On January 13, 2020, the US Department of Treasury (“Treasury”) issued two final rules (the “Final Rules”) implementing the Foreign Investment Risk Review Modernization Act (“FIRRMA”). The Final Rules expand the jurisdiction of the Committee on Foreign Investment in the United States (“CFIUS”) to review non-controlling foreign investments in a US business involving critical technology, critical infrastructure, or sensitive personal data (a “TID US Business”).
Under the Final Rules, CFIUS may review covered transactions related to any U.S. business that “maintains or collects sensitive personal data of United States citizens that may be exploited in a manner that threatens national security,” which is the third category of a TID US Business.
The term “sensitive personal data” refers to:
(I) “identifiable data” that is maintained or controlled by the U.S. business that
    (1) targets or tailors products or services to certain national security-focused agencies or military departments of the U.S. government with intelligence, national security, or homeland security responsibilities, or to personnel and contractors thereof,
    (2) has maintained or collected identifiable data on greater than one million individuals at any point over a 12-month period, or
    (3) has a demonstrated business objective to maintain or collect any identifiable data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services.
For this purpose, “identifiable data” means any data within 10 specific categories, including financial data, the set of data in a consumer report, the set of data in an application for health insurance, data relating to the physical, mental, or psychological health condition of an individual, non-public electronic communications, geolocation data, biometric enrollment data, data stored and processed for generating a state or federal government identification card, or data concerning U.S. government personnel security clearance status or the set of data in an application for a U.S. government personnel security clearance or an application for employment in a position of public trust.
(II) the results of an individual’s genetic tests, including any related genetic sequencing data, whenever such results constitute identifiable data. Such results do not include data derived from databases maintained by the U.S. government and routinely provided to private parties for purposes of research.
The term “sensitive personal data” does not include (a) data maintained or collected by a U.S. business concerning the employees of that U.S. business, unless the data pertains to employees of U.S. government contractors who hold U.S. government personnel security clearances; or (b) data that is a matter of public record, such as court records or other government records that are generally available to the public.
The Final Rules became effective on February 13, 2020.