Draft CFIUS Rules on Personal Data Mean 'More Thinking and Planning' for Data Risks

Proposed regulations for national security reviews of deals involving foreign investments in U.S. companies that store large amounts of "sensitive personal data" will likely mean scrutiny of many more transactions than before, lawyers said.

Given the definition of "sensitive data" under the draft rules, insurance companies, especially those insuring government personnel; biotech, health care and health technology companies; and those with data-driven business models are likely to be swept up, experts said. The law expands jurisdiction of the Committee on Foreign Investment in the U.S. over transactions involving businesses with data on individuals that "may be exploited in a manner that threatens to harm national security," according to the text of the draft regulations.

"This will be a big thing for companies that are data-centric," said David Hanke, a partner at Arent Fox in its international trade and national security practice. "More thinking and planning on their part will be needed up-front to understand the potential risks."

The draft rules were issued by the U.S. Department of the Treasury last month as part of a huge package of proposed regulations implementing the Foreign Investment Risk Review Modernization Act, which was enacted last year with bipartisan support in Congress. They expand the scope of reviews by CFIUS, the interagency panel chaired by the Department of the Treasury secretary that examines investment in U.S. companies for potential national security risks, which historically centered mainly on military and strategic-related technologies and infrastructure.

Lawyers said the draft regulations would require companies and their lawyers to think carefully about how to structure deals involving sensitive data, such as whether to allow foreign investors to provide input into certain types of decisions, or to play roles that could trigger CFIUS's jurisdiction, and whether it would be prudent to voluntarily file for a CFIUS review even when one is not mandatory. Agencies such as the Defense and Justice departments increasingly are reviewing deal announcements for potential conflicts, one said.

Brian Egan, a partner at Steptoe & Johnson LLP in Washington, D.C., said, "We are going to see more clients who inadvertently undergo investments where they don't realize this new CFIUS requirement could be triggered. We are going to have more after-the-fact questions from companies that didn't know an investment was within CFIUS's jurisdiction, and just got a letter from CFIUS and ask, 'What do we do?' This will lead to more filings with CFIUS." 

The draft rules were released on Sept. 17 with a shorter-than-usual 30-day comment period during which stakeholders can make written statements about the rulemaking's impact. Final regulations will be issued early next year.

The 300-plus-page document, which had an additional 135-page section on draft rules governing real estate transactions, lays out a definition under FIRRMA of "sensitive personal data," which is different from, but overlaps, personally identifiable information, or PII, referenced in other federal statutes. There are 11 expansive categories of data covered in the regulation.  

But the law is narrowly tailored to cover only transactions with specific features, such as where a foreign person gets a board seat, or is involved in substantive decision-making about how a U.S. company will use the personal data, Hanke said.   

Some recent examples of transactions that prompted CFIUS reviews where sensitive data was an issue include:  

• China Oceanwide Holdings Group Co. Ltd.'s acquisition of Genworth Financial Inc., which CFIUS approved last year with mitigation, and which received necessary approvals from state regulators but has not yet closed with the deadline extended until Dec. 12.
• Beijing Kunlun Tech Co. Ltd.'s agreement in May to divest from the gay dating app Grindr under orders from CFIUS with a June 2020 deadline, which was a rare example of the committee ordering the unwinding of a completed deal. Kunlun acquired the app, which includes geolocation data and HIV status data, between 2016 and 2018 without submitting an application for review to the panel, according to Reuters.
• CFIUS's demand that Fosun International Ltd. divest from Wright USA, an Ironshore Inc. unit that served federal employees and law enforcement personnel, as a condition of receiving approval for its $1.83 billion bid for full ownership of the private equity-backed property and casualty insurer in 2015. Ironshore ultimately was sold off to Liberty Mutual Holding Co. in 2017.

Under the draft regulations, CFIUS jurisdiction is expanded to include review of not just controlling investments by foreign investors, but also minority, noncontrolling investments in certain businesses that the agencies deem of interest to national security. "It has brought CFIUS more into the mainstream of equity investment than it was when I was in the Treasury Department several years ago," Egan said.

They introduce a mandatory filing requirement for transactions where a foreign government has a "substantial interest" in a foreign entity that acquires a "substantial interest" in a U.S. technology, infrastructure or data business.

Definition of Sensitive Data Under Draft Rules

A U.S. business that keeps or collects personal information on U.S. citizens would qualify as a technology, infrastructure or data business covered by the FIRRMA if the data includes genetic information; or if the data is in one of 10 categories of identifiable data that can be used to establish a U.S. citizen's identity and the business tailors products or services to the military or sensitive U.S. government agencies or intends to maintain data on more than 1 million individuals. 

Categories of data covered by the proposed regulations include PII that could be used to determine financial distress, consumer credit reports, physical health and mental health data, geolocation data, biometric enrollment data and data concerning U.S. government personnel security clearances. Identifiable information includes names, addresses, email addresses, Social Security numbers and phone numbers or other unique identifiers. Genetic information is a separate category.

The rules don't cover data that is a matter of public record such as court records, or data collected by U.S. businesses on its own employees unless they are government contractors holding U.S. government security clearances. 

CFIUS lawyers said the new rules under FIRRMA aren't likely to end with a change of administrations, as could be the case with some trade tariff and sanctions-related work. But they expect that some rules would be amended and updated over time as the agencies receive feedback. The sensitive data rules are most likely to be updated regularly because the nature of data and its uses change quickly, said Hanke, who was a staff architect of the legislation as a professional staff member in the U.S. Senate.

The lawyers also said high demand for lawyers with expertise in the formerly niche field probably would continue as a result of increased need to file applications with the committee.

"It is likely that as law firms see more demand, we are going to make sure we have the resources to meet those demands and it seems like there is no sign that demand is going to go down anytime soon," said Egan, who most recently served as a State Department legal adviser in the Obama administration and joined Steptoe in 2017.

Hanke said lawyers with direct experience with CFIUS will have an advantage because the confidentiality rules surrounding the secretive agency mean there is "no book of precedent" and the committee's proceedings are not widely discussed.

"You have to have direct experience to understand the thought processes," he said.