In recent weeks, Reuters and other media outlets have reported that Beijing Kunlun Tech Co., Ltd. (Kunlun), the owner of the popular gay dating app Grindr, was seeking to sell the app due to concerns raised by the Committee on Foreign Investment in the United States (CFIUS). CFIUS is the interagency US government committee with authority to review foreign acquisitions of, and certain investments in, US companies that present US national security concerns.
According to these reports, CFIUS initiated a review of Kunlun’s acquisition of the US-based Grindr based on the sensitive nature of the personal data the app collects on US citizen users. The Grindr case has generated headlines due to the odd paring of a dating app owned by a Chinese gaming company and US national security. In our view, the case confirms the continued validity of several recent trends in US government policy and procedures for reviewing foreign investments in the United States.
- CFIUS Remains Focused on Access to Personal Data
CFIUS’s primary concern with Kunlun’s ownership of Grindr almost certainly relates to the data that the app collects on its users. Grindr’s website indicates that it has “millions of daily users,” a significant number of whom are in the United States, and the app collects a variety of sensitive information about its users, including location, private messages, and in some cases HIV status, among other things.
CFIUS’s focus on personal data is a marked change from just a few years ago, when personal data was rarely considered a primary concern for the Committee. Given developments over the last few years, however, it is not surprising that CFIUS expressed concerns about a Chinese investment in a US company that collects substantial amounts of US person data.
In its most recent annual report published in September 2017, CFIUS indicated that it had identified national security vulnerabilities in US companies that “hold substantial pools of potentially sensitive data about US persons and businesses” in “any number of sectors, including, for example, the insurance sectors, health services, and technology sectors.” In August 2018, the Foreign Investment Risk Review Modernization Act (FIRRMA) expanded the Committee’s jurisdiction to review foreign investment in US companies that maintain or collect “sensitive personal data of United States citizens that may be exploited in a manner that threatens national security.” (See additional information on FIRRMA in our advisory here.) And in January 2019, the US Director of National Intelligence testified that the “pursuit” by China of “US person data” is “a significant threat to the US government and private sector.”
Personal data concerns were also paramount in the Genworth Financial Inc. and China Oceanwide Holdings Group Co., Ltd. deal, which was ultimately approved by CFIUS but only after the parties were forced to withdraw their notice to the Committee and refile it with a proposal for additional, significant mitigation measures. Additionally, on April 4, 2019, reports emerged that CFIUS was also requiring China-based iCarbonX to divest its stake in PatientsLikeMe, an online service that helps individuals with similar health conditions connect, due to personal data concerns.
- China Continues to Be the Country of Largest Concern
Kunlun is a Chinese company. Not surprisingly, transactions with Chinese buyers have been a focus of the Committee. This is particularly true with respect to personal data and with respect to the tech sector where CFIUS has reportedly scuttled a number of deals with Chinese buyers. Many observers, including a number of key members of Congress, viewed the passage of FIRRMA and the recent rollout of the CFIUS “pilot program” for investments in US “critical technology” as specifically aimed at countering China (although the act and pilot program apply to investments from all countries).
- CFIUS’s Unilateral Review of Deals is Becoming More Common
With the exception of the “pilot program,” the traditional CFIUS process has been, and remains, voluntary. In most transactions, there is no requirement to file for CFIUS approval. However, CFIUS review and approval of a transaction provides a safe harbor against a future unilateral review of the deal by CFIUS, even well after a deal has closed. As apparently happened with Grindr, a unilateral review can have dramatic consequences, including the potential unwinding of the transaction.
Kunlun acquired Grindr in two separate deals in 2016 and 2018. According to reports, neither party submitted these transactions to CFIUS for review. That decision to forego the voluntary review process is what allowed the Committee to initiate a unilateral review and ultimately (apparently) require Kunlun’s post-closing divestment of Grindr. These retroactive reviews almost invariably impact the foreign investor more than the original owners of the US target company.
In recent years, the Treasury Department has indicated its desire to strengthen CFIUS’s process for identifying and flagging potentially problematic non-notified transactions. FIRRMA provides a number of tools, including the authorization of a (yet-to-be implemented) filing fee, that should bolster the Committee’s resources, allowing it to engage in additional review of transactions not voluntarily filed. For these reasons, we expect unilateral review of non-notified transactions by CFIUS to become increasingly common.
- CFIUS is Increasingly Likely to Find Mitigation Measures Insufficient
Historically, outright rejection of a transaction by CFIUS has been rare. Typically, when CFIUS identifies national security concerns the Committee will negotiate with the parties to implement so-called “mitigation measures” to alleviate the concern. Mitigation measures have varied widely. However, for issues related to sensitive US person data, mitigation may include restrictions on access to the data by foreign persons.
In recent years, CFIUS has indicated in words and in practice that it is less willing to adopt mitigation measures – particularly when mitigation would require substantial US government oversight or where compliance with mitigation cannot be easily verified. Reporting suggests that outright rejections of transactions have become increasingly common under the Trump Administration, particularly with respect to deals involving Chinese buyers. In many cases, the “mitigation” most likely to succeed under current CFIUS practice involving a global business with US operations is to carve the “US business” out from the scope of the proposed investment.
- Grindr is a Rare Case of Post-Closing Divestment
If Grindr is sold at the request of CFIUS, it will turn out to be one of a handful of cases in which CFIUS’s objections have led to the unwinding of a transaction post-closing. Although the President can order an unwinding, CFIUS’s strong concerns about a transaction can convince parties to “voluntarily” unwind a deal rather than face a presidential directive to do so. While there are no complete public data on this issue, our sense is that post-transaction “unwinding” remains relatively rare. In 2013, it was reported that Procon Resources Inc. divested its interest in Lincoln Mining Corporation because of pressure from CFIUS, although a formal presidential order was not issued in the matter. In 2012, President Obama issued an order requiring the divestment of four windfarms located in close proximity to a US defense installation by Ralls Corporation.
While unwinding of transactions remains rare, we expect to see more cases in this posture, given CFIUS’s increased focus on non-notified transactions and the Trump Administration’s seeming willingness to use the CFIUS process more aggressively to block deals than under prior administrations.