New Foreign Investment Restrictions in Tech, Infrastructure and Data

By Nevena Simidjiyska, Co-Chair, International Trade Group at Fox Rothschild LLP

Starting Feb. 13, 2020, U.S. companies in tech, infrastructure and data seeking minority or controlling foreign investment will require approval from the Committee on Foreign Investment in the United States (CFIUS) before closing certain transactions.

The change stems from the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which was signed into law by President Donald Trump in 2018, expanding CFIUS’ jurisdiction to review certain foreign acquisitions of and investments in U.S. businesses on the grounds of national security. On Jan. 13, the U.S. Department of the Treasury issued final regulations to implement FIRRMA (the Regulations). A summary of the new regulations and key takeaways follows.

What U.S. Companies and Foreign Investors Need to Know

Key Takeaways:

  • CFIUS has the authority to review certain minority foreign investments in U.S. businesses in critical technology, critical infrastructure and sensitive personal data of U.S. citizens.
  • Fund managers will have to ensure that their fund documents do not trigger a CFIUS review if they provide foreign limited partners with certain governance rights and access to certain nonpublic information.
  • CFIUS filings are now mandatory for certain foreign acquisitions where a foreign government holds a substantial interest in the foreign party as well as for investments in companies involved in certain critical technology industries.
  • Certain investors from Australia, the United Kingdom and Canada are exempt.
  • Filers will have the option to file a “short form” declaration rather than a full-blown filing for all transactions. CFIUS will review such declarations within 30 days of receipt.
  • CFIUS has authority to review the purchase or lease of certain U.S. real estate by a foreign person.
  • The new Regulations will have a significant impact on investment in large segments of U.S. technology. CFIUS will also require more information in its determination, including the U.S. business’ critical technology, government contracts and data-gathering practices.

Which Foreign Investments Are Covered

CFIUS will continue to have jurisdiction over transactions that could result in foreign “control” of a U.S. business that raise national security concerns. National security continues to be interpreted broadly to include technologies such as semiconductor, AI, biotech, robotics, big data, analytics, and microprocessor technology as well as infrastructure such as systems and assets in the telecommunications, energy, financial services, transportation, water, critical manufacturing and defense industrial sectors.  National security also covers aspects of cybersecurity and even pharmacy and agriculture, among others. As before, national security is not defined and will continue to be a fluid concept determined under the sole discretion of CFIUS. The “control” level authority remains unchanged from CFIUS’ historical jurisdiction.

Under the Regulations, CFIUS now also has jurisdiction to review “covered investments” in any “TID U.S. Business” (short for Technology, Infrastructure and Data). A transaction falls under CFIUS jurisdiction if it satisfies both the “covered investment” and the “TID U.S. Business” prongs.

First Prong: Covered Investments — direct or indirect investment by a foreign person (other than an excepted investor discussed further below) in a TID U.S. Business (as defined below) that could not result in foreign control of the U.S. business, but affords the foreign person any of the following:

  • Access to any material nonpublic technical information in the possession of the TID U.S. Business.
  • Membership or observer rights on the board of directors or equivalent governing body of the TID U.S. Business or the right to nominate an individual to a position on the board of directors or equivalent governing body.
  • Any involvement, other than through voting of shares, in substantive decision-making of the TID U.S. Business regarding either (1) the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens maintained or collected by the TID U.S. Business; (2) the use, development, acquisition, or release of critical technologies; or (3) the management, operation, manufacture, or supply of critical infrastructure.

As such, if a foreign investor acquires a non-controlling interest in a TID U.S. Business but obtains one of the above-listed rights, the investment would be a “covered investment” and may require a CFIUS filing.

Second Prong: TID U.S. Business — a U.S. business that:

  • Produces, designs, tests, manufactures, fabricates or develops one or more critical technologies
  • Performs certain functions with respect to critical infrastructure
  • Maintains or collects, directly or indirectly, sensitive data of U.S. citizens

Critical Technology

Critical Technology includes:

  • Items controlled under the International Traffic in Arms Regulations and included on the United States Munitions List.
  • Certain items controlled under the Export Administration Regulations and included on the Commerce Control List.
  • Certain nuclear-related materials.
  • Select agents and toxins regulated under the Select Agents and Toxins Regulations.
  • Emerging and foundational technologies controlled pursuant to the Export Control Reform Act.

The Department of Commerce will define “emerging and foundational” technologies that constitute “critical technology” pursuant to the Export Control Reform Act (ECRA), and is expected to publish those definitions in the coming weeks.

Critical Infrastructure

The Regulations also grant CFIUS the authority to review non-controlling investments in U.S. businesses that perform specified functions relating to particular categories of critical infrastructure.

The Regulations currently list 28 systems and assets that constitute critical infrastructure.  These include certain internet protocol networks, internet exchange points, submarine cable systems, electric generation and transmission assets, oil refineries and pipelines, LNG terminals, exchanges registered under the Securities Exchange Act, air and maritime ports and public water systems, but more may be added in the future. A full list of the current categories is included below as Schedule II of this alert. The covered functions are generally limited to owning, operating, or manufacturing such critical infrastructure. Therefore, if a U.S. business both performs the identified functions and such functions pertain to critical infrastructure, CFIUS would have jurisdiction to review even non-controlling investments in that U.S. business.  A U.S. business must meet both of these prongs for CFIUS to have jurisdiction to review non-controlling investments in that U.S. business.

Sensitive Personal Data

One of the most important changes under the Regulations is CFIUS’s new authority to review covered investments that relate to U.S. businesses that maintain or collect sensitive personal data of U.S. citizens that may be exploited in a manner that threatens to harm national security.

The Regulations grant CFIUS the authority to review non-controlling investments in U.S. businesses that maintain or collect, directly or indirectly, “sensitive personal data,” which is defined fairly narrowly to include only certain categories of “identifiable data” and the results of an individual’s genetic tests, including any related genetic sequencing data, whenever such results constitute identifiable data. Data derived from databases maintained by the U.S. Government and routinely provided to private parties for purposes of research is excluded.

“Identifiable data” includes “data that can be used to distinguish or trace an individual’s identity, including through the use of any personal identifier.” Identifiable data does not include:

  • Aggregated data or anonymized data (unless a party has the ability to disaggregate or de-anonymize the data, or if the data is otherwise capable of being used to distinguish or trace an individual’s identity).
  • Encrypted data (unless the U.S. business “has the means to de-encrypt the data so as to distinguish or trace an individual’s identity”).

Identifiable data is only deemed to be “sensitive personal data” if it meets both of the following requirements: (1) it falls within one of the ten designated categories of information listed below, and (2) it is maintained or collected by a U.S. business in three specific circumstances listed below:

Categories of Information

  • Financial data that could be used to analyze or determine an individual’s financial distress or hardship.
  • A set of data in a consumer report, as defined pursuant to 15 U.S.C. § 1681a, subject to exceptions.
  • A set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance or life insurance.
  • Data relating to the physical, mental or psychological health condition of an individual.
  • Non-public electronic communications (e.g., email, messaging, chat communications) between or among users of a U.S. business’s products or services if a primary purpose of such product or service is to facilitate third-party user communications.
  • Geolocation data collected by positioning systems, cell phone towers, or WiFi access points (including mobile applications, vehicle GPS, other onboard mapping tools or wearable electronic devices).
  • Biometric enrollment data, including facial, voice, retina/iris and palm/fingerprint templates.
  • Data stored and processed for generating a state or federal government identification card.
  • Data concerning U.S. government personnel security clearance status.
  • A set of data in an application for a U.S. government personnel security clearance or an application for employment in a position of public trust.

Information is Maintained or Collected in One of the Following Circumstances

  • The U.S. business targets or tailors products or services to any U.S. executive branch agency or military department with intelligence, national security or homeland security responsibilities (or personnel and contractors thereof).
  • The U.S. business has maintained or collected covered data on greater than 1 million individuals at any point over the 12 months preceding the earliest of the completion date of the transaction or the date of filing of a written notice or submission or a declaration to CFIUS (unless the U.S. business can demonstrate that at the time of the completion date of the transaction it did not have and will not in the future have the capability to maintain and collect any covered data within one or more of the above categories on more than one million individuals).
  • The U.S. business has demonstrated a business objective to maintain or collect covered data in one or more of the categories listed above on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services.

Importantly, Sensitive Personal Data Does Not Include

  • Data maintained or collected by a U.S. business concerning its employees (unless the data pertains to employees of U.S. government contractors who hold U.S. government personnel security clearances)
  • Data that is a matter of public record (e.g., court records or other government records) that are generally available to the public.

Transactions That Are Exempt From CFIUS Review

The regulations provide the following exemptions from CFIUS jurisdiction:

Excepted Foreign Countries: The regulations incorporate a new exemption for certain investments by individuals or entities from excepted foreign states. Currently, the only excepted foreign states are Australia, Canada and the United Kingdom, based on these countries’ robust intelligence-sharing and defense integration with the U.S. The list will be updated periodically, however, and we do not anticipate significant expansion.

This is an important exception. Its benefits, however, are somewhat limited because it does not apply to traditional control transactions covered by CFIUS. Also, not all foreign parties from these three countries qualify as excepted investors. They must meet certain additional requirements and must not have been subject to any adverse action by CFIUS or certain other U.S. government agencies.

Additional Interest Acquired: If a foreign person or any of its wholly owned subsidiaries previously acquired “control” in a U.S. company and submitted a CFIUS filing that was approved, and such foreign person acquires an additional interest, the additional interest acquisition will not require approval.

Lending Transactions: A loan or a similar financing arrangement by a foreign person does not generally constitute a covered transaction. A loan that provides financial or governance rights characteristic of an equity investment, however, may constitute a covered transaction.

Indirect Investments Through Investment Funds: If a foreign person invests indirectly in a TID U.S. Business through an investment fund that gives the foreign person membership as a limited partner or equivalent on an advisory board or a committee of the fund, that alone will not trigger CFIUS jurisdiction, provided all of the following conditions are met:

  • The fund must be managed exclusively by a general partner, managing member or equivalent (GP) who is not a foreign person.
  • The advisory board or committee must not have the ability to approve or control investment decisions of the fund or decisions made by the GP related to entities in which the fund is invested.
  • The foreign person must not otherwise have the ability to control the investment fund, including authority to approve or control investment decisions of the fund, decisions made by the GP related to entities in which the fund is invested, or dismiss, prevent dismissal of, select or determine the compensation of the GP.
  • The foreign person must not have access to material nonpublic technical information as a result of his/her participation on the advisory board or committee.
  • The investment does not afford the foreign person any rights that trigger a “covered investment.”

Under a currently proposed rule, an organization organized under the laws of a foreign state whose “principal place of business” is in the U.S. is not a foreign entity. The proposed rule defines principal place of business as the primary location where an entity’s management directs, controls or coordinates the entity’s activities, or, in the case of an investment fund, where the fund’s activities and investments are primarily directed, controlled or coordinated by, or on behalf of, the general partner or equivalent. Once implemented, this new definition will help investment funds that are organized abroad but managed by general partners located in the U.S. potentially avoid CFIUS jurisdiction.

CFIUS Filings: Mandatory vs. Voluntary

Mandatory Filings

  • Filings are mandatory in two instances:
    • Foreign Government Substantial Interest – A CFIUS filing will be mandatory for “control” transactions as well as for “covered investments” that involve a “TID U.S. Business” that results in the acquisition of a substantial interest (defined as 25% or greater voting interest) by a foreign person in which a foreign government (other than the U.K., Australia, or Canada) has a substantial interest (defined as 49% or greater voting interest). For funds and partnerships, a foreign government is deemed to have a “substantial interest” if it holds either 49% of the interest in the general partner or has 49% of the limited partner voting interest. If the foreign person, however, has a general partner or equivalent, the foreign government will be considered to have a substantial interest in the entity only if the government holds 49% or more of the interest in the general partner or equivalent.
    • Critical Technology – The regulations implement a modified version of the critical technology Pilot Program that has been in effect since 2018. The Pilot Program granted CFIUS jurisdiction over and mandated a filing for controlling investment as well as minority covered investments in 27 industries that involve critical technology, identified by North American Industry Classification System (NAICS) code. A list of the 27 industries can be found at the bottom of this alert. CFIUS stated, however, that it expects to replace the Pilot Program system based on NAICS code with a system based on export control licensing requirements.
  • Changes in a foreign party’s existing rights can also be subject to CFIUS jurisdiction and may trigger the mandatory filings above.
  • Parties that are subject to the mandatory filing requirement can choose whether to submit a declaration (the shorter filing) or a full notice.
  • Failure to submit a mandatory filing may result in a penalty of up to the greater of $250,000 per violation or the value of the transaction.

Voluntary Filings

  • CFIUS filings remain voluntary in all circumstances other than the foreign government investment and critical technology investments described above.
  • All real estate-related CFIUS filings also remain voluntary (unless they also fall under the foreign government investment or critical technology investment categories above).

Filing Type: Long-Form Notice or Short-Form Declaration

The regulations offer two types of filings for both mandatory and voluntary filings — the full notice filing that has been used historically and a “declaration” filing that is a significantly shorter, much abbreviated version of the full notice filing. Parties can choose which type of filing to submit for both mandatory and voluntary filings.

The advantage of the short form declaration in voluntary filings is that it is much easier to complete and CFIUS will provide a response within 30 days of receiving the declaration. The disadvantage is that CFIUS may choose not to take final action pursuant to a declaration filing or can request a full-blown, standard long-form review. Many Pilot Program declarations filed were pushed into the standard review process, which actually resulted in a longer overall review process. As such, parties with more complex transactions will want to consider filing a notice rather than declaration. The declaration will be best suited for parties with a long history of CFIUS clearances and transactions that are unlikely to trigger national security issues.

The advantage of a full-blown notice is that CFIUS will provide a definitive response. The downside is the amount of time and information that goes into completing the filing and the waiting period of up to 130 days.

Covered Real Estate Transactions

The regulations expand CFIUS’s jurisdiction to include certain “covered real estate transactions” involving:

  • The purchase or lease by, or concession to, a foreign person of “covered real estate,” that affords the foreign person at least three of the following four rights:
    • Physical access to the real property
    • Right to exclude individuals from accessing the real property
    • Right to improve or develop the real property
    • Right to affix structures or objects to the real property
  • A change in the rights that a foreign person has with respect to “covered real estate” in which the foreign person has an ownership or leasehold interest or concession arrangement if that change could result in the foreign person having at least three of the above qualifying property rights
  • Any other transaction, transfer, agreement or arrangement designed or intended to evade or circumvent the application of the CFIUS regulations related to real estate

Assuming the transaction at issue involves “covered real estate,” any combination of three of the foregoing rights is sufficient under the regulations to trigger CFIUS jurisdiction, regardless of whether the rights are exercised (or shared among multiple parties). Moreover, a transaction may qualify as a “covered real estate transaction” even where there is no investment in a U.S. business.

Covered Real Estate includes real estate that is located within, or will function as part of, certain airports or maritime ports, or is located within:

  • Close proximity (i.e., one mile from the outer boundary) of specified military installations, facilities, or properties of the U.S. government set forth in part 1 or part 2 of Schedule III to this alert below
  • Extended range (i.e., 100 miles outward from the outer boundary or, where applicable, located within the limits of the territorial sea of the U.S.) of specified military installations set forth in part 2 of Schedule III to this alert below
  • Any county or other geographic area identified in connection with specified military installations set forth in part 3 of Schedule III to this alert below
  • Any part of the specified military installations set forth in part 4 of Schedule III to this alert below to the extent located within the limits of the territorial sea of the U.S.

Covered Real Estate Transactions Filing Requirements. The regulations do not impose a mandatory filing requirement on covered real estate transactions. As such, CFIUS filings remain voluntary. CFIUS, however, also continues to hold the right to unwind a transaction after closing if it has national security implications and was not submitted to CFIUS for review.

Exceptions to CFIUS Jurisdiction

The regulations incorporate exceptions to CFIUS jurisdiction over covered real estate transactions based on the nationality of the foreign investor and the minimum excepted ownership, consistent with the rules on financial investments described above. The regulations also exempt certain types of real estate transactions that involve urban clusters (with exceptions), single housing units, foreign air carriers, retail or consumer goods and services, commercial space in a multi-unit building if the foreign person holds less than 10% of the square footage of the building and constitutes less than 10% of the tenants in the building, and Alaskan native and American Indian real estate.

Schedules 1-3: Covered Investment Critical Technology, Covered Investment Critical Infrastructure, Covered Real Estate

If you have questions about this alert or how FIRRMA may affect your business, please contact Nevena Simidjiyska at 215.299.2093, Paul Edelberg at 212.878.7911, Elizabeth Hodgson at 610.458.2990, or any member of Fox Rothschild’s International Trade Group.
