International Trade & Compliance Alert
April.23.2019
CFIUS热点追踪:对涉及个人可识别信息交易的审查——以Grindr和PatientsLikeMe为例
In the last three weeks, the Committee for Foreign Investment in the United States (CFIUS) has reportedly informed two Chinese companies that they must sell their stakes in two U.S. companies. It is understood that in late March 2019, CFIUS conveyed to the Kunlun Group that it must sell its stake in Grindr, an online dating app. More recently, it was announced that CFIUS ordered iCarbonX, the Shenzhen-based unicorn, to sell its majority stake in the U.S. company PatientsLikeMe. PatientsLikeMe is an online service that links individuals suffering similar health issues in an effort to improve disease detection and treatment.
CFIUS's disposition of these transactions reinforces two points about CFIUS's administration of restraints on non-U.S. investment in the United States for national security reasons:
Non-Cleared Transactions – Exposure to Disturbance by CFIUS
The Kunlun-Grindr and iCarbonX-PatientsLikeMe cases illustrate how foreign investment transactions not cleared by CFIUS are susceptible to disturbance at any time.
Kunlun-Grindr
iCarbonX-PatientsLikeMe
Foreign Company Access to U.S. PII – Exposure to Disturbance by CFIUS
The U.S. government's focus on a foreign company's access to the PII of U.S. citizens is not entirely new. The watershed was the Ant Financial-MoneyGram proposed transaction. In December 2017, Ant Financial Services Group's proposed purchase of MoneyGram International Inc. was de facto blocked due to concerns that Ant Financial would then have access to significant PII as part of the transaction. Another example is the 2018 China Oceanwide-Genworth Financial deal. In that transaction, China Oceanwide Holdings Group Co. first had to implement mitigation measures to prevent "personal consumer information [from] becoming more vulnerable" before CFIUS clearance was granted. Specifically, the mitigation agreement required, among other things, that Genworth use a U.S.-based third-party service provider to manage and protect the personal data of Genworth's U.S. policyholders.
In August 2018, the U.S. Congress codified in the Foreign Investment Risk Review Modernization Act (FIRRMA) that CFIUS is to focus on potential national security concerns associated with the U.S. investment target's maintenance or collection of "sensitive personal data of United States citizens."
Importance of CFIUS Planning
CFIUS's disposition of these transactions underlines the importance of informed CFIUS planning well before proceeding with a foreign investment transaction that could implicate CFIUS's jurisdiction. For Chinese companies in the process of an investment or an acquisition in the U.S., the parties need to resolve whether a filing with CFIUS is mandatory under October 2018 FIRRMA "pilot program" regulations relating to an investment in a U.S. business involved in "critical technology." If not, but the non-U.S. investor could gain control over a U.S. business, the parties should consciously resolve whether they will seek CFIUS clearance for the transaction. Whether to do so may depend on the types and magnitude of national security considerations (such as the target company's PII storage) that the transaction presents.
For any number of reasons, deciding not to notify the transaction to CFIUS may be in the parties' interest. But they should recognize that without CFIUS clearance, the CFIUS Sword of Damocles (large or small as it may be) will hang over the outcome of the transaction.
For Chinese companies that have already invested in or acquired a U.S. company and did not notify CFIUS in the process, it may be prudent to now conduct an internal review of those transactions. The review should cover, among other questions, whether the transaction has made PII of U.S. citizens accessible to the Chinese company. Various measures may then be considered, such as a partial divestment of shareholding in the U.S. company that would eliminate the Chinese company's access to the PII of U.S. citizens. Or the parties could propose that the U.S. company engage a U.S.-based third party service provider to manage and protect the PII of U.S. citizens. By proactively managing this risk going forward, the Chinese company would potentially be in a stronger position with more options than if CFIUS intervenes and demands a fire-sale divestment.