moreafter-the-fact questions from companies that didn't know aninvestment was within CFIUS's jurisdiction and just got a letterfrom CFIUS and ask, 'What do we do?' This will lead to more filingswith CFIUS." 

The draft rules werereleasedon Sept. 17 with ashorter-than-usual 30-day comment period during which stakeholderscan make written statements about the rule-making's impact.Final regulations will be issued early nextyear.

The 300-plus-page document, whichhad an additional 135-page section on draft rulesgoverning real estatetransactions, lays out adefinition under FIRRMA of "sensitive personal data," which isdifferent from, but overlaps, personally identifiable information (PII),which is referenced in other federal statutes.

There are 11 expansive categoriesof data covered in the regulation, but the law is narrowly tailoredto cover only transactions with specific features, such as where aforeign person gets a board seat or is involved in substantivedecision-making about how a U.S. company will use the personaldata, Hanke said.   

Some recent examples oftransactions that prompted CFIUS reviews where sensitivedata was an issue include:  

• ChinaOceanwide Holdings Group Co. Ltd.'s acquisition of GenworthFinancial Inc., which CFIUS approved last year withmitigation, and whichreceived necessary approvals from state regulators but has not yetclosed, with the deadlineextended until December 12.
• BeijingKunlun Tech Co. Ltd.'s agreement in May to divest from the gaydating app Grindr under orders from CFIUS with a June 2020deadline, which was a rare example of the committee ordering the unwinding of acompleted deal. Kunlun acquired the app, which includes geolocationand HIV status data, between 2016 and 2018 without submitting anapplication for review to the panel, according to Reuters.
• CFIUS'sdemand that Fosun InternationalLtd. divest fromWright USA, an Ironshore Inc. unit that served federal employeesand law enforcement personnel, as a condition of receiving approvalfor its $1.83 billion bid for full ownership of the privateequity-backed property and casualty insurer in 2015. Ironshoreultimately was sold off to Liberty Mutual Holding Co. in2017.

Under the draft regulations, CFIUS jurisdiction isexpanded to include review of not just controllinginvestments by foreign investors, but also minority, noncontrollinginvestments in certain businesses that the agencies deem ofinterest to national security. "It has broughtCFIUS more into the mainstream of equity investment than it waswhen I was in the Treasury Department several years ago," Egansaid.

They introduce amandatory filing requirement for transactions where a foreigngovernment has a "substantial interest" in aforeign entity that acquiresa "substantial interest" in aU.S. technology, infrastructure, or data business.

Definition of Sensitive Data Under Draft Rules

A U.S. business that keeps orcollects personal information on U.S. citizens would qualify as atechnology, infrastructure, or data business covered by the FIRRMAif the data includesgeneticinformation,or if the data is in one of 10 categories ofidentifiable data that can be usedto establish a U.S. citizen's identity and thebusiness tailors products or services to the militaryor sensitive U.S. governmentagencies orintends to maintaindata on more than 1 millionindividuals. 

Categories of data covered by theproposed regulations include PII that could be used to determinefinancial distress, consumer credit reports, physical health andmental health data, geolocation data, biometric enrollment data,and data concerning U.S. government personnel security clearances.Identifiable information includes names, addresses, emailaddresses, Social Security Numbers, and phone numbers or otherunique identifiers. Genetic information is a separatecategory.

The rules don't cover data thatis a matter of public record such as court records or datacollected by U.S. businesses on their own employees unless they aregovernment contractors holding U.S. government securityclearances. 

CFIUS lawyers said thenew rules under FIRRMA aren't likely to end with a change ofadministrations, as could be the case with some trade tariff andsanctions-related work. But they expect that some rules wouldbe amended and updated over time as the agenciesreceive feedback. The sensitive-data rules are most likely to beupdated regularly because the nature of data and its uses changequickly, said Hanke, who was a staff architect of the legislationas a professional staff member in the U.S. Senate.

From: CorporateCounsel