On March 6, 2020, President Trump issued an Executive Order requiring a publicly traded Chinese company, Beijing Shiji Information Technology Co., Ltd., to divest its 2018 acquisition of StayNTouch, Inc. (StayNTouch), a US-based hotel management software company. The Executive Order was issued pursuant to the law that authorizes the Committee on Foreign Investment in the United States (CFIUS), the interagency committee tasked with reviewing investments and acquisitions in the US, to assess national security risk. This is the third time President Trump blocked a transaction for national security reasons since taking office and only the sixth time a president has exercised such authority.

Shiji initially invested in StayNTouch’s Series A round in 2016 before acquiring StayNTouch in September 2018. StayNTouch’s cloud-based mobile hotel property management software products enable its hotel customers, including MGM Resorts and the Fontainebleau Miami Beach, to personalize hotel guest services and to enable mobile guest check-in/out at hotel properties.

According to the Executive Order, President Trump determined there is credible evidence that Shiji “might take action that threatens to impair the national security of the United States,” and Shiji must divest its holdings in StayNTouch within 120 days, subject to a 90-day extension from CFIUS. In the interim, the Executive Order prohibits Shiji from accessing any hotel guest data through StayNTouch.

This Executive Order is the latest example of the US government using its CFIUS authorities to address concerns regarding foreign access to US citizen personal data. As described in our prior alerts—Treasury Finalizes New CFIUS Regulations and Treasury Issues Long-Awaited Proposed CFIUS Regulations—sensitive personal data is one of the three key areas of expanded CFIUS jurisdiction under the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA). And, while blocking Shiji’s acquisition of StayNTouch is the first instance of a presidential order stemming from personal data concerns, it follows two cases in 2019 of Chinese companies agreeing to divest their acquisitions of US companies reportedly after CFIUS raised concerns about access to US citizen personal data. In April 2019, China-based iCarbonX agreed to divest its acquisition of PatientsLikeMe, a US company that provides a platform for patients with the same medical condition to connect and exchange information, and in May 2019, Beijing Kunlun Tech Co. Ltd. agreed to sell gay dating app Grindr, whose database contains personal information, including user location and HIV status.

This action by the Trump Administration highlights CFIUS’s attention to deals that have closed without notification and the government’s legal authority to force post-closing divestment, as well as the financial and reputational risks of not seeking CFIUS clearance proactively.