CFIUS, Grindr and data protection
The Trump Administration has recently intervened to unwind a commercial transaction in which a Chinese games company acquired a US-based provider of geo-locational dating or ‘hook up’ services on grounds of ‘national security’. The transaction had not been notified to the US Government, apparently because the foreign firm was not state-owned and the US firm did not own or produce a strategic technology, indeed its service was entirely reproducible by rivals, though subject to network economics. Consequently, the merging parties had no reason to think the transaction concerned ‘national security’.
Partly because of the lack of transparency of the administrative processes it remains unclear what the supposed security concern is. It might be that some users of the dating service are politicians or government personnel, possibly from the intelligence and military services, who could become subject to blackmail.
CFIUS
One of the less transparent parts of the US Administration is CFIUS, the Committee on Foreign Investment in the United States. It describes itself thus:
CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the United States (“covered transactions”), in order to determine the effect of such transactions on the national security of the United States.
The legal bases for its activities are:
· section 721 of the Defense Production Act of 1950;
· Executive Order 11858; and
· Regulations at 31 C.F.R. Part 800 and 31 C.F.R. Part 801
A sequence of amendments, including the Foreign Investment and National Security Act of 2007 (FINSA) and, most recently, the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), has extended the CFIUS process and enlarged its jurisdiction (see, for example, an assessment by White & Case).
The chair of CFIUS is held by the Secretary of the Treasury, while the other agencies represented include the Departments of Defense, State, Commerce and Homeland Security, together with the Director of National Intelligence (DNI).
A formal review by CFIUS can last 90 days:
· 30-day CFIUS review;
· 45-day CFIUS investigation; and
· 15-day presidential decision.
However, this is often preceded by an informal review process. Given the shortness of the formal timetable, firms may sound out CFIUS about their proposed transactions.
The definition of ‘national security’ is left to the discretion of the US President and CFIUS. Moreover, it is not subject to appeal or to judicial review, which might have limited or developed a clear definition.
CFIUS approves or disapproves foreign investments into the United States. For example, Dubai Ports World, owned by the rulers of the United Arab Emirates (UAE), was obliged to divest contracts to manage half a dozen US ports. A more complex case concerned the USD 130 million sale of Tyco International, owner of undersea cables, in which the acquirer was VSNL, owned 75% by the Tata Group and 25% by the Government of India. CFIUS viewed the cables as a critical part of the US communications network, taking five months to negotiate a comprehensive Network Security Agreement (NSA) that required VSNL to:
· facilitate US government surveillance of communications originating or ending in the US;
· store saved data from such communications solely in the US;
· store personal information about American consumers solely in the US;
· adopt special procedures to safeguard sensitive US government communications;
· restrict visits by non-US citizens to its facilities in the US;
· obtain approval from the Department of Justice before complying with any foreign government request for access to communications data or other company information;
· seek US government approval before adopting a personnel screening plan; and
· facilitate US government background checks of VSNL security personnel.
While CFIUS has become more prominent in recent years, it is far from self-evident which deals are likely to be of interest or to be rejected, with the enduring suspicion that its decisions are political. As Tipler observed:
… the vagueness of the factors and the Committee’s broad authority to interpret the potential effects a transaction has virtually eviscerated any predictive capabilities from FINSA §721(f).
Kunlun and Grindr exemplify this unpredictability and administrative discretion.
Grindr
Grindr is an app running on the Android and iOS operating systems for smartphones and tablets, launched in March 2009. It uses the location of the mobile device to identify other users of the app who are presented in a grid of photos, starting with those nearest. Each photo can be tapped to display a profile of that user, with options to chat and send pictures, with the possibility of meeting and, presumably, grinding.
Grindr and similar apps have been the subject of academic research noting, for example, that Grindr introduces tensions in the self-presentation of users and that a higher proportion of young men who have met on Grindr subsequently have unprotected sex. Some authorities have been concerned that Grindr does not properly operate controls to block underage individuals from accessing its service.
Joel Simkhai founded Grindr and served as its first chief executive officer (CEO). Legally, ownership was through Nearby Buddy Finder, LLC, registered in West Hollywood, later Grindr LLC.
Beijing Kunlun Tech Co Ltd (Kunlun) is one of the largest mobile gaming companies in China, listed on the Shenzhen Stock Exchange (300418.SZ). It acquired control of Grindr in two stages in 2016 and 2018, buying 61.5 and 38.5 per cent for USD 93 and 152 million respectively. Once it acquired 100 per cent of the stock, Simkhai stepped down as CEO.
Although Grindr is owned by a Chinese firm the service is not available in China. The principal gay dating app there is Blued, founded in 2012.
In August 2018, Kunlun announced plans to float Grindr in an IPO on a non-Chinese stock exchange.
Then in March 2019 Kunlun began to search for a new owner for Grindr, having announced that CFIUS had informed it that ownership by a Chinese company posed an unacceptable ‘national security’ risk to the United States.
US Senate
Based on a story in Buzzfeed, Senators Edward Markey and Richard Blumenthal wrote to Grindr in April 2018, alleging it was sharing data about users without their informed consent. They asked 13 questions that reflected the absence of data protection legislation in the US and the very limited nature of privacy rights.
Interestingly, the senators did not refer the matter to the Federal Trade Commission (FTC), which has a record of 38 complaints mostly concerning payments for the Grindr Xtra service. There do appear to have been serious complaints about data protection or privacy.
When the issue was taken up by CFIUS, Markey and Blumenthal remarked:
CFIUS made the right decision in unwinding Grindr’s acquisition. It should continue to draw a line in the sand for future foreign acquisition of sensitive personal data.
It is not obvious that there is any difference in the acquisition of sensitive personal data by US and non-US firms; both are subject to applicable data protection legislation and privacy rights. Both the Chinese and US governments can require firms to provide them with access to data they have collected from customers based on their respective national laws.
CFIUS and Grindr
Kunlun acquired Grindr without submitting the acquisition for review by CFIUS, presumably because the two firms and their advisers did not consider it was likely to be of interest. However, without consent before the implementation of the change of ownership, CFIUS has the power to seek to reverse the change.
In the absence of a statement from CFIUS, Reuters noted that:
CFIUS’ specific concerns and whether any attempt was made to mitigate them could not be learned. The United States has been increasingly scrutinizing app developers over the safety of personal data they handle, especially if some of it involves U.S. military or intelligence personnel.
Almost any app accessed by the general public is likely to be used by and thus to collect data about military and intelligence personnel. Consequently, such a limit would appear to exclude almost all apps and, potentially, any foreign ownership.
The question of the US military was complicated by the Trump Administration having abandoned the 1993 Clinton policy of “Don’t ask, don’t tell” (DADT).
There had previously been a gross failure by US-based firms to control data generated by intelligence and military users of Fitbit and its transfer to Strava. Belatedly, the Pentagon banned the use of such geolocation apps having realised it was exposing details about bases, including the locations of purportedly secret facilities, and of individuals and the deployment of military units.
It might now be wise to limit the use of dating apps, especially photos in uniform and showing service tattoos. Given some dating apps use geolocation data, a ban similar to fitness apps would seem unavoidable.
CFIUS had previously expressed concern about data protection in proposed acquisitions of Applovin and Moneygram.
It is possible that the objection to the Grindr deal arises from its control by an entity acting on behalf of the Chinese government. This would preclude any acquisition by any Chinese firm, since they are all subject to domestic laws.
Even if the data are to be held in the US it is unlikely that they would be held so securely as to be beyond the reach of foreign security services.
GDPR and Grindr
Grindr claims to be available in some 170 countries, while blocked in a handful of authoritarian and heteronormative states.
From the outset its operations in Europe fell under the Data Protection Directive 95/46/EC and, since 2018, the General Data Protection Regulation (EU) 2016/679 (GDPR). The categories of data Grindr collects, such as sexual orientation and preferences, location and HIV status, email addresses and telephone numbers are all considered personal and must be gathered only with consent, must be kept securely, and not passed to third parties without consent. Email addresses and telephone numbers can be linked to external databases, further identifying individuals, as increasingly can facial recognition software.
In terms of the GDPR there are strict obligations on the transfer of data to foreign jurisdictions. Transfers to the US are subject to the EU-US Privacy Shield. This has been the subject of complaints by consumer bodies, while the European Parliament adopted a resolution that the Shield was inadequate protection. Transfers to Japan are now permissible under the recent Partnership Agreement. Otherwise any transfer would require specific binding corporate rules.
The issue of the change of ownership of Grindr was raised in a written question in the European Parliament, in terms of data becoming accessible to the Chinese Government.
The potential problem is that Kunlun, as a Chinese company, might be required to transfer data to the Chinese government or permit its intelligence services access to the data, whether stored in Europe or China. Such access would violate the GDPR and potentially the EU Charter of Fundamental Rights. Such a clash of laws would require to be addressed bilaterally between the EU and China, since it would have much wider scope than just a single dating service.
While the UK Information Commissioner's Office (ICO) has said it was investigating transfers from Grindr to third parties it appears to have taken no action.
As Grindr has stated, it followed standard practice among digital businesses to transfer data to third parties, something it ceased. The companies concerned were Apptimize and Localytics, which monitored how users interact with the software to see how it could be improved.
US-based firms routinely collect personal data from other countries and transfer it ‘home’ for processing and sale to third parties, where it is available to the US National Security Agency (NSA). The EU-US Privacy Shield binds the firms, but not the US Government, which may capture the data while it is being transferred or may obtain copies using warrants, for example, from the FISA Court.
Conclusion
There are two problems with the data gathered by Grindr: firstly, there is the corporate use and abuse and, secondly, there is governmental use and abuse. Grindr has stated its use no longer follows industry practice in transfers to third parties, which was known to disregard the privacy of customers. The location of the stored data gives some governments differential access, whether with or without a warrant.
Anyone using Grindr ought to have given thought to the personal details they are providing, including the location, email address and telephone number, which might allow a full identity to be determined. Anyone who might be subject to embarrassment or blackmail should think twice before using Grindr and posting a photograph of their face, especially given the use of facial recognition. Government officials, politicians and those serving in the intelligence and military should be even more circumspect, certainly not posting photos in uniform, displaying USMC tattoos or standing in front of official buildings.
The US Government is strongly opposed to data localisation, with the US Trade Representative (USTR) complaining about policy where it is implemented by foreign governments. Hypocritically, it now insists in the Grindr case that data be localised in the United States. A central problem is that the US does not have effective data protection legislation, which would have been the obvious way to deal with the concerns raised about geo-locational, sexual orientation, HIV infection and other personal data. This is largely because of corporate lobbying, with a view to maximising the analysis and targeting of advertisements, including sales of personal data and profiles to third parties.
The VSNL case shows the lengths to which US authorities will go to obtain access to personal and communications data. This suggests that any data gathered by Grindr is fully available to the National Security Agency (NSA), whether owned by a Chinese or US firm.
The use of CFIUS rather than the FTC suggests the reasoning is the increasingly routine sinophobia of the Trump Administration. There is no reason to think that this administration has any interest in the LGBT community; indeed, it has withdrawn or is withdrawing rights formerly granted to its members, and adopting heteronormative laws and policies. It may be that some members of Congress and of the defence and intelligence communities will feel more secure using Grindr if ownership reverts to a US-based firm, but it is almost impossible to conceive that the national security of the United States has been increased. It would be an unusual piece of public policy that by boosting heteronormativity the Trump Administration had so increased the opportunities for blackmail that it dare not allow data to be accessible to a foreign government.
More generally, the Trump Administration may be trying to monopolise the gathering and processing of personal data in the US, where it is unprotected and exploited by firms and accessible to intelligence services.