Published on:

CFIUS and Critical Technologies: Implications for the Biotechnology and Life Sciences Sector

The COVID-19 pandemic has generated a renewed focus on biotechnology and life sciences companies. Non-U.S. investors need to be aware of the potential that the Committee on Foreign Investment in the United States (CFIUS) may have jurisdiction to review, and possibly disallow certain investments in U.S. companies. In particular, new rules enacted this year expand CFIUS jurisdiction to include non-controlling investments in certain U.S. businesses dealing in “critical technologies,” which includes certain products and technologies in the biotechnology sector. Moreover, the COVID-19 pandemic has resulted in the expansion of biotech-type businesses that might be considered sensitive from a national security perspective even if they do not rise to the level of “critical technologies,” which could trigger mandatory CFIUS filings. CFIUS risk assessments will be an important part of any transaction involving foreign investors in the biotech sector.

What is CFIUS?
CFIUS is the U.S. interagency committee responsible for reviewing acquisitions and investments in U.S. businesses by non-U.S. entities or persons for their potential impact on national security. CFIUS jurisdiction has historically been limited to transactions in which a non-U.S. entity or person obtains “control” over a “U.S. business.” However, new CFIUS rules effective February 13, 2020, permanently expanded CFIUS jurisdiction to include certain non-controlling investments involving U.S. businesses that:

  • Produce, design, test, manufacture, fabricate or develop “critical technologies”;
  • Own, operate, manufacture, supply, or service “critical infrastructure”; or
  • Maintain or collect “sensitive personal data” of U.S. citizens that may be exploited in a manner that threatens national security.

CFIUS refers to such businesses as “TID U.S. Businesses” (Critical Technologies, Critical Infrastructure, and Sensitive Personal Data).

Critical Technologies Explained
Critical technologies include, among other things, (i) export controlled items under the International Traffic in Arms Regulations (ITAR), (ii) export controlled items under the Export Administration Regulations (EAR) that are controlled for reasons relating to national security, chemical and biological weapons proliferation, and regional stability, amongst other reasons, (iii) certain agents and toxins covered by the Select Agents Regulations, and (iv) emerging and foundational technologies that are controlled under section 1758 of the Export Control Reform Act of 2018 (ECRA).

Emerging and foundational technologies have not yet been defined, but will be determined by an interagency process. This process will consider both public and classified information, as well as information from the Emerging Technology Technical Advisory Committee and CFIUS. Once identified, controlled technologies may include certain items falling within the categories of biotechnology, including nanobiology, synthetic biology, genomic and genetic engineering, and neurotechnology; artificial intelligence and machine learning technology; quantum information and sensing technology; 3D printing; and robotics. Under ECRA, emerging and foundational technologies are those that are essential to U.S. national security.

Many pathogens, toxins and biological processing equipment are export controlled under the EAR and are thus considered “critical technologies.” This includes certain:

  • Human and animal pathogens and toxins, including bacteria, viruses and fungi;
  • Biological processing equipment, such as fermenters, centrifugal separators, protective equipment (but not latex gloves and surgical masks), bioreactors and crossflow filtration equipment;
  • Toxins; and
  • Genetic elements and genetically modified organisms.

The Commerce Department has provided guidance stating that the SARS-CoV-2 virus, the underlying virus that causes COVID-19, is not export-controlled under the EAR. However, SARS-CoV pathogens, which bear a genetic similarity to the virus that causes COVID-19, are export-controlled and companies that test them may be “TID U.S. Businesses.”

Critical Infrastructure
CFIUS outlines 28 categories of critical infrastructure and the related “functions” for each type of infrastructure. Examples include certain aspects of telecommunications, data centers, manufacturers of chemical weapons antidotes, and airports and maritime ports. This category of “TID U.S. Business” is less likely to be of concern to biotechnology companies.

Sensitive Personal Data
“Sensitive personal data” refers to identifiable data that is maintained or collected by a U.S. business on greater than one million U.S. citizens at any point in the preceding year, in one of several categories, including but not limited to:

  • Data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance;
  • Data relating to the physical, mental or psychological health condition of an individual;
  • The results of an individual’s genetic tests, including any related genetic sequencing data, whenever such results constitute identifiable data;
  • Biometric enrollment data including facial, voice, retina/iris, and palm/fingerprint templates; and
  • Geolocation data collected using positioning systems, cell phone towers, or WiFi access points such as via a mobile application, a vehicle GPS, another onboard mapping tool, or a wearable electronic device.

Consequently, many U.S. biotech companies may be “TID U.S. Businesses” due to their maintaining or collecting “sensitive personal data” of U.S. citizens. In 2019, CFIUS forced a Chinese owner to divest its majority interest in a Massachusetts-based health tech startup, PatientsLikeMe, due to concerns that the company had maintained health care data on U.S. citizens.

CFIUS Implications
Many U.S. biotech companies are “TID U.S. Businesses” either because they are involved in “critical technologies” or because they maintain or collect “sensitive personal data” of U.S. citizens. Foreign investors should keep these rules in mind when contemplating investments in U.S. biotech companies.

Although filing with CFIUS is typically voluntary, there is a mandatory filing requirement if the U.S. business’ critical technology is used in or designed specifically for certain industries identified by their North American Industry Classification System code, including Research and Development in Biotechnology (except Nanobiotechnology): NAICS Code 541714. New mandatory filing requirements also exist for certain investments by foreign state-owned investors in a “TID U.S. Business.”

Regardless of whether a company is considered a “TID U.S. Business,” acquisitions of controlling interests in biotech companies should be examined to determine whether a voluntary CFIUS filing is advisable.

CFIUS may appear daunting to investors who have not gone through the review process before. In particular, investors in the biotechnology sector should be aware of the new rules expanding CFIUS jurisdiction to include non-controlling investments that previously were not subject to review. Our CFIUS and transactional lawyers regularly assist clients with navigating the CFIUS process, while structuring the transaction to maximize the deal objectives.