CFIUS Flexes New Muscles Where Customer Data and Critical Technology Are Involved

A new law has expanded the oversight powers of the Committee on Foreign Investment in the United States (CFIUS), and businesses are quickly learning that the interagency committee won’t hesitate to block a deal or force the divestment of a prior acquisition, particularly one involving sensitive customer data or “critical technologies” in industries ranging from semiconductors to social media.

Within the past two years, CFIUS blocked the acquisition of U.S. money transfer company MoneyGram International Inc., as well as a deal in which Chinese investors aimed to acquire mobile marketing firm AppLovin.

Most recently, CFIUS forced the divestment of prior acquisitions in companies that involve sensitive customer data. The Chinese owner of Grindr, a dating app based in California, was ordered to sell its ownership interest when CFIUS concluded that Chinese ownership of the business amounted to a national security risk. CFIUS did not disclose its rationale, but officials familiar with the situation pointed to concerns about personal user data, including geolocation and health information, that Grindr collects and the potential for exploitation by foreign governments to coerce individuals, particularly anyone holding security clearances. The investor, Beijing Kunlun Tech Co Ltd., had acquired a major stake in Grindr in 2016, but CFIUS intervened nearly three years after the deal closed.

CFIUS further reinforced its interest in personal data last week when it forced another Chinese owner to divest its interest in health tech startup, PatientsLikeMe, which it had acquired two years ago. The company provides a network for patients to find others with similar conditions. Just as with Grindr, users share health information on the network. 

The Grindr and PatientsLikeMe decisions strongly suggest that the overseers are very concerned about Chinese investment, particularly where sensitive personal data is involved, even if it closed before the new law kicked in.

CFIUS is chaired by the Secretary of the Treasury and by statute includes the heads of nine cabinet departments, including Defense, Homeland Security, Justice and State.

Last year, the scope of CFIUS’s oversight was expanded with the passage of FIRRMA (the Foreign Investment Risk Review Modernization Act of 2018).

The new law expands CFIUS’s jurisdiction to cover a number of new industries, including data privacy and critical technologies, such as semiconductors, robotics and artificial intelligence. Critical infrastructure is also a priority, including transportation, health care, financial services and energy. Chinese investors are receiving the most scrutiny in these fields.

The new law also makes CFIUS filings mandatory in certain cases (previously all filings were voluntary). CFIUS now requires companies involved with critical technologies in one of 27 industries, such as aircraft, inorganic chemical manufacturing, biotechnology and semiconductors, among others, to seek CFIUS approval for foreign investment (even non-controlling) in certain circumstances.

Even if a U.S. company does not itself design, produce or develop such technology, but has customers in one of these industries, it could still be covered under the mandatory filing requirement.  

If a company fails to make a filing, CFIUS can initiate its own review – even after closing, as seen in the cases of Grindr and PatientsLikeMe. CFIUS may clear the transaction, impose mitigating measures or force divestment by the foreign investor (as it did with Grindr and PatientsLikeMe). CFIUS can also impose civil penalties up to the value of the transaction for failure to file mandatory filings. 

U.S. companies that assume they are not covered by CFIUS may very well be wrong, because the committee has taken a very broad view of what may constitute a covered transaction that requires its approval. And as the owners of Grindr and PatientsLikeMe discovered, CFIUS clearly likes to make examples of parties that choose not to file.

In passing FIRRMA, Congress indicated that the national security landscape has shifted in recent years, and that it believes that China and certain other countries are actively weaponizing their stakes in advanced technology industries and in companies that hold sensitive personal data.

CFIUS is sending a message that it is now willing to use its powers not just to block investment, but to also force divestment of prior acquisitions. The Grindr and PatientsLikeMe decisions show that CFIUS is particularly concerned about Chinese ownership, especially in critical technology and sensitive personal data. It’s clear that no company is safe, as CFIUS has gone after multibillion-dollar companies and startups alike.