As we reported this past Friday, on March 6, 2020, President Trump issued only the sixth Executive Order (the “Order”) in history formally prohibiting the acquisition of a U.S. business by a foreign person, pursuant to the authorities that allow the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) to review foreign mergers and acquisitions in the United States. The Order — which follows the recommendation of CFIUS and is enforceable in court by the U.S. Attorney General — directs the divestiture of StayNTouch, Inc. (“StayNTouch”) by Beijing Shiji Information Technology Co., Ltd., a public company organized under the laws of China, and its wholly-owned subsidiary Shiji (Hong Kong) Ltd., a Hong Kong limited company (together “Shiji Group”). The Order comes 18 months after Shiji Group acquired StayNTouch in September 2018.

The Order compels divestiture of StayNTouch within 120 days, unless otherwise extended by CFIUS, and imposes interim security requirements that preclude Shiji Group or any of its affiliates from having any access to hotel guest data possessed by StayNTouch. Among other things, the Order also provides CFIUS with a range of compliance monitoring mechanisms and the right to object to the buyer of StayNTouch.

The Order did not provide a detailed account of the national security concerns underlying its decision to prohibit the transaction, other than to state that there was “credible evidence” that through the acquisition Shiji Group “might take action that threatens to impair the national security of the United States.” The Department of the Treasury (“Treasury”), which chairs CFIUS, has not issued a statement in connection with the Order, though it has done so in the past in connection with similar such orders. Nevertheless, it is possible to glean several important takeaways from this action:

  1. CFIUS Scrutinizing Closed Transactions. While transactions filed with and approved by CFIUS receive a legal safe harbor from CFIUS re-opening review under most circumstances, there is no statute of limitations on CFIUS’s unilateral review of “non-notified” transactions or its ability to request a filing from parties to such non-notified transactions even years after completion of a covered transaction. CFIUS has, in recent months, been adding staff and other resources to enhance its ability to identify and assess non-notified transactions for potential national security concerns. If CFIUS reviews a closed transaction and identifies an unresolved national security risk, CFIUS may impose mitigation measures. If such measures cannot permanently resolve the national security risk, and if the parties do not voluntarily agree to a divestiture, then CFIUS will recommend that the President order the divestiture of the U.S. business. The risk of divestiture for consummated transactions that have not received a legal safe harbor from a prior CFIUS approval also reflects another important dimension of the CFIUS process — namely, the congressional certification. When CFIUS approves a transaction, Treasury, as chair of CFIUS, and the other co-lead agencies are required to certify to Congress at senior political levels within the agencies that the Committee has resolved all national security concerns. This is a very high legal and, in a sense, political bar, and it has an important disciplining effect within the CFIUS process: senior officials will not make such certifications to Congress lightly, and in turn, CFIUS conducts a very thorough review to ensure that its approvals — and the certifications to Congress — are adequately supported by the record before the Committee. Conversely, if the Committee determines that a transaction threatens to impair the national security and the transaction has already been closed, it becomes more challenging for the Committee to resolve the concern through permanent mitigation — and certify to Congress that it has done so — because it may not be able to account fully for the risk between the time the transaction closed and the time the mitigation comes into effect. In these circumstances, it has become increasingly common for parties that are confronted with CFIUS concerns post-closing to negotiate an agreement to “abandon” the transaction through a voluntary divestiture. Such agreements provide a greater ability for the parties to pursue a controlled exit, rather than a compelled divestiture under a tighter timeline that would typically arise through a Presidential order — such as the one issued for StayNTouch. The fact that there apparently was no such voluntary divestiture in the StayNTouch matter could reflect more acute national security concerns in that matter as well as a failure by the parties to engender confidence with the Committee that the acquirer would cooperate with a voluntary divestiture.
  2. Heightened Scrutiny for Particularly Sensitive Personal Data. StayNTouch provides cloud-based property management system (“PMS”) software to hotels, which suggests that the company likely handles a significant volume of individuals’ travel-related personal information. Additionally, StayNTouch’s software tools leverage ID scanning and facial recognition technology to authenticate hotel guests’ identities, and the platform also is utilized to create and manage room keys. This suggests that the primary national security risk CFIUS identified with the transaction relates to foreign access to the sensitive personal data, including identification and location data, of U.S. citizens, as well as potential access to the rooms of those individuals. The general area of personal data protection is one of increasing concern for the Committee, as underscored by the provisions in the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) and its implementing regulations related to sensitive personal data. With that said, the nature of the data at issue here — hotel guest names, address, contact information, dates of travel, and room information — was likely viewed as particularly sensitive from a national security standpoint, as it could include information on U.S. government travelers and other officials with national security sensitive positions.