UK: UK Government Introduces Lower National Security Merger Review Thresholds

Under new measures coming into force on 11 June, the UK government will have greater powers to intervene in mergers that potentially raise national security concerns due to the target's involvement in military and dual-use technologies and certain categories of advanced computer technology. Such transactions will be reviewable by the government on public interest grounds if the target: (i) has UK revenues of only £1 million; or (ii) has a UK share of supply exceeding 25%. This is a significant change from the current regime, under which a transaction is reviewable only if the target has UK revenues of more than £70 million or if it leads to an increment in the parties' combined share of supply of 25% or more.

The new thresholds are the first tangible output from the government's ongoing review that raise potential national security concerns. That review arose from concerns within government over the extent to which the UK's historical openness to foreign investors might make it vulnerable to emerging national security threats that the current regime would not catch.

Having identified the emerging threat of cyber attacks on the UK's critical national infrastructure, including by foreign intelligence agencies, the review noted that the existing jurisdictional limits on government intervention appeared to be insufficient to catch acquisitions of companies that controlled technology that could facilitate such attacks. In particular, they did not catch the acquisition of companies with very low turnovers, which are likely to include precisely the highly innovative companies that may be developing the sorts of technologies that, in the wrong hands, could raise national security concerns.

Intended as a short-term measure, the changes to these limits for transactions raising national security concerns are due to be followed by more far-reaching changes, including potentially the introduction of a mandatory filing regime to enable the review of all transactions involving foreign investors for national security issues.

This article will consider the new regime in more detail and its implications for business.

Current regime

The UK operates a voluntary notification regime for mergers that may raise competition concerns. This means that there is no requirement to notify qualifying mergers to the Competition and Markets Authority (CMA). Rather, the CMA has jurisdiction to investigate a qualifying merger on its own initiative, or in response to a complaint.

A merger will qualify for a competition review by the CMA if two or more enterprises have ceased to be distinct (or will be, once the transaction is implemented) and at least one of the following thresholds is met:

• the target's UK turnover is more than £70 million (the Turnover Test); or
• the merger would result in the creation or enhancement of a share of supply of goods or services of 25% or more in the UK, or in a substantial part of the UK (the Share of Supply test).

In cases where a merger has an EU dimension, which is determined by the parties' turnover, the European Commission (Commission), rather than the CMA, will currently investigate the impact of the transaction on competition. Member State governments retain the ability to review the impact of such mergers on specified public interest grounds, which include national security. (At the time of writing, the impact of Brexit on this process remains unclear.)

UK government ministers can launch parallel public interest reviews of qualifying mergers (referred to as 'intervention') in specified circumstances. Under the existing regime, apart from a narrow category of transactions involving defence contractors or media companies, government can launch a public interest intervention only if the transaction: (i) qualifies as a merger (i.e. it does not involve a greenfield investment or the acquisition of 'bare assets', such as intellectual property rights); (ii) raises specific public interest considerations; and (iii) meets the threshold for a regular competition review (whether by the CMA or the Commission).

Specified public interest considerations currently cover national security (including public security); financial stability (prudential regulation in European mergers); and media plurality.

To date, there have been 12 public interest interventions since the current merger control regime was introduced in 2003, seven of which were on national security grounds. The initial assessment of transactions for potential national security concerns is undertaken by government departments and the UK security agencies, rather than the CMA. Given the inherently sensitive subject matter, such assessments take place in private, under the coordination of the government's Investment Security Group. Once an intervention has been triggered, the procedure is largely public, albeit government ministers remain responsible for key decisions and key details may be excluded from public disclosure.

Sectors covered

The new thresholds apply to any acquisition of control or material influence over a "relevant enterprise", which is defined as a business that is active in either "military and dual-use technologies" or "advanced technology".

Military and dual-use technologies

The new regime will catch qualifying acquisitions of businesses that:

• develop or produce 'restricted goods', meaning "goods, software or information" that are subject to export control; or
• hold information that is "capable of use in connection with the development or production of restricted goods".

Categories of restricted goods are set out in various export control lists, many of which reflect the UK's international export control obligations. As such, it should be reasonably straightforward to identify products that fall within this category. The government has advised companies that are unsure whether this is the case for their products to use its online Goods Checker Tool. In addition, the government has said that it will endeavour to provide "clear, informal (non-binding) advice" as quickly as possible.

Advanced technology

The government's primary concern in this area appears to be the scope for hostile actors to use advanced technology to take control over connected products, which may be widely dispersed in homes, businesses, public institutions or utilities, to cause harm to businesses, critical national infrastructure or other public services. The potentially wide variety of such threats means that defining the scope of relevant technologies is somewhat complex.

The government's original Green Paper focused on "advanced technology", which it proposed defining as comprising "multi-purpose computing hardware" and "quantum based technology".

The new legislation provides a more detailed definition of activities that will be caught under this heading. Specifically, these comprise:

• the ownership, creation or supply of intellectual property relating to the functional capability of:
• • computer processing units;
  • the instruction set architecture for such units; or
  • computer code that provides low level control for such units;
  • the design, maintenance or provision of support for the secure provisioning or management of:
  • 'roots of trust'¹ of computer processing units;
  • computer code that provides low level control for such units; and
• research, development, production or the supply of services related to:
• quantum computing or simulation;
• quantum imaging, sensing, timing or navigation;
• quantum communications; and
• quantum resistant cryptography.

These terms are defined with a high degree of technical specificity. For example, quantum timing is defined by the legislation as "utilising certain properties of quantum mechanics, including measurements of suspensions of atoms or ions, to provide a timing signal with a resolution or sensitivity that is beyond what is possible in non-quantum devices or systems".

As can be seen from the above, the new regime covers a wide range of technology businesses, including those involved in chip design, the design of Internet of Things products and connected home devices and the development of certain types of security products and services, including the design of firmware with cryptographic functionality.

The regime also covers companies that are involved in all stages of the quantum computing development process, including the creation of intellectual property, as well as companies supplying quantum technology components or offering services (such as consultancy advice or data analysis) which use quantum-based technology.

It is not necessary that the target is actually involved in producing such products – ownership of relevant IP is sufficient.

Additional thresholds

Even if the target of a transaction is within the scope of the new rules, it does not necessarily follow that the transaction will be reviewable under the new rules. Importantly, the expanded regime will continue to apply only to qualifying mergers, which arise where one business acquires control or material influence over another business. While the boundaries are somewhat blurred, a passive minority investment in a relevant enterprise should not be caught by the new regime. While the acquisition of IP rights in isolation should also be outside the scope of the regime, the inclusion of additional assets or personnel would be likely to take a transaction across the line.

As noted above, provided a transaction involving the acquisition of a relevant enterprise counts as a merger, it will be reviewable under the new rules if the target enterprise:

• generates UK revenues of more than £1 million; or
• holds a UK share of supply of over 25%.

This indicates that acquisitions of businesses that are purely involved in research and development activities that as yet generate no income should not be caught. The very low level of the new UK turnover threshold for transactions involving relevant enterprises does mean that a large number of transactions may still be caught by the new regime. While only a small number of such transactions may raise actual national security concerns, the new regime introduces the potential for scrutiny of such transactions that did not exist before.

Conclusion

The application of the new rules is potentially uncertain, given the range and complexity of the technology covered. The government has published draft guidance to assist companies in determining whether their activities fall with within these defined sectors and has provided an email address to enable parties to seek guidance on whether their products come within the scope.

It is important to bear in mind that transactions falling within the scope of the new rules will not be subject to any additional notification requirements. The CMA does not expect mergers that are brought within the scope of the UK merger control regime purely as a result of these changes to raise competition-related concerns. As a result, the risk of a competition review by the CMA has not increased.

The changes do broaden the universe of deals that are at risk of government intervention on national security grounds. Indeed, this is their specific purpose.

Potential buyers of UK-based technology companies will therefore need to undertake an assessment to determine whether their targets are within the scope of the new regime. If they are, then an informal notification to government may be advisable.

Such a notification provides the government with the information necessary to establish whether national security concerns arise and, where possible, to enable government officials to provide comfort that there will be no ministerial intervention. Notification to government for a national security assessment will remain distinct from any merger notification that the parties may choose to make to the CMA for a competition assessment and there will be no need to notify the CMA purely on the grounds that the parties have made a national security notification to government.

It will inevitably take some time for the regime to bed down and for companies and their advisers to assess the risk of intervention in individual cases and the analysis will be highly fact-specific.

In the meantime, the consultation period for the government's longer-term proposals ended on 9 January 2018. It is anticipated that the government will progress the scope of those proposals in a White Paper later this year. It is therefore highly likely that we will see further changes to the UK merger control regime in the near future.

Footnote

1 Roots of trust are defined in the legislation as hardware, firmware or software components that are inherently trusted to perform critical security functions (including, for example, cryptographic key material bound to a device that can identify the device or verify a digital signature to authenticate a remote entity).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.