Dealing with New US Regulations That Sharply Increase the Risk of Investing in Critical Technology

by Donald Gross

Last October, the US Government greatly expanded its protection of critical American technologies by requiring companies that are negotiating foreign investments in technologies controlled by US export laws to report pending transactions to the Committee on Foreign Investment in the United States (CFIUS).

Most companies investing in US technologies don’t realize just how drastic a change this was because they understandably think of an “export” as simply consisting of transporting a product or service overseas so it can be utilized by a customer living there.

The actual definition of an “export” under applicable US law is far broader than that – and violations of the rules can easily trigger investigations and audits, resulting in severe penalties for unwitting foreign companies and investors.

When a US subsidiary or affiliate of a foreign company in the US communicates with an executive of the parent company located overseas, it engages in ”exporting” and can violate US law and regulations by doing any of the following:

• Emailing or faxing software or technical information
• Giving access to software or technical information in file transfer protocol (FTP) sites or other means of shared electronic downloads
• Discussing technical information over the phone
• Engaging in in-person meetings where software or technical information is likely to be discussed
• Discussing or demonstrating technical capabilities during trade shows
• Conducting facility tours or showing video of a facility tour where technical data can be seen or accessed by a company executive based overseas
• Storing technical data on servers or network systems where it can be accessed by parent company executives

If a foreign company from China, Europe or other countries is making a major investment in US critical technologies, it should adopt the prudent approach of planning to institute “safeguards” through a technology control plan that protects the technology under US law. 

Without these safeguards in place, the US Government can impose criminal penalties of up to 20 years imprisonment and $1 million in fines for each violation.  Civil monetary penalties can reach up to $300,000 per violation or twice the value of the transaction, whichever is greater.  Violators can also suffer denial of their export privileges.

Through a technology control plan, companies can establish safeguards that prevent unauthorized access to sensitive technical data by:

• Clearly identifying technology used or created by the target company as well as electronic and physical locations where the technology is maintained
• Determining the export classifications and licensing requirements for all identified technologies
• Securing all technical data so that only authorized company personnel can obtain access
• Creating and disseminating to employees a manual that describes the company’s specific operational controls and procedures for safeguarding, handling and marking sensitive technical data
• Establishing ongoing tracking of access to controlled technology
• Obtaining authorization from the US Commerce Department and US Department of State for any release of controlled technical data to foreign persons
• Ensuring that any departing employees return any technical data before leaving the company and lose access to this data following their departure.

Donald Gross is managing partner of Donald Gross Law and special counsel to VCL Legal in Washington, DC. He provides expert legal advice and assistance to client companies that need to comply with strict CFIUS, export control, sanctions, US Customs and FCPA regulations. He draws on decades of experience in private law practice as well as public service at the US State Department, US Arms Control Agency, and White House national security council.