On September 15, 2022, President Biden issued the first Presidential Directive to refine the scope of the Committee for Foreign Investment in the United States (“CFIUS”) following the 2018 Foreign Investment Risk Review Modernization Act of 2018. CFIUS is empowered to review business transactions that result in a foreign person having ownership or control rights over U.S. companies. While CFIUS review is a largely voluntary process, it is mandatory when foreign owners or investors may be tied to foreign governments or when a target business is involved with certain critical U.S. technologies. CFIUS may, as a result of its review, take remedial steps to address national security concerns imposed by the transaction, such as imposing mitigation agreements or third-party monitors. CFIUS may also refer the transaction for Presidential review. Ultimately, CFIUS can unwind a business transaction – even years after the closing.
Executive Order 14083 (the “EO”) identifies U.S. technological sectors that deemed fundamental to U.S. national security, including but not limited to microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, climate adaptation technologies, and agricultural security technologies. The EO notably does not expand or constrain the scope of CFIUS’ review authorities. Additionally, it does not change existing CFIUS processes or its legal jurisdiction. Rather, the EO enumerates the national security factors set forth under CFIUS’s authorizing statute, the Defense Production Act of 1950, and orders CFIUS to consider the following for a given transaction:
- Effects on the resilience of critical U.S. supply chains that may have national security implications, including those outside of the defense industrial base.
- Effects on U.S. technological leadership in areas affecting U.S. national security.
- Industry investment trends that may have consequences for a given transaction’s impact on U.S. national security.
- Cybersecurity risks that threaten to impair national security.
- Risks to U.S. persons’ sensitive data.
The EO directs CFIUS to consider not only the specific technological capabilities and/or digital assets of the target U.S. business in a given transaction but also the aggregate business activities of the acquirer. The EO reflects concerns that firms critical to U.S. supply chains may be under foreign ownership. Moreover, the EO reflects concerns that advances in technology, combined with access to large data sets, may enable data holders to de-anonymize or re-identify individuals in what once was unidentifiable data. This concern regarding otherwise innocuous datasets was previously discussed in the first-ever Treasury Conference on CFIUS held in June of 2022.
The EO is broadly applicable to U.S. companies in the technology sector and those companies which collect data from individuals as part of their business practices. These companies should carefully review this Executive Order to determine whether or not to file with CFIUS as part of an investment or M&A transactions with non-U.S. parties. The parties may need to disclose the target company’s current data privacy and security of policies and those policies that will be in place post-closing as part of the filing process.