United States: CFIUS Rule Puts National Security Spotlight On Investments That Result In Foreign Access To Sensitive Personal Data

Personal data is now a strategic asset under federal regulations. On October 15, 2020, a Final Rule by the Committee on Foreign Investment in the United States (CFIUS or the Committee) will become effective, imposing new requirements for foreign investment in light of national security risks related to sensitive personal data. As we discussed in a recent New York Law Journal article, the US government's view of sensitive personal data as a strategic asset should not be a surprise, but it presents competitive risks to US businesses that focus on data-driven products and services.

CFIUS' role in examining data access

CFIUS is an interagency committee authorized to suspend, modify or prohibit foreign investments in the US where there may be a risk to national security. The Committee even has the authority to force divestitures for completed transactions. In the past, CFIUS has exercised its authority on certain occasions where a foreign party may have access to sensitive data, such as location data, biometric data, health data and certain financial data. For example, in 2018 CFIUS blocked the acquisition of MoneyGram International, a US money transfer provider, by Ant Financial, a Chinese fintech company and Alibaba affiliate, reportedly due to concerns that Ant Financial may provide the Chinese government access to Americans' financial data through MoneyGram.

New requirements

As we explain in our detailed overview of the rule, the new regulations codify the Committee's ability to review transactions where a foreign investor may have control over "the use, development, acquisition, safekeeping or release of sensitive personal data of US citizens." CFIUS has such expanded authority under the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which was designed to expand the jurisdiction of and tools available to CFIUS. Where a foreign government may have access to sensitive personal data through certain involvement in the investment, the parties must submit a pre-closing filing to CFIUS. Even where a filing is not mandated, for certain transactions, the regulations allow the Committee authority to require parties to adopt measures to address potential security risks.

Our take

With the new regulations coming into effect shortly, many more foreign investments will come under scrutiny, especially those involving data-driven companies. This may well create a chilling effect for foreign investment, particularly in emerging companies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.