• China’s investment in targets controlled by third country can be captured under EO
• EO expands CFIUS’s definition of sensitive personal data
• A deal could simultaneously trigger CFIUS and the EO
• Healthcare deals come under the spotlight
• Data transfer restrictions increase workload for companies, investors

The new Executive Order (EO) signed by US President Biden on 28 February aiming to prevent the bulk transfer of sensitive personal data of US citizens to countries of concern could extend regulatory scrutiny of Chinese investment in the US beyond the Committee on Foreign Investments in the US (CFIUS), China-based lawyers told this news service.

Mergers, acquisitions and stake investments (both controlling and noncontrolling) by Chinese companies and their overseas subsidiaries with US companies are all likely to be captured under the new regulatory regime so long as there exists a possibility that the Chinese entity will gain access to sensitive personal data of US citizens, they said.

Under the new framework, sensitive personal data or “covered data” includes geolocation, biometric, health, human ‘omic and financial information, as well as personal identifiers, according to an advanced notice of proposed rulemaking (ANPRM) published by the Department of Justice (DoJ) following the EO.

The EO is expected to have a bearing on China’s outbound investment in the US in a wide range of sectors including TMT (technology, media and telecommunications), artificial intelligence, mapping and navigation, autonomous driving and intelligent vehicles, healthcare, cloud computing (including infrastructure-as-a-Service, Platform-as-a-Service, or Software-as-a-Service), network infrastructure, among others, due to their involvement in sensitive personal data, said Aaron Zhou, partner at Han Kun Law Offices, who specializes in cross-border M&A transactions and pharmaceutical/healthcare-related transactions.

Contractual arrangements in investment agreements where the Chinese party explicitly agrees not to access the data obtained by the US party would not exempt deals from being covered by the EO, said Rachel Li, equity partner at Zhong Lun Law Firm, who specializes in China-related cross-border M&A transactions and data compliance, citing the ANPRM.

Furthermore, Chinese outbound investment in a US company ultimately controlled by a third country could also fall within the EO’s influence in the event the target obtains bulk US-sensitive personal data, Li noted.

The EO will cover deals by Chinese entities that are 50% or more directly or indirectly owned by Chinese companies, said Menghao Dai, a partner at King & Wood Mallesons specializing in export control and economic sanctions. The 50% threshold is less strict than the 25% threshold on a similar concept of “foreign entity of concern” in other US legislation, such as the proposed interpretive rule released by the Department of Energy “Interpretation of Foreign Entity of Concern”, which provides a clearer interpretation of the concept used in the Inflation Reduction Act (that refers to the Bipartisan Infrastructure Law’s definition for “foreign entity of concern”) and The CHIPS and Science Act, Dai said, although it remains subject to future adjustments by the DoJ.

Passive investments such as purchasing publicly trading securities, investment in index funds, mutual funds, exchange-traded funds, and pure capital contribution as a limited partner to a pooled investment fund could be excluded from the regulatory regime, as per the ANPRM. Investments that give the Chinese company less than a de minimis threshold (yet to be determined by DoJ) in total voting and equity interests in a US company, and that do not give the Chinese company rights beyond standard minority shareholder protections also have a chance to be excluded, the ANPRM reads.

After the EO, the DoJ will publish a proposed rule within 180 days while soliciting one or two rounds of public comment, Dai said. The program will not come into force until the effective date set in the final rule and will not apply retroactively, the ANPRM reads.

Acquisitions of US companies by Chinese buyers saw a five-year peak in 2021, but have dropped precipitously since then.

Source: Dealogic

Broader than CFIUS

The new regulatory regime will function differently from a CFIUS review, Li at Zhong Lun noted. It will be a set of requirements, which deal parties are obliged to comply with, instead of the case-by-case review approach taken by CFIUS, Li added. Although certain transactions can be permitted to proceed based on general or specific licenses issued by DoJ, the ANPRM reads.

Notably, the US government has already started to assess national security risks related to foreign access to US sensitive personal data brought about via transactions in the Foreign Investment Risk Review Modernization Act (FIRRMA) reform to CFIUS in 2018, as reported. There is a mandatory notification of acquisitions of businesses involved in critical technologies, critical infrastructure, or sensitive personal data. Notification can be made through a short-form declaration or a full-fledged notice.

Source: CFIUS 2022 Annual Report to Congress; Buyers from Hong Kong and China; Covers Congressional Year, running from September to August

A deal could simultaneously trigger compliance obligations under both the EO and the CFIUS regime, lawyers said. According to the ANPRM, the DoJ will cede jurisdiction on the new regulatory regime only if CFIUS initiates a formal review and imposes mitigating measures, Zhou at Han Kun noted.

However, the EO and ANPRM’s regulatory regime will cover a broader range of investment agreements, especially considering that the EO expands the definition of sensitive personal data ironed out by the CFIUS regulations. And it would impose additional regulatory requirements and restrictions on top of CFIUS for certain cases, Zhou said.

The EO’s scope of “human ‘omic data” is likely to go beyond human genetic data, which is CFIUS’s current definition, to include other medical profile data such as epigenomic data, proteomic data, transcriptomic data, microbiomic data, and metabolomic data. The bulk threshold on the volume of sensitive personal data contemplated by the DoJ also might go below the one million individuals standard for CFIUS to as low as 100 individuals or 1000 individuals for certain categories of sensitive data, an article by Linklaters pointed out.

As for sectoral focus, the CFIUS reviews have been focused on the financing, information and services industries in past years, based on an analysis of CFIUS’s annual reports. But, after the implementation of the EO, investment by Chinse enterprises in the US healthcare sector is expected to capture increasing regulatory interest from the US authorities, Zhou at Han Kun cautioned.

Licensing deals, especially license-in deals and collaborations in the healthcare sector might be subject to regulations under the EO and ANPRM, since there may be outbound transfer of sensitive personal data of US citizens to China in certain scenarios such as clinical trials and pharmacovigilance, Zhou analyzed.

A US-based CFIUS lawyer said that the EO of 28 February is a continuation of a series of regulatory measures by the Biden administration to curtail US mergers with China. But its actual implementation and range of impact could be influenced by the US presidential election later this year, he said.

If President Biden is reelected, it will be business as usual and at least some sense of predictability, the US lawyer said. Donald Trump is a wildcard and if he succeeds in winning another term, all bets are off on what the relationship between the US and China will look like and be like.

The new EO’s impact is broad, Li at Zhong Lun said, but this does not mean deals are completely infeasible. Deal parties can implement compliance and auditing programs to meet the regulatory requirements, Li said. There is “no need to panic now”, she said, noting the regulations are still in the drafting stage and may be subject to further changes.

Data dilemma

In recent years, sensitive data and the potential harm to national security is a theme echoed by both China and US, evident by the US scrutiny of Chinese companies such as Bytedance’s TikTok, Tencent’s WeChat, and surveillance camera-maker Hikvision, and China’s enforcement actions related to Didi Global’s US listing and the promulgation of a series of rules to regulate outbound data transfers.

In addition to M&A deals, the EO will also have a significant impact on the daily operation of multinationals. Autonomous driving start-ups and life sciences companies are among the most concerned, Dai with KWM said. Some Chinese pharmaceutical companies rely on purchasing clinical data from US data brokers for research and development of new drugs and medical devices, and this business practice could be constrained by the EO, he said.

Data transfer restrictions and concerns in both China and the US have made cross-border data transfer arrangements increasingly challenging, said Kai Zhan, international partner at Yuanda Winston, who specializes in export control and data compliance. Chinese companies who wish to explore the US market are left with no choice but to set up overseas data centers and regional headquarters and to separate domestic from overseas operations, Zhan said. But whether the US government’s concerns could be assuaged by such a separation arrangement remains questionable, Dai said.

After all, a bilateral mechanism of data transfer relies on a certain degree of mutual trust between governments, Zhan said.

Lacking which, it will be more difficult than ever for companies to design and build a data governance structure that makes business sense and provides a level of comfort for both governments, he said.