In the last three weeks, the Committee for Foreign Investment in the United States (CFIUS) has reportedly informed two Chinese companies that they must sell their stakes in two U.S. companies. It is understood that in late March 2019, CFIUS conveyed to the Kunlun Group that it must sell its stake in Grindr, an online dating app. More recently, it was announced that CFIUS ordered iCarbonX, the Shenzhen-based unicorn, to sell its majority stake in the U.S. company PatientsLikeMe. PatientsLikeMe is an online service that links individuals suffering similar health issues in an effort to improve disease detection and treatment.
CFIUS's disposition of these transactions reinforces two points about CFIUS's administration of restraints on non-U.S. investment in the United States for national security reasons:
First, as these transactions closed years ago, CFIUS's treatment highlights that a foreign investment transaction is susceptible to disturbance by CFIUS at any time into the indefinite future if CFIUS has not cleared it.
Second, CFIUS's treatment of these transactions shows the importance that CFIUS attaches to a U.S. target company's storage of personally identifiable information (PII) as a potential national security concern.
Non-Cleared Transactions – Exposure to Disturbance by CFIUS
The Kunlun-Grindr and iCarbonX-PatientsLikeMe cases illustrate how foreign investment transactions not cleared by CFIUS are susceptible to disturbance at any time.
The Kunlun Group is a wholly owned subsidiary of Beijing Kunlun Tech Co. Ltd., a listed company in China. The Kunlun Group acquired 100% of the shares of Grindr LLC in two separate transactions. In March 2016, Kunlun acquired 61.53% of the shares of Grindr for US$93 million. In May 2017, Kunlun signed agreements to purchase the remaining shares of Grindr for US$152 million, with the deal closing in January 2018. In August 2018, Beijing Kunlun announced that Grindr was preparing for an IPO.
In March 2019, spurred by data privacy concerns, CFIUS intervened and Kunlun is now in an auction process to sell Grindr. On April 1, 2019, Beijing Kunlun announced it is in communication with CFIUS and has not reached any agreement on this matter.
In January 2017, the U.S. healthtech startup company PatientsLikeMe announced that it received an investment from iCarbonX, the Chinese digital healthcare unicorn, in excess of US$100 million, resulting in iCarbonX being the majority stakeholder in PatientsLikeMe.
In April 2019, it was reported that CFIUS is insisting that iCarbonX fully divest its stake in PatientsLikeMe.
Foreign Company Access to U.S. PII – Exposure to Disturbance by CFIUS
The U.S. government's focus on a foreign company's access to the PII of U.S. citizens is not entirely new. The watershed was the Ant Financial-MoneyGram proposed transaction. In December 2017, Ant Financial Services Group's proposed purchase of MoneyGram International Inc. was de facto blocked due to concerns that Ant Financial would then have access to significant PII as part of the transaction. Another example is the 2018 China Oceanwide-Genworth Financial deal. In that transaction, China Oceanwide Holdings Group Co. first had to implement mitigation measures to prevent "personal consumer information [from] becoming more vulnerable" before CFIUS clearance was granted. Specifically, the mitigation agreement required, among other things, that Genworth use a U.S.-based third-party service provider to manage and protect the personal data of Genworth's U.S. policyholders.
In August 2018, the U.S. Congress codified in the Foreign Investment Risk Review Modernization Act (FIRRMA) that CFIUS is to focus on potential national security concerns associated with the U.S. investment target's maintenance or collection of "sensitive personal data of United States citizens."
Importance of CFIUS Planning
CFIUS's disposition of these transactions underlines the importance of informed CFIUS planning well before proceeding with a foreign investment transaction that could implicate CFIUS's jurisdiction. For Chinese companies in the process of an investment or an acquisition in the U.S., the parties need to resolve whether a filing with CFIUS is mandatory under October 2018 FIRRMA "pilot program" regulations relating to an investment in a U.S. business involved in "critical technology." If not, but the non-U.S. investor could gain control over a U.S. business, the parties should consciously resolve whether they will seek CFIUS clearance for the transaction. Whether to do so may depend on the types and magnitude of national security considerations (such as the target company's PII storage) that the transaction presents.
For any number of reasons, deciding not to notify the transaction to CFIUS may be in the parties' interest. But they should recognize that without CFIUS clearance, the CFIUS Sword of Damocles (large or small as it may be) will hang over the outcome of the transaction.
For Chinese companies that have already invested in or acquired a U.S. company and did not notify CFIUS in the process, it may be prudent to now conduct an internal review of those transactions. The review should cover, among other questions, whether the transaction has made PII of U.S. citizens accessible to the Chinese company. Various measures may then be considered, such as a partial divestment of shareholding in the U.S. company that would eliminate the Chinese company's access to the PII of U.S. citizens. Or the parties could propose that the U.S. company engage a U.S.-based third party service provider to manage and protect the PII of U.S. citizens. By proactively managing this risk going forward, the Chinese company would potentially be in a stronger position with more options than if CFIUS intervenes and demands a fire-sale divestment.