In this edition of our Spotlight series, we welcome David Plotinsky to discuss key issues that technology lawyers and professionals should keep in mind regarding tech transactions, foreign investment, and review by the Committee on Foreign Investment in the United States (CFIUS).
David is a partner in Morgan Lewis’s Telecommunications, Media, and Technology practice who advises clients in connection with government national security review processes for foreign investment, including by CFIUS. His practice also focuses on trade, information, and communications technology and services, and critical and emerging technology. In his prior role as the acting chief of the US Department of Justice’s (DOJ) Foreign Investment Review Section, which is housed in the DOJ’s National Security Division, David led the section’s work on cases before CFIUS; cases before the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (CAFPUSTSS, more commonly known as Team Telecom); and compliance and enforcement matters arising from CFIUS and Team Telecom cases.
David, we are excited to welcome you to our Tech & Sourcing blog! CFIUS sounds scary for any tech lawyer, so let’s jump straight to the point. How can a tech lawyer determine whether the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) will apply to their transaction?
First and foremost, if the tech lawyer isn’t also a CFIUS lawyer, he or she should make sure to consult with a colleague who is! Especially since the enactment of FIRRMA, the implementing regulations have become increasingly complex, and transactions need to be closely evaluated to determine whether they fall under CFIUS’s expanded jurisdiction.
A lot of people understand by now that when a foreign company acquires a controlling stake in a US business, that will potentially trigger CFIUS review. But outside the CFIUS bar, there may be less familiarity with the new FIRRMA provisions that extend CFIUS jurisdiction to certain non-controlling but non-passive investments, which may include joint ventures. Especially if your transaction involves critical technology, critical infrastructure, sensitive personal data, or real estate, it will be important to consult with a colleague who can figure out whether FIRRMA applies.
Another important question to answer at the outset is whether, even if CFIUS does have jurisdiction, a filing is voluntary or mandatory. Under FIRRMA, a mandatory filing is required for certain transactions involving critical technology, and for transactions in which certain foreign states have a substantial interest in the acquirer. And if a filing is voluntary, the next step is to determine whether CFIUS is likely to have an interest in the transaction, which would generally indicate that either a full filing or a short-form declaration is prudent to avoid CFIUS potentially pulling in the transaction post-closing—which could be costly, or even catastrophic, for a company.
Certainly for transactions involving high-tension countries, such as China and Russia, a voluntary filing will generally be advisable. That’s not to say a case involving even Chinese investment can’t get cleared by CFIUS—and in fact, at DOJ, my team and I worked on plenty of cases that cleared even with Chinese investment. However, you should certainly anticipate that those transactions may take longer to clear CFIUS—often, they need to be withdrawn and refiled because the 90-day statutory clock runs out—and you should also anticipate fairly stringent mitigation measures, including potentially severe restrictions on governance related to Chinese entities.
In addition, for transactions involving any sort of sensitive personal data—and the bar is pretty low these days for what data is considered sensitive by the US government—it’s likely CFIUS will take an interest in the transaction and that a voluntary filing may be warranted.
What are the key issues that a tech lawyer should know about FIRRMA?
I’m going to start by emphasizing what I noted above: data is a huge deal. I’ve seen a lot of transactions where the company’s actual business wasn’t the issue for CFIUS—it was the data the company incidentally collected in the course of doing its business. So if you’re a tech lawyer, just think of all the types of data your company may collect, and imagine how CFIUS might assess that your data could be exploited by a foreign adversary. Easy example: If you have a tech client, that client may have a mobile app, and if that client has an app, that app probably geolocates. Depending on the size and nature of the client’s customer base, the US government is probably going to be concerned about any possibility that a foreign adversary could track the location of US persons.
Something else to keep an eye on if you’re a tech lawyer: As part of the definition of “critical technology,” FIRRMA included “emerging and foundational technologies controlled under section 1758 of the Export Control Reform Act of 2018.” The Department of Commerce initiated a rulemaking proceeding to identify emerging and foundational technologies, and public comments were due in the fall of 2020—so now that we’re here in 2022, I have to believe that at some point before too long we’ll see what Commerce has come up with, and that will be important both for export control lawyers and for CFIUS lawyers.
Finally, it’s important for a tech lawyer to also think like a compliance lawyer, because in my experience, CFIUS mitigation agreements are becoming increasingly complex. Especially for data cases, but for other types of cases too, in my time leading DOJ’s foreign investment review work, I dealt with many cases for which my team needed to come up with novel, and often complicated, mitigation measures to sufficiently address the national security risk we had identified with a transaction. For a company, signing on to that type of mitigation may very well be worth it in order to close a deal, and that’s fine, but you need to understand—and make your client understand, including at the C-Suite level—what you’re signing up for, so that everyone is prepared to devote the necessary resources toward compliance. Otherwise, your client may wind up being noncompliant, even inadvertently, and then you need to worry about government enforcement actions.
We thank David for sharing his thoughts and insights regarding technology transactions, foreign investment issues, and CFIUS.