According to recent disclosures, the Trump Administration has been acting aggressively to control Chinese investment in companies that have access to Americans’ personal data. Last week, it was revealed that the Committee on Foreign Investment in the United States (CFIUS) has ordered Chinese company Beijing Kunlun Tech Co. Ltd. to sell its majority stake in on-line dating app Grindr over concerns that Chinese access to personal data held by Grindr could pose a threat to U.S. national security. Then, on April 4, 2019, it was announced that CFIUS had also ordered Chinese investor and digital healthcare company iCarbonX to sell its stake in the U.S. company PatientsLikeMe. PatientsLikeMe is an on-line service that links individuals suffering the same health issues in an effort to improve disease detection and treatment. Again, the concern reportedly prompting the CFIUS action is Chinese access to the personal data of Americans and the national security risk that could pose.
CFIUS is an executive branch committee comprised of federal national security, trade, and related agencies and White House offices and chaired by the U.S. Treasury Secretary. It has the power to review foreign investments that pose a risk to U.S. national security. Unless CFIUS has conducted a review of a transaction and found no national security concerns (a process that effectively grants the foreign investment a “safe harbor” from future CFIUS risk), CFIUS can order the blocking, unwinding, or divestiture of foreign investments. For more on CFIUS and recent changes to the CFIUS laws and regulations, click here.
Historically, CFIUS has rarely exercised its power to unwind transactions after the transactions have closed. It has also tended to focus on foreign investments in companies and industries – such as semiconductors and aerospace – that are more closely tied to traditional concepts of “national security.” The Grindr and PatientsLikeMe cases, therefore, serve as important signals of an increasingly aggressive approach by CFIUS to monitor Chinese investments in U.S. companies and to address a much broader range of perceived threats to U.S. national security – including threats arising from data privacy concerns.
Companies and investors in U.S. industries that have access to Americans’ personal data – such as internet and technology start-ups, on-line services, and data analytics – as well as more traditional U.S. businesses like healthcare and retail – should take note of these developments and take steps to ensure that their interests are protected. The first step is to assess the CFIUS risks of any potential or existing investment, merger, acquisition, or takeover and develop a strategy for eliminating or minimizing those risks.