TikTok Ban: How CFIUS Can Block Foreign M&As for Privacy Concerns6 min read

The TikTok ban is now a long story. Countless press articles relate the latest twists. But here, I focus on the actual national security rules that allow the US to force the Chinese company out. I’m not taking sides, but I’d like to bring attention on how privacy concerns can now trigger national security reviews and block foreign investors deemed suspicious. This is a defensive mechanism against the weaponization of personal data in the cyberwarfare playing out.

The following contains elements of my PhD thesis defended at Shanghai Jiao Tong University in December 2019.

CFIUS National Security Review: Blocking Suspicious Foreign Investors

National Security Reviews of foreign direct investments allow a state to block a deal that undermines its national security. It can also order mitigation measures, such as divesting strategic assets. The US mechanism is the oldest and most developed; it is led by the Committee on Foreign Investment in the United States (CFIUS).

Created to Control Japanese Investments

The United States’ system is the most advanced example of a national security review mechanism. In 1975 President Ford established the Committee on Foreign Investment in the United States (CFIUS). Following the Exon-Florio amendment in 1988, the committee received the authority to review and block foreign investment threatening national security. At that time, a TikTok ban or even a cyberwarfare was not in the minds. This evolution was provoked by political concerns following a wave of acquisitions of U.S. companies by Japanese investors that even has been called “economic Pearl Harbor.” The law has since been amended at several occasions, each time in response to new controversial acquisitions, like the purchase of a missile producer by France’s Thompson (today’s Thales).¹ Moreover, the U.S. has increased the emphasis on national security after the September 11, 2001 events and due to the increase of economic globalization.²

CFIUS and the Enactment of FIRRMA: Personal Data are now Strategic Assets

Before the TikTok ban case, in 2018, another transaction prefigured the U.S. change on national security reviews, to include personal data. China’s Alibaba proposed a USD 1.2 billion acquisition of Moneygram, a U.S. online payment service, in a move to expand internationally its own online payment service, Alipay. This transaction went through a CFIUS review. Here, the fact that the Chinese company would hold financial data of U.S. citizens allegedly implied threats on national security. On January 2, 2018, Alibaba and Moneygram publicly announced they decided to abandon the deal.

Later the same year, the Congress passed the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), that President Trump signed into law on August 13, 2018. It considerably expands the jurisdiction of CFIUS in different ways that won’t detail here. What matter to us for the TikTok ban is that CFIUS’s jurisdiction now comprises not only investments in companies dealing with U.S. critical infrastructures and technologies, previously covered, but also companies handling sensitive personal data of U.S. citizens. There is no clear definition of what “sensitive personal data” are. FIRRMA only provides that such data “may be exploited in a manner that threatens national security. This broad scope is typical of national security review rules; they must remain adaptable to the many situations that may happen.

TikTok Ban: How Did the App Fall Under CFIUS Review’s Scope?

It’s simple. ByteDance, TikTok parent’s company, acquired Musical.ly in 2017. It gave way for CFIUS to open an investigation in 2019 over the Musical.ly acquisition.

Without a local CFIUS, is a TikTok Ban Possible in the European Union?

Europe isn’t yet a nation like China or the US, which prevents it from controlling foreign investment for national security. Indeed, national defense and public security are within the exclusive competence of Member States. However, more and more EU Member States have their own national security review framework. They are now fourteen to have such mechanism for filtering foreign investments. Those are: France, UK, Germany, Spain, Italy, Poland, Sweden, Austria, Latvia, Lithuania, Netherlands, Hungary, Portugal, Finland.

A significant change in the EU approach happened in April 2019, when the regulation 2019/452 establishing a framework for the screening of foreign direct investments into the Union (FDI Regulation) entered into force.³

The purpose of the FDI regulation is to establish a cooperation and information-sharing mechanism among EU Member States and the Commission for the reviewing FDI into the EU that are likely to security or public order.⁴ Factors to be considered by Member States or the European Commission for the screening process include “access to sensitive information, including personal data, or the ability to control such information.”⁵

To date, banning TikTok in Europe would only be possible on a state by state basis. But, most importantly, it would first require that ByteDance had acquired an app from that country, like it did in the US. Which, to my knowledge, was not the case.

A Last Note: National Security reviews in China

Blocking foreign direct investment deals using a national security review has been used as retorsion measures in the past. Therefore, a quick introduction to China’s mechanism may be useful.

Like the U.S., China felt the need to control M&As by foreign investors in strategic sectors. Initially, “China’s national security review of foreign direct investment [had] the same motivations as the United States’ [CFIUS] review, but it [was] much murkier and less efficient.”⁶ In 2011, new Chinese regulations came in force to improve the security review system, mostly through transplantation of the CFIUS mechanism.⁷

Therefore, China now also have a legal framework allowing it to block the purchase of a strategic data controller by a foreign entity. However, unlike the U.S. or the EU, it does not yet specifically seek to protect personal data; considering the rapid pace of evolution in this domain, this may change soon.