ARGUMENT: Data security

How a Norwegian Government Report Shows the Limits of CFIUS Data Reviews

Published 3 May 2021

Amid growing attention to data and national security threats from China, a recent Norwegian government report sheds light on the limits of a U.S. government process for tackling them: the Committee on Foreign Investment in the United States (CFIUS). Kamran Kara-Pabani and Justin Sherman write that “CFIUS is still a useful and important mechanism for addressing the national security risks associated with direct foreign access to sensitive U.S. citizen data,” but that “policymakers must recognize that CFIUS must be complemented with other measures outside of the body’s scope.”

Kamran Kara-Pabani and Justin Sherman write in Lawfare that in 2019, CFIUS, which reviews foreign investments in sensitive U.S. companies for national security risks, initiated a review of Chinese company Beijing Kunlun Tech’s 2016 and 2018 investments into dating app Grindr. Beijing Kunlun Tech had a more than 98 percent ownership stake in Grindr.

The committee’s logic was that Grindr’s user data, including on sexual orientation, sexual behavior and health data, was too sensitive to risk ending up in the hands of the Chinese government via the Chinese owner. CFIUS went through its review process and, though the specifics of that review are classified, it reportedly asked Beijing Kunlun Tech to sell Grindr in March 2019, which the company then did in March 2020 to San Vicente Acquisition LLC, a U.S.-incorporated group of tech investors and entrepreneurs.

Yet a recent Norwegian government report on Grindr found that the application is sharing data with a range of third parties including data brokers—meaning data on the application’s users is traveling far beyond the bounds of just that company. This all raises the question: Is forcing the sale of a sensitive-data-holding company from a Chinese firm enough to mitigate national security risks when the data can still end up in that Chinese firm’s, or the Chinese government’s, hands?

This post uses Grindr as a case study of how CFIUS reviews of data security risks may be insufficient to fully limit the spread of sensitive data to foreign governments. It examines what happened in 2019, what the Norwegian report found, and how this fits into a broader context of reforming U.S. federal processes to identify and mitigate the spread of sensitive U.S. citizen data. To respond to this issue, we recommend that policymakers take a far more comprehensive view of data brokerage and data sharing when approaching data security risks to the United States and that they make CFIUS tools only one part of a broader U.S. policy toolbox.

CFIUS is still a useful and important mechanism for addressing the national security risks associated with direct foreign access to sensitive U.S. citizen data, Kara-Pabani and Sherman conclude, “But policymakers must recognize that CFIUS must be complemented with other measures outside of the body’s scope… the fact remains that policies on the privacy and security risks of U.S. data leaks should build up and leverage a toolkit much broader than just CFIUS.”