Executive Order Clarifies Focus and Five Factors for Future CFIUS Reviews
President Biden issued Executive Order (EO) 14083 on September 15, 2022, establishing five factors for reviews by the Committee on Foreign Investment in the U.S. (CFIUS), and areas of heightened scrutiny for transactions impacting the U.S. supply chain, cybersecurity, sensitive personal data, agricultural production, and Section 1758 technologies.
Driven by eroding economic and geopolitical conditions, the U.S. and its primary trading partners have continued to expand the regulation of foreign direct investment. EO 14083 and an earlier EO in May both invoked the Defense Production Act (DPA) with resulting foreign direct investment implications.
As background, businesses involved in the U.S. defense industrial base have been protected from foreign direct investment by CFIUS – but changes to U.S. laws and regulations on foreign direct investment have expanded the protections beyond the traditional U.S. defense industry. The Foreign Investment Risk Review Modernization Act (FIRRMA) expanded CFIUS to protect businesses engaged in critical technologies, critical infrastructure, and sensitive personal data. FIRRMA was intended to close gaps in national security review risks and resulted in expanded CFIUS coverage and powers. Subsequent changes to U.S. foreign direct investment regulations have further impacted U.S. businesses engaged in critical technologies, critical infrastructure, and sensitive personal data.
Factors for Review
EO 14083 further advances U.S. foreign direct investment protections by requiring that CFIUS specifically consider five factors in its national security reviews, namely impacts to U.S.:
- Supply chains, including but not limited to the defense industrial base, derived in part from EO 14017 regarding America’s Supply Chains.
- Cybersecurity defenses and protections, both commercial and governmental
- Sensitive personal data of U.S. citizens, including access by foreign actors
- Industry segments from cumulative foreign investments or investment trends
- Technological leadership in microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, climate adaption technologies, and significantly the advanced clean energy, climate adaptation technologies, critical rare earth materials, and significantly – “elements of the agriculture industrial base that have implications for food security” – based on Export Control Reform Act (ECRA) / FIRRMA Section 1758 covered technologies.
New Areas of Impact
Foreign investment trends in U.S. industry segments
EO 14083 references industries and industry segments that “are fundamental to U.S. technological leadership and therefore national security.” Based on guidance in the EO, CFIUS will now be required to assess a covered transaction in the context of other investments in the relevant industry or industry segment. In doing so, CFIUS will likely review proposed transactions in the context of previous cleared and proposed transactions in the same industry segment, in order to determine if collectively the transactions could cumulatively result in the transfer of Section 1758 technologies in key industries or otherwise harm national security. As a result, parties considering a transaction, like CFIUS, will need to take industry trends and transactions into account – not just the specific proposed transaction.
Cybersecurity defenses and protections
The White House has previously emphasized the importance of cybersecurity. And FIRRMA identified “cybersecurity vulnerabilities” as a relevant factor for CFIUS. Now EO 14083 more specifically identifies the nature of vulnerabilities that CFIUS should guard against. Some of these are familiar themes: critical infrastructure (already a prong for CFIUS jurisdiction); the defense industrial base; national security priorities (from EO 14028); and critical energy infrastructure, such as smart grids (similar to the Department of Energy’s “100-day plan”). But the order specifies two new types of intrusions, which may echo news items from recent years. First, CFIUS should consider transactions’ effects in giving a foreign person capability to affect the “confidentiality, integrity, or availability of United States communications.” Second, it should try to foresee activity designed to “interfere with United States elections.” It remains to be seen how broadly those factors could reach. Still, because cybersecurity was already a factor under FIRRMA, it is likely that this specific development represents a refinement, not a sharp change of direction.
Sensitive personal data of U.S. citizens
Under FIRRMA, CFIUS should consider exposure of “personally identifiable information.” But EO 14083 recognizes that “personally identifiable” is a moving target. New technology and more data allow previously anonymous datasets to be de-anonymized. The order also broadens the historical focus on individuals. Instead, it talks about exploiting data to target “individuals or groups” — it even loosens the kind of data to include “data on sub-populations.” If your company keeps data on U.S. individuals or “sub-populations” — however well anonymized — then expect that CFIUS will consider whether your data could be used (including in combination with other data) to undermine national security. Combined with the refined specification of cybersecurity vulnerabilities, this could lead to some previously unexpected decisions by CFIUS.
Agriculture Industrial Base
White House guidance notes the EO does not expand CFIUS jurisdiction and should be read in the context of existing authority. However, the EO expressly included “elements of the agriculture industrial base that have implications for food security” – not otherwise expressly addressed by CFIUS regulation or FIRRMA. Given that CFIUS has already been focused on most of the other factors highlighted in the EO, perhaps the most significant impact of EO 14083 is its implication to the U.S. agriculture industry. It is not surprising that there are national security implications to U.S. food production and supply, particularly based upon recent past shortages and projections of further shortages in the future. What is surprising is that FIRRMA provided for the application of CFIUS to food production via the DPA – as invoked by the recent EO. Nonetheless, the EO specific reference to the “agriculture industrial base” is likely best assessed in the context of pending legislation proposing to address foreign investment in U.S. agriculture.
The proposed Foreign Adversary Risk Management Act (the “FARM” Act) would expand the CFIUS definition of “critical infrastructure” to include agricultural production facilities and real estate, i.e., the U.S. agricultural supply chain. Similar bills, such as, the Food is National Security Act, have been proposed to include U.S. agriculture under CFIUS. The inclusion of “…agriculture industrial base…” in the EO 14083 may be a foreshadowing of the expansion of CFIUS reviews to foreign investment in U.S. agricultural production or products via the FARM Act or otherwise.
Statutory authority for the coverage of the U.S. agriculture industrial base can be derived from CFIUS jurisdiction over “critical infrastructure” created by FIRRMA. Appendix A to the FIRRMA regulations define “Critical Infrastructure” facilities and functions to be “Covered Transactions” under CFIUS. Additionally, Title III of the DPA “allows the President to provide economic incentives to secure domestic industrial capabilities essential to meet national defense and homeland security requirements.” The DPA was invoked by President Biden in May 2022 to addresses the U.S. infant formula shortage, and in EO 14083 to address national security threats to the U.S. supply chain, cybersecurity, sensitive personal data, Section 1758 technologies, and the “agriculture industrial base.” What is not widely known is that U.S. companies can be subject to CFIUS review for a period of 60 months following a presidential evocation of the DPA. FIRRMA Appendix A provides in part “… that has been funded, in whole or in part, by […] (a) Defense Production Act of 1950 Title III program …..” The FIRRMA definition of “covered transactions” also specifically includes “(d) Any other transaction, transfer, agreement, or arrangement, the structure of which is designed or intended to evade or circumvent the application of section 721.”
Concluding Observations
U.S. companies covered by the Defense Production Act are subject to CFIUS review and can remain subject to CFIUS review for a period of 60 months following the receipt of any DPA funding.
EO 14083 reinforces the need for U.S. businesses to be mindful of changes in U.S. regulations applicable to foreign ownership, control, or influence – the need for early diligence of any transaction involving international investment – and to carefully assess the implications of accepting funding under the DPA and jurisdiction of CFIUS beyond the U.S. defense industry.
For more information and other updates and alerts regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point.
David Vance Lucas is a member of Bradley’s Intellectual Property and Cybersecurity and Privacy practice groups and leads the firm’s International and Cross Border team. Much of David’s experience was accumulated as general counsel for a multinational technology company. He now advises both U.S. and foreign clients on the harmonized application of U.S., UK, and European laws, as well as CFIUStication™ of FDI diligence and disclosures.
Andrew Tuggle’s practice focuses on intellectual property, cybersecurity, and international trade. He guides clients through government regulations of cybersecurity, exports, and cross-border transactions. He also helps clients protect their innovations through patents, trademarks, and trade secrets.