- Recent DOJ ADA Web Accessibility Guidance Creates Compliance Questions, not Answers
- New Presidential Directive for Foreign Investment Reviews of U.S. Technology and Data Companies
- FTC Launches “Commercial Surveillance and Data Security” Rulemaking
- Cybersecurity Disclosures Required by the SEC’s Recently Proposed Rules
- The Future is Now: Data Subject Requests in 2023
- FTC Scrutinizes Children’s Privacy Issues Involving Education Technology
- Utah Becomes the Fourth State to Enact a Comprehensive Privacy Law
- Courts Requiring General and Professional Liabilities Policies to Respond to Cyberattacks
- The US and EU Announce a New Trans-Atlantic Data Privacy Framework
- BIPA Claims Following the McDonald Decision
- September 2022
- August 2022
- June 2022
- May 2022
- April 2022
- March 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- April 2020
- March 2020
Legal developments in data, privacy, cybersecurity, and other emerging technology issues
On September 15, 2022, President Biden issued the first Presidential Directive to refine the scope of the Committee for Foreign Investment in the United States (“CFIUS”) following the 2018 Foreign Investment Risk Review Modernization Act of 2018. CFIUS is empowered to review business transactions that result in a foreign person having ownership or control rights over U.S. companies. While CFIUS review is a largely voluntary process, it is mandatory when foreign owners or investors may be tied to foreign governments or when a target business is involved with certain critical U.S. technologies. CFIUS may, as a result of its review, take remedial steps to address national security concerns imposed by the transaction, such as imposing mitigation agreements or third-party monitors. CFIUS may also refer the transaction for Presidential review. Ultimately, CFIUS can unwind a business transaction – even years after the closing.
Executive Order 14083 (the “EO”) identifies U.S. technological sectors that deemed fundamental to U.S. national security, including but not limited to microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, climate adaptation technologies, and agricultural security technologies. The EO notably does not expand or constrain the scope of CFIUS’ review authorities. Additionally, it does not change existing CFIUS processes or its legal jurisdiction. Rather, the EO enumerates the national security factors set forth under CFIUS’s authorizing statute, the Defense Production Act of 1950, and orders CFIUS to consider the following for a given transaction:
- Effects on the resilience of critical U.S. supply chains that may have national security implications, including those outside of the defense industrial base.
- Effects on U.S. technological leadership in areas affecting U.S. national security.
- Industry investment trends that may have consequences for a given transaction’s impact on U.S. national security.
- Cybersecurity risks that threaten to impair national security.
- Risks to U.S. persons’ sensitive data.
The EO directs CFIUS to consider not only the specific technological capabilities and/or digital assets of the target U.S. business in a given transaction but also the aggregate business activities of the acquirer. The EO reflects concerns that firms critical to U.S. supply chains may be under foreign ownership. Moreover, the EO reflects concerns that advances in technology, combined with access to large data sets, may enable data holders to de-anonymize or re-identify individuals in what once was unidentifiable data. This concern regarding otherwise innocuous datasets was previously discussed in the first-ever Treasury Conference on CFIUS held in June of 2022.
The EO is broadly applicable to U.S. companies in the technology sector and those companies which collect data from individuals as part of their business practices. These companies should carefully review this Executive Order to determine whether or not to file with CFIUS as part of an investment or M&A transactions with non-U.S. parties. The parties may need to disclose the target company’s current data privacy and security of policies and those policies that will be in place post-closing as part of the filing process.
Angela Gamalski is a regulatory compliance attorney who is a member of the firm’s Corporate Department. She advises firm clients regarding a variety of trade and international regulatory and transactional matters. Her areas of ...