What is CFIUS and Why Should You Care?

A Washington Post headline caught my attention some time ago – “Why is the U.S. forcing a Chinese company to sell the gay dating app Grindr?” The article discusses how the Committee on Foreign Investment in the United States (CFIUS) apparently decided that the acquisition of Grindr by a Chinese technology company, Beijing Kunlun Tech, is a threat to United States national security. As a result of CFIUS action, as reported by Reuters, Beijing Kunlun Tech agreed to sell Grindr about three years after it first acquired a majority ownership interest.

In my career as a transactional attorney representing companies in mergers and acquisitions, I have had to assist clients with CFIUS review from time to time. The transactions in which CFIUS was a concern involved high-tech companies controlling sensitive technologies or technologies touching on matters relating to national defense. If Grindr, which claims to be the largest social networking app for gay, bi, trans, and queer people, can be a target of CFIUS’s attention, it seems to be a good time to revisit the scope of CFIUS review.

What is CFIUS? CFIUS is chaired by the Secretary of the Treasury and includes the Secretaries of Defense and Homeland Security, among other members. CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the United States (referred to as covered transactions), to determine the effect of such transactions on the national security of the United States. CFIUS has the power to block covered transactions and to force covered transactions to be unwound. While CFIUS remains focused exclusively on national security, recent amendments to applicable federal law emphasize that access to personally identifiable information by foreign governments or foreign persons can raise national security concerns.

 

Recent Changes to the Law

The scope of CFIUS review was expanded by the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which became law in August 2018. The sponsors of FIRRMA introduced it to, among other things, address concerns that certain transactions may “expose, either directly or indirectly, personally identifiable information, genetic information, or other sensitive data of United States citizens to access by a foreign government or foreign person that may exploit that information in a manner that threatens national security.” FIRRMA §1702(c)(5). Accordingly, Section 1703(a) of FIRRMA expands the scope of “covered transactions” eligible for review by CFIUS to include any “other investment” by a foreign person in any unaffiliated United States business that does any of the following:

  • Owns, operates, manufactures, supplies, or services critical infrastructure;
  • Produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies; or
  • Maintains or collects sensitive personal data of United States citizens that may be exploited in a manner that threatens to harm national security.

Rules proposed recently by the Office of Investment Security, Department of the Treasury, defined “sensitive personal data” to include ten separate categories of data maintained or collected by United States businesses, including (i) data that could be used to analyze or determine an individual’s financial distress or hardship, and (ii) the set of data in a consumer report, unless such data is obtained from a consumer reporting agency for one or more purposes specified in the Fair Credit Reporting Act and is not substantially similar to the full contents of a consumer file. United States businesses covered include businesses that collect or maintain such data on more than one million individuals or have a demonstrated business objective to maintain or collect such data on more than one million individuals and such data is an integrated part of the United States business’s primary products or services.

“Data that could be used to analyze or determine an individual’s financial distress” is not further defined by the proposed rules, and the commentary in the rules release is not particularly helpful. However, it seems that information indicating that an individual has had one or more accounts placed for collection, or has one or more past due accounts, could easily be considered data that can be utilized to determine financial distress or hardship. Furthermore, as many, if not most, collections agencies and other similar participants in the ARM industry maintain data on well over a million consumers on an annual basis, many ARM industry participants likely maintain or collect sensitive personal data as defined by the proposed rule.

 

What does Grindr have to do with CFIUS?

The categories of sensitive personal data covered by the proposed definition that may raise national security issues also include certain geolocation data and non-public electronic communications, including without limitation email, messaging, or chat communications, between or among users of a United States business’s products or services, if a primary purpose of such product or service is to facilitate third-party user communications – exactly the type of information Grindr likely maintains.

It is not likely that participants in the ARM industry collect or maintain the type of information Grindr collects and maintains. Nonetheless, the Grindr matter does serve as a cautionary tale. While the ARM industry is not traditionally seen as posing a national security threat, that traditional view does not mean ARM industry transactions are immune from CFIUS scrutiny.

 

What to do now

With respect to transactions involving companies controlling or having access to large amounts of personal data, FIRRMA’s expansion of the definition of “covered transaction” to include businesses that maintain or collect sensitive personal data of United States citizens that may be exploited in a manner that threatens national security may be more of a clarification than a change. Nonetheless, FIRRMA and recent CFIUS action highlight the increased focus on transactions involving companies controlling sensitive personal data.

ARM industry participants often control vast amounts of personal information, much of which may qualify as “sensitive personal data.” If you are looking to sell your ARM business, you, along with your legal counsel, may want to consider the potential impact of CFIUS. CFIUS may create transaction risk for you and your company, and you may want to take steps to limit that risk. Such steps could include limiting the pool of potential buyers to buyers based in the United States or other jurisdictions considered to be friendly toward the United States, such as Canada, and adding additional buyer representations and warranties to the acquisition agreement.
