TikTok and Oracle Ink Data-Storage Agreement in Apparent Effort to Avoid Further CFIUS Scrutiny

What is CFIUS?

CFIUS is an inter-agency body made up of U.S. federal government agencies tasked with evaluating whether foreign investments in U.S. businesses raise national security concerns. Every year, hundreds of transactions involving foreign investment undergo review by CFIUS. If CFIUS identifies any risks to national security, it has the authority to enforce conditions on the parties to mitigate those risks, or to refer the transaction to the U.S. President, who can suspend or prohibit a transaction that threatens to impair the national security of the United States.

Background on CFIUS Review of ByteDance

TikTok’s new partnership with Oracle is the latest chapter in a saga dating back to the Trump administration. On August 14, 2020, then-President Donald Trump issued an executive order forcing the Chinese internet and technology company, ByteDance, to sell or spin off its U.S. TikTok business within ninety days. According to the order, there was “credible evidence” that ByteDance might take action that threatens to impair the national security of the United States. The order further stated that any sale or transfer of TikTok would be subject to CFIUS approval.

The following month, ByteDance made a tentative deal to create a U.S. subsidiary called TikTok Global, which would be part-owned by Walmart Inc. (“Walmart”) and Oracle. Under the terms of the deal, ByteDance would still own eighty percent of the business. The proposed agreement sought to address CFIUS’s stated national security concerns through the provision of secure technology, and received then-President Trump’s blessing. Nevertheless, the deal soon began to unravel in the midst of successful legal challenges brought by ByteDance.

While pursuing the Walmart/Oracle deal, ByteDance simultaneously sought court review of the divestment order. On September 27, 2020, the U.S. District Court for the District of Columbia partially granted a preliminary injunction against the Trump administration, halting a ban that would have immediately forced TikTok off of application stores run by companies such as Apple and Google.¹ One month later, another federal district court fully blocked the Trump administration’s attempt to ban TikTok in the United States in a suit brought by three online influencers.² The court noted that a nationwide injunction was necessary to provide “complete relief” to the plaintiffs, who would otherwise lose their millions of U.S. followers.³ Then, in December 2020, the U.S. District Court of the District of Columbia granted the rest of the preliminary injunction originally sought by ByteDance in September 2020 and declared the injunction to be nationwide, ruling that President Trump had overstepped his authority in using his emergency economic powers to effectively put TikTok out of business.⁴

When President Joe Biden entered office in January 2021, the plan to force the sale of TikTok’s U.S. operations to Walmart and Oracle was shelved indefinitely, as the Biden administration undertook a broad review of his predecessor’s efforts to assess potential security risks from Chinese technology companies. Last summer, the U.S. Court of Appeals for the District of Columbia Circuit granted a motion to voluntarily dismiss the government’s pending appeal against TikTok.⁵ In the meantime, ByteDance quietly resumed negotiations with Oracle in an effort to assuage any of CFIUS’s lingering concerns about data security at TikTok, with the latest news on these efforts revealing the migration of U.S. users’ information to servers at Oracle.

What This Means For You

Although TikTok is a headline-grabbing business due to its mobile application’s extreme popularity, companies seeking foreign investment should be aware that CFIUS has a keen interest in scrutinizing foreign investment in U.S. businesses that collect or maintain data on U.S. citizens.

Certain types of data meet the CFIUS regulations’ definition of “sensitive personal data,” as defined at 31 C.F.R. § 800.241. While mobile applications businesses may be among the best known targets of CFIUS scrutiny, the Committee has also taken an interest in what U.S. person data is collected or maintained by insurance companies, hotel chains, biotech companies, healthcare providers, government contractors, communications providers, and financial institutions. Depending on the ownership structure of the foreign investor, an investment in one of these U.S. businesses that collects or maintains sensitive personal data can result in a mandatory obligation to file with CFIUS before closing the investment. Even if a mandatory filing is not required, or even if the definition of sensitive personal data is not met, CFIUS may still be interested in understanding what type of data a U.S. business receiving foreign investment maintains or collects, and how that U.S. business uses, stores, protects, or otherwise handles such data.

Beyond information about the U.S. business itself, CFIUS may also be interested in what type of data rights or access a foreign investor and its government may receive when it enters into a transaction with a U.S. business that collects or maintains certain types of data. For example, with TikTok, U.S. national security concerns seemed to arise from TikTok’s Chinese parent ByteDance and the type of access that the Chinese government may have to U.S. person data collected or maintained by TikTok as a result of the Chinese company ownership. CFIUS itself is likewise interested in what access or use rights a foreign investor may have in a U.S. business’s data, and how the foreign investor may be able to exercise those rights in ways that threaten or harm U.S. national security.

With these considerations in mind, both companies that are interested in receiving foreign investment and that collect, maintain, use, or handle data of U.S. citizens, and foreign persons and companies interested in investing in such companies, should take steps to determine what, if any, national security risks such an investment may present. In assessing such risks, both parties to the investment should contact legal counsel to interface with CFIUS and, should a CFIUS filing be mandatory or advisable, to guide the parties through the CFIUS process. Such efforts may avoid the protracted CFIUS scrutiny that TikTok has received.

¹TikTok Inc. v. Trump, 490 F. Supp. 3d 73 (D.D.C. 2020).

²Marland v. Trump, 498 F. Supp. 3d 624 (E.D. Pa. 2020).

³Id. at 643−44.

⁴TikTok Inc. v. Trump, 507 F. Supp. 3d 92 (D.D.C. 2020).

⁵TikTok Inc. v. Biden, No. 20-5381, 2021 WL 3082803 at *1 (D.C. Cir. July 14, 2021).