What Changes to Foreign Investment Laws Mean for the Technology Industry

ChatGPT did not write this article. We could soon see disclaimers like this on top of legal articles and blog posts, not so much because disclaiming is what lawyers do every other hour, but because artificial intelligence is at an inflection point with its newest progeny from OpenAI. To clarify: this article was written by human beings.

The beta version of ChatGPT that has “broken the internet” is trained on data up to 2021. So while its large language model can ace bar exams, give relationship advice and write rhyming poems about project management, it still takes lawyers who are humans (there is the AI kind too, one that even argues in courts) to unpack Canada’s Bill C-34 – National Security Review of Investments Modernization Act, tabled in the House of Commons by the Minister of Innovation, Science and Industry, on December 7, 2022 (the “Bill”). The Bill makes significant amendments to the national security review regime under the Investment Canada Act (“ICA”), the federal legislation that provides for the federal government’s review of foreign investments in Canada on criteria that include “net benefit” to the economy. The last significant amendment to the ICA was in 2009, when the review thresholds for the acquisition of control of a Canadian business were progressively increased.

The Bill is “country agnostic,” as Minister François-Philippe Champagne called it, even as he readily admits it is the result of changing geopolitical realities (read: security threats from China and Russia by way of cyberattacks, transfer or acquisition of Canadian intellectual property, etc.). In November last year, the federal government ordered three Chinese companies to divest their minority holdings in three public Canadian lithium mining companies, following a “multi-step national security review process.” Earlier, in March 2022, Ottawa issued a policy statement urging foreign investors and Canadian businesses to review their investment plans to “identify any potential connections to Russian investors and entities that may be involved in both controlling and minority investments.” The Annual Report 2021-2022 of Innovation, Science and Economic Development Canada reports that, out of a total of 12 investment proposals that were put through national security review, six were from China and four were from Russia.

The Bill will clearly have an impact on Canada’s critical minerals sector, but this article examines its impact on certain technology sectors, such as artificial intelligence, cybersecurity, quantum computing, other sensitive technologies and anything that involves personal data. Notably, three out of the six Chinese investment proposals in 2021-2022 were in the sectors of “data processing, hosting, and related services” and “computer systems design and related services” (as classified by the North American Industry Classification System codes).

ICA in Brief

The ICA is a complex piece of legislation. A detailed examination of the ICA is out of scope of this article, but in summary, it applies to investments by non-Canadians to establish a new Canadian business or to acquire direct or indirect control of an existing Canadian business. “Non-Canadians” are those who are not citizens, permanent residents, a Canadian government, or an entity that is Canadian-controlled. “Canadian business” is a business carried on in Canada that has a place of business in Canada, individual(s) who are employed or self-employed in connection with the business, and assets in Canada used to conduct the business.

Foreign investments could be subject to one of three processes:

(i) notification to be made to the Investment Review Division of the federal government’s Department of Innovation, Science and Economic Development. This can be filed any time before implementing the investment or within 30 days after;

(ii) economic review by the government, based on “net benefit to Canada,” of investments that meet certain financial thresholds. The thresholds vary depending on whether the investment is direct or indirect, is in a “cultural business,” whether the investor is a state-owned enterprise of a World Trade Organization member state, or a national of a specified free trading partner, etc.;

(iii) national security review, if the government considers the investment to be injurious to national security. As of August 2, 2022, foreign investors can file a voluntary pre-closing notification for investments that may raise national security concerns and are not otherwise required to be notified under the ICA.

The ICA inherited much of the review process from its predecessor, the Foreign Investment Review Act of 1973 (“FIRA”), but narrowed the range of reviewable investments and toned down the scope of the “benefit” test. The Conservative government, led by then-prime minister Brian Mulroney, repealed FIRA in 1984 in wake of widespread disapproval within and outside Canada for its arbitrary and opaque review process, imposition of unreasonable conditions on foreign investors, and failure to address provincial interests. The ICA, too, has seen its fair share of brickbats over the years for similar and other reasons, including for being used as a vehicle for politicking and economic protectionism.

The Proposed Amendments

The key amendments in the Bill are:

1. Requirement to notify certain investments prior to their implementation in prescribed business sectors: Investors are to file a pre-implementation notification for investments in a Canadian business engaged in a “prescribed business activity,” a term to be defined in regulations. The purpose is to provide the government early visibility on investments that bear a risk of foreigners’ access to sensitive assets, intellectual property or trade secrets. Time periods for filing notifications are yet to be defined.
2. New powers for the Minister of Innovation, Science and Industry (“Minister”):

   The Minister, in consultation with the Minister of Public Safety, can:

   1. extend security reviews of investments under section 25.3 of the ICA without getting an order from the Governor in Council in the multi-step process. Section 25.3 provides for the national security review process;
   2. impose interim conditions on an investment during the national security review. If an investment is approved to proceed, an interim condition may either be converted to a permanent undertaking or removed, as appropriate, upon expiry of the review period.

      The Minister can also:

   3. accept binding undertakings from investors to minimize the “potential national security injury.” These undertakings could include federal government approval to create “approved corporate security protocols to safeguard information and access to a site – such as details on cybersecurity, visitor logs, etc.”; and
   4. disclose information about an investor to allies (for example, the other Five Eyes countries: the United States, United Kingdom, Australia and New Zealand) to support their foreign investment review and national security assessments, on terms and conditions that the Minister deems appropriate. This takes the lid off the privilege and confidentiality of investor-specific information.
3. Increased penalties for non-compliance with the ICA: the Bill provides for the authority to update the penalties through regulations in the future. A new penalty for non-compliance with pre-implementation filing requirements is also introduced.
4. New rules for the protection of information during the course of judicial review: The Bill provides for the use of potentially injurious information in judicial review of security review decisions while protecting it from disclosure at the same time. The injurious information can be relied on as evidence in closed proceedings, so as to not adversely affect international relations, national defence or national security.

Impact and Recommendations

There are already concerns that the Bill could stifle foreign capital for technology startups and discourage innovators from setting up shop in Canada. With the new requirement to notify certain investments prior to implementation, the worry that the timelines for closing transactions can be further stretched is not without merit. The average time taken for national security reviews currently is 133 days with the possibility to extend. Companies, particularly technology startups that are looking at expedited capital inflows, should plan for these contingencies of time.

“Prescribed business activity” is yet to be defined, but the Guidelines on the National Security Review of Investments, issued in March 2021, are a straw in the wind. Artificial intelligence, sensing and surveillance, medical technology, biotechnology, quantum science, robotics, autonomous systems and space technology are among those that may be considered sensitive for national security review. In particular, artificial intelligence, robotics and quantum computing intersect with and cut across many industries and sectors, in addition to overlapping with each other. Similarly, sensitive personal information is not technology- or industry-specific. Regulations that define “prescribed business activity” will need to do it with specificity and clarity to avoid overreach and opaque readings.

Perhaps a better approach would be to define the phrase by the kinds of transactions that could invite heightened security scrutiny. For example, the Executive Order (“Order”) issued by U.S. President Joe Biden not long before the Bill was tabled, expressly instructs the Committee on Foreign Investment in the United States – an interagency with representatives from 16 federal departments – to consider foreign investors’ degree of involvement in U.S. supply chains. The Order calls out investments that undermine supply chain resilience (and national security, as a result) through shifts of ownership, rights or control over technologies.

The guidance of July 2022 from the Canadian Centre for Cyber Security – part of the Communication Security Establishment, a key federal security and intelligence agency – outlined a multi-step approach for private sector and government organizations to assess cybersecurity risks in product and service supply chains of Information and Communication Technology. The lawmakers would do well to bake into the definition of “prescribed business activity” the particulars of investment proposals that likely carry these risks.

The Bill aligns Canada’s national security review process with similar regulatory beef-ups in Australia, United Kingdom and the United States for similar reasons. The technology industry will need to grapple with the fact that technological sources of security threats are not restricted to any industry or business purpose anymore (like, say, intelligence or military surveillance software). Transformative technologies that pervade the economy as a whole and drive its growth have the potential for as much, if not greater, security risk.