On March 27, 2019, journalists affiliated with Reuters reported that the Kunlun Group (“Kunlun”), a China-based tech firm, was preparing to sell its wholly owned subsidiary, Grindr, after the Committee on Foreign Investment in the United States (“CFIUS”) informed the group that Kunlun’s continued ownership of Grindr constituted a national security risk. This forced divestiture of Grindr is a pointed reminder that CFIUS remains focused on protecting the sensitive personal data of U.S. citizens, has the power to upend closed deals that have not been cleared by the committee, and is dedicating increased resources to the review of transactions that are not notified to CFIUS.
Grindr, which describes itself as “a geosocial networking and online dating application geared towards gay, bi, trans, and queer people” and reportedly has 27 million users, requires potentially personally identifiable information from users (e.g., account credentials, unique device identifiers, and last known device locations). In addition, users can voluntarily provide, among other details: ethnicity, age, height, weight, relationship status, and personal messages. Grindr also allows its users to share on its platform information “concerning health characteristics, such as . . . HIV status” or last date tested for HIV. In short, Grindr collects and maintains a substantial amount of sensitive personal information.
Protecting the sensitive personal data of U.S. citizens continues to be a major focal point for CFIUS. In the case of Grindr, CFIUS may have been specifically concerned about the data of military and intelligence personnel, or other persons with access to information of potential interest to foreign intelligence agencies and potentially vulnerable to blackmail. The attempted acquisition in 2017 of MoneyGram, a U.S. money transmitter business with a strong presence at and around military bases, by Ant Financial, a fintech affiliate of the Chinese Alibaba group, was also blocked by CFIUS, apparently because of the risk of access to potentially sensitive personal financial data. CFIUS has previously raised concerns about transactions that involve the personal data of U.S. officials, such as the acquisition by Fosun International Ltd., a Chinese investment company, of Ironshore Inc. and its subsidiary Wright & Co., which reportedly insured U.S. law enforcement and national security personnel.
CFIUS’s concern about protecting personal data is shared by Congress, which made protecting sensitive personal data a central feature of its recent reforms to the CFIUS process. The Foreign Investment Risk Review Modernization Act (“FIRRMA”), enacted in August 2018, calls out transactions involving businesses that maintain or collect the sensitive personal data of U.S. citizens, together with certain transactions involving critical technology or critical infrastructure, as requiring additional scrutiny of potential foreign influence and access to non-public information.
Also notable was CFIUS’s decision to review the Grindr acquisition more than three years after Kunlun gained control. Kunlun acquire 60 percent ownership and effective control of Grindr in January 2016. In January 2018, Kunlun acquired the remaining ownership interests of Grindr and replaced Grindr’s longtime CEO and founder, Joel Simkhai, an Israeli national, with Yahui Zhou, the Chairman of the Kunlun Group and a Chinese national. Because CFIUS does not provide individual case information (except in the rare instances where they issue a formal blocking order), we do not know whether the Chinese acquisition of control three years ago or the Chinese assumption of a day-to-day operational role last year formed the impetus for CFIUS’s recent actions. Either way, CFIUS’s actions were taken post-closing, emphasizing the risk to acquirors of proceeding with a transaction raising potential CFIUS concerns without completing the voluntary filing process.
Although post-closing reviews and remedial actions have been relatively infrequent (though far from unknown) in the past, FIRRMA also anticipates an enhanced focus on “non-notified” or “non-declared” transactions that fall within CFIUS jurisdiction. FIRRMA provides for a filing fee and additional appropriations for CFIUS and its member agencies to hire additional leadership and staff and otherwise administer the CFIUS process. One of the prime targets for these additional resources will be improving CFIUS’s ability to identify and review non-notified transactions of interest.
Parties engaged in transactions in which CFIUS may be interested should take note of CFIUS’s broad definition of “national security” and increasingly assertive reviews of non-notified transactions. This does not mean that every borderline case outside the mandatory filing regime should be notified to the committee, but parties should think carefully, in consultation with CFIUS counsel, about potential national security issues raised by transactions, the risk that CFIUS will take interest, and the costs and benefits of notification.
This post comes to us from Cleary, Gottlieb, Steen & Hamilton. It is based on the firm’s blog post, “CFIUS Forces Kunlun to Unwind 2016 Acquisition of Grindr over Concerns about the Protection of Sensitive Personal Data,” dated April 5, 2019, and available here.