
Traditionally, foreign investment control was largely about the “hardware” of national security. Regulators cared about who owned the ports, the power plants, the tank manufacturers. If an acquirer was not buying a “strategic” physical asset, reviews tended to be smooth. Those times are over.
The US was somewhat ahead on this, but Europe is now also witnessing the effects of a slow and, for some time, “silent” development: the transformation of investment screening into a high-stakes data access review. Where data protection laws protect the individual, foreign investment control is increasingly being used to protect the state’s interest in keeping control over personal data. The “national interest” now covers the digital as well as the physical.
The Italian approach: JD.com and Ceconomy
The most recent proof of this trend comes from Italy. In late 2025, the Italian government exercised its “Golden Power” over the takeover of German electronics retailer Ceconomy (the parent of MediaMarkt and Saturn) by Chinese e-commerce player JD.com.
At first glance, consumer electronics retail hardly seems like “critical infrastructure.” However, Ceconomy reportedly holds the personal data of over 21 million Italian customers.
With this in mind, the Italian government did not block the deal, but it mandated a “data firewall”: JD.com must store all Italian consumer data on European servers and ensure an operational separation between the target’s data and the data of JD.com and its subsidiaries. So, what looked like the acquisition of a retailer at first glance turned out to be a review of the acquisition of a database.
The transaction is still subject to proceedings in other countries, including foreign investment control in Germany. It will be interesting to see whether the German regulator jumps on the bandwagon or even seeks remedies going beyond the Italian solution.
The US blueprint: From Grindr to TikTok
As so often with antitrust and foreign investment control, the US and its Committee on Foreign Investment (CFIUS) laid the groundwork for the trend.
Long before the current geopolitical developments, CFIUS established that personal information is of national interest. The forced divestitures of the dating app Grindr and the health-tech company PatientsLikeMe, both in 2019 and both from Chinese majority owners, were early public signs of this. In both cases, the US government concluded that a foreign adversary’s access to sensitive health and behavioural data could expose citizens and national security to risks.
Fast forward to the present: Late last year, TikTok agreed to divest its US assets after a long process with the US government (which to some extent involved CFIUS). To avert a total ban of the app, the divestiture to a US-backed consortium was not just about ownership; it was about access to personal data. The deal means that the “algorithm” and the “user data” are handled by a domestic US entity under federal oversight. TikTok’s press release published last week highlights data protection, algorithm security and trust & safety as key elements of the transaction.
Data protection vs. FDI: Compliance is not enough
For acquirers and targets alike, the development creates risks. Companies might think that if a target complies with data protection laws, there is nothing to worry about. This is a fallacy.
Foreign investment control is pre-emptive and geopolitical. Data protection laws ask how and under which framework data is processed; foreign investment control regulators ask who an acquirer is and why a government might want that data in a few years. A target can have an impeccable privacy policy and a deal can still run into issues because the acquirer’s home country has laws that regulators find incompatible with national security.
The takeaways for transactions in 2026
In this environment, foreign control risk assessment must take data access into account:
- The metadata: Do not just look at what the target sells; look at what it knows. A logistics company with a fleet of connected trucks is no longer just a transport company; it might also be a mapping and surveillance asset.
- Remedy engineering: Where there could be data risks, start thinking about “data trust” structures early. If the acquirer is from a perceived high-risk jurisdiction, can the data be ring-fenced?
- The “friendly” exception is shrinking: Even acquirers from “friendly” nations can face data scrutiny. As the EU pushes for “technological sovereignty,” data flows to any non-EU parent will stay under the microscope.
A “live” example of these points is the proposed acquisition of Dutch cloud services provider Solvinity by US IT infrastructure company Kyndryl. Local stakeholders are lobbying against the deal and are even taking things to court, claiming that the transaction would give US authorities access to sensitive data of US citizens. The government is apparently weighing measures to mitigate such risks. Looks like another deal to learn from.
