China is both highly prized and under-penetrated by U.S. companies. Recent deterrents, including tough trade talk by the Trump Administration and confusing new cyber-security laws, may keep things that way.

On the trade front, Presidential intervention in cross-border mergers has traditionally been a rarity. The current administration shows no signs, however, of following that tradition and sitting on the sidelines.

Under the Defense Production Act, the President is authorized to suspend or prohibit certain acquisitions that result in foreign control of a U.S. business if he or she concludes there is credible evidence that the foreign interest exercising control might take action that threatens to impair national security.

On Jan. 10, MoneyGram and Ant Financial Services Group mutually agreed to terminate their planned merger due to the inability of the companies to obtain the required approval for the transaction from the Committee on Foreign Investment in the United States (CFIUS). The rejection came despite “extensive efforts to address the Committee’s concerns,” they said.

MoneyGram is a global provider of money transfer services. Ant Financial Services Group, an affiliate of China-based Alibaba, “is focused on serving small and micro enterprises, as well as individuals.”

On April 16, 2017, MoneyGram and Ant Financial had entered into an amended merger agreement under which Ant Financial would acquire all the outstanding shares of MoneyGram for $18.00 per share in cash.

“The geopolitical environment has changed considerably since we first announced the proposed transaction with Ant Financial nearly a year ago,” Alex Holmes, CEO of MoneyGram, said in a statement. “Despite our best efforts to work cooperatively with the U.S. government, it has now become clear that CFIUS will not approve this merger.”

In September, in another example of the White House flexing its trade muscles, the administration used a CFIUS review to block the sale of Lattice Semiconductor to a consortium of Chinese investment funds that had agreed to buy it for $1.3 billion.

“The national security risk posed by the transaction relates to, among other things, the potential transfer of intellectual property to the foreign acquirer, the Chinese government’s role in supporting this transaction, the importance of semiconductor supply chain integrity to the U.S. government, and the use of Lattice products by the U.S. government,” the executive order scuttling the deal said.

With the White House already inclined to block Chinese business deals, proposed legislation may give it even more ammunition.

In November, U.S. Senators John Cornyn (R-Texas), Dianne Feinstein (D-Calif.), and Richard Burr (R-N.C.) introduced the Foreign Investment Risk Review Modernization Act. Its goal: to modernize and strengthen the process by which the Committee on Foreign Investment in the United States reviews acquisitions, mergers, and other foreign investments in the United States for national security risks.

Specifically, the Foreign Investment Risk Review Modernization Act would:

Expand the CFIUS jurisdiction to include certain joint ventures, minority position investments, and real estate transactions near military bases or other sensitive national security facilities.

Update the Committee’s definition of “critical technologies” to include emerging technologies that could be essential for maintaining the U.S. technological advantage over countries that pose threats, such as China.

Allow foreign investors to submit “light filings” to CFIUS for certain types of transactions.

Add new national security factors for CFIUS to consider in its analyses.

The bill would also authorize CFIUS to exempt certain otherwise covered transactions if all foreign investors are from a country that meets certain criteria, such as being a U.S. treaty ally and having a mutual investment security arrangement.

Predictions are afoot that, if passed, the bill would make Presidential merger reviews and rejections far more commonplace.

Also in the works is the Defending U.S. Government Communications Act, introduced by Rep. Mike Conaway (R-Texas), which would prohibit the U.S. government from purchasing or leasing telecommunications equipment and/or services from Chinese tech companies Huawei, ZTE, or any subsidiaries or affiliates.

“Chinese commercial technology is a vehicle for the Chinese government to spy on United States federal agencies, posing a severe national security threat,” Conaway said. “Allowing Huawei, ZTE, and other related entities access to U.S. government communications would be inviting Chinese surveillance into all aspects of our lives.”

U.S. lawmakers are reportedly working behind the scenes to urge wireless carriers, in particular AT&T, to sever commercial ties to Huawei.

Legislators also, reportedly, are fighting plans by China Mobile, the world’s largest mobile phone operator, to enter the U.S. marketplace.

China, intentionally or not, is also doing its part to create cross-border trade obstacles, notably with tough new cyber-security rules.

New laws went into effect June 1, with provisions on matters such as the storing of data in China and security reviews of network equipment.

China says “critical information infrastructure” companies include those with computer-network operations in telecommunications, energy, transportation, information services, and finance. Foreign business groups say the definition is vague and too broad.

While many companies continue to fret over uncertainties in the law and sweat its details, others quickly fell in line after the June 1 enactment, lest they fall into disfavor with the Chinese government. Apple announced plans to store all cloud data for Chinese customers with a government-owned company to comply with the new rules.

Apple also stopped selling virtual private network apps that might enable Chinese citizens to bypass censored Websites. Similarly, Microsoft released a new version of its operating system: Windows 10 China Government Edition, a partnership with China Electronics Technology Group.

The law is also causing enforcement troubles for U.S. companies. Earlier this month, Chinese regulators suspended Marriott International’s Chinese Website when an online questionnaire for its rewards program inadvertently categorized Chinese territories (Macau, Taiwan, and Tibet) as separate countries.

The faux pas was also a violation of the new cyber-security law. It prohibits any online activity that “undermines the country’s sovereignty and territorial integrity.”

Critics of China’s cyber-security law include the U.S.-China Business Council.

The cyber-security law primarily applies to the construction, operation, maintenance, and usage of networks, as well as network security supervision and management within the mainland territory.

The overall intent, the law states, is “to ensure network security, to safeguard cyber-space sovereignty, national security, and the societal public interest,” but critics, such as the U.S.-China Business Council, see things differently.

“We are deeply concerned that current and pending security-related rules will effectively erect trade barriers along national boundaries that effectively bar participation in your market and affect companies across industry sectors that rely on information technology goods and services to conduct business,” the Council wrote in a recent open letter.

Included in the law is a data localization requirement. It requires that personal information and other “important data” gathered and produced by “critical information infrastructure” (CII) operators must be stored on servers physically located within mainland China.

This, critics say, could pose challenges for multinational companies needing to transfer data across borders in their business operations. “Personal information” broadly, and perhaps ambiguously, refers to information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person’s identity, including, but not limited to, full name, birth dates, identification numbers, address, and telephone number.

CII operators found in violation of the data localization provision will be sanctioned with a warning, or worse, the confiscation of unlawful gains, Website shutdown, revocation of relevant operations permits, or a hefty fine.

The law also imposes numerous data protection measures on network owners, managers, and network service providers. Among the demands: maintaining the confidentiality of user information they collect; making data privacy notices publicly available, explicitly stating the purposes, means, and scope for collecting or using information; adopting technical measures to ensure the security of personal information and protect against loss, destruction, or leaks; and, in the event of a data security breach, taking immediate remedial action and promptly notifying users and relevant authorities.

The law stipulates that network operators shall not provide an individual’s personal information to others without the individual’s consent or illegally sell an individual’s personal data; gather personal information unrelated to the services they provide; or disclose, tamper with, or destroy personal information that is gathered.

Those last requirements, building blocks for other cyber-security regimes, are especially similar to the European Union’s controversial General Data Protection Regulation.

Another stipulation: Network security products and services procured by CII operators that may impact national security must pass a cyber-security review by an expert panel.

“CSL will present an unprecedented challenge for international businesses with operations in China,” law firm Reed Smith said in a recent client advisory on the matter. “The path to CSL compliance is not straightforward. The Chinese legislative and enforcement style creates confusion and misunderstandings, and sometimes false hopes for Western companies.”

Xiaoyan Zhang, counsel at Reed Smith, offers a three-step plan for compliance: conduct a CSL compliance-risks assessment with a focus on content monitoring, IT procurement, and cross-border data transfer; conduct in-depth data due-diligence for new or existing mission-critical business operations in China; and conduct a comprehensive data audit of operations in China.

“CSL compliance is not an equivalent to compliance in China because there are a dozen other laws in the pipeline, in addition to other laws that are already established,” Zhang warned. “If you somehow reach compliance in China, which seems impossible right now, focus on best practices regarding security risks, business continuity, and increasing consumer confidence.”

Issues to scrutinize include procurement, outsourcing, privacy policies, privacy and security procedures, and cross-border data transfers.

“How much investment are you willing to put in to strengthen your IT and data collection practices in China?” Zhang asks. Not only does the training needed for employees and vendors take time, “you cannot go to your favorite vendor, one you have been using for the past several years.”

“You need to go through the government authority to find IT equipment,” she says.

“Before you collect data, have you actually obtained consent from the user, in addition to just giving them notice?” Zhang asks, warning that compliance policies must be followed in practice, and “translated, localized, and customized to local practice.”

Other advice: Conduct a tailored assessment for mission-critical business.

“That includes existing business and plans once you push into China,” Zhang says. “That is for obvious reasons. You don’t want to invest money and energy in some future business only to find out later that you cannot, or should not, under CSL or other laws.”