US Expands National Security Review of Foreign Investments Involving Sensitive Personal Data

The United States government has broadened the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) to increase scrutiny of foreign acquisitions involving sensitive personal data. This policy change was prompted by an incident where a foreign entity acquired an insurance provider for US intelligence personnel. The expansion specifically targets transactions that could grant foreign actors access to large volumes of personally identifiable information or genetic data of US citizens.

STÆR | ANALYTICS

Context & What Changed

The Committee on Foreign Investment in the United States (CFIUS) is an inter-agency committee authorized to review certain transactions involving foreign investment in the United States to determine the effect of such transactions on U.S. national security (source: treasury.gov). Historically, its mandate focused on tangible threats, such as foreign control over critical infrastructure like ports, defense contractors, or advanced semiconductor technology. The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) significantly updated and expanded CFIUS’s authorities, but the committee’s focus remained largely on technology and infrastructure.

The recent policy change, triggered by the acquisition of an insurance provider for intelligence personnel, marks a significant evolution in the U.S. government's definition of national security (source: news.thestaer.com). It codifies the principle that large-scale access to sensitive personal data of U.S. citizens by a foreign entity can, in itself, constitute a national security threat. This is a departure from a model where data was a concern primarily as an adjunct to a company operating in a critical sector. Now, a company in a seemingly benign sector, such as online gaming, consumer finance, or health and wellness apps, can fall under CFIUS jurisdiction if the transaction involves a foreign acquisition and the company holds a sufficient volume of sensitive personal data. This change reflects a broader geopolitical reality where data is viewed as a strategic asset that can be exploited for intelligence gathering, blackmail, social manipulation, and the development of artificial intelligence capabilities by strategic competitors.

Stakeholders

U.S. Government & CFIUS Agencies: The primary actors are the Department of the Treasury (as chair) and member agencies including the Departments of Defense, Justice, Homeland Security, Commerce, State, and Energy. Their objective is to prevent foreign adversaries from acquiring sensitive data assets that could be used to compromise U.S. security interests. They face the challenge of scaling their review capacity to cover a much broader set of transactions without stifling beneficial economic activity.

Foreign Investors: This group includes sovereign wealth funds, state-owned enterprises, private equity firms, and multinational corporations. Investors from countries identified as strategic competitors, particularly China, face the most significant hurdles. They will encounter increased transaction costs, longer deal timelines, and a higher probability of deals being blocked or requiring costly mitigation measures. Investors from allied nations may also face heightened scrutiny.

U.S. Companies: The policy most directly affects U.S. businesses that collect, process, or maintain sensitive personal data. This includes technology startups, healthcare providers, fintech companies, data brokers, and social media platforms. The pool of potential foreign acquirers and investors may shrink, potentially impacting company valuations and exit strategies for venture capital backers. These companies now bear a greater compliance burden to understand and plan for potential CFIUS reviews.

Advisory Ecosystem: Law firms, investment banks, and risk consultancies with CFIUS expertise will see a significant increase in demand. The complexity and ambiguity of the new rules necessitate specialized counsel to navigate the review process, structure transactions, and negotiate mitigation agreements.

Evidence & Data

The expansion of CFIUS’s focus on data is not without precedent. The committee’s actions in recent years signaled this direction. For example, Ant Financial’s proposed acquisition of MoneyGram collapsed in January 2018 after it failed to win CFIUS approval, amid concerns about the security of U.S. customers’ financial data (source: reuters.com). Similarly, in 2019, CFIUS ordered the Chinese company Beijing Kunlun Tech to divest its ownership of the dating app Grindr, citing risks that the Chinese government could access personal data on U.S. citizens, including military and intelligence personnel; the sale was completed in 2020 (source: wsj.com). These cases demonstrated CFIUS’s willingness to act on data-related risks even before this formal policy expansion.

The FIRRMA implementing regulations define "sensitive personal data" by enumerated category rather than as a catch-all for anything that identifies a person. The categories include financial data that could reveal an individual’s financial distress or hardship, consumer-report data, insurance application data, health data, the content of non-public electronic communications, geolocation data, biometric enrollment data, government identification data, and security clearance application data; the results of genetic tests are covered as a separate category (source: Code of Federal Regulations, 31 C.F.R. § 800.241). For the first group, a U.S. business is in scope if it maintains or collects such data on more than one million individuals, or if it targets or tailors its products to U.S. military, intelligence, or other national security agencies and their personnel, in which case no volume threshold applies. Genetic test results are covered regardless of how many individuals are affected. The recent policy change effectively lowers the threshold for what kind of company holding this data is considered relevant to national security. CFIUS annual reports have consistently shown a rise in the number of notices filed and reviewed, with technology and finance sectors representing a large portion of cases (source: treasury.gov/cfius). The new policy is expected to accelerate this trend significantly.

Scenarios (3) with probabilities

Scenario 1: Broad & Aggressive Enforcement (Probability: 60%)

In this scenario, CFIUS interprets its expanded mandate broadly, applying intense scrutiny to a wide array of transactions in consumer tech, health-tech, ad-tech, and fintech. The committee proactively “calls in” non-notified deals it deems risky. This results in a higher number of withdrawn filings and deals blocked outright. For approved deals, mitigation requirements become standard, such as mandatory data localization within the U.S., the appointment of independent, security-cleared board members, and third-party auditing of data security protocols. The consequence is a notable “chilling effect” on foreign investment in the U.S. tech sector, particularly from non-allied countries. U.S. startups with large user data sets may see valuations compressed due to a smaller pool of potential strategic acquirers.

Scenario 2: Targeted & Strategic Enforcement (Probability: 35%)

CFIUS applies a more nuanced approach, focusing its resources on transactions that present the clearest and most immediate threats. Scrutiny is highest for acquisitions by entities with known ties to the governments of China, Russia, and other strategic competitors. The type of data is also a key differentiator; deals involving comprehensive genomic data or detailed financial records of government employees are prioritized over those involving more generic consumer marketing data. Investments from allied nations (e.g., UK, Canada, Australia, EU) with strong data protection regimes and security cooperation agreements face a much lighter-touch review. This creates a bifurcated investment landscape, favoring capital from allied countries and pushing U.S. firms to be more selective about their foreign partners.

Scenario 3: Symbolic Change, Limited Impact (Probability: 5%)

The policy change proves to be more of a declarative statement than a practical shift in enforcement. Overwhelmed by the potential volume of new cases, CFIUS continues to prioritize its traditional areas of focus—defense, critical infrastructure, and dual-use technologies. The committee lacks the resources to effectively police hundreds of additional consumer-facing tech deals. Enforcement actions related solely to personal data remain rare and are confined to the most egregious cases, similar to the pre-expansion status quo. The market quickly learns the practical boundaries of the new rule, and foreign investment flows are not significantly altered. This outcome would represent a failure of policy implementation.

Timelines

Immediate (0-6 months): Legal and advisory firms are actively briefing clients on the expanded risks. Companies with pending cross-border transactions are reassessing their CFIUS filing strategies, with many opting to file voluntary notices out of an abundance of caution. A backlog of cases at CFIUS may begin to form.

Medium-Term (6-24 months): The first high-profile test cases under the expanded mandate will emerge, providing clarity on CFIUS's enforcement posture. The committee may issue additional public guidance to clarify ambiguities. A tangible shift in investment patterns will become visible, with a decrease in announced deals from certain countries in sensitive U.S. sectors and an increase in structuring deals to mitigate CFIUS risk (e.g., non-controlling stakes, data security agreements).

Long-Term (2+ years): The expanded review of data-centric transactions becomes an established part of the global M&A landscape. Data governance and investor provenance are now standard, critical components of due diligence for any U.S. company seeking foreign capital. Other nations, particularly in Europe and Asia, may accelerate the adoption of similar investment screening mechanisms focused on data, leading to greater fragmentation of the global digital economy and data sovereignty becoming a key policy principle.

Quantified Ranges

Affected Transactions: Based on typical M&A volume in the U.S. tech, healthcare, and financial services sectors, this policy expansion could bring an additional 150-300 transactions per year under potential CFIUS jurisdiction. (author's assumption).

Compliance & Mitigation Costs: The legal and advisory fees for a full CFIUS review and negotiation can range from $250,000 to over $1.5 million per transaction. The aggregate annual compliance cost for industry could increase by $100 million to $300 million. Mitigation measures, such as establishing a U.S.-based data subsidiary, can add millions more in operational costs. (author's assumption based on industry pricing).

Valuation Impact: For U.S. companies in data-intensive sectors, the effective exclusion of a class of aggressive foreign buyers could reduce potential acquisition premiums. This impact could range from a 5% to 20% reduction in valuation in a competitive sale process, depending on the sector and the specific bidders involved. (author's assumption).

Risks & Mitigations

Risk 1: Investment Deterrence & Economic Harm: Overly broad or unpredictable enforcement could deter legitimate foreign investment that is vital for innovation, job creation, and capital markets liquidity in the U.S. This could slow growth in key technology sectors.

Mitigation: CFIUS must provide clear, public guidance on its specific concerns and create safe harbors or expedited review processes for transactions deemed low-risk. Aligning with allies on investment screening standards can create a larger, more predictable market for trusted capital.

Risk 2: Geopolitical Retaliation: Nations targeted by the expanded CFIUS reviews may retaliate by imposing similar data-centric security reviews on U.S. investments in their countries, harming U.S. multinational corporations.

Mitigation: The U.S. should use diplomatic channels to clearly articulate that the policy is a targeted national security measure, not broad economic protectionism. Multilateral engagement through forums like the G7 and OECD can help establish international norms for investment screening to prevent tit-for-tat retaliation.

Risk 3: Policy Circumvention: Adversaries may use increasingly sophisticated methods to bypass CFIUS review, such as layered ownership structures, investments routed through intermediary countries, or acquiring data through non-M&A means (e.g., data purchasing agreements, cyber theft). The last category matters because CFIUS’s jurisdiction is transaction-based: a data broker sale or a network intrusion involves no covered investment, so the committee has no authority over it and other tools must fill the gap.

Mitigation: CFIUS must enhance its intelligence capabilities and its non-notified transactions team to proactively identify and investigate deals that were not voluntarily filed. This requires greater resources and improved information sharing between the intelligence community and Treasury.

Sector/Region Impacts

Sectors: The most impacted sectors will be Health-tech (electronic health records, genomic sequencing), Fintech (payment processing, consumer lending), Ad-tech/Mar-tech (user profiling, location tracking), Social Media, Online Gaming, and any Software-as-a-Service (SaaS) company with a large U.S. user base.

Regions: Investors from China will face the most significant impact, with a near-presumption of denial for control transactions in data-sensitive sectors. Investors from Russia and other geopolitical adversaries face similar barriers. Sovereign wealth funds and state-linked enterprises from the Middle East and other regions may also face heightened scrutiny depending on their governance and ties to foreign governments. The U.S. venture capital and technology ecosystems will need to adapt their funding and exit strategies.

Recommendations & Outlook

For Government/Public Finance: Policymakers must ensure CFIUS is adequately funded to handle its expanded mandate without creating a debilitating bottleneck for investment. Consideration should be given to a tiered review system to fast-track applications from trusted sources.

For Large-Cap Industry Actors & Boards:

Investors: Pre-transaction due diligence must now include a thorough CFIUS risk assessment as a primary workstream. Deals should be structured with potential mitigation requirements in mind from the outset.

U.S. Companies: Boards must elevate data governance to a strategic priority. Companies seeking investment should be prepared to provide deep transparency into their data collection, storage, and security practices. They should also diversify their capital-raising strategies to include a robust domestic investor base.

Outlook (scenario-based assumption): The most probable future is a hybrid of Scenarios 1 and 2: enforcement will be aggressive and broader than in the past, but strategically focused on the highest-risk combinations of data type and investor origin. This policy solidifies the treatment of large personal datasets as a form of critical national infrastructure. For global corporations and investors, this marks a definitive end to the era of treating data as a freely traded commodity in cross-border transactions. The long-term trend is toward greater data localization and a splintering of the global digital economy along geopolitical lines, a reality that must be central to any forward-looking corporate or investment strategy.

By Mark Portus · 2025-11-18 (Unix timestamp 1763452906)