So hot right now: booming foreign investment in data centres faces regulatory heat (Part 2)
Data centres, the warehouses underpinning the digital aspects of our working and home lives, have become red hot assets, with investors piling into the sector – and regulators in the West signalling their readiness to closely scrutinise foreign investment (FI). In this special mini-series of blog posts, we take a deep dive into the distinctive positions taken in jurisdictions across the globe for this hot asset class and offer some practical tips for investors facing FI reviews.
In our first post, we considered the approaches taken in the U.S., EU and UK. Data centre investment is booming across Europe and the U.S. – and the EU and UK regimes now expressly include data centres within the scope of their FI regulatory regimes. In the U.S., CFIUS can call in any FI and investors need to be mindful of the data related concerns that may arise and build FI reviews into deal planning.
In this second post, we delve into the distinctive approaches taken by authorities in Australia (which in some ways goes beyond even the European approach), and Asia (where authorities have very different pro-investment policy priorities).
Soaring demand for assets – despite clear FI concerns
Attracted by compelling infrastructure-like returns, investors have been piling into Australian data centres – from Morrison & Co’s purchase of Canberra Data Centres for more than $A1 billion in 2016, to the recent acquisition by Macquarie Infrastructure and Real Assets of an 88% stake in Sydney-based AirTrunk in 2020 (a deal which valued the assets at over $A3 billion). Investors are also keen on greenfield projects, with a number of sites being marketed as data centre "ready": i.e., via development approvals, connections etc.
Investors’ growing interest in data centres is, however, matched by that of Australia’s Foreign Investment Review Board (FIRB). FIRB’s guidance leaves little doubt as to its intentions to pay close scrutiny to foreign investments in relation to this asset class – stressing that “[d]ata centres and cloud providers are critical to maintaining the supply and availability of data and cloud services in Australia”.
Notably, FIRB raises concerns that go well beyond ensuring business continuity and its guidance flags that data centres hold sensitive data and personal information that can be “a target for espionage, sabotage and foreign interference activity."
But policy on FI filings is evolving…
Yet it is increasingly complex to assess whether acquiring investors need to make an FI filing. The sensitivity of the area, unhelpfully for investors, means there is very little public guidance and investors need to rely on well versed practitioners experienced in FIRB practice.
In principle, a notification is mandatory and suspensory (i.e., an investor must wait for clearance before the transaction can complete) if the data centre stores, maintains or enables access to either:
- security classified information; or
- more broadly, personal information, collected by Australia’s intelligence community or Defence Department / Defence Force which could compromise Australia’s national security.
Investors acquiring the premises where the data centre is based may also be caught by the regime if the owner can access its information (e.g., by having physical access to servers if the data centre operator does not have exclusive possession of the parts of the building containing the servers).
As a practical matter, FIRB policy is nuanced and evolving. Investors may, therefore, choose to make a voluntary filing even where the thresholds aren’t met in order to avoid being subject to FIRB’s new call-in powers or an order to remedy national security concerns – including unwinding orders.
…and further reform is on the way
It is expected that additional types of data centres will be caught by a proposed expansion to the scope of assets subject to FIRB review – even when government data isn’t stored in the data centre at hand. A bill to implement the expanded regime is currently before the Australian Senate, with a vote expected in late November. The expanded regime may also include physical infrastructure or computing platforms used primarily for storing or processing ‘business critical information’ on a commercial basis, where the data centre owner/operator knows that the customer is a direct supplier to national or state governments, or a responsible entity of a critical infrastructure asset (generally the entity holding the operating licence for the asset).
Notably, this proposal goes further than in other jurisdictions (except maybe mainland China – see below) by extending business critical information beyond classified data to include personal data or sensitive information relating to 20,000+ individuals.
Data centres caught by these changes will not only be subject to mandatory filings with FIRB but also to ongoing regulatory supervision by the Critical Infrastructure Centre, which in practice usually involves ongoing reporting and notification requirements.
As a result, investors considering data centre investments in Australia should pay particular attention in due diligence to: (i) physical security e.g., security of access to the racks, and security of connections (including from sabotage or hacking); and (ii) ascertaining whether the operator has a contract with the Australian government.
As in other countries, intra-Asia competition for data centre capacity has intensified for key assets located in Singapore, Hong Kong SAR, mainland China, Japan and Korea. This is mainly as a reaction to the exponential demand for capacity – not least as 5G completes rollout across more jurisdictions and hyperscale facilities are needed across the region.
A warmer welcome...
Yet in contrast to the approach generally taken in Western countries, governments across the region have traditionally sought to incentivise unhindered inward investment and growth in the sector. For example, India has for many years allowed 100% FI in data centres compared to other IT sectors. Growth in the sector is also often encouraged under national policies in the region. For example, in line with the Malaysian government’s agenda to digitalise the country’s economic and social sectors, Microsoft is reportedly making a $1 billion investment in Malaysia to establish its first data centre in the ASEAN state. In contrast, the Vietnamese government has included data centres as one of the “conditional business lines” whereby foreign investors are subject to certain conditions and approvals.
...but FI filings remain possible
While M&A does not generally trigger significant FI issues in the region, certain transactions may require pre-closing FI approvals (e.g., in Taiwan or India) depending on the nationality of the acquirer. In cases where the approval is triggered by acquirer nationality, there is often no minimum shareholding threshold so that any level of share acquisition may be subject to scrutiny.
And the situation is evolving in relation to the regulation of existing operations in some countries.
As Alex Roberts wrote in his blog, “[r]egulators’ desire to ensure companies’ compliance in respect of data management and retention practices, quickly morphs into national security concerns where international groups want to create regional or global data pools a long way from the citizens whose data has been collected”. This “domestication” of data is a trend reflected in current and proposed legislation requiring some data processors to keep information onshore in the guise of strict data security rules in jurisdictions such as China and India.
Demand for data centres isn’t slowing
This hasn't slowed down investments though – with this summer’s high-profile acquisitions e.g., PCCW’s sale of its mainland China, Hong Kong SAR and Malaysian data centres to DigitalBridge for US$750 million and Singapore-based Digital Edge entering the Indonesian market through the acquisition of Indonet Data Centres for US$165 million.
We have also seen market players in the region entering new markets, e.g., Tencent launched its first data centre in Indonesia earlier this year, and has indicated that a second data centre will soon be established in Indonesia. Similarly, AirTrunk brought online its first hyperscale data centres outside Australia in Hong Kong and Singapore, while Facebook’s renewable energy data centre is expected to be online in Singapore to support its aspirations in the metaverse from 2022.
All in all, while data centres may be a hot market globally, it’s clear that investors can expect a warmer welcome in some places than others.