December 14, 2022
Client Alert
By: Chris Griner, Shannon Reaves, Tom Firestone, Christopher R. Brewster, Gregory Jaeger, Andrew J. Astuno, Erin Bruce Iacobucci
Earlier this year, President Biden issued Executive Order (“EO”) 14083, which, for the first time, provided presidential direction on factors that must be considered by the Committee on Foreign Investment in the United States (“CFIUS”) when it evaluates the national security implications of foreign investments. Transactions found to threaten U.S. national security may be blocked by the president unless the threat can and will be mitigated to the satisfaction of CFIUS and the president.
Among other things, the EO requires that the Committee consider whether a covered transaction involves the transfer of U.S. persons’ sensitive data “to a foreign person who might take actions that threaten to impair the national security of the United States as a result of the transaction, and whether the foreign person has relevant third-party ties that have sought to exploit such information or have the ability to exploit such information to the detriment of national security, including through the use of commercial or other means.”[1]
Of particular concern are investments involving U.S. businesses that have access to “United States persons' health, digital identity, or other biological data and any data that could be identifiable or de-anonymized, that could be exploited to distinguish or trace an individual's identity in a manner that threatens national security.” Also of concern are businesses that have “access to data on sub-populations in the United States [e.g., persons holding security clearances] that could be used by a foreign person to target individuals or groups of individuals in the United States in a manner that threatens national security.”[2] Note that CFIUS is concerned with risk – so the fact that a company has never experienced the loss of data, while important, does not avoid review if the company holds or generates data that could be exploited to threaten U.S. national security.
Concern over the impact of a transaction on U.S. persons’ sensitive personal data is rooted in the Foreign Investment Risk Review Modernization Act (“FIRRMA”) and its implementing regulations, which expanded CFIUS review beyond takeovers and acquisitions to include certain non-controlling foreign investments in U.S. businesses that provide the investor any involvement (other than through voting shares) in “substantive decision-making of the U.S. business regarding [among other things] …the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens generated, maintained or collected by the U.S. business” that could be exploited in a manner that threatens national security. Such investments are subject to CFIUS’s mandatory filing rules (unless the foreign acquirer is an “excepted investor”[3]). Additionally, any non-controlling investment in a U.S. business involved in “sensitive personal data,” as set forth below, is subject to CFIUS’s mandatory filing rules if the acquirer, as a result of the transaction, obtains any membership or observer rights on, or the right to nominate members to, the board of directors overseeing the U.S. business.[4]
The term “sensitive personal data” includes 10 categories of data maintained or collected by U.S. businesses that (i) “target or tailor” products or services to (for example) U.S. military members and employees of U.S. Government agencies with national security responsibilities, (ii) collect or maintain data on one million or more persons, or (iii) have a demonstrated business objective to maintain or collect data on over one million individuals as an “integrated part of the U.S. business’s primary products or services.” The categories include, among others, financial, geolocation, and health data.
As noted, the first area of focus is the U.S. business – the target – and EO 14083 makes clear that foreign investments in U.S. businesses that collect or maintain sensitive personal data of U.S. persons will always be candidates for potential CFIUS review. The law is also clear that the scope of review extends well beyond government contractors or firms operating in the traditional defense sectors to include any firms that collect or maintain significant amounts of sensitive personal data, a category that may include (among others) insurance carriers, financial institutions, and health care providers.
Several recent CFIUS cases involving personal data concerned investments well outside the traditional defense sector:
The second factor considered by CFIUS is the threat presented by the foreign investor (including third parties to whom the investor might transfer data). All foreign investors are not alike, and CFIUS will be more concerned about transactions that involve foreign nations that have a fraught relationship with the United States – or parties that have a history of engagement in industrial espionage. It is important to note that security measures that may be put in place (e.g., firewalls and independent, U.S. third-party managers) are measures that may be proposed (or imposed) as mitigation – but they will not avoid CFIUS review. The fact that a company has strong security measures already in place, and a history of compliance, will definitely be an argument for approval – but it will not avoid CFIUS review.
As noted above, in cases where CFIUS or the Administration believes that the national security risk is significant, mitigation may not be available at all. In the ANT transaction, the parties reportedly offered a mitigation proposal to assuage concerns over Chinese access to data that could be used to identify U.S. citizens and their transactions – but were not successful.[13]
The key takeaways here are that CFIUS now has and will exercise the authority to review an extraordinarily broad array of transactions that implicate the personal data of U.S. persons – and that investors whose transactions do not survive CFIUS review can pay a high price in transaction costs, breakup fees, and the shattering of business plans.
It is essential for foreign investors to do a full and frank assessment of the prospects of CFIUS review when considering investment in the United States – and for U.S. firms considering foreign suitors to assess not only the likelihood of CFIUS review, but also the risks to the transaction presented by individual potential foreign investors. Many transactions that go through CFIUS review are approved, especially transactions involving investors from countries closely allied with the United States. But success depends on proper planning. Even investments from allied countries will still require review. In all cases, when foreign investors show up – and personal data is at risk – CFIUS wants to know who’s knocking at the door – and who’s ringing the bell.[14]
[1] See: https://www.whitehouse.gov/briefing-room/statements-releases/2022/09/15/fact-sheet-president-biden-signs-executive-order-to-ensure-robust-reviews-of-evolving-national-security-risks-by-the-committee-on-foreign-investment-in-the-united-states/ (“Risks to U.S. persons’ sensitive data;” September 22, 2022.) (Emphasis added.)
[2] Id. (“Additional Factors to be Considered;” September 22, 2022.) (Emphasis added.)
[3] See: excepted investor requirements at: 31 C.F.R. § 800.219(a)(3).
[4] See: 31 C.F.R. § 800.401(c)(1), amended October 2020.
[5] See: https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-cfius-scrutiny-forces-chinese-sale-of-grindr (April 2019).
[6] See: https://news.yahoo.com/forced-sale-patientslikeme-founder-frets-083004025.html?guccounter=1 (May 2019).
[7] See: https://trumpwhitehouse.archives.gov/presidential-actions/order-regarding-acquisition-stayntouch-inc-beijing-shiji-information-technology-co-ltd/ (March 2020).
[8] See: https://www.csis.org/analysis/understanding-ant-big-data-and-cfius (January 2018).
[9] See: https://www.csis.org/analysis/tiktok-running-out-time-understanding-cfius-decision-and-its-implications (September 2020).
[10] See: https://www.federalregister.gov/documents/2020/08/11/2020-17699/addressing-the-threat-posed-by-tiktok-and-taking-additional-steps-to-address-the-national-emergency (Aug. 6, 2020).
[11] See: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/06/09/executive-order-on-protecting-americans-sensitive-data-from-foreign-adversaries/ (June 2021).
[12] See: https://www.reuters.com/technology/tiktok-inching-toward-us-security-deal-avoid-sale-nyt-2022-09-26/ (September 2022).
[13] See again: https://www.csis.org/analysis/understanding-ant-big-data-and-cfius (January 2018).