On January 17, the U.S. Treasury Department issued final rules implementing the Foreign Investment Risk Review Modernization Act (“FIRRMA”), which expanded and clarified the jurisdiction of the Committee on Foreign Investment in the United States (“CFIUS”) (an additional final rule regarding real estate transactions was published the same day and will be the subject of an additional alert). These final rules, which are effective on February 13, 2020, generally reflect the rules that were proposed in September 2019. However, the final rules include some marginal changes and provide significant additional context and examples.
The primary jurisdictional expansion in FIRRMA is CFIUS jurisdiction over certain non-controlling investments in technology, infrastructure, and data U.S. businesses (“TID U.S. businesses”), including U.S. businesses that: 1) produce, design, test, manufacture, fabricate, or developed a “critical technology”; 2) own, operate, manufacture, supply, or service “critical infrastructure”; or 3) maintain or collect “sensitive personal data” of U.S. citizens.
The final rules maintain the pilot program mandatory declaration concept for critical technology investments, with a few changes (including by moving the rules from 31 C.F.R. Part 801 to 31 C.F.R. Part 800). For example, the final rules include the following exceptions from the mandatory filing requirements: 1) transactions involving excepted investors (excepted investors include a foreign national who is a national of one or more “excepted foreign states,” among other specified entities); 2) transactions involving encryption technologies that qualify for license exception ENC under 15 C.F.R. Part 740 of the Export Administration Regulations; 3) entities that are already subject to a foreign ownership, control, or influence mitigation agreement pursuant to the National Industrial Security Program regulations; and 4) transactions involving investment funds managed by a U.S. general partner, managing member, or equivalent that is either not a foreign person or is ultimately under U.S.-person control; among other exceptions. “Critical technology” includes technology controlled for export under the International Traffic in Arms Regulations, Export Administration Regulations, or is designated as an emerging or foundational technology, among other related controls. Further, the final rule anticipates a future rulemaking that changes the jurisdictional hook from industry designations determined by reference to NAICS codes to a focus on export control requirements.
The final rules also modified some of the proposed rules’ treatment of “sensitive personal data.” The treatment of genetic information as a subset of sensitive personal data has generally become more permissive in the final rule by stating that covered genetic information must be “identifiable data,” or traceable to a specific individual.
Finally, broad exceptions are available to “excepted foreign states” and “excepted investors.” Beginning on the effective date, Australia, Canada, and the United Kingdom will qualify as excepted foreign states, and qualifying investors from those countries are free from FIRRMA’s broadened jurisdiction related to non-controlling investments. This list may expand in the future.
These final rules expand and substantially complicate CFIUS jurisdictional analysis. The regulations include significant detailed guidance regarding the rules’ interpretation and implementation, which often limits what appears to be very general applicability. Further, certain aspects of FIRRMA implementation remain incomplete (including the ultimate scope of “critical technologies”), even after this final rule, and CFIUS acknowledges in the rulemaking that periodic review and amendment of these rules will be appropriate. Accordingly, careful review and analysis of the new rules is vital when assessing potential transactions from a CFIUS perspective.

CFIUS Publishes Final FIRRMA Rules Reflecting Minor Changes and Exceptions to Expanded Jurisdiction