The National Security and Investment Bill (the Bill) is currently making its way through the legislative process in the House of Lords. It is not yet in force – however, if enacted in its current form it will be relevant to transactions entered into or otherwise completing on or after 12 November 2020, which could be called-in for review after the new regime enters into force.
The main focus of the Bill is on corporate M&A transactions – certain acquisitions of entities active in 17 “sensitive” sectors (many of which are heavily focused on technology and innovation, such as artificial intelligence, or critical infrastructure / services, such as communications) will require mandatory notification and approval before they can be implemented. Our briefing covering the mandatory notification regime is available here: The UK’s new NSI regime: What do you need to know? There will also be a voluntary notification regime for other types of transactions, which could also be called-in for review if not voluntarily notified. In this briefing, we focus on acquisitions of intangible property (including intellectual property rights licensing transactions), which are among the transactions subject to the voluntary notification regime.
In broadening the application of the new regime to cover acquisitions of rights and interests in intangible property, the Government appears to acknowledge that:
- The traditional view of critical national infrastructure as being only physical infrastructure is outdated.
- Intangible rights may need to be scrutinised from a national security perspective, since licensing arrangements (rather than solely control of votes, shares or material influence in an entity) could give rise to national security risks.
What does this briefing cover?
In this briefing we consider the following in relation to intangible property and the voluntary notification regime:
- The key aspects of the voluntary notification regime in relation to intangible property.
- The “call-in” power.
- What constitutes a “trigger event” in relation to intangible property.
- The scope of a “national security” risk.
- Some examples of in-scope acquisitions of intangible assets.
- The practical application of the voluntary regime.
- Actions businesses should be taking now.
The key aspects of the voluntary notification regime in relation to intangible property
The headline points to note are:
- Acquisitions of rights and interests in certain intellectual property rights (including certain licensing arrangements) will be caught under the voluntary notification regime and may be called-in for review if the Secretary of State considers that the transaction may give rise to a national security risk.
- If the transaction is not voluntarily notified, the Secretary of State could call-in the transaction for review up to five years after completion (or, if earlier, up to six months after they become aware of the transaction).
- The voluntary notification regime is not limited to the 17 sectors expressly caught by the mandatory regime, so the Secretary of State could call-in transactions in other sectors raising potential national security concerns (provided there is a relevant “trigger event”).
- “National security risk” is deliberately undefined to provide the Government with maximum flexibility – the potential breadth of application could create uncertainty and no safe harbours are currently proposed.
- Only time will tell what transactions the Secretary of State is likely to call-in once the Bill is enacted and how this will impact upon transactions concerning intangible assets in practice.
In what follows, we consider some of these aspects in more detail.
The call-in power
As mentioned above (and explained in more detail in our briefing, The UK’s new NSI regime: What do you need to know?), the Bill sets out a mandatory and suspensory notification regime in respect of certain M&A transactions. Even where the mandatory notification regime does not apply, there is a voluntary notification regime and the Secretary of State will be able to call-in relevant transactions where they reasonably suspect that a “trigger event” has given rise to, or may give rise to, a national security risk.
Transactions that are notified (under the mandatory or voluntary regime) will be subject to an initial assessment resulting in the transaction either being cleared or, if there are potential national security concerns, called-in for a full assessment. Transactions within the voluntary regime that are not notified but are nonetheless called-in will proceed straight to a full assessment.
A call-in notice therefore initiates a full national security assessment – which could result in the Secretary of State imposing remedies or even blocking the transaction if national security concerns are ultimately found. The Secretary of State will have the power in this regard to make orders they reasonably consider necessary and proportionate for the purpose of preventing, remedying or mitigating the risk to national security (and will also be able to issue interim orders they reasonably consider necessary and proportionate to prevent or reverse pre-emptive action, or to mitigate its effects, pending the outcome of their review). However, a full assessment could alternatively result in the transaction being cleared without remedies if no concerns are ultimately found.
The types of qualifying trigger events are expansive, and what qualifies as a “national security risk” is undefined and therefore extremely broad. We consider each of these issues in turn.
What constitutes a trigger event in relation to intangible property?
One of the key points to note is the significant expansion of the types of transactions that will be covered by national security reviews:
- Going beyond mergers and acquisitions caught under the existing regime under the Enterprise Act 2002 (which will fall away when the Bill comes into effect), the Bill also captures a wide range of transactions, including the “gaining of control” of intangible assets, namely, “ideas, information or techniques which have industrial, commercial or other economic value, including certain intellectual property rights such as trade secrets, databases, source code, algorithms, formulae, designs, plans drawings and specifications and software”.
- The Bill contemplates not only acquisitions of ownership rights and interests, but also other means of gaining control, such as through licensing arrangements for use (including exploitation, alteration, manipulation, disposal or destruction) or an ability to direct or control how the intangible asset is used by third parties.
- Gaining control will also include scenarios where the acquirer is able to use the asset, or direct or control how it is used, to a greater extent than before the acquisition.
- There are no generally applicable financial thresholds.
- The nexus to the UK is very limited – acquisitions of rights and interests in intangible assets overseas could be subject to the regime if they are used in connection with activities carried on in the UK or the supply of goods or services to persons in the UK.
The new regime will apply to all acquisitions completing on or after 12 November 2020 (the day after publication of the Bill). The policy driver for giving the legislation retrospective effect is to negate the risk of parties pushing through, prior to enactment, transactions that would otherwise be subject to the regime.
As made clear in the Government’s November 2020 response to its 2018 White Paper, the purpose of expanding the regime to the acquisition of assets is to close a loophole that could be otherwise exploited – since parties could seek to acquire an interest in an entity’s national security sensitive asset(s) rather than acquiring votes, shares or material influence in the entity itself.
The scope of a “national security” risk
All transactions captured by the regime are potentially subject to the risk of an order being made imposing remedies where the Secretary of State is satisfied, on the balance of probabilities, that a risk to “national security” has arisen from the relevant trigger event or would arise from the trigger event if carried into effect.
The need for a definition of “national security” (and a proposed draft definition) has been debated in the House of Lords. As noted by Lord Callanan, the Parliamentary Under-Secretary of State, Department for Business, Energy and Industrial Strategy (BEIS) (the department that will be responsible for administering the power), the current draft of the Bill is deliberately vague in its lack of a definition for “national security”:
The Bill does not set out the circumstances in which national security is or may be considered at risk. That reflects long-standing Government policy to ensure that national security powers are sufficiently flexible to protect the nation. National security risks are multi-faceted and constantly evolving. What may not constitute a risk today may do so in future.
The ability of the Secretary of State to safeguard national security would be limited if the Bill set out the circumstances in which national security is, or may be considered to be, at risk. By defining what national security is, we would, of course, also define what it is not. This could have grave implications and deliberately show hostile actors where the Government could not intervene. It would also have unintended consequences for other national security legislation.
Although the Bill provides for the Secretary of State to publish a statement that sets out how the Secretary of State expects to exercise their power to give a call-in notice (and a draft of such a “Statement of Policy Intent” has already been published), the only obligation on the Secretary of State in relation to such statement with respect to a call-in notice is to “have regard” to this.
In other words, the fact that a transaction clearly falls outside the published statement will provide no safe harbour.
Similarly, the voluntary notification regime is not limited to the 17 sectors expressly caught by the mandatory regime. Those sectors are relevant in that they are sectors where the Secretary of State considers that trigger events are more likely to give rise to a risk to national security, but the call-in power is not limited to such sectors, meaning the Secretary of State could call-in transactions in other sectors.
The current draft Statement of Policy Intent suggests that the following are the focus areas for the Secretary of State:
- The target risk – which concerns the nature of the target and whether it is in an area of the economy where the Government considers risks more likely to arise (for example, the 17 mandatory sectors; national infrastructure sectors defined by the Centre for the Protection of National Infrastructure; advanced technology; military and dual-use technologies; and direct suppliers to Government and the Emergency Services).
- The trigger event risk – which concerns the type and level of control being acquired and how this could be used in practice (for example, the ability to corrupt processes or systems, to conduct espionage through unauthorised access to sensitive information or to gain inappropriate leverage through exploitation of investments).
- The acquirer risk – which concerns the national security concerns related to a specific acquirer (for example, where an acquirer has affiliations to hostile parties).
Some examples in-scope acquisitions of intangible assets
Examples of acquisitions of intangible assets contemplated by the Government in its 2018 White Paper and the draft Statement of Policy Intent include:
- Custom or specialist code used to operate data servers for an energy provider – on the basis that this could be manipulated by monitoring or extracting the data on the server, for example, or by deliberately causing the failure of the service on which the energy providers depend;
- Source code of a computer program used by UK air traffic control operators – on the basis that a party that acquires from the licensor the right to access and use this code may be able to identify vulnerabilities in the programs used to monitor and communicate with aircraft in the UK;
- Designs and associated rights in a unique drone technology with a military application; and
- A communications app which may be the sole or a primary reason for a new business existing – given as an example of an asset that may be integral to the activities of a “sensitive entity” (presumably referring to an entity within one of the 17 mandatory sectors).
Although the first three examples set out above have clear relevance to national security, the fourth example is not so clear-cut. While the Government would presumably be concerned about transactions concerning a communications app that could give a third party the ability to intercept communications between, or to harvest personal data in relation to, UK users of the app, this may not be the limit of the Government’s potential concerns.
During Parliamentary debate the Under-Secretary of State for BEIS stated that “sales of software products to consumers by a software company would not be caught by the regime, but – this is important – it would not prevent a transaction involving the software company selling the underlying code base supporting that software to a buyer acting in a professional capacity from the possibility of call-in under the regime, where that might give rise to a national security risk.” If, then, the deliberate intention is that the regime could apply even to transactions concerning the acquisition of control in relation to consumer software, the potential scope of the regime is very broad indeed and raises questions such as to how the acquisition of control in relation to common enterprise software would be treated under the regime if that software is being used within UK Government, for example.
The practical application of the voluntary regime
The Secretary of State will be able to exercise their call-in power no later than five years after the relevant trigger event takes place or (if earlier) no later than six months after they become aware of the trigger event. The draft Statement of Policy Intent indicates that coverage of the transaction in a national news publication may be sufficient for the Secretary of State to be deemed to have notice.
A seller or acquirer can notify the Secretary of State about a trigger event. If the notification meets the requirements as to sufficiency and form, once accepted, this will trigger a 30 working day review period in which the Secretary of State must either:
- Issue a “call-in” notice if the Secretary of State reasonably suspects that the trigger event has given rise to, or may give rise to, a national security risk – the transaction will then proceed to a full national security assessment lasting another 30 working days but extendable by a further 45 working days and such voluntary period the parties agree; or
- Clear the transaction to proceed by notifying each relevant person that no further action will be taken.
Ostensibly, the incentive for making a voluntary notice is for parties to gain certainty that a transaction will not be called-in for review, potentially many months or even years after the relevant trigger event, and national security orders imposed – which could be particularly disruptive given the lapse of time.
BEIS has stated that it believes that there will be around 1,000 to 1,830 transactions notified each year, with 70 to 95 transactions called-in for a full national security assessment. However, we think the number of transactions notified and reviewed could be significantly higher, given the broad scope of the new regime and the risks related to transactions being called-in after completion.
The types of orders and remedies available are not specified in the Bill in its current form and, if imposed, are therefore likely to broad ranging. The Government’s response to the 2018 White Paper indicates that likely remedies are those contemplated in the White Paper, i.e. remedies such as imposing restrictions on access to confidential information, intellectual property transfer, compliance and monitoring, staff and (as a last resort) unwinding of the relevant transaction. Clearly any of these remedies could have significant adverse commercial and legal implications for the parties involved, as well as on others in any supply chain dependent on them.
Actions businesses should be taking now
It remains to be seen how the enactment of the Bill will play out in respect of intangible asset transactions. It is anticipated that the Government will be more likely to intervene in a broad range of transactions under the new regime than has been the case under the existing national security provisions in the Enterprise Act 2002.
The Government is clearly attuned to the role that intangible assets could play in national security risks in the future. That is apparent from recent reports of enforcement notices being sent to UK academics for breaches of separate legislation (the Export Control Order 2008 (as amended)) for alleged unlicensed export of security sensitive intellectual property rights to China.
What does this mean for businesses? Parties entering into applicable transactions in respect of intangible property should consider whether their transaction is at risk of a call-in. Given the new regime will apply to transactions on or after 12 November 2020, parties should already be considering this. This assessment may not be clear-cut, and will require legal advice based on the particular scenario.
If there is such a risk of call-in, the affected parties may need to take a number of steps. Depending on the facts, and subject to appropriate legal advice, these may include:
- Contractually documenting how the risk will be addressed by them (for example, contractual conditions precedent/subsequent, notification and co-operation obligations, etc).
- Making a voluntary notification to ensure that the risk is mitigated.
- Providing for what is to happen commercially, operationally and contractually (to the extent permitted by law) if the transaction is impacted by orders or remedies under the Bill.