Jeff Farrah is the general counsel of the National Venture Capital Association .
Foreign investment scrutiny continues to creep into the startup world via a once obscure U.S. government agency that has new tools and a shift in focus that stands to impact young, high-growth companies in huge ways. The Committee on Foreign Investment in the U.S., or CFIUS, recently made waves when it forced Chinese investors into two American companies to divest because of national security concerns.
There is much to learn from these developments about how government concerns over foreign investment will affect startups and investors going forward.
It is important to understand how we got here. CFIUS has long had the authority to review investments for national security concerns when the investment delivers “control” of a U.S. entity to a foreign entity — and control is defined broadly to mean the ability to determine important matters of the business. CFIUS is the body that rejected Broadcom’s acquisition of Qualcomm to name one well-known example.
The Treasury Department-led body can tap a few powers if it has concerns about an investment, such as blocking it outright, requiring mitigation measures, or—as we saw recently—forcing a fire sale of assets long after a deal is complete.
In the last few weeks, CFIUS has forced Chinese investors to divest from PatientsLikeMe, a healthcare startup that claims to have millions of data points about diseases, and Grindr, the LGBTQ dating app that collects personal data.
Historically, CFIUS’s focus has been on things like ports, computer systems, and real estate adjacent to military bases, but in recent years its emphasis has included data as a national security threat. The Grindr and PatientsLikeMe actions underscore that CFIUS is more focused than ever on how data can pose a security threat.
For example, the U.S. government’s move against Grindr was reportedly motivated by concerns the Chinese government could blackmail individuals with security clearances or its location data could help unmask intelligence agents. These developments make CFIUS highly relevant to tech and healthcare startups, which frequently hold valuable data about customers and users.
Last year, Congress expanded CFIUS’s jurisdiction and gave it new tools to scrutinize even minority, non-controlling investments into critical technology companies or those with sensitive personal data of U.S. citizens if the investor receives certain rights, like a board seat. These might be direct investments into startups by a foreign corporation or individual, or indirect investments into a venture fund by institutional investors like foreign pensions, endowments, or family offices.
Many aspects of the new law have been partially implemented through a pilot program that is impacting foreign investors into venture funds and direct investments into startups. One piece of the law that has not been implemented through the pilot program is the authority of CFIUS to scrutinize certain non-controlling investments into companies that maintain or collect “sensitive personal data of United States citizens that may be exploited in a manner that threatens national security.”
This piece is likely to go into effect in early 2020.
Keep in mind that in the cases of Grindr and PatientsLikeMe, the government relied on its preexisting authority to police investments that delivered control to a foreign person. Due to CFIUS reform, we are likely to see it similarly scrutinize minority, non-controlling investments into companies with sensitive personal data once the authorities are fully in force. Now is the time for investors and startups to go to school on recent cases to understand what is at stake.
Three lessons stand out from the Grindr and PatientsLikeMe actions.
First, CFIUS’s focus has evolved over the years to include control over data-rich companies. That is a trend that is likely to pick up considerably now that Congress has directed the agency to examine some of these deals, even when the investment does not give control to a foreign person.
Second, in both the Grindr and PatientsLikeMe cases, reporting indicates that neither company filed with CFIUS in advance of the transaction, thereby opening both companies up to the deals being unwound. Once CFIUS’s focus on sensitive data expands to non-controlling investments, we can assume CFIUS will not be shy about forcing divestiture for venture-style investments if the parties did not file and get approval for the transaction in advance.
Finally, it is important to understand that while recent newsworthy cases involved China, CFIUS’s jurisdiction applies on a global basis, so its data concerns may port over to investments from other countries as well. The National Venture Capital Association, where I work, is urging Treasury to use authority it has in the CFIUS reform bill to not apply the expansion to non-controlling investments from friendly countries. This makes perfect sense, since the impetus for CFIUS expansion was largely China, and narrowing the scope of foreign actors will help CFIUS focus on true threats. However, as long as the pilot rules are in effect—and perhaps longer—the full suite of CFIUS’s authorities apply whether you are from China, Canada, or Chile.
The one constant of the enhanced foreign investment scrutiny we have seen of late is that it is always shifting. Investors, entrepreneurs, and companies must be on their toes going forward to understand how to raise and deploy capital in innovative American companies.