Draft CFIUS Rules on Personal Data Mean 'More Thinking and Planning' for Data Risks
The law expands jurisdiction of the Committee on Foreign Investment in the U.S. over transactions involving businesses with data on individuals that "may be exploited in a manner that threatens to harm national security."
October 08, 2019 at 03:00 AM
8 minute read
The original version of this story was published on Corporate Counsel
Proposed regulations for national security reviews of deals involving foreign investments in U.S. companies that store large amounts of "sensitive personal data" will likely mean scrutiny of many more transactions than before, lawyers said.
Given the definition of "sensitive data" under the draft rules, insurance companies, especially those insuring government personnel; biotech, health care and health technology companies; and those with data-driven business models are likely to be swept up, experts said. The law expands jurisdiction of the Committee on Foreign Investment in the U.S. over transactions involving businesses with data on individuals that "may be exploited in a manner that threatens to harm national security," according to the text of the draft regulations.
"This will be a big thing for companies that are data-centric," said David Hanke, a partner at Arent Fox in its international trade and national security practice. "More thinking and planning on their part will be needed up-front to understand the potential risks."
The draft rules were issued by the U.S. Department of the Treasury last month as part of a huge package of proposed regulations implementing the Foreign Investment Risk Review Modernization Act, which was enacted last year with bipartisan support in Congress. They expand the scope of reviews by CFIUS, the interagency panel chaired by the Department of the Treasury secretary that examines investment in U.S. companies for potential national security risks, which historically centered mainly on military and strategic-related technologies and infrastructure.
Lawyers said the draft regulations would require companies and their lawyers to think carefully about how to structure deals involving sensitive data, such as whether to allow foreign investors to provide input into certain types of decisions, or to play roles that could trigger CFIUS's jurisdiction, and whether it would be prudent to voluntarily file for a CFIUS review even when one is not mandatory. Agencies such as the Defense and Justice departments increasingly are reviewing deal announcements for potential conflicts, one said.
Brian Egan, a partner at Steptoe & Johnson LLP in Washington, D.C., said, "We are going to see more clients who inadvertently undergo investments where they don't realize this new CFIUS requirement could be triggered. We are going to have more after-the-fact questions from companies that didn't know an investment was within CFIUS's jurisdiction, and just got a letter from CFIUS and ask, 'What do we do?' This will lead to more filings with CFIUS."
The draft rules were released on Sept. 17 with a shorter-than-usual 30-day comment period during which stakeholders can make written statements about the rulemaking's impact. Final regulations will be issued early next year.
The 300-plus-page document, which had an additional 135-page section on draft rules governing real estate transactions, lays out a definition under FIRRMA of "sensitive personal data," which is different from, but overlaps, personally identifiable information, or PII, referenced in other federal statutes. There are 11 expansive categories of data covered in the regulation.
But the law is narrowly tailored to cover only transactions with specific features, such as where a foreign person gets a board seat, or is involved in substantive decision-making about how a U.S. company will use the personal data, Hanke said.
Some recent examples of transactions that prompted CFIUS reviews where sensitive data was an issue include:
- China Oceanwide Holdings Group Co. Ltd.'s acquisition of Genworth Financial Inc., which CFIUS approved last year with mitigation, and which received necessary approvals from state regulators but has not yet closed with the deadline extended until Dec. 12.
- Beijing Kunlun Tech Co. Ltd.'s agreement in May to divest from the gay dating app Grindr under orders from CFIUS with a June 2020 deadline, which was a rare example of the committee ordering the unwinding of a completed deal. Kunlun acquired the app, which includes geolocation data and HIV status data, between 2016 and 2018 without submitting an application for review to the panel, according to Reuters.
- CFIUS's demand that Fosun International Ltd. divest from Wright USA, an Ironshore Inc. unit that served federal employees and law enforcement personnel, as a condition of receiving approval for its $1.83 billion bid for full ownership of the private equity-backed property and casualty insurer in 2015. Ironshore ultimately was sold off to Liberty Mutual Holding Co. in 2017.
Under the draft regulations, CFIUS jurisdiction is expanded to include review of not just controlling investments by foreign investors, but also minority, noncontrolling investments in certain businesses that the agencies deem of interest to national security. "It has brought CFIUS more into the mainstream of equity investment than it was when I was in the Treasury Department several years ago," Egan said.
They introduce a mandatory filing requirement for transactions where a foreign government has a "substantial interest" in a foreign entity that acquires a "substantial interest" in a U.S. technology, infrastructure or data business.
|Definition of Sensitive Data Under Draft Rules
A U.S. business that keeps or collects personal information on U.S. citizens would qualify as a technology, infrastructure or data business covered by the FIRRMA if the data includes genetic information; or if the data is in one of 10 categories of identifiable data that can be used to establish a U.S. citizen's identity and the business tailors products or services to the military or sensitive U.S. government agencies or intends to maintain data on more than 1 million individuals.
Categories of data covered by the proposed regulations include PII that could be used to determine financial distress, consumer credit reports, physical health and mental health data, geolocation data, biometric enrollment data and data concerning U.S. government personnel security clearances. Identifiable information includes names, addresses, email addresses, Social Security numbers and phone numbers or other unique identifiers. Genetic information is a separate category.
The rules don't cover data that is a matter of public record such as court records, or data collected by U.S. businesses on its own employees unless they are government contractors holding U.S. government security clearances.
CFIUS lawyers said the new rules under FIRRMA aren't likely to end with a change of administrations, as could be the case with some trade tariff and sanctions-related work. But they expect that some rules would be amended and updated over time as the agencies receive feedback. The sensitive data rules are most likely to be updated regularly because the nature of data and its uses change quickly, said Hanke, who was a staff architect of the legislation as a professional staff member in the U.S. Senate.
The lawyers also said high demand for lawyers with expertise in the formerly niche field probably would continue as a result of increased need to file applications with the committee.
"It is likely that as law firms see more demand, we are going to make sure we have the resources to meet those demands and it seems like there is no sign that demand is going to go down anytime soon," said Egan, who most recently served as a State Department legal adviser in the Obama administration and joined Steptoe in 2017.
Hanke said lawyers with direct experience with CFIUS will have an advantage because the confidentiality rules surrounding the secretive agency mean there is "no book of precedent" and the committee's proceedings are not widely discussed.
"You have to have direct experience to understand the thought processes," he said.
|This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All'Effective Remedy'?: DOJ Unveils Corrective Action Plan in Google Search Monopoly Case
3 minute readFTC Goes After AI Tool That Has Capability to Mass Produce Fake Reviews
6 minute readAgency Leaders Accept They Must Use Existing Law to Regulate Artificial Intelligence
4 minute readTrending Stories
Who Got The Work
Clark Hill members Vincent Roskovensky and Kevin B. Watson have entered appearances for Architectural Steel and Associated Products in a pending environmental lawsuit. The complaint, filed Aug. 27 in Pennsylvania Eastern District Court by Brodsky & Smith on behalf of Hung Trinh, accuses the defendant of discharging polluted stormwater from its steel facility without a permit in violation of the Clean Water Act. The case, assigned to U.S. District Judge Gerald J. Pappert, is 2:24-cv-04490, Trinh v. Architectural Steel And Associated Products, Inc.
Who Got The Work
Michael R. Yellin of Cole Schotz has entered an appearance for S2 d/b/a the Shoe Surgeon, Dominic Chambrone a/k/a Dominic Ciambrone and other defendants in a pending trademark infringement lawsuit. The case, filed July 15 in New York Southern District Court by DLA Piper on behalf of Nike, seeks to enjoin Ciambrone and the other defendants in their attempts to build an 'entire multifaceted' retail empire through their unauthorized use of Nike’s trademark rights. The case, assigned to U.S. District Judge Naomi Reice Buchwald, is 1:24-cv-05307, Nike Inc. v. S2, Inc. et al.
Who Got The Work
Sullivan & Cromwell partner Adam S. Paris has entered an appearance for Orthofix Medical in a pending securities class action arising from a proposed acquisition of SeaSpine by Orthofix. The suit, filed Sept. 6 in California Southern District Court, by Girard Sharp and the Hall Firm, contends that the offering materials and related oral communications contained untrue statements of material fact. According to the complaint, the defendants made a series of misrepresentations about Orthofix’s disclosure controls and internal controls over financial reporting and ethical compliance. The case, assigned to U.S. District Judge Linda Lopez, is 3:24-cv-01593, O'Hara v. Orthofix Medical Inc. et al.
Who Got The Work
Attorneys from Cadwalader, Wickersham & Taft and Pryor Cashman have entered appearances for Diageo Americas Supply d/b/a Ciroc Distilling Co. and Sony Songs, a division of Sony Music Publishing, respectively, in a pending lawsuit. The case was filed Sept. 10 in New York Southern District Court by the Bloom Firm and IP Legal Studio on behalf of Dawn Angelique Richard. The plaintiff, who performed as a member of producer Sean 'Diddy' Combs girl group Danity Kane and later his band, Diddy - Dirty Money, claims that she was financially exploited by Combs and subjected to inhumane working conditions. Among other violations, Richard claims that Combs required group members to remain at his residences and studios, deprived them of adequate food and sleep and forced them to rehearse for 36 to 48 hours without breaks. The case, assigned to U.S. District Judge Katherine Polk Failla, is 1:24-cv-06848, Richard v. Combs et al.
Who Got The Work
Mathilda McGee-Tubb and Kevin M. McGinty of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, as well as Jesse W. Belcher-Timme of Doherty, Wallace, Pillsbury & Murphy, have stepped in to defend Peter Pan Bus Lines in a pending consumer class action. The suit, filed Sept. 4 in Massachusetts District Court by Hackett Feinberg PC and KalielGold PLLC, accuses the defendant of charging undisclosed 'junk fees' on top of ticket prices during checkout. The case, assigned to U.S. District Judge Mark G. Mastroianni, is 3:24-cv-12277, Mulani et al v. Peter Pan Bus Lines, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250