According to news articles, the Committee on Foreign Investment in the United States (CFIUS) is reviewing the two-year-old acquisition of Musical.ly, now part of TikTok, over national security concerns regarding China’s access to sensitive personal data of the app’s users.1  An additional concern raised by Senator Marco Rubio is the Chinese Government’s potential censorship of content on the TikTok platform that is “not in line with the Chinese Government and Communist Party directives.”2  Review of this transaction could potentially lead to a forced divestiture of TikTok.  It is the latest in a list of Chinese acquisitions of software apps that have been reviewed by CFIUS more than a year post-closing.

In November 2017, Beijing-based company ByteDance purchased the app Musical.ly for roughly $1 billion and later combined it with a similar app, TikTok.  TikTok is a platform that allows users to create and share short videos and to connect with other users. The app has approximately 1.5 billion active monthly users worldwide, 26.5 million of which are located in the United States. The growing popularity of the app led to bipartisan concern about how ByteDance handles the user information and whether the Chinese government can compel ByteDance to hand over user information such as user location, name, age, and IP address. Earlier this year, TikTok also received the then-largest-ever fine under the Children’s Online Privacy Protection Act (COPPA) for its failure to properly handle children’s information.

On October 9, Senator Marco Rubio sent a letter to Secretary of Treasury Steve Mnuchin expressing concern that TikTok was potentially censoring videos and information about the widespread protests in Hong Kong. On October 23 this was followed by a letter from Senators Chuck Schumer and Tom Cotton to Acting Director of National Intelligence Joseph Maguire.3 The letter stated that “[w]hile [ByteDance] has stated that TikTok does not operate in China and stores U.S. user data in the U.S., ByteDance is still required to adhere to the laws of China,” including “laws compel[ling] Chinese companies to support and cooperate with intelligence work controlled by the Chinese Communist Party.”  Referring to TikTok as a “potential counterintelligence threat,” the Senators requested a review of the company.

CFIUS has the authority to review and potentially block foreign acquisitions of U.S. businesses and alternatively to retroactively review a deal and force a company to divest foreign interests. In 2019 alone, CFIUS has forced the divestiture of two other Chinese-acquired apps, PatientsLikeMe and Grindr.  PatientsLikeMe, an app that allowed users to input information about medical conditions to connect with others with similar conditions, was purchased by Chinese company iCarbonX in 2017. Due to the sensitive medical information that patients uploaded onto the PatientsLikeMe platform, and the potential for misuse of that data in the interests of China, CFIUS retroactively reviewed the deal and forced divestiture. Similarly, the dating app Grindr, which gathers information such as geolocation and HIV status, was purchased by Chinese company Beijing Kunlun Tech, beginning with a 60% majority stake in 2016 and completing a full acquisition in January 2018.4  In early 2019, under pressure from CFIUS, Beijing Kunlun Tech sold Grindr at auction. 

While CFIUS does not publicize the reasons for its decisions, news organizations reported speculation that national security was implicated because China could potentially blackmail and otherwise influence U.S. government or military personnel through data gained from these apps.

Although the transaction of Musical.ly was apparently subject to CFIUS review under pre-existing rules, the recent changes and expansion of CFIUS’s authority includes special focus on businesses that maintain or collect sensitive personal data. Once the final regulations are issued, CFIUS will have authority to review even non-controlling, but non-passive, investments in businesses that maintain sensitive personal data of greater than one million individuals, as discussed below. The popularity of the TikTok platform in the United States far exceeds this threshold, with approximately 26.5 million monthly U.S.-based users according to the company.

We have written about the recently expanded CFIUS authorities under the Foreign Investment Risk Review Modernization Act (FIRRMA) here, here, and here.  

The ten categories of sensitive personal data include data “that could be used to analyze . . . financial distress or hardship,” the sets of data found in consumer reports, insurance applications, and U.S. Government clearance applications, physical and mental health data, geolocation data. The definition also includes non-public electronic communications, but only if the primary purpose of the product or service is to facilitate communications. Finally, the definition expressly recognizes biometric data, including facial, voice, iris, and fingerprint data, categories that are becoming more commonly used.

Regardless of the outcome of the Tiktok review, these divestitures and other preemptive blockages by CFIUS over data privacy concerns seem to demonstrate a focus on access to personal data as a driving force for CFIUS. With public support from both parties and national security interests at stake, we anticipate the handling of sensitive personal data will continue to be a top concern to trigger CFIUS review.  Further, the willingness of CFIUS to force divestiture of closed deals means companies should still carefully consider whether to disclose transactions that do not trigger mandatory filing requirements.  

Footnotes

1 https://www.reuters.com/article/us-tiktok-cfius-exclusive/exclusive-u-s-opens-national-security-investigation-into-tiktok-sources-idUSKBN1XB4IL

2 Letter from U.S. Sen. Rubio to Secretary of the Treasury Steve Mnuchin, Oct. 9, 2019, https://www.rubio.senate.gov/public/_cache/files/9ba023e4-2f4b-404a-a8c0-e87ea784f440/FCEFFE1F54F3899795B4E5F1F1804630.20191009-letter-to-secretary-mnuchin-re-tiktok.pdf

3 Letter from U.S. Sens. Schumer and Cotton to Acting Director of National Intelligence Joseph Maguire, Oct. 23, 2019, https://www.democrats.senate.gov/imo/media/doc/10232019%20TikTok%20Letter%20-%20FINAL%20PDF.pdf

4 Why is the U.S. forcing a Chinese company to sell the gay dating app Grindr?, Washington Post, Apr. 3, 2019, https://www.washingtonpost.com/politics/2019/04/03/why-is-us-is-forcing-chinese-company-sell-gay-dating-app-grindr/

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.