ByteDance entered the U.S. market by acquiring Musical.ly, a similar short-video-streaming app, in 2017 and then rebranding the product as TikTok. It is this acquisition that is apparently under scrutiny. (Because CFIUS never publicly comments on its investigations, it has neither confirmed nor denied these reports.)
It may seem unlikely that TikTok and its 15-second videos popular with teenagers worldwide could pose a threat to national security. TikTok, in fact, is the latest in a string of recent CFIUS investigations of tech companies. Within the past two years, CFIUS has scuttled a proposed merger between MoneyGram and the Chinese firm Ant Financial and compelled Chinese owners to divest the dating app Grindr and the health start-up PatientsLikeMe.
Historically, CFIUS tended to focus on companies with military or intelligence connections — but today, personal data and high-tech intellectual property are of greater concern. Though we don’t know what specifically triggered the TikTok review, the company came under fire from Congress for allegedly censoring information about the Hong Kong protests.
Broadly speaking, here’s what CFIUS could decide. For TikTok, the best-case scenario would be for CFIUS to decide the acquisition poses no threats to national security, and allow ByteDance to continue operating the company as is. Although this could happen, it would probably attract negative attention from Congress. The last time CFIUS was in the headlines was after it approved a 2006 deal allowing Dubai Ports World to take over operations of a number of U.S. ports. That decision prompted outrage from Congress — and ultimately new legislation that gave Congress more oversight over the process.
The worst-case scenario for TikTok? CFIUS could demand divestment, as occurred with Grindr and PatientsLikeMe. Unwinding the Musical.ly acquisition would be particularly difficult, however, because Musical.ly and its users are fully integrated into TikTok.
Would divesting mean reverting to the Musical.ly brand and interface? It’s not clear Musical.ly would have much value as a stand-alone company anymore, following the TikTok rebranding. Alternatively, divestiture could mean ByteDance selling off the entire TikTok venture, including all of its users in Europe and Asia, but this would fundamentally disrupt the company’s plans for international expansion.
Between these two extremes lies what is probably the most likely scenario — that CFIUS will produce a list of requirements for TikTok to satisfy any national security concerns. CFIUS calls these deals mitigation agreements, and they typically involve measures such as increased government reporting, auditing, and compliance training requirements, or promises to host certain data in the United States.
For TikTok, one possible CFIUS concern will be whether the Chinese government has any access to data from U.S. users, or influence or control over censorship decisions. CFIUS may want to see evidence that TikTok’s U.S. operations are run independently from ByteDance, or that the Chinese government does not control ByteDance.
In a recent statement, TikTok maintained that the content moderation for TikTok US is handled by U.S. employees, while all U.S. user data is stored in the United States and Singapore. Whether this will satisfy CFIUS, or what steps the company may need to take to prove ongoing compliance, remains to be seen. Last year, CFIUS issued its first penalty — a $1 million fine — to an undisclosed company for not following through on a mitigation agreement, a sign that the committee is beginning to take enforcement of these deals more seriously.
CFIUS is set to expand — and Silicon Valley is taking note
The kind of trouble that TikTok got into seems likely to become a lot more common, as CFIUS expands its reach into the U.S. technology sector. Currently, CFIUS reviews only mergers and acquisitions that result in a foreign person or business taking a controlling stake in a U.S. business. But Congress in 2018 passed the Foreign Investment Risk Review Modernization Act (FIRRMA), which extends CFIUS’s jurisdiction.
Among other changes, CFIUS will now have a mandate to review non-controlling, non-passive transactions in certain strategic sectors. Any transaction that allows a foreign investor access to material nonpublic information or membership of the board of directors of a U.S. company involved in critical technologies, critical infrastructure or sensitive personal data will be subject to CFIUS review.
Although the new rules won’t go into effect until next year, they’re already shaking up Silicon Valley’s funding ecosystem. Non-controlling, non-passive investments are a staple of the venture-capital-backed start-up scene, where many companies work either in critical technologies or collect lots of personal data.
Until recently, foreign finance was also a staple of Silicon Valley, where Chinese and Middle Eastern investors in particular poured billions of dollars into start-ups. The specter of CFIUS review is chilling these relationships. Funders and cash-hungry start-ups alike are pulling back, wary of the costs and time of a CFIUS review — let alone the possibility that the U.S. government will block deals or add extra layers of scrutiny.
As one report from Silicon Valley earlier this year noted, because of FIRRMA “investors with foreign ties ... now essentially consider wide swaths of the technology sector to be effectively off limits.” The news that the U.S. government is investigating TikTok will only further accelerate these trends.