Law & Business Blog

Dealing with New US Regulations That Sharply Increase
the Risk of Investing in Critical Technology

by Donald Gross

Last October, the US Government greatly expanded its protection of critical American technologies by requiring companies that are negotiating foreign investments in technologies controlled by US export laws to report pending transactions to the Committee on Foreign Investment in the United States (CFIUS).

Most companies investing in US technologies don’t realize just how drastic a change this was because they understandably think of an “export” as simply consisting of transporting a product or service overseas so it can be utilized by a customer living there.

The actual definition of an “export” under applicable US law is far broader than that – and violations of the rules can easily trigger investigations and audits, resulting in severe penalties for unwitting foreign companies and investors.

When a US subsidiary or affiliate of a foreign company in the US communicates with an executive of the parent company located overseas, it engages in ”exporting” and can violate US law and regulations by doing any of the following:

  • Emailing or faxing software or technical information
  • Giving access to software or technical information in file transfer protocol (FTP) sites or other means of shared electronic downloads
  • Discussing technical information over the phone
  • Engaging in in-person meetings where software or technical information is likely to be discussed
  • Discussing or demonstrating technical capabilities during trade shows
  • Conducting facility tours or showing video of a facility tour where technical data can be seen or accessed by a company executive based overseas
  • Storing technical data on servers or network systems where it can be accessed by parent company executives

If a foreign company from China, Europe or other countries is making a major investment in US critical technologies, it should adopt the prudent approach of planning to institute “safeguards” through a technology control plan that protects the technology under US law. 

Without these safeguards in place, the US Government can impose criminal penalties of up to 20 years imprisonment and $1 million in fines for each violation.  Civil monetary penalties can reach up to $300,000 per violation or twice the value of the transaction, whichever is greater.  Violators can also suffer denial of their export privileges.

Through a technology control plan, companies can establish safeguards that prevent unauthorized access to sensitive technical data by:

  • Clearly identifying technology used or created by the target company as well as electronic and physical locations where the technology is maintained
  • Determining the export classifications and licensing requirements for all identified technologies
  • Securing all technical data so that only authorized company personnel can obtain access
  • Creating and disseminating to employees a manual that describes the company’s specific operational controls and procedures for safeguarding, handling and marking sensitive technical data
  • Establishing ongoing tracking of access to controlled technology
  • Obtaining authorization from the US Commerce Department and US Department of State for any release of controlled technical data to foreign persons
  • Ensuring that any departing employees return any technical data before leaving the company and lose access to this data following their departure.

Donald Gross is managing partner of Donald Gross Law and special counsel to VCL Legal in Washington, DC. He provides expert legal advice and assistance to client companies that need to comply with strict CFIUS, export control, sanctions, US Customs and FCPA regulations. He draws on decades of experience in private law practice as well as public service at the US State Department, US Arms Control Agency, and White House national security council.

Biden Administration Likely to Support CFIUS Notification of Foreign Investment
in Critical Technologies 

by Donald Gross

The incoming Biden-Harris administration is highly likely to keep in force a recent Treasury Department rule requiring parties that are negotiating foreign investments in any “critical technology” controlled by US export control laws or regulations to report pending transactions to the Committee on Foreign Investment in the United States (CFIUS).

The new rule significantly increases the number of companies across a full range of industries which will be scrutinized by CFIUS and are subject to investigation for their technology transactions – in the fields of biotechnology, life sciences, pharmaceuticals, artificial intelligence, microprocessors, quantum computing, robotics and advanced surveillance technologies, among others.

Until the new rule became effective on October 15, 2020, mandatory filings with CFIUS were required for only two types of narrower transactions.  The first such transaction occurs when a foreign government obtains  a “substantial interest” in a US “Technology, Infrastructure or Data” (TID) business – based on a “foreign person” acquiring a 25 percent or greater voting interest directly or indirectly in a US business where theforeign governmentin turn holds a 49 percent or greater voting interest, directly or indirectly, in that foreign person.

The second type of transaction in which a mandatory CFIUS notification has been required is a foreign investment in companies that produce, design, test or manufacture “critical technologies” if the foreign investor obtains 1) “control” of the US business; 2) any significant governance rights; or 3) business information rights. However, this mandatory notification requirement is only triggered if the technology is used or designed for use  in one of 27 specific industries.

The new rule announced on October 15, 2020 calls for mandatory notification to CFIUS of any investment in a US company involving the development, testing, production or use of any technology which needs a license to export.  Importantly, foreign investors in this controlled technology must notify CFIUS if the foreign investment they seek meets or exceeds the 25 percent voting interest threshold.

The term “export”, for purposes of the rule, includes any sharing of information about the technology with a person who is not a US citizen or US  permanent resident – regardless of whether the technology is ever actually transferred to another country.  

The new Treasury approach is a mechanism for implementing two laws passed with broad bipartisan support to protect sensitive US technology from acquisition by potential adversaries: the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) and the Export Control Reform Act of 2018 (ECRA).

The final rule became effective on the same day the Trump administration released its “National Strategy for Critical and Emerging Technologies” which laid out a comprehensive approach for closely monitoring the possible transfer to other countries of cutting-edge technologies that have military or security applications while simultaneously protecting US global technological leadership in a variety of industries.

The Biden-Harris campaign laid out its stance on this issue when it pledged to “take aggressive trade enforcement actions” in a document titled The Biden Plan to Secure the Future is ‘Made in All of America’ by All of America’s Workers:  “From cyberattacks to forced technology transfer to talent acquisition, American ingenuity and taxpayer investments are too often fueling the advances in other nations.”

For parties making investments in a US technology business, it is now essential to determine the export control status of all products, technology and software that are developed or manufactured by that US business. This entails a process of assessing the potential end-users of the technology, ascertaining the applicable licensing requirements, and conducting an export control review.

The assessment process must occur prior to 1) completing the investment transaction, 2) executing a binding written agreement which describes material terms of the transaction, 3) making a public offer to buy shares of a US business or 4) soliciting shareholder proxies for an election to the Board of Directors – whichever is earliest.

It is also necessary to check possible exceptions that would allow sharing information about critical technology with a foreign investor. Exceptions exist if the technology is encrypted, broadly available, or destined for certain allies of the United States – at present, Australia, Canada and the United Kingdom.  If any of these exceptions apply, parties to the investment transaction are not subject to the mandatory CFIUS notice requirement.

The new Treasury rule clearly increases the burden on parties that are negotiating foreign investments in US “critical technology” to exercise the utmost due diligence to ensure they’re cognizant of whether the technology is controlled by the US Government.

Nearly all corporate transactions with foreign investors deserve to undergo CFIUS risk analysis to establish whether the transaction requires a mandatory CFIUS filing and whether CFIUS is likely to investigate.

Taking this prudent approach is far better than simply accepting a high degree of risk that CFIUS or other US export control agencies will impose serious penalties on companies for their violations. Criminal penalties can include up to 20 years of imprisonment and up to $1 million in fines for each violation.  Civil monetary penalties can reach up to $300,000 per violation or twice the value of the transaction, whichever is greater.  Violators can also suffer denial of their export privileges.

Isn’t It Time For Your Business To Get A Legal Check-Up?

by Donald Gross

No matter how successful your business is, it’s a serious mistake to neglect getting a regular legal check-up.

Arrangements that made sense in the past are often no longer optimal for your current operations and they may run afoul of federal, state and local laws and regulations that have changed since the days your company was founded.

After a legal check-up and assessment, you’ll have a far better idea whether specific contracts still make sense – or whether they need to be modified, renegotiated, shortened, extended or terminated to better meet your business needs. 

The advantages to you as a business person are numerous – improving your company’s bottom line, avoiding expensive lawsuits resulting from contractual obligations that conflict with your business objectives, and ensuring your business has the licenses, permits and approvals it needs to stay in full compliance with federal, state and local requirements.

Elements of Your Business that Need a Legal Check-Up  

A comprehensive check-up covers the full legal framework of your business, including the specific areas described below.  Of course, you may want the check-up to focus on just some of the areas about which you have special concerns.  

Legal structure – Should the legal entities your company originally put in place be streamlined, expanded or simplified to facilitate business operations and reduce the risk of liability in the event of a lawsuit?  

General contract provisions – Do your company’s contracts adequately protect confidential information, allow resolution of disputes through mediation or arbitration, clearly identify the rights and responsibilities of the parties, enable your company to extend or shorten the contract term, clarify the legal jurisdiction governing the contract, and enable your company to end the contract, should that become necessary?  

Preventing lawsuits and protecting against liabilities –  Are there “blind spots” or ambiguous provisions in contracts that need to be eliminated or clarified in order to significantly reduce the chance of lawsuits that could expose executives to personal liability?  

Employment agreements – Do your existing agreements reflect the employee’s current role, ensure full compliance with internal company employment policies, and minimize the risk of disputes?

Business consultants and service firms – Do your contracts with consultants and service firms meet your current needs – or should they be modified, upgraded or terminated?

Commercial real estate leases – Are your commercial leases for office, manufacturing, warehousing or retail space fully aligned with your current and projected business needs?

Equipment leases – Does it make sense to renegotiate and improve the terms of your equipment leases to upgrade your operations and achieve cost savings before an automatic renewal kicks in?

Software licenses – Do your software licenses include the latest devices and technologies relevant to your business or do they need to be modified or replaced and their coverage improved? 

Long-term agreements – Has the performance of parties under long-term agreements met all contractual obligations or do the agreements need to be revised to establish new performance milestones?

Inferior performance – If you’ve become dissatisfied with the performance of certain parties, do their shortcomings constitute breach of contract that would establish grounds for termination or a lawsuit?

Licenses and permits –  Does your company have all the licenses and permits it needs to fully comply with federal, state and local laws and regulations – or are there gaps in licensing and permitting that need to be filled?  


It’s tempting to put off a legal check-up until your company is on the receiving end of a lawsuit or you discover that contracts have locked your company into a highly disadvantageous business situation or you realize that once healthy contractual relationships are now preventing you from achieving important business objectives.  

The goal of a legal check-up is to identify problems and implement solutions well before your company operations are negatively impacted by costly legal issues, another party’s shortcomings or contractual disputes.   

If your company is interested, we’re happy to provide you with the knowledge you need to move forward – just contact us for a consultation!

Don has served as an analyst and commentator for:

a Free Consultation