The Committee on Foreign Investment in the United States (CFIUS) is reportedly forcing Beijing Kunlun Tech Co. Ltd. (“Kunlun”) to divest Grindr LLC (“Grindr”), the dating app Kunlun acquired in 2016. Much of the popular press is focusing on the seemingly remote connection between a popular dating platform for gay, bi, trans, and queer people on the one hand, and the national security of the United States on the other. The circumstances, however, highlight perfectly one of the U.S. government’s keenest national security concerns: the ability of foreign governments, and in particular the Chinese government, to collect and potentially exploit data related to U.S. citizens.

CFIUS’s actions in this case are an important development for non-U.S. investors in the social media space evaluating new investments, as well as for U.S. social media companies evaluating potential or even existing investors. It also highlights the ultimate risk of not notifying CFIUS of potentially sensitive transactions. CFIUS unilaterally reached out, investigated, and is ultimately forcing a major divestment more than three years after the initial acquisition.

CFIUS Background

CFIUS is an interagency committee of the U.S. government charged with reviewing foreign acquisitions of or investments in U.S. businesses to ensure that the transactions do not pose unresolvable national security concerns. CFIUS has the authority to impose measures to mitigate any national security concerns, or even recommend that the president block transactions before they close or unwind transactions after closing.

Over the past few years, CFIUS has increased its scrutiny of Chinese investments in U.S. technology companies, particularly where those companies involve critical technologies (e.g., export-controlled technology, robotics, AI), critical infrastructure, or sensitive personal data. Indeed, Congress passed sweeping CFIUS-reform legislation — the Foreign Investment Risk Review Modernization Act (“FIRRMA”) — to better equip CFIUS to address these very concerns. See here. Among other things, FIRRMA broadened CFIUS’s reach to consider, as part of national security risk, the extent to which a transaction is likely to expose personally identifiable information and other sensitive data of U.S. citizens to a foreign government or person that may exploit that information in a manner that threatens national security.

CFIUS Concerns Regarding Kunlun Ownership of Grindr

Kunlun is a Chinese gaming company and is publicly traded on the Shenzhen Stock Exchange. In January 2016, Kunlun acquired a 60 percent stake in Grindr for $93 million. In 2018, Kunlun acquired the remaining interest in Grindr for $152 million. Now, more than three years after the initial acquisition, CFIUS is seeking to require Kunlun to divest its stake, either “voluntarily” or through an executive order issued by the president.

Although CFIUS does not comment publicly on transactions it reviews, CFIUS’s concerns regarding Kunlun’s ownership of Grindr are likely multifaceted:

  • Grindr collects and maintains location and other behavioral data on its more than 27 million users, including over 3.3 million daily users. These data can be used to ascertain the behavioral trends of U.S. citizens, including, for example, the behavior of military or intelligence personnel in the United States.
  • Grindr’s datasets also include highly sensitive and highly personal information, including records of chats and photos exchanged between users. These datasets could be used to blackmail users, including those with security clearances or access to sensitive military or intelligence information. Grindr has previously been the subject of congressional scrutiny due to its treatment of users’ data, including users’ HIV status and other personal details.
  • China’s National Intelligence Law, enacted in 2017, compels Chinese entities to provide access for or cooperate with the government’s intelligence-gathering activities. Thus, CFIUS may be concerned about Beijing’s ability to compel Kunlun to provide the PRC access to Grindr’s datasets.

In addition, these concerns must be viewed in the context of China’s acquisition of other large datasets by commercial means (i.e., acquisitions of U.S. businesses) or by more nefarious means (e.g., the OPM cyberattack). The compilation of these datasets potentially enables China to build sophisticated databases with detailed profiles of U.S. citizens.

Takeaways:

  1. This case should be a clear warning sign to parties involved in investments in social media platforms and other entities that collect significant amounts of personally identifiable or otherwise sensitive information. Although such considerations have not been a traditional focus of CFIUS, they have been a growing concern in recent years, particularly given heightened concern about Chinese government exploitation of personal data. Last year, FIRRMA made such considerations an independent factor for CFIUS’s evaluation of national security risk. Given the large number of companies across industries that collect personally identifiable information or other sensitive data, the implications are significant. Parties to covered transactions must now consider the consequences of any U.S. data that may be acquired as part of a transaction — and the possibility that the U.S. government may not want such data to be in foreign hands.
  2. In addition to the risk that CFIUS may block or unwind the transaction, parties also need to evaluate the types of CFIUS mitigation they may face. Mitigation not only affects the foreign party, but may also have impact he current operations of the U.S. business. For example, CFIUS may insist on prior notice or approval of certain changes to the company’s development processes or to the company’s service providers.
  3. It is not clear, in the Grindr case, whether CFIUS entertained ways to mitigate the national security concerns short of divestment. Given the Chinese ownership of the U.S. business and heightened concern about Chinese government exploitation of personal data, however, it is possible CFIUS determined that the national security risk could not be mitigated.
  4. For CFIUS-ordered divestments, the foreign acquirer is required to sell its stake; the U.S. business is not required to buy out the acquirer. According to The Wall Street Journal, Kunlun is attempting to sell the app for twice what it paid. Although CFIUS typically affords the foreign party an opportunity to close the sale on commercially reasonable terms, it may impose time constraints or other measures that might impact the ability of the seller to obtain its desired terms. CFIUS may also seek to ensure that the new buyer does not present national security concerns, to the extent the buyer is a foreign entity, and that Kunlun does not retain any indicia of control over the U.S. business.
  5. While a CFIUS-mandated unwinding is a powerful remedy, CFIUS may now, as a result of FIRRMA, impose penalties on parties that do not notify CFIUS in advance of certain types of transactions covered by CFIUS’s pilot program. See here. It is critical, therefore, that parties engage CFIUS counsel as early as possible in any deal involving potential foreign investment in a U.S. business.