
December 14, 2022

Client Alert

By: Chris Griner, Shannon Reaves, Tom Firestone, Christopher R. Brewster, Gregory Jaeger, Andrew J. Astuno, Erin Bruce Iacobucci

Earlier this year, President Biden issued Executive Order (“EO”) 14083, which, for the first time, provided presidential direction on factors that must be considered by the Committee on Foreign Investment in the United States (“CFIUS”) when it evaluates the national security implications of foreign investments. Transactions found to threaten U.S. national security may be blocked by the president unless the threat can and will be mitigated to the satisfaction of CFIUS and the president.

Among other things, the EO requires that the Committee consider whether a covered transaction involves the transfer of U.S. persons’ sensitive data “to a foreign person who might take actions that threaten to impair the national security of the United States as a result of the transaction, and whether the foreign person has relevant third-party ties that have sought to exploit such information or have the ability to exploit such information to the detriment of national security, including through the use of commercial or other means.”[1]

Of particular concern are investments involving U.S. businesses that have access to “United States persons' health, digital identity, or other biological data and any data that could be identifiable or de-anonymized, that could be exploited to distinguish or trace an individual's identity in a manner that threatens national security.” Also of concern are businesses that have “access to data on sub-populations in the United States [e.g., persons holding security clearances] that could be used by a foreign person to target individuals or groups of individuals in the United States in a manner that threatens national security.”[2] Note that CFIUS is concerned with risk – so the fact that a company has never experienced the loss of data, while important, does not avoid review if the company holds or generates data that could be exploited to threaten U.S. national security.

Concern over the impact of a transaction on U.S. persons’ sensitive personal data is rooted in the Foreign Investment Risk Review Modernization Act (“FIRRMA”) and its implementing regulations, which expanded CFIUS review beyond takeovers and acquisitions to include certain non-controlling foreign investments in U.S. businesses that provide the investor any involvement (other than through voting shares) in “substantive decision-making of the U.S. business regarding [among other things] …the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens generated, maintained or collected by the U.S. business” that could be exploited in a manner that threatens national security. Such investments are subject to CFIUS’s mandatory filing rules (unless the foreign acquirer is an “excepted investor”[3]). Additionally, any non-controlling investment in a U.S. business involved in “sensitive personal data,” as set forth below, is subject to CFIUS’s mandatory filing rules if the acquirer, as a result of the transaction, obtains any membership or observer rights on, or the right to nominate members to, the board of directors overseeing the U.S. business.[4]

The term “sensitive personal data” includes 10 categories of data maintained or collected by U.S. businesses that (i) “target or tailor” products or services to (for example) U.S. military members and employees of U.S. Government agencies with national security responsibilities, (ii) collect or maintain data on one million or more persons, or (iii) have a demonstrated business objective to maintain or collect data on over one million individuals as an “integrated part of the U.S. business’s primary products or services.” The categories include, among others, financial, geolocation, and health data.

As noted, the first area of focus is the U.S. business – the target – and EO 14083 makes clear that foreign investments in U.S. businesses that collect or maintain sensitive personal data of U.S. persons will always be candidates for potential CFIUS review. The law is also clear that the scope of review extends well beyond government contractors or firms operating in the traditional defense sectors to include any firms that collect or maintain significant amounts of sensitive personal data, a category that may include (among others) insurance carriers, financial institutions, and health care providers.

Several recent CFIUS cases involving personal data concerned investments well outside the traditional defense sector:

  • Dating App: Beijing Kunlun Tech (China)/Grindr. In 2019, CFIUS ordered Beijing Kunlun Tech Co. Ltd. (“Kunlun”) to sell its interest in Grindr LLC, a popular dating application focused on the LGBTQ community. The divestment reportedly was prompted by concerns over Kunlun’s access to sensitive personal data from Grindr users – such as location, sexual preferences, HIV status and messages exchanged via the Grindr app.[5]
  • Medical Data: iCarbonX (China)/PatientsLikeMe. Also in 2019, CFIUS and the Trump administration pressured Chinese-based iCarbonX to divest its majority stake in PatientsLikeMe, an online service that helps patients find people with similar health conditions.[6]
  • Hotel Booking: Beijing Shiji Information Technology Co., Ltd. (China)/StayNTouch, Inc. In 2020, President Trump issued an Executive Order ordering the Chinese company Beijing Shiji Information Technology Co., Ltd. (“Shiji”) to divest its 2018 investment in StayNTouch, Inc., a U.S. company providing a cloud-based property management system for hotels to help track reservations and room inventory.[7] It appears likely that concern centered on Shiji’s potential access to a large database of personal and financial information.
  • Financial Data: Ant Financial (China)/MoneyGram International Inc. In 2017, MoneyGram International, Inc., the person-to-person cash transfer firm, agreed to merge with a subsidiary of Ant Financial, part of the Alibaba Group (“ANT”), a Chinese multinational technology firm. After CFIUS refused to clear the transaction, the parties abandoned efforts at approval, with ANT reportedly paying a termination fee of $30 million.[8]
  • Social Media: ByteDance (China)/Musical.ly. In 2017, Musical.ly, a social media app that allowed users to create music videos of themselves lip syncing popular songs, was sold to Chinese technology company ByteDance and rebranded as the hugely popular app TikTok. Its widespread use elevated concerns about the possibility of user data (including location) being made available to the Chinese government.[9] Citing threats of data collection and political censorship, in August of 2020 President Trump issued an Executive Order banning any U.S. person subject to the jurisdiction of the United States from transacting with ByteDance or any of its subsidiaries.[10] A subsequent E.O. required TikTok to be sold to a U.S. corporation to prevent a nationwide ban. This order has since been revoked by the Biden Administration as of June 2021[11] and the fate of TikTok remains unresolved at this writing, although recent reports suggest the U.S. government may be content with TikTok making significant changes to its data security and governance procedures so as to avoid a sale.[12]

The second factor considered by CFIUS is the threat presented by the foreign investor (including third parties to whom the investor might transfer data). All foreign investors are not alike, and CFIUS will be more concerned about transactions that involve foreign nations that have a fraught relationship with the United States – or parties that have a history of engagement in industrial espionage. It is important to note that security measures that may be put in place (e.g., firewalls and independent, U.S. third-party managers) are measures that may be proposed (or imposed) as mitigation – but they will not avoid CFIUS review. The fact that a company has strong security measures already in place, and a history of compliance, will definitely be an argument for approval – but it will not avoid CFIUS review.

As noted above, in cases where CFIUS or the Administration believes that the national security risk is significant, mitigation may not be available at all. In the ANT transaction, the parties reportedly offered a mitigation proposal to assuage concerns over Chinese access to data that could be used to identify U.S. citizens and their transactions – but were not successful.[13]

The key takeaways here are that CFIUS now has and will exercise the authority to review an extraordinarily broad array of transactions that implicate the personal data of U.S. persons – and that investors whose transactions do not survive CFIUS review can pay a high price in transaction costs, breakup fees, and the shattering of business plans.

It is essential for foreign investors to do a full and frank assessment of the prospects of CFIUS review when considering investment in the United States – and for U.S. firms considering foreign suitors to assess not only the likelihood of CFIUS review, but also the risks to the transaction presented by individual potential foreign investors. Many transactions that go through CFIUS review are approved, especially transactions involving investors from countries closely allied with the United States. But success depends on proper planning. Even investments from allied countries will still require review. In all cases, when foreign investors show up – and personal data is at risk – CFIUS wants to know who’s knocking at the door – and who’s ringing the bell.[14]


[1] See: https://www.whitehouse.gov/briefing-room/statements-releases/2022/09/15/fact-sheet-president-biden-signs-executive-order-to-ensure-robust-reviews-of-evolving-national-security-risks-by-the-committee-on-foreign-investment-in-the-united-states/ (“Risks to U.S. persons’ sensitive data;” September 22, 2022.) (Emphasis added.)

[2] Id. (“Additional Factors to be Considered;” September 22, 2022.) (Emphasis added.)

[3] See: excepted investor requirements at: 31 C.F.R. § 800.219(a)(3).

[4] See: 31 C.F.R. § 800.401(c)(1), amended October 2020.

[5] See: https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-cfius-scrutiny-forces-chinese-sale-of-grindr (April 2019).

[6] See: https://news.yahoo.com/forced-sale-patientslikeme-founder-frets-083004025.html?guccounter=1 (May 2019).

[7] See: https://trumpwhitehouse.archives.gov/presidential-actions/order-regarding-acquisition-stayntouch-inc-beijing-shiji-information-technology-co-ltd/ (March 2020).

[8] See: https://www.csis.org/analysis/understanding-ant-big-data-and-cfius (January 2018).

[9] See: https://www.csis.org/analysis/tiktok-running-out-time-understanding-cfius-decision-and-its-implications (September 2020).

[10] See: https://www.federalregister.gov/documents/2020/08/11/2020-17699/addressing-the-threat-posed-by-tiktok-and-taking-additional-steps-to-address-the-national-emergency (Aug. 6, 2020).

[11] See: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/06/09/executive-order-on-protecting-americans-sensitive-data-from-foreign-adversaries/ (June 2021).

[12] See: https://www.reuters.com/technology/tiktok-inching-toward-us-security-deal-avoid-sale-nyt-2022-09-26/ (September 2022).

[13] See again: https://www.csis.org/analysis/understanding-ant-big-data-and-cfius (January 2018).

[14] Apologies to Paul McCartney and Wings.
