CFIUS Offers Hope for Chinese Acquisitions Involving Personal Data – but the Department of Commerce May Be Taking It Away

We’ve learned that on October 1, 2021, CFIUS cleared the 2016 acquisition of Spigot Inc., a data-driven marketing company, by Genimous Investment Co., Ltd.  According to a pair of October 2021 news reports from China (English and Chinese), CFIUS clearance was conditioned on the following:

  • The majority of the boards of Spigot and of the Genimous overseas holding companies that are Spigot’s intermediate parents will comprise CFIUS-approved U.S. citizens who will establish security policies and serve as the company’s liaison with CFIUS;
  • Genimous will appoint a U.S. security director and compliance officer at the offshore holding company level to implement the new security policies;
  • Spigot will store all data on U.S. persons in the United States;
  • Spigot will not transfer any U.S. persons’ data outside the United States without approval of CFIUS’s appointees; and
  • Spigot will retain a third-party monitoring company to ensure compliance with the data storage and transfer restrictions.

For a number of years, CFIUS has forced Chinese investors to divest their interests in U.S. companies that have access to personal data, including Grindr (online dating) and PatientsLikeMe (medical affinity groups) in 2019; and StayNTouch (hotel management) and TikTok Inc. (personal videos) in 2020.  CFIUS is also currently reviewing Tencent’s pending acquisition of Sumo Group (video games) and is reportedly considering Tencent’s prior investments in video game developers Riot Games and Epic Games. 

The Genimous/Spigot result offers a ray of hope to investors from China subject to CFIUS reviews involving personal data.  Specifically, CFIUS’s acceptance of mitigation conditions demonstrates the Committee’s acknowledgement that offshore access to U.S. persons’ data can be managed sufficiently to allay national security concerns.  These conditions may be the model for addressing similar concerns in other transactions, including the ongoing CFIUS cases involving Tencent and TikTok.

  • Notably, the divestment required by the TikTok divestment order (which should not be—but often is—confused with the rescinded Commerce Department order prohibiting certain transactions with TikTok) has not yet occurred, though the order was issued by former President Trump over a year ago.  In November 2020, TikTok and its parent ByteDance sued to overturn the Trump divestment order.  The matter has been put on hold for a number of 60-day intervals, most recently in October 2021, presumably to continue settlement negotiations.

If, on the other hand, the Tencent and TikTok cases cannot be resolved using the same approach as in Genimous/Spigot, that may indicate either (i) data having a higher level of sensitivity or (ii) concerns unrelated to personal data (e.g., security issues in the software through which the target companies’ products are delivered).

Genimous/Spigot also offers one other reminder to the parties to cross-border investments in U.S. businesses:  If CFIUS has jurisdiction over a transaction, that jurisdiction is perpetual, and CFIUS retains the right to call in the transaction for review at any time.  The Genimous/Spigot transaction was highlighted in a 2018 report by the U.S. Trade Representative, which noted that Genimous’s 2016 acquisition was approved by the Henan provincial government and reflected a shift in Genimous’s business model from electronics products to mobile internet software, which was favored at the time under China’s industrial policies.  The USTR report was likely a factor in CFIUS’s decision to review the transaction so many years after it had closed.

Less encouraging for Chinese investors, however, is the U.S. Department of Commerce’s notice of proposed rulemaking published on November 26, 2021.  Pursuant to earlier rules implementing a 2019 Trump-administration executive order, Commerce has the right to review—and, if deemed necessary, block—certain U.S. transactions with foreign adversaries (specifically including certain parties from China) involving “information and communications technology and services” (ICTS).  In response to a follow-up executive order by President Biden aimed at protecting sensitive personal data, the newly proposed rule would expand the scope of Commerce’s authority to include “connected software applications,” defined as software used on end-user devices that has “the ability to collect, process, or transmit data via the internet.”

As a result, the adoption and implementation of this rule following a comment period ending December 27, 2021, could significantly undercut some of the opportunities presented to Chinese investors by CFIUS’s decision in Genimous/Spigot.