In this edition of our Spotlight series, we welcome David Plotinsky to discuss key issues that technology lawyers and professionals should keep in mind regarding tech transactions, foreign investment, and review by the Committee on Foreign Investment in the United States (CFIUS).
David is a partner in Morgan Lewisâs Telecommunications, Media, and Technology practice who advises clients in connection with government national security review processes for foreign investment, including by CFIUS. His practice also focuses on trade, information, and communications technology and services, and critical and emerging technology. In his prior role as the acting chief of the US Department of Justiceâs (DOJ) Foreign Investment Review Section, which is housed in the DOJâs National Security Division, David led the sectionâs work on cases before CFIUS; cases before the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (CAFPUSTSS, more commonly known as Team Telecom); and compliance and enforcement matters arising from CFIUS and Team Telecom cases.
David, we are excited to welcome you to our Tech & Sourcing blog! CFIUS sounds scary for any tech lawyer, so letâs jump straight to the point. How can a tech lawyer determine whether the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) will apply to their transaction?
First and foremost, if the tech lawyer isnât also a CFIUS lawyer, he or she should make sure to consult with a colleague who is! Especially since the enactment of FIRRMA, the implementing regulations have become increasingly complex, and transactions need to be closely evaluated to determine whether they fall under CFIUSâs expanded jurisdiction.
A lot of people understand by now that when a foreign company acquires a controlling stake in a US business, that will potentially trigger CFIUS review. But outside the CFIUS bar, there may be less familiarity with the new FIRRMA provisions that extend CFIUS jurisdiction to certain non-controlling but non-passive investments, which may include joint ventures. Especially if your transaction involves critical technology, critical infrastructure, sensitive personal data, or real estate, it will be important to consult with a colleague who can figure out whether FIRRMA applies.
Another important question to answer at the outset is whether, even if CFIUS does have jurisdiction, a filing is voluntary or mandatory. Under FIRRMA, a mandatory filing is required for certain transactions involving critical technology, and for transactions in which certain foreign states have a substantial interest in the acquirer. And if a filing is voluntary, the next step is to determine whether CFIUS is likely to have an interest in the transaction, which would generally indicate that either a full filing or a short-form declaration is prudent to avoid CFIUS potentially pulling in the transaction post-closingâwhich could be costly, or even catastrophic, for a company.
Certainly for transactions involving high-tension countries, such as China and Russia, a voluntary filing will generally be advisable. Thatâs not to say a case involving even Chinese investment canât get cleared by CFIUSâand in fact, at DOJ, my team and I worked on plenty of cases that cleared even with Chinese investment. However, you should certainly anticipate that those transactions may take longer to clear CFIUSâoften, they need to be withdrawn and refiled because the 90-day statutory clock runs outâand you should also anticipate fairly stringent mitigation measures, including potentially severe restrictions on governance related to Chinese entities.
In addition, for transactions involving any sort of sensitive personal dataâand the bar is pretty low these days for what data is considered sensitive by the US governmentâitâs likely CFIUS will take an interest in the transaction and that a voluntary filing may be warranted.
What are the key issues that a tech lawyer should know about FIRRMA?
Iâm going to start by emphasizing what I noted above: data is a huge deal. Iâve seen a lot of transactions where the companyâs actual business wasnât the issue for CFIUSâit was the data the company incidentally collected in the course of doing its business. So if youâre a tech lawyer, just think of all the types of data your company may collect, and imagine how CFIUS might assess that your data could be exploited by a foreign adversary. Easy example: If you have a tech client, that client may have a mobile app, and if that client has an app, that app probably geolocates. Depending on the size and nature of the clientâs customer base, the US government is probably going to be concerned about any possibility that a foreign adversary could track the location of US persons.
Something else to keep an eye on if youâre a tech lawyer: As part of the definition of âcritical technology,â FIRRMA included âemerging and foundational technologies controlled under section 1758 of the Export Control Reform Act of 2018.â The Department of Commerce initiated a rulemaking proceeding to identify emerging and foundational technologies, and public comments were due in the fall of 2020âso now that weâre here in 2022, I have to believe that at some point before too long weâll see what Commerce has come up with, and that will be important both for export control lawyers and for CFIUS lawyers.
Finally, itâs important for a tech lawyer to also think like a compliance lawyer, because in my experience, CFIUS mitigation agreements are becoming increasingly complex. Especially for data cases, but for other types of cases too, in my time leading DOJâs foreign investment review work, I dealt with many cases for which my team needed to come up with novel, and often complicated, mitigation measures to sufficiently address the national security risk we had identified with a transaction. For a company, signing on to that type of mitigation may very well be worth it in order to close a deal, and thatâs fine, but you need to understandâand make your client understand, including at the C-Suite levelâwhat youâre signing up for, so that everyone is prepared to devote the necessary resources toward compliance. Otherwise, your client may wind up being noncompliant, even inadvertently, and then you need to worry about government enforcement actions.
We thank David for sharing his thoughts and insights regarding technology transactions, foreign investment issues, and CFIUS.
Gloss