Treasury Releases Proposed FIRRMA Regulations
The Treasury Department released its proposed regulations for the Foreign Investment Risk Review Modernization Act of 2018, granting expanded authorities to the Committee on Foreign Investment in the United States, Treasury said in a Sept. 17 press release.
Treasury also released a fact sheet and a set of frequently asked questions to go along with the regulations, which are split into two parts. The first part introduces regulations that would implement FIRRMA’s changes to CFIUS’s jurisdiction “with respect to transactions that could result in foreign control of any U.S. business.” The second part covers new authority by CFIUS to review certain U.S. real estate transactions. Public comments on the regulations are due Oct. 17, and the final regulations will take effect no later than Feb. 13, 2020, Treasury said.
The fact sheet covers the changes proposed under the regulations, including an expansion of CFIUS’s jurisdiction to cover foreign investment transactions and which types of investments can be reviewed.
The regulations allow CFIUS to review investments related to U.S. businesses that are involved with “critical technologies, critical infrastructure or sensitive personal data.” The regulations define critical technologies as items subject to U.S. export controls, including items subject to not-yet-released controls on emerging and foundational technologies. The regulations also allow CFIUS to review transactions related to businesses that perform “specific functions ... with respect to critical infrastructure across subsectors,” including in the fields of “telecommunications, utilities, energy and transportation.”
CFIUS may also review transactions of businesses that maintain “sensitive personal data” of U.S. citizens “that may be exploited in a manner that threatens national security.” The proposed rule, mindful of national security as well as the potential for a "chilling effect" on beneficial foreign investment, focuses on the data sensitivity, and identifies specific “sensitive personal data” only if the U.S. business targets products or services to “sensitive populations,” such as military members or certain federal government workers; maintains or collects such data on at least 1 million people; or has a “demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services.” The categories of data covered include financial, geolocation, health data, genetic information and others, the regulations say.