Trump Blocks Foreign Investment Over Personal Data Concerns
On March 6, 2020, in a case with significant implications for foreign investment in U.S. companies dealing in personal data, President Trump ordered the complete divestiture by a publicly traded Chinese company, Beijing Shiji Information Technology Co. Ltd. (Shiji), of its 2018 acquisition of StayNTouch, Inc. (StayNTouch), a U.S. hotel management software company. The order is the first major executive action under new regulations which came into effect last month on February 13, 2020, promulgated by the Committee on Foreign Investment in the United States (CFIUS), focusing in part on foreign investment in companies collecting or maintaining the “sensitive personal data” of U.S. citizens.
Presidents have long had the authority, infrequently invoked, under Sec. 721 of the Defense Production Act of 1950 § 721, 50 U.S.C. § 4565 (2018), to block (or order the unwinding of) foreign investments in U.S. companies based on national security concerns. Moreover, CFIUS has a recent trend of acting to block or undo foreign acquisitions that raised U.S. personal data privacy concerns. Examples include the April 2019 divestiture by China’s iCarbonX of the U.S. PatientsLikeMe, a patient peer-information platform, and the May 2019 forced sale by Beijing Kunlun Tech Co. of the U.S. gay dating application, Grindr. But the enactment of 2018’s Foreign Investment Risk Review Modernization Act (FIRRMA) greatly expanded CFIUS’ jurisdiction to review foreign investments in certain businesses and technologies. The recently effective regulations (31 C.F.R. pts. 800-802 (Westlaw 2020)) focus on even non-controlling investments in so-called “TDI” (technology, data and infrastructure) industries. For the first time, national security concern regarding the foreign acquisition of “sensitive personal data” is specifically codified as subject to review.
Sensitive Personal Data of U.S. Citizens
Under the new regulations, the term “sensitive personal data” applies to:
- Any U.S. business that directly or indirectly collects or maintains genetic test results of U.S. citizens;
- U.S. businesses that collect or maintain a high volume of records containing a list of other categories of sensitive personal data, including geolocation data; physical or mental health information; biometric data; insurance application data; detailed financial data; government security clearance information; and nonpublic electronic data between business users of the target company’s data. The specific categories set forth in the regulations (31 C.F.R. § § 800.201-254 (Westlaw 2020)) are:
- Financial data that could be used to analyze financial distress or hardship;
- Consumer report data (with some exceptions);
- Data sets in applications for health, long term care, professional liability, mortgage or life insurance;
- Nonpublic messaging or e-mail between business users;
- Geolocation data whether from cell, Wi-Fi points, or wearable device;
- Biometric enrollment data (face, retina, fingerprint or voice);
- Data stored for the purpose of generating or renewing a Federal government identification;
- Data regarding a U.S. Federal security clearance;
- Data in an application for such clearance;
- Results of an individual’s genetic tests.
Specific exclusions include court records and other matters already in the public record, and data maintained by a target employer regarding its own employees. An exception to this exclusion is data regarding clearance-holding employees of a U.S. government contractor.
It’s important to note that non-controlling investments in companies holding or collecting data of the nature listed above are not in themselves prohibited, but rather (subject to the conditions mentioned below) trigger a filing requirement for CFIUS review.
A non-controlling foreign investment does NOT trigger an “automatic” filing requirement with CFIUS if:
- The terms of the investment do not confer membership, nomination or observer rights on the board of the acquired entity; nor any involvement (other than voting of shares) in substantive decision-making; nor access to “material, non-public data or information” possessed by the acquired entity or any U.S. subsidiary;
- The investor is from an “excepted investor state” (currently including only Australia, Canada and the UK) and meets a specified set of eligibility criteria set forth in the regulations.
This expanded review authority – and CFIUS and the Administration’s manifest readiness to use it to block or force post-closing divestment in cases deemed to be of concern – has clear implications for potential foreign investment in a wide range of U.S. companies. This could well affect the ready access to foreign capital for such enterprises as health care companies; insurance companies; telecommunications companies; “cloud” services entities; information and information-sharing web applications; U.S. government contractors; any foreign enterprise with U.S. operations, subsidiaries or personnel; and likely a host of others.
While a non-controlling investment in such companies may not in every instance explicitly trigger a requirement for CFIUS review, as a practical matter, parties considering such investment decline to file at their peril. Failing to do so, should CFIUS subsequently determine that filing was in order, risks penalties equal to the value of the transaction or $250,000, whichever is greater.
In any case, prudence suggests that prospective parties to foreign investment in data-rich or personal data-focused companies consult with experienced counsel regarding their potential obligation to file, and build into their acquisition process sufficient time and resources to undergo CFIUS review.