Site search
Navigating the six key issues affecting data centre investment and operation
Navigating the six key issues affecting data centre investment and operation

Regulatory considerations

Data sovereignty as a key theme in Australian data centre investment

'Data Sovereignty' has become a critical theme in data centre transactions over the past 18 months, driven by heightened national security concerns and regulatory focus. As the Government becomes increasingly focused on security risks relating to both its own data, and the data of private sector operators of critical economic and social infrastructure, we expect this theme will continue to shape data centre investment.

What is data sovereignty?

Data sovereignty refers to the ability for the government to control and regulate nationally-significant data and the underlying infrastructure which stores and processes that data. Data localisation, being regulations relating to the location of data, is a subset of this concept.

What are the key regulatory and policy developments affecting data sovereignty?

  • SoCI Act: iterative reforms to the Security of Critical Infrastructure Act (SoCI Act) have focused regulatory attention on the data storage and processing practices of critical infrastructure assets. Amongst other obligations, the SoCI Act requires responsible entities of prescribed critical infrastructure assets1 to adopt and maintain a risk management program. As part of this obligation, entities must:
    • comply with one of the prescribed cyber security frameworks; and
    • minimise or eliminate the risk that the storage, transmission or processing of sensitive operational information2 occurs outside Australia.

These obligations impact data centre operators and cloud computing businesses. As data centres are increasingly thought of as housing critical 'AI factories', it is likely that the operationalisation of these risk management obligations will be scrutinised more robustly.

  • FIRB: parallel reforms to the Foreign Acquisitions and Takeovers Act have resulted in critical data storage or processing assets (ie most data centre and cloud computing businesses) being classed as 'national security businesses'. This means that any acquisition by a foreign person of a direct interest in such a business requires approval from the Treasurer. Investments in national security businesses are generally subject to closer review.
  • HCF: under the Protective Security Policy Framework (PSPF), Commonwealth agencies must ensure that classified government data is only hosted by cloud services and data centre providers which have been certified under the Hosting Certification Framework (HCF). In order to be certified under the HCF, the service provider must ensure that it is owned by 'low-risk entities' and controlled by individuals and parties that exercise strategic and direction-setting decisions that are consistent with the Commonwealth’s interests. As part of ongoing compliance measures, service providers are generally required to obtain the Commonwealth's consent to undergoing change of control transactions (with a failure to do so leading to the risk of certification being lost). The HCF process is increasingly rigorous and forensic, and involves, among other things, an assessment of the data centre operator's security protocols and operational measures (including, in some cases, to a level of detail which considers the history of the data centre's communications network installation process). 

What does this mean for data centre transactions?

  • Advantages to Australian investors: given the zero-dollar FIRB threshold, Australian investors are at a distinct advantage to overseas investors who are not required to obtain FIRB approval. Change of control approval is still required under the HCF, but our experience is that this is not as difficult for Australian investors to obtain.
  • If not Australian, then Five Eyes: our experience has demonstrated that it is quite difficult for investors located outside of 'Five Eyes' countries to obtain FIRB approval to acquire an interest in data centres. Even where a non-Five Eyes investor can obtain approval to acquire an interest in a data centre 'shell', they are unlikely to obtain approval to acquire an interest in an operating asset, particularly one with HCF certification.
  • HCF is a key commercial driver: in a number of the recent data centre transactions, the ability to obtain and/or maintain HCF certification has been a defining factor in investment decisions. This is because HCF certification unlocks both the Federal Government as a potential partner and hyperscale cloud providers (Microsoft, AWS, Google etc) who themselves rely on HCF certification to attract government client workloads. It also represents a recognised industry-wide standard of security (and corporate stability) that can be relied upon by regulated customers.

Data localisation

Whilst technical requirements (eg the increasing need for latency and redundancy) will continue to be the primary driver for the location of key workloads, we are also seeing an increase in major customers mandating that data must be housed and processed in Australia only. The SOCI Act risk management obligations in relation to sensitive operational data add to this trend. We anticipate this will be a further driver of demand for Australian data centre capacity.

Footnotes

  1. Including critical electricity assets, gas assets; designated hospitals; critical food and grocery assets, and critical water assets.  

  2. This includes layout diagrams, schematics; geospatial information, configuration information, operational constraints or tolerances information, and data that a reasonable person would consider to be confidential or sensitive about the asset. Whilst this obligation does not go so far as to absolutely impose an obligation of data localisation in respect of sensitive data for critical infrastructure assets, it does come very close to operating in that way.