So hot right now: booming foreign investment in data centres faces regulatory heat (Part 1)

Data centres – the centre of attention

Post-lockdowns, it seems almost every aspect of our daily lives has an online aspect – a reality that has fuelled a surge in cloud computing around the world. Data centres – the warehouses of the digital world and a crucial backbone for data storage and processing – are consequently increasingly critical for our societies, economies and security. Unsurprisingly, data centre infrastructure is – simply – so hot right now as investments pile into the sector. But such investments haven’t gone unnoticed by FI regulators, who have signalled their appetite to scrutinise them closely.  Authorities are conscious that data centres not only allow controllers access to vast amounts of hugely sensitive data but also, in the wrong hands, provide a growing ability to inflict catastrophic disruption.

Yet, notwithstanding shared concerns, there are important differences between jurisdictions in the treatment of investment in data centres. Investors will need to pay close attention to these distinctions, including whether filings are triggered by owning the premises where data centres are located or only the data centre operators, what type of information held by a data centre is sufficiently sensitive to trigger a filing, and whether filings can be triggered by the nature of the data held even if owners, operators and managers of data centre sites may well not know what’s ‘inside the box’.

In this special mini-series of blog posts, we take a deep dive into the distinctive positions taken in jurisdictions across the globe for this ‘hot’ asset class and offer some practical tips for investors facing FI reviews. In this first post, we delve into the approaches taken in the U.S., EU and UK – and next week we will take a closer look at how authorities in Asia and Australia are dealing with the challenges posed by FI in data centres.

Investment in data centres hits boiling point

Data centre-related M&A reached a record-breaking deal value of $32 billion last year – and 2021 looks set to surpass that, as the demand for computing capacity continues to soar. Indeed, dozens of data centre-oriented acquisitions worth over $17 billion have already closed this year – including the largest ever data-centre deal (Blackstone’s acquisition of QTS Realty Trust for $10 billion) and a SPAC acquisition of Cyxtera for $3.4 billion.

data centre M&A activity

Source: CRN, 10 June 2021

This boom is being fuelled by a number of key industry trends, with a broader universe of investors being attracted to the sector than previously. The appeal is driven by the explosive growth of cloud computing as well as consolidation plays by hyperscale operators that are expanding the scope of their data centre platforms to appeal to large enterprise customers. Investors also like the relatively high asset yields, long term growth outlook, as well as the reliable cashflows promised by valuable long term customer leases. On the sell-side, large enterprises are increasingly outsourcing their data centre services, particularly where they can monetise these non-core assets at current digital infrastructure market multiples vs. their historical real estate valuations.

However, with the attractive returns promised by critical infrastructure also comes critical regulators…


An attractive asset class generating a lot of activity

Data centre infrastructure in the EU has been a particular focus for investors, with significant recent investments taking place. This is particularly true in the Nordics, a region considered highly attractive for digital investments given its cool temperatures, reliable power supply and high level of connectivity. Google invested €2 billion in its Finnish data centre (with approval obtained last year to further expand it) while IPI Partners acquired Digiplex and its eight data centres (seven of which are in Sweden, Denmark and Norway) – a business valued at $650 million in 2019.
The rest of the EU hasn’t lacked for attention either. Liberty Global and Digital Colony recently announced a European Edge data centre business joint venture, with over 100 active Edge facilities. And Ascendas REIT purchased 11 data centres from Digital Realty for $678 million (with six of those in the EU), while Digital Realty bought its competitor Interxion (with its 53 facilities in 11 Member States) for over $8.4 billion.

Data storage & processing is at the centre of the EU’s FDI regulatory radar

Under the EU Framework for the Screening of Foreign Direct Investments both data processing and storage are explicitly classified as “critical infrastructure”. FDI regulators within each Member State are therefore being strongly encouraged to take into account the potential effects of such a transaction on security or public order in their jurisdiction.

While each Member State is ultimately responsible for adopting its own FDI rules (and defining the scope of activities falling within it) the express inclusion of data storage/processing facilities within EU Framework means that transactions involving data centres will, more often than not, fall within the scope of national European FDI regimes.

Further complexities arise in transactions involving data centres located across multiple Member States. For these deals, transaction parties can expect additional questions and comments from other Member States and potentially even a non-binding opinion from the European Commission. Particular scrutiny is likely where the data centres in question store strategic or sensitive data (e.g., for public authorities or EU institutions) or represent a significant network with only a few comparable alternatives.

Preparation and a co-ordinated strategy is key

With the substantive review (and ultimate decision-making) being reserved to each individual Member State it is critical that investors carefully assess the potential sensitivity of the data centres being acquired in each country.

For this purpose, the simplest approach will be to confirm whether the data centre (i) has government contracts (i.e., such that it could be considered an important supply to public bodies); and (ii) stores data for any entity which could be considered sensitive/strategic (such as energy, water, defence etc).

In addition, where data centres are located across multiple Member States (and so investors should anticipate additional interest and co-ordination at the Commission level) consideration should be given to the potential timing implications of questions and comments being issued under the EU Screening Mechanism (which cause national regulators to pause their review) as well as ensuring consistency across submissions. Preparing in advance the type of information that is likely to be requested through this process can mitigate potential timetable delays.


A new regime focuses on data centres working with critical sectors

The UK’s National Security and Investment Act (NSIA) will become operational on 4 January 2021 and ushers in a new world of investment screening in the UK – which will apply equally to foreign and domestic investments, to the surprise of many. Like the EU, the UK has developed a new regime, specifically designed for the digital age, to ensure that sensitive data and data centres are captured by the regime from the outset. Data centres are explicitly covered as one of the 17 mandatory notification sectors. The scope of transactions to be notified has been circumscribed after extensive push back (over half of the 94 responses to the Government’s consultation were from the data infrastructure community) on initial proposals, which would have required landowners, leaseholders, and investors in sensitive data, to notify – even when they did not know what was “inside the box”.

The solution reached neatly sidesteps this conundrum by requiring a direct contractual relationship with a critical sector entity. As a result, mandatory and suspensory filings are required for acquisitions of 25% or more of a company which owns or operates a data centre, manages a data centre’s facilities, or provides equipment installation / R&M services to data centres where the operator has a contract with a critical sector entity (e.g., civil nuclear, police, defence, energy, etc.) or which is used by public communications providers.

However, critics remain given the particular features of data centre development and building timescales which are very short – particularly in the current environment where demand from UK enterprises for cloud and internet hosted services continues to rise exponentially.  Although mandatory notification under the NSIA applies only to the acquisition of 25% or more in entities with existing activities, given these can come onstream very quickly, a 6 week+ delay to bringing in a new investor in order to go through the screening process is material.

The consequences of getting it wrong are severe: fines of the higher of up to £10m or 5% of worldwide turnover; and up to 5 years imprisonment for individuals who fail to file.

As a result, there is real concern in the sector that deal completion deadlines will be pushed back with the volume of precautionary reporting from investors understandably wanting to avoid falling foul of the new law and being made examples of. The proof will be in the pudding from 4 January and investors will be holding the new Investment Security Unit to the government’s promise of clearing “the vast majority” of transactions in the initial up to 6-week period.


In contrast to the (relatively) straightforward situation in the EU and UK – where new regimes clearly set out how, when and why data centres fall within the purview of FI authorities – the U.S. CFIUS regulations do not clearly capture transactions involving the acquisition of data centres (other than in a few highly specific instances where data centres may be collocated with “covered investment critical infrastructure”, such as major securities exchanges or submarine cable landing points).

However, while this may initially suggest on its face that investors in data centres do not need to be overly concerned about the U.S., CFIUS is nevertheless concerned with U.S. businesses that “maintain or collect” sensitive personal data of U.S. citizens. It is currently unclear whether data centres that host third-party data qualify as “sensitive personal data” businesses (thereby potentially triggering a CFIUS filing / jurisdiction), although one could reasonably interpret the rules as excluding data centres whose operators are unable to access hosted personal data that is encrypted (as they cannot decrypt it). In any event, CFIUS has authority to assert jurisdiction over foreign acquisitions of control of any U.S. business (including a data centre) and call in transactions – thereby giving it scope to potentially review data centre transactions that would otherwise not have been caught.

Moreover, once CFIUS does have jurisdiction over a transaction (whether by virtue of a data centre being involved or not), it is free to find that a national security concern arises from the foreign acquisition of a U.S. data centre based on its substantive assessment. This is not an abstract concern – as in Asia, U.S. data localisation has long been a concern for CFIUS. In fact, as early as 2014 CFIUS required that data was retained on U.S. servers with no foreign access as one of the mitigation conditions it placed on a deal.

CFIUS is also not the only game in town for U.S. FI reviews. Most notably, U.S. data centres that host classified data may be subject to conditions to mitigate foreign influence (imposed by the Defense Counterintelligence and Security Agency based on the newly published NISPOM rules). Such conditions generally include a combination of governance requirements and access restrictions, with greater conditions placed on U.S. companies that handle more sensitive information.