Companies outside the U.S. contemplating purchases of U.S. business (and potential U.S. acquisition targets) are continuing to parse the Department of the Treasury’s two proposed regulations continuing implementation of the Foreign Investment Risk Review Modernization Act (“FIRRMA”). The proposed rules change the Committee’s jurisdiction and certain procedures related to the national security reviews undertaken by the Committee on Foreign Investment in the United States (“CFIUS”). These proposed regulations provide additional clarity regarding how CFIUS intends to implement the FIRRMA amendments. When implemented, these regulations will formally expand CFIUS jurisdiction – but will also formalize current CFIUS practice in most respects. Implementation is scheduled to occur on or before February 13, 2020. 
Jurisdiction over non-controlling investments
Traditionally, CFIUS exercised jurisdiction over investments that result in the “control” of a non-U.S. person over a U.S. business. After FIRRMA implementation, CFIUS will have jurisdiction over certain investments that do not result in control by a non-U.S. person. Specifically, CFIUS will have jurisdiction over non-controlling investments if the investment is in a specific company type, and if it affords the investor specific, enumerated rights.
The draft regulations identify several company types that satisfy the first part of the test. The first type is a business that produces or otherwise deals in certain “critical technologies.” A separate statute 
authorizes the Department of Commerce to identify these critical technologies. Although the Department of Commerce did identify examples of these technologies in a 2018 rulemaking, that process is not yet complete.
The second type is a business that maintains or otherwise deals in sensitive personal data of U.S. persons. The scope of sensitive personal data is likely to be very broad in practice, but must be able to be used to identify a person by a “personal identifier.” There are limited exceptions that include anonymized data. In practice, financial firms, insurance firms, firms collecting medical information, and firms in industries that collect similar types of personal identifier information, including certain internet and media firms, are very likely to fall within this type of company.
The final type is a business that owns, operates, manufactures, or otherwise performs a function specified in the regulations in critical infrastructure, which includes infrastructure that, if incapacitated, would have a “debilitating impact” on U.S. national security. Examples of such “covered investment critical infrastructure” includes certain internet protocol networks; certain internet exchange points; certain submarine cable systems and facilities; satellite systems that provide services directly to the U.S. Department of Defense or a related component; certain specialty metals and carbon, alloy, and armor steel plates; systems related to the storage of electric energy comprising the bulk-power system; and several others.
The draft regulations specify that, to satisfy the second part of this test, the foreign investor must gain access to certain enumerated rights. These enumerated rights include access to material, non-public, technical information, which includes information that provides information regarding critical infrastructure, or provides information regarding critical technology; membership or observer rights on the U.S. company’s board of directors; and any involvement, outside of voting rights provided by shareholding, in substantive decision making processes.
Mandatory filing types
Traditionally, notifications of acquisitions and investments were made to CFIUS on a voluntary basis. FIRRMA authorizes CFIUS to subject certain types of transactions to a mandatory filing structure. This expanded jurisdiction will apply to certain transactions that involve “critical technology,” as defined under the regulations, and certain transactions involving foreign governments.
The expanded jurisdiction regarding critical technology was initially rolled out in the Pilot Program prior to these draft regulations, which identified 27 specific technologies subject to the rules. These draft regulations do not alter the Pilot Program, though we do expect that the final version of the regulations will include information about the Pilot Program.
Further, any transaction resulting in a foreign government obtaining a “substantial interest” in a critical technology, critical infrastructure, or personal data company is subject to a mandatory filing. In general, if the foreign government owns at least a 49 percent voting interest in the foreign person acquiring the U.S. business, and the foreign person is acquiring at least 25 percent of the U.S. business, that would qualify as a substantial interest.
Putting the mandatory filing provisions aside, in general, the proposed FIRRMA implementing regulations codify, rather than expand, the current jurisdiction already exercised by CFIUS in practice. The rulemaking is a clear indication, however, that CFIUS intends to continue to review non-U.S. investments in critical infrastructures and technologies. Moreover, other aspects of FIRRMA – including those related to the imposition of penalties – suggest a more proactive CFIUS going forward.
Currently, the proposed regulations are in a notice and comment period, and there are likely to be some changes in the final rules. However, the basic outline of the changes are unlikely to change substantially.
The Export Control Reform Act of 2018, which was also part of the broader National Defense Authorization Act package that included FIRRMA, is this authority.