Brian Egan and David Hanke/courtesy photos

Proposed regulations for national security reviews of deals involving foreign investments in U.S. companies that store large amounts of "sensitive personal data" will likely mean scrutiny of many more transactions than before, lawyers said.

Given the definition of "sensitive data" under the draft rules, insurance companies—especially those insuring government personnel; biotech, healthcare, and health technology companies; and those with data-driven business models—are likely to be swept up, experts said. The law expands jurisdiction of the Committee on Foreign Investment in the U.S. (CFIUS) over transactions involving businesses with data on individuals that "may be exploited in a manner that threatens to harm national security," according to the text of the draft regulations.

"This will be a big thing for companies that are data-centric," said David Hanke, a partner in the international trade and national security practice at Arent Fox. "More thinking and planning on their part will be needed up front to understand the potential risks."

The draft rules were issued by the U.S. Department of the Treasury last month as part of a huge package of proposed regulations implementing the Foreign Investment Risk Review Modernization Act (FIRRMA), which was enacted last year with bipartisan support in Congress. They expand the scope of reviews by CFIUS, the interagency panel chaired by the Treasury Secretary that examines investment in U.S. companies for potential national security risks, which historically centered mainly on military and strategic-related technologies and infrastructure.

Lawyers said the draft regulations would require companies and their lawyers to think carefully about how to structure deals involving sensitive data, such as whether to allow foreign investors to provide input into certain types of decisions or to play roles that could trigger CFIUS's jurisdiction, and whether it would be prudent to voluntarily file for a CFIUS review even when one is not mandatory. Agencies such as the Defense and Justice Departments increasingly are reviewing deal announcements for potential conflicts, one said.

Brian Egan, a partner at Steptoe & Johnson LLP in Washington, D.C., said, "We are going to see more clients who inadvertently undergo investments where they don't realize this new CFIUS requirement could be triggered. We are going to have more after-the-fact questions from companies that didn't know an investment was within CFIUS's jurisdiction and just got a letter from CFIUS and ask, 'What do we do?' This will lead to more filings with CFIUS." 

The draft rules were released on Sept. 17 with a shorter-than-usual 30-day comment period during which stakeholders can make written statements about the rule-making's impact. Final regulations will be issued early next year.

The 300-plus-page document, which had an additional 135-page section on draft rules governing real estate transactions, lays out a definition under FIRRMA of "sensitive personal data," which is different from, but overlaps, personally identifiable information (PII), which is referenced in other federal statutes.

There are 11 expansive categories of data covered in the regulation, but the law is narrowly tailored to cover only transactions with specific features, such as where a foreign person gets a board seat or is involved in substantive decision-making about how a U.S. company will use the personal data, Hanke said.   

Some recent examples of transactions that prompted CFIUS reviews where sensitive data was an issue include:  

• China Oceanwide Holdings Group Co. Ltd.'s acquisition of Genworth Financial Inc., which CFIUS approved last year with mitigation, and which received necessary approvals from state regulators but has not yet closed, with the deadline extended until December 12.
• Beijing Kunlun Tech Co. Ltd.'s agreement in May to divest from the gay dating app Grindr under orders from CFIUS with a June 2020 deadline, which was a rare example of the committee ordering the unwinding of a completed deal. Kunlun acquired the app, which includes geolocation and HIV status data, between 2016 and 2018 without submitting an application for review to the panel, according to Reuters.
• CFIUS's demand that Fosun International Ltd. divest from Wright USA, an Ironshore Inc. unit that served federal employees and law enforcement personnel, as a condition of receiving approval for its $1.83 billion bid for full ownership of the private equity-backed property and casualty insurer in 2015. Ironshore ultimately was sold off to Liberty Mutual Holding Co. in 2017.

Under the draft regulations, CFIUS jurisdiction is expanded to include review of not just controlling investments by foreign investors, but also minority, noncontrolling investments in certain businesses that the agencies deem of interest to national security. "It has brought CFIUS more into the mainstream of equity investment than it was when I was in the Treasury Department several years ago," Egan said.

They introduce a mandatory filing requirement for transactions where a foreign government has a "substantial interest" in a foreign entity that acquires a "substantial interest" in a U.S. technology, infrastructure, or data business.

Definition of Sensitive Data Under Draft Rules

A U.S. business that keeps or collects personal information on U.S. citizens would qualify as a technology, infrastructure, or data business covered by the FIRRMA if the data includes genetic information, or if the data is in one of 10 categories of identifiable data that can be used to establish a U.S. citizen's identity and the business tailors products or services to the military or sensitive U.S. government agencies or intends to maintain data on more than 1 million individuals. 

Categories of data covered by the proposed regulations include PII that could be used to determine financial distress, consumer credit reports, physical health and mental health data, geolocation data, biometric enrollment data, and data concerning U.S. government personnel security clearances. Identifiable information includes names, addresses, email addresses, Social Security Numbers, and phone numbers or other unique identifiers. Genetic information is a separate category.

The rules don't cover data that is a matter of public record such as court records or data collected by U.S. businesses on their own employees unless they are government contractors holding U.S. government security clearances. 

CFIUS lawyers said the new rules under FIRRMA aren't likely to end with a change of administrations, as could be the case with some trade tariff and sanctions-related work. But they expect that some rules would be amended and updated over time as the agencies receive feedback. The sensitive-data rules are most likely to be updated regularly because the nature of data and its uses change quickly, said Hanke, who was a staff architect of the legislation as a professional staff member in the U.S. Senate.

From: CorporateCounsel