It seems almost every aspect of our home and working lives has an online aspect – a reality following the Covid-19 pandemic that has fuelled a surge in cloud computing around the world. Data centres – the digital world’s warehouses for data storage and processing  – are ever more critical infrastructure. Unsurprisingly then, data centres are – simply – so hot right now as investments pile into the sector.

Record breaking investment in 2020 and 2021

Data centre-related mergers and acquisitions reached a record-breaking deal value of $32 billion in 2020 and 2021 looks set to surpass that as the demand for computing capacity continues to soar. Indeed, dozens of data centre-oriented acquisitions worth over $17 billion have already closed this year – including the largest ever data-centre deal (Blackstone’s acquisition of QTS Realty Trust for $10 billion).

So what's the FI angle?

Those investments haven’t gone unnoticed by foreign investment regulators, who stand ready to scrutinise them closely.  As FI concerns expand to encompass data and data processing as the new "oil" of the 4th industrial revolution, data centres are viewed as a core part country’s critical infrastructure with the scope, if security is breached, to provide hostile actors access to vast amounts of hugely sensitive data. In the wrong hands, control of a data centre or access to the data itself could be used to cause disruption or otherwise compromise national security interests.

Investors need, in this hottest of hot digital sectors, to pay close attention to important differences in how jurisdictions treat investment in data centres – or risk being caught out and subject to unexpected regulatory scrutiny.

European regimes

If you consider the newer FI kids on the block: the EU (with its FI Screening Framework, which is influential in shaping Member States’ regimes) and the UK (with its shiny new National Security and Investment regime coming into effect on 4 January next year), it’s obvious that authorities want to ensure investments in data centre infrastructure receive sufficient scrutiny. Both regimes expressly capture data centres and investors should pay close attention in due diligence to the sensitivity of information hosted by the data centre as well as the existing contractual counterparties, particularly public sector bodies such as governments, EU institutions and those providing critical national infrastructure).

A similar approach in Australia

The position is similar, if more ambiguous in Australia, with incoming reforms likely to expand the scope of what is caught. Investments can already require mandatory FI notifications where data centres store classified information or personal data collected by the intelligence / defence services. However, this could soon also capture data centres supplying state governments or, unusually, where it holds personal data relating to over 20,000 people.

A different approach in the US

Unusually for such an extensive regime, the CFIUS regulations do not clearly capture data centre deals (other than in a few highly specific instances). Even so, investors should still be wary of CFIUS’ ability to call in any transaction by foreign investors and means that they still need to consider if their transaction is likely to raise any substantive concerns.

Asia is prioritising inward investment

This all stands in stark contrast to Asia where governments are mostly keen to facilitate inward investment and growth in the sector (e.g., India allows 100% foreign direct investment in data centres compared to other IT sectors). It’s not a one-way street – there is a trend of “domestication” of data, requiring some data processors to keep information onshore and the future impact of new personal data protection rules in China and Hong Kong are unclear.

While data centres may be a hot market globally – it’s clear that investors can expect a warmer welcome in some places than others.

Follow our ForeignInvestmentLInks blog for a deeper dive on this issue. 

You can read both parts of our mini-series on data centres here. Part 1 delves into the approach taken by authorities in the U.S., EU and UK. Part 2 scrutinises the contrasting approaches by authorities in Australia and Asia.