On November 2, Senators Marco Rubio (R-FL) and Raphael Warnock (D-GA) introduced a bill to expand the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) to review foreign investments where sensitive personal information is involved.
The bill, S. 3130, is titled Protecting Sensitive Personal Data Act. It would add one additional type of investment transaction to the current scope of CFIUS’ authority to require declarations for these transactions.
Under the current law, CFIUS is authorized to mandate the submission of a declaration for transactions involving "business that produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies.” The proposed bill would grant CFIUS similar authority with respect to investments in a business that “maintains or collects sensitive personal data of United States citizens that may be exploited in a manner that threatens national security.”
Congress previously passed the Foreign Investment Risk Review Modernization Act of 2018, which expanded the jurisdiction of CFIUS by broadening the scope of covered transactions and added a number of situations when mandatory declaration of the transaction is required. It is worth noting that the current law already requires parties to declare a transaction if it "results in the acquisition, directly or indirectly, of a substantial interest in a United States business” that, among other things, “maintains or collects sensitive personal data of United States citizens,” “by a foreign person in which a foreign government has, directly or indirectly, a substantial interest.”
What this new legislation would do is “expand CFIUS’ authority to issue regulations that require mandatory declarations to foreign investments in U.S. companies that handle sensitive personal data, increasing critical oversight,” according to a statement issued by Senator Rubio along with the bill. It further stated: “Foreign investment is one of the legal means that adversaries, like the People’s Republic of China, uses to stockpile Americans’ healthcare data, creating both privacy and national security risks.”
Senator Rubio also said that “Americans should be deeply concerned about foreign investments in U.S. companies that handle their personal information, which pose a risk of exposing personal data, like genetic testing results and private financial transactions, to harmful actors in China and elsewhere.”
Last year, Senator Rubio urged a CFIUS review of Chinese company Harbin’s acquisition of vitamin retailer GNC, citing concerns over health data of U.S. customers. At the time, GNC responded to such concerns by stating that CFIUS already cleared Harbin’s acquisition of a controlling stake in GNC back in 2018, and that “our consumer data is safeguarded by rigorous standards and none of it is accessible to any foreign nationals." Later, a U.S. Bankruptcy court signed off the deal.
In recent years, Chinese companies have been forced to divest their investments in U.S. companies due to concerns over Chinese companies’ access to personal data. In 2019, the Trump administration ordered Chinese company iCarbonX to divest its investment in PatientsLikeMe, which collects users’ health data. Last year, the administration ordered Beijing Shiji Information Technology to divest its investment in StayNTouch, a hotel management platform, to prevent customers’ data from falling into Chinese hands.
China is also strengthening its control over personal information. Its first Personal Information Protection Law just went into force earlier this week, and it is proposing new rules to govern data exports. Instead of restricting foreign investment in business that involves a large amount of user data, China is curbing companies from transferring local data abroad, through required security assessment and other actions.