Historically, foreign investors in U.S. retailers have not considered as a potential impediment to raising capital or M&A activity the clearance of such transactions under the foreign investment regulations administered by the Committee on Foreign Investment in the United States (CFIUS or the Committee). Recent actions by CFIUS, however, suggest that foreign investment in any U.S. company, including retailers, that collects sensitive personal data of U.S. citizens is at potential risk of CFIUS review and remedial action, particularly where the transaction involves Chinese investors.

CFIUS is a federal interagency committee charged, pursuant to Section 721 of the Defense Production Act of 1950 (Section 721), with administering the review process for foreign investments in the United States that raise national security issues. The Committee is composed of senior officials of the U.S. Departments of Treasury, Defense, Justice, State, Homeland Security, Labor, Energy and Commerce, as well as various other senior government officials (e.g., the director of National Intelligence, the U.S. Trade Representative, the director of the Office of Science and Technology Policy, and others). Prior to 2018, review of transactions by CFIUS under Section 721 was entirely “voluntary” and it was never unlawful to close a transaction without obtaining CFIUS approval; however, if a foreign person acquired control over a U.S. business without obtaining CFIUS approval, and if CFIUS later determined that such acquisition could adversely affect U.S. national security, CFIUS and the president had the authority to require the owner of such U.S. business to take various steps up to and including the divestiture of the acquired U.S. business.

In August 2018 Congress passed, and the president signed into law, the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which modernized and expanded CFIUS’s authority in various respects and made it unlawful to consummate a relatively narrow subset of transactions potentially affecting U.S. national security without prior CFIUS approval. Before FIRRMA, CFIUS had on relatively rare occasions blocked transactions, on national security grounds, in which a foreign buyer had acquired control of a U.S. business that had substantial personal information about U.S. persons. For example, in January 2018, it blocked the sale of MoneyGram International Inc., a money transfer company, to Ant Financial, a Chinese electronic payments company, even after the buyer proposed to take certain steps to mitigate concerns over the safety of data that could be used to identify U.S. persons. After FIRRMA (which specifically codified CFIUS’s consideration of the national security issues associated with sensitive personal information), CFIUS has seemed to show an increased willingness to intervene in transactions that involve U.S. businesses with significant sensitive information regarding U.S. persons.

In April 2019, it was publicly disclosed that two Chinese investors were being forced to divest their interests in three U.S. companies over personal data concerns.

  • In 2015, a Chinese gaming company acquired 60% of (and control over) the entity that owned Grindr, a popular dating app that describes itself as the world’s largest social networking app for gay, bi, trans and queer people; in early 2018, the acquirer acquired the remaining 40%. In April 2019 news services reported that CFIUS had ordered the Chinese gaming company to sell Grindr. Although CFIUS does not publicly explain its actions, it appeared that the divestiture of Grindr was due to national security concerns over Chinese access to information related to HIV status and other personal information the app collects on its users. Grindr’s owner was given until June 2020 in which to find a buyer for Grindr.
  • In April 2019, PatientsLikeMe Inc., a U.S.-based health care company that collects health data on its approximately one million users, disclosed that CFIUS was forcing its Chinese majority shareholder, iCarbonX, to divest its interest. At about the same time, news sources reported that CFIUS had likewise ordered iCarbonX to divest its interests in HealthTell, Inc., another health care company that collects sensitive health data on U.S. citizens.

These recent actions by CFIUS suggest that parties to any transactions involving a foreign acquisition of (or investment in) a U.S. retail business should carefully consider whether such retail business collects and maintains sensitive personal data of U.S. citizens as part of the diligence for any such transaction. This consideration appears to be particularly important in transactions involving Chinese investors.