Data centres and the UK National Security and Investment Act 2021
Impact on data centre operators and investors
The UK Government's new investment screening regime under the National Security and Investment Act 2021 (the "Act"), has garnered significant interest due to the broad-reaching powers granted to the Secretary of State for Business, Energy and Industrial Strategy to review, and potentially intervene in, the acquisition of certain interests in legal entities, assets and intellectual property if the UK Government identifies a national security concern. Data infrastructure is identified as a sector where transactions could potentially give rise to national security concerns and this briefing considers the impact of the regime on data centre operators and investors.
Background
With the presentation before UK Parliament on 2 November 2021 of the statement of the UK Government's statement of policy intent under Section 3 of the Act (the "Statement of Policy Intent") and additional guidance issued by the UK Government on 15 November 2021, some general conclusions about the possible impact of the Act and UK Government's policy for assessing threats to national security can be drawn. Although the Act will come fully in force on 4 January 2022, the UK Government's powers to call in transactions is retrospective, meaning that transactions which completed on or after 12 November 2020 could be investigated for national security concerns.
With rapid growth in the use of digital communications infrastructure, both in the wake of the Coronavirus pandemic and as part of wider trends such as the continued growth of internet usage, data centres – fundamental points within this ecosystem – have attracted the attention of an increasingly wide number of investors. The Act could affect investments in data centres in a variety of ways and will need to be considered by anyone making or considering investments into data centres, whether they are existing data centre operators or new market entrants. The types of investments affected will include not only investments in data centre operators, but also acquisitions of land on which a data centre is situated and even leasing parts of a data centre. The impact on the financing of data centres should also not be discounted.
In this article we provide an overview of the of the way the regime works and have provided example transactions in the data centre sector to illustrate how the regime could impact data centre operators and investors.
The New Regime
From the perspective of parties to a transaction, the regime can be viewed as a two-level notification system:
- "Mandatory Notification Regime" - certain acquisitions of interests in legal entities crossing specified thresholds must be notified and cleared before they can complete ("Mandatory Notification"). If the transaction is completed without approval, it is a criminal offence (penalties include imprisonment and fines) and the transaction is void.
- "Voluntary Notification Regime" - other acquisitions of interests in legal entities crossing those thresholds or which otherwise give material influence or involve acquisition of assets and that are not subject to the Mandatory Notification Regime, may complete but, if they present potential national security concerns, could be subsequently called in within five years for a national security assessment. If deemed to be a national security risk, conditions may be imposed and, in the worst-case scenario, unwound. Parties seeking deal certainty can submit a voluntary notification with a view to getting clearance from the UK Government that their transaction is not a national security concern.
The Mandatory Notification Regime and data centre transactions
The Mandatory Notification Regime only applies to:
- Acquisitions of, or certain increases of share ownership or voting rights in, qualifying entities (broadly, companies and similar entities, trusts and partnerships) above certain thresholds, starting at 25%. In addition, acquisitions of shares can be caught, even below the 25% threshold, if the voting rights attached to those shares confer an ability to secure or block the passage of any class of resolutions (e.g. ordinary or special resolutions) at shareholder meetings. Therefore, acquisitions of assets such as land or buildings will not be subject to Mandatory Notification.
- Entities participating in one of 17 sectors of the UK economy identified by the UK Government as core areas where changes in control of the entity could give rise to elevated national security concerns (the "Sensitive Sectors").
The 17 Sensitive Sectors are set out in a separate statutory instrument which will come into effect on 4 January 2022 (the "Sensitive Sector Definitions"). For more detail, see our briefing on the Sensitive Sector Definitions and subsequent key changes. Additional guidance on activities which would bring entities within the Sensitive Sectors has also been published by the UK Government.
The most relevant definition for data centre transactions is that of "Data infrastructure". This definition broadly covers entities which own, manage, operate or provide services to data infrastructure, where the data infrastructure supports public sector authorities, provides peering, interconnection or exchange functions for public communications networks/services. The definition expressly includes virtualised infrastructure and covers parties who provide ancillary services (e.g. to facilities which house data infrastructure) which results in access to the data infrastructure. Where the service is provided to public sector authorities, the definition extends to sub-contractors providing these services indirectly to public sector authorities if they are aware that the ultimate recipient is a public sector authority. The guidance makes it clear that data centres with exclusively paper records are not in scope, which is perhaps an indication of the relative helpfulness of the guidance.
However, other definitions may also need to be considered. For example, the definition of "Communications", while primarily aimed at providers of public electronic communications networks and services, also includes making available facilities (such as data centre buildings) associated with providing communications networks where the main purpose is to host an active network element and the network or service provider has a turnover exceeding £50m. In certain narrow circumstances it may also be possible for other Sensitive Sectors to apply to a data centre – for instance, in theory, the "Critical suppliers to government" Sensitive Sector Definition could capture a data centre operator with a service agreement directly with a UK Government entity which requires it to obtain certain security clearances.
The Sensitive Sector Definitions have evolved considerably over the last twelve months as a reaction by the UK Government to industry responses to their consultations and discussions with trade bodies. Consequently, explicit and broad references which previously brought landowners within scope, have largely been removed (for example, the "Data infrastructure" definition was previously defined as including a party who "owns" a site or building on which data infrastructure was located). This is good news for some prospective real estate investors, because passive owners of a data centre site who primarily lease it to a data centre operator and not involved in the operation of the data centre are now likely to fall outside the regime. However, each data centre will still need to be assessed based upon the operations conducted at the site because, notwithstanding the changes referred to above, the Sensitive Sector Definitions of "Data Infrastructure" and "Communications" will still capture some passive data centre investments depending upon the characteristics and operations at the site.
Additionally, any investor in shares in a data centre operator will need to consider their operations at the site and whether these fall within the Sensitive Sector Definitions. If they do, and the proposed transaction meets the relevant ownership thresholds, then the transaction will be subject to a Mandatory Notification and need national security clearance.
The Voluntary Notification Regime and data centre transactions
As noted above, the UK Government's powers to scrutinise transactions are not limited to the qualifying transactions under the Mandatory Notification Regime. The powers extend to:
- Asset transactions
- Acquiring material influence over an entity
- Acquisitions of interests crossing the relevant thresholds but in legal entities not carrying out activities falling within a Sensitive Sector Definition
As has been made clear in the Statement of Policy Intent, the UK Government intends to use these powers in transactions relating to assets that are, or could be, used in connection with the activities set out in the Sensitive Sector Definitions or "closely linked" activities or entities which undertake activities "closely linked" to the activities set out in the Sensitive Sector Definitions.
The acquisition of land or buildings which is "proximate" to a "sensitive" site also has an elevated risk of being called in, even if the activities on that land or in that building are not within or closely linked to Sensitive Sector Definitions. There is no further detail in the Statement of Policy Intent on the meaning of "closely linked", "proximate" or "sensitive".
Consequently, parties entering into a transaction which is not subject to the Mandatory Notification Regime may consider voluntarily notifying a transaction in order to seek the certainty and comfort that the UK Government does not have any national security concerns with their transaction. Otherwise, the risk is that the UK Government becomes aware of the transaction by other means (for instance, in the Press), applies its call-in power and imposes conditions on the acquirer, which could happen as late as five years after the transaction took place.
What factors will the Government consider for assessing national security risk?
The Statement of Policy Intent states that, in assessing whether a notified transaction is of national security concern:
The Secretary of State is likely to use the call-in power where there may be a potential for immediate or future harm to UK national security. This includes risks to governmental and defence assets (infrastructure, technologies and capabilities), such as disruption or erosion of military advantage; the potential impact of a qualifying acquisition on the security of the UK’s critical infrastructure; and the need to prevent actors with hostile intentions towards the UK building defence or technological capabilities which may present a national security threat to the UK.
This assessment is based upon three risk factors:
- Target risk – whether the subject of the transaction, e.g. the asset or company, could pose a risk to national security. In the context of data centres, we expect this to focus on both the type and nature of data processed and stored, but also the importance of a data centre to the wider digital infrastructure network. In relation to asset transactions, whether ownership of the asset provides physical or administrative access to the data infrastructure.
- Control risk – whether the nature of the change in control pursuant to the transaction increases the risk to national security either by the ability to direct the activities of an entity or control how an asset is used. Acquisitions of land, buildings or data centre equipment will generally amount to complete control of the asset in question. However, in the context of an investor acquiring a data centre which is let to an operator the nature of the investor's rights to enter the property as landlord will be relevant.
- Acquirer risk – whether the acquirer has characteristics that suggest it is or might be a risk to national security. This will be fact-specific and some characteristics such as a history of passive or long-term investments are indicative of a low acquirer risk.
The Statement of Policy Intent helpfully confirms that when the UK Government calls in a transaction this will generally be where all three risk factors are present, though the potential for acquisitions on the basis of fewer risk factors to be called in is nonetheless not ruled out.
For more details on the Statement of Policy Intent, see our wider briefing on the impact of the Act and our update briefing.
What should you look out for next?
The Act comes into force on 4 January 2022. In the meantime, the Statement of Policy Intent by the UK Government will be issued under section 3 of the Act and will be very important in aiding assessments of the degree of risk associated with a transaction. It is in final form from the UK Government's perspective and has been presented before the UK Parliament, so while unlikely it also remains subject to further changes.
Looking further ahead, under section 6 of the Act, the UK Government has: (i) the power to vary the types of acquisitions which could be subject to Mandatory Notification - this could mean that asset acquisitions may become captured by the Mandatory Notification Regime; and (ii) exempt a category of acquirers by reference to their characteristics from the Mandatory Notification Regime - this could mean that particular groups, most likely to be those who are subject to some form of regulatory regime, would be able to complete a transaction without notification in advance.
Conclusion
As can be seen from the commentary above, the scope of the Act is broad and may affect data centre transactions more than has been anticipated. The impact is not just upon future data centre transactions; parties who have entered into transactions connected with data centres since November 2020 also need to be mindful of the impact of the Act.
Generally, market commentary expects a significant number of precautionary voluntary notifications and therefore for the UK Government to be extremely busy with the potential for commensurate delays to responding. It is hoped that if this is the case, the UK Government will issue further guidance once they have a better idea of transactions where precautionary notifications are being made which will assist parties in assessing the transactions which the Government are most interested in and make a better-informed decision on when precautionary voluntary filings are necessary.
In the meantime, parties to data centre transactions which are being contemplated, especially those completing after 4 January 2022, will need to consider the impact of the new regime and incorporate appropriate provisions in the contractual documentation.
Please get in touch if you have any queries or you would like advice.
The UK Government's new investment screening regime under the National Security and Investment Act 2021 (the "Act"), has garnered significant interest due to the broad-reaching powers granted to the Secretary of State for Business, Energy and Industrial Strategy to review, and potentially intervene in, the acquisition of certain interests in legal entities, assets and intellectual property if the UK Government identifies a national security concern. Data infrastructure is identified as a sector where transactions could potentially give rise to national security concerns and this briefing considers the impact of the regime on data centre operators and investors.
Background
With the presentation before UK Parliament on 2 November 2021 of the statement of the UK Government's statement of policy intent under Section 3 of the Act (the "Statement of Policy Intent") and additional guidance issued by the UK Government on 15 November 2021, some general conclusions about the possible impact of the Act and UK Government's policy for assessing threats to national security can be drawn. Although the Act will come fully in force on 4 January 2022, the UK Government's powers to call in transactions is retrospective, meaning that transactions which completed on or after 12 November 2020 could be investigated for national security concerns.
With rapid growth in the use of digital communications infrastructure, both in the wake of the Coronavirus pandemic and as part of wider trends such as the continued growth of internet usage, data centres – fundamental points within this ecosystem – have attracted the attention of an increasingly wide number of investors. The Act could affect investments in data centres in a variety of ways and will need to be considered by anyone making or considering investments into data centres, whether they are existing data centre operators or new market entrants. The types of investments affected will include not only investments in data centre operators, but also acquisitions of land on which a data centre is situated and even leasing parts of a data centre. The impact on the financing of data centres should also not be discounted.
In this article we provide an overview of the of the way the regime works and have provided example transactions in the data centre sector to illustrate how the regime could impact data centre operators and investors.
The New Regime
From the perspective of parties to a transaction, the regime can be viewed as a two-level notification system:
- "Mandatory Notification Regime" - certain acquisitions of interests in legal entities crossing specified thresholds must be notified and cleared before they can complete ("Mandatory Notification"). If the transaction is completed without approval, it is a criminal offence (penalties include imprisonment and fines) and the transaction is void.
- "Voluntary Notification Regime" - other acquisitions of interests in legal entities crossing those thresholds or which otherwise give material influence or involve acquisition of assets and that are not subject to the Mandatory Notification Regime, may complete but, if they present potential national security concerns, could be subsequently called in within five years for a national security assessment. If deemed to be a national security risk, conditions may be imposed and, in the worst-case scenario, unwound. Parties seeking deal certainty can submit a voluntary notification with a view to getting clearance from the UK Government that their transaction is not a national security concern.
The Mandatory Notification Regime and data centre transactions
The Mandatory Notification Regime only applies to:
- Acquisitions of, or certain increases of share ownership or voting rights in, qualifying entities (broadly, companies and similar entities, trusts and partnerships) above certain thresholds, starting at 25%. In addition, acquisitions of shares can be caught, even below the 25% threshold, if the voting rights attached to those shares confer an ability to secure or block the passage of any class of resolutions (e.g. ordinary or special resolutions) at shareholder meetings. Therefore, acquisitions of assets such as land or buildings will not be subject to Mandatory Notification.
- Entities participating in one of 17 sectors of the UK economy identified by the UK Government as core areas where changes in control of the entity could give rise to elevated national security concerns (the "Sensitive Sectors").
The 17 Sensitive Sectors are set out in a separate statutory instrument which will come into effect on 4 January 2022 (the "Sensitive Sector Definitions"). For more detail, see our briefing on the Sensitive Sector Definitions and subsequent key changes. Additional guidance on activities which would bring entities within the Sensitive Sectors has also been published by the UK Government.
The most relevant definition for data centre transactions is that of "Data infrastructure". This definition broadly covers entities which own, manage, operate or provide services to data infrastructure, where the data infrastructure supports public sector authorities, provides peering, interconnection or exchange functions for public communications networks/services. The definition expressly includes virtualised infrastructure and covers parties who provide ancillary services (e.g. to facilities which house data infrastructure) which results in access to the data infrastructure. Where the service is provided to public sector authorities, the definition extends to sub-contractors providing these services indirectly to public sector authorities if they are aware that the ultimate recipient is a public sector authority. The guidance makes it clear that data centres with exclusively paper records are not in scope, which is perhaps an indication of the relative helpfulness of the guidance.
However, other definitions may also need to be considered. For example, the definition of "Communications", while primarily aimed at providers of public electronic communications networks and services, also includes making available facilities (such as data centre buildings) associated with providing communications networks where the main purpose is to host an active network element and the network or service provider has a turnover exceeding £50m. In certain narrow circumstances it may also be possible for other Sensitive Sectors to apply to a data centre – for instance, in theory, the "Critical suppliers to government" Sensitive Sector Definition could capture a data centre operator with a service agreement directly with a UK Government entity which requires it to obtain certain security clearances.
The Sensitive Sector Definitions have evolved considerably over the last twelve months as a reaction by the UK Government to industry responses to their consultations and discussions with trade bodies. Consequently, explicit and broad references which previously brought landowners within scope, have largely been removed (for example, the "Data infrastructure" definition was previously defined as including a party who "owns" a site or building on which data infrastructure was located). This is good news for some prospective real estate investors, because passive owners of a data centre site who primarily lease it to a data centre operator and not involved in the operation of the data centre are now likely to fall outside the regime. However, each data centre will still need to be assessed based upon the operations conducted at the site because, notwithstanding the changes referred to above, the Sensitive Sector Definitions of "Data Infrastructure" and "Communications" will still capture some passive data centre investments depending upon the characteristics and operations at the site.
Additionally, any investor in shares in a data centre operator will need to consider their operations at the site and whether these fall within the Sensitive Sector Definitions. If they do, and the proposed transaction meets the relevant ownership thresholds, then the transaction will be subject to a Mandatory Notification and need national security clearance.
The Voluntary Notification Regime and data centre transactions
As noted above, the UK Government's powers to scrutinise transactions are not limited to the qualifying transactions under the Mandatory Notification Regime. The powers extend to:
- Asset transactions
- Acquiring material influence over an entity
- Acquisitions of interests crossing the relevant thresholds but in legal entities not carrying out activities falling within a Sensitive Sector Definition
As has been made clear in the Statement of Policy Intent, the UK Government intends to use these powers in transactions relating to assets that are, or could be, used in connection with the activities set out in the Sensitive Sector Definitions or "closely linked" activities or entities which undertake activities "closely linked" to the activities set out in the Sensitive Sector Definitions.
The acquisition of land or buildings which is "proximate" to a "sensitive" site also has an elevated risk of being called in, even if the activities on that land or in that building are not within or closely linked to Sensitive Sector Definitions. There is no further detail in the Statement of Policy Intent on the meaning of "closely linked", "proximate" or "sensitive".
Consequently, parties entering into a transaction which is not subject to the Mandatory Notification Regime may consider voluntarily notifying a transaction in order to seek the certainty and comfort that the UK Government does not have any national security concerns with their transaction. Otherwise, the risk is that the UK Government becomes aware of the transaction by other means (for instance, in the Press), applies its call-in power and imposes conditions on the acquirer, which could happen as late as five years after the transaction took place.
What factors will the Government consider for assessing national security risk?
The Statement of Policy Intent states that, in assessing whether a notified transaction is of national security concern:
The Secretary of State is likely to use the call-in power where there may be a potential for immediate or future harm to UK national security. This includes risks to governmental and defence assets (infrastructure, technologies and capabilities), such as disruption or erosion of military advantage; the potential impact of a qualifying acquisition on the security of the UK’s critical infrastructure; and the need to prevent actors with hostile intentions towards the UK building defence or technological capabilities which may present a national security threat to the UK.
This assessment is based upon three risk factors:
- Target risk – whether the subject of the transaction, e.g. the asset or company, could pose a risk to national security. In the context of data centres, we expect this to focus on both the type and nature of data processed and stored, but also the importance of a data centre to the wider digital infrastructure network. In relation to asset transactions, whether ownership of the asset provides physical or administrative access to the data infrastructure.
- Control risk – whether the nature of the change in control pursuant to the transaction increases the risk to national security either by the ability to direct the activities of an entity or control how an asset is used. Acquisitions of land, buildings or data centre equipment will generally amount to complete control of the asset in question. However, in the context of an investor acquiring a data centre which is let to an operator the nature of the investor's rights to enter the property as landlord will be relevant.
- Acquirer risk – whether the acquirer has characteristics that suggest it is or might be a risk to national security. This will be fact-specific and some characteristics such as a history of passive or long-term investments are indicative of a low acquirer risk.
The Statement of Policy Intent helpfully confirms that when the UK Government calls in a transaction this will generally be where all three risk factors are present, though the potential for acquisitions on the basis of fewer risk factors to be called in is nonetheless not ruled out.
For more details on the Statement of Policy Intent, see our wider briefing on the impact of the Act and our update briefing.
What should you look out for next?
The Act comes into force on 4 January 2022. In the meantime, the Statement of Policy Intent by the UK Government will be issued under section 3 of the Act and will be very important in aiding assessments of the degree of risk associated with a transaction. It is in final form from the UK Government's perspective and has been presented before the UK Parliament, so while unlikely it also remains subject to further changes.
Looking further ahead, under section 6 of the Act, the UK Government has: (i) the power to vary the types of acquisitions which could be subject to Mandatory Notification - this could mean that asset acquisitions may become captured by the Mandatory Notification Regime; and (ii) exempt a category of acquirers by reference to their characteristics from the Mandatory Notification Regime - this could mean that particular groups, most likely to be those who are subject to some form of regulatory regime, would be able to complete a transaction without notification in advance.
Conclusion
As can be seen from the commentary above, the scope of the Act is broad and may affect data centre transactions more than has been anticipated. The impact is not just upon future data centre transactions; parties who have entered into transactions connected with data centres since November 2020 also need to be mindful of the impact of the Act.
Generally, market commentary expects a significant number of precautionary voluntary notifications and therefore for the UK Government to be extremely busy with the potential for commensurate delays to responding. It is hoped that if this is the case, the UK Government will issue further guidance once they have a better idea of transactions where precautionary notifications are being made which will assist parties in assessing the transactions which the Government are most interested in and make a better-informed decision on when precautionary voluntary filings are necessary.
In the meantime, parties to data centre transactions which are being contemplated, especially those completing after 4 January 2022, will need to consider the impact of the new regime and incorporate appropriate provisions in the contractual documentation.
Please get in touch if you have any queries or you would like advice.