The U.S. Department of the Treasury finalized the new Committee on Foreign Investment in the United States ("CFIUS") regulations, which became effective on February 13, 2020.1

Amongst other matters, the new regulations significantly expand CFIUS's jurisdiction for non-controlling investments, including the review of transactions involving U.S. businesses that manage or collect "sensitive personal data" of U.S. citizens. Notably, section 721 of the Defense Production Act of 1950, authorizes CFIUS's jurisdiction to review covered transactions for national security implications, and enumerates the President's authority to "suspend or prohibit any covered transaction that threatens to impair the national security of the United States."

Since taking office, President Trump has exercised this authority three times. The first two blocked transactions occurred in 2017 and 2018 (see our previous newsletter article for more details). Most recently and as discussed below, President Trump prohibited a Chinese company from acquiring a U.S. hotel-software company. Overall, U.S. Presidents have only exercised the authority to block certain covered transactions due to national security concerns six times, three of which have occurred during the past three years.

New Executive Order

On March 6, 2020, President Trump issued an Executive Order ("EO"),2 requiring publicly traded Chinese company Beijing Shiji Information Technology Co., Ltd. and its wholly owned subsidiary, Shiji (Hong Kong) Ltd. (collectively referred to as "Shiji"), to divest its 2018 acquisition of StayNTouch, Inc. ("StayNTouch"), a U.S.-based hotel-management software company. StayNTouch offers hotels cloud-based property management systems that help track reservations, guest check-in/out, and several other services.

Pursuant to the EO, there is credible evidence that Shiji through its acquiring interest of StayNTouch "might take action that threatens to impair the national security of the United States." The EO states that within 120 days (with a possible 90-day extension from CFIUS), Shiji must fully divest all its interests in StayNTouch.

The EO does not detail CFIUS's concerns with the acquisition, but in the interim the EO does prohibit Shiji from accessing any hotel guest data through StayNTouch. Additionally, the EO requires that within seven days, Shiji must ensure that controls are in place to prevent such data access until the divestment has been completed and verified to the satisfaction of CFIUS. As such, it can be inferred that at least one of CFIUS's concerns was that StayNTouch's cloud-based system could provide Shiji access to a large database of personal and financial information of U.S. citizens.

Details of CFIUS reviews are typically kept confidential and the Shiji acquisition of StayNTouch was no exception. Shiji and StayNTouch issued press releases, noting their disappointment and disagreement with the EO, and stating that Shiji offered a range of significant proposals to mitigate any concerns by the U.S. Government, including further restricting access to guest data and appointing an independent monitor to ensure these protections. But it appears that CFIUS did not accept the proposals and ultimately recommended that this transaction be divested.

Significantly, the EO also authorizes CFIUS to implement measures as it deems necessary and appropriate to verify compliance with the EO, including permitting CFIUS-designated U.S. Government employees access to StayNTouch's U.S. premises and facilities, on reasonable notice to Shiji and StayNTouch, to:

(i) "inspect and copy any books, ledgers, accounts, correspondence, memoranda, and other records and documents in the possession or under the control of [Shiji] or StayNTouch that concern any matter relating to this order";

(ii) "inspect or audit any information systems, networks, hardware, software, data, communications, or property in the possession or under the control of [Shiji] or StayNTouch"; and

(iii) "interview officers, employees, or agents of [Shiji] or StayNTouch concerning any matter relating to this order."3

2019 Sensitive Personal Data Cases

This EO is the first occurrence of a presidential order blocking a covered transaction based on sensitive personal data concerns. But it does not come as a surprise, because it follows two cases in 2019 of Chinese companies having to divest their acquisitions of U.S. companies, reportedly after CFIUS raised concerns about access to personal data of U.S. citizens.

Unlike Shiji, the 2019 cases were not formally/publicly blocked transactions by CFIUS or the president. Instead, the media reported that these agreed-upon divestments were made pursuant to CFIUS's requirements to have the companies divest their acquisitions either "voluntarily" or through a presidential EO. Ultimately, both Chinese companies "voluntarily" divested their acquisitions of the U.S. companies.

In the first instance, according to media reports, CFIUS required Chinese gaming company Beijing Kunlun Tech Co. Ltd. to divest its 100% ownership of Grindr, LLC ("Grindr"). Grindr is a dating app whose database contains personal information of over 27 million users, including a user's location, HIV status, and other personal details.

Moreover, CFIUS also required iCarbonX, a Chinese genome company, to divest its majority ownership of U.S. company, PatientsLikeMe Inc. ("PatientsLikeMe"). PatientsLikeMe provides a platform for patients with the same diseases to connect with one another and exchange information. The company collects important personal data, including a user's name, date of birth, various genome analysis, biographic and demographic information, condition/disease information, and laboratory results and biomarkers.

Importantly, CFIUS was not notified of the Grindr or PatientsLikeMe acquisitions by foreign investors. CFIUS reviewed the transactions after they were completed and ordered that the transactions be unwound several years later.

***

The March 6, 2020 EO is the most recent example of CFIUS closely scrutinizing foreign investments in certain U.S. businesses. In addition to implementing the new CFIUS regulations, CFIUS is not hesitant to require the unwinding of covered transactions that have been completed in the past. Companies should be aware that CFIUS will likely continue to review non-notified investments from the past several years and may require that the foreign acquisitions be divested.

Small companies should carefully consider the recent cases because, while they may appear to only affect large companies and acquisitions, small acquisitions and investments with minimal risk when the transaction is completed could generate enhanced risks due to the company's increased growth and exposure.

For more information on the new regulations and whether your future investments in the U.S. could trigger CFIUS filings, please do not hesitate to contact us.

Footnotes

1 See Provisions Pertaining to Certain Investments in the United States by Foreign Persons, 85 Fed. Reg. 3112 (Jan. 17, 2020) (codified at 31 C.F.R. pt. 800); Provisions Pertaining to Certain Transactions by Foreign Persons Involving Real Estate in the United States, 85 Fed. Reg. 3158 (Jan. 17, 2020) (codified at 31 C.F.R. pt. 802).

2 Exec. Order of March 6, 2020, 85 Fed. Reg. 13,719 (Mar. 10, 2020).

3 Id.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.