Welcome to the world of data centres - Investments in a new asset class: Success factors and pitfalls - Hogan Lovells
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Welcome to the world of data centres Investments in a new asset class: Success factors and pitfalls 2019
2 Hogan Lovells
Introduction
Hogan Lovells is your first port of call and
the leading legal provider in relation to
Your One-Stop adviser
successful realization and investments in
data centres in Germany and Europe.
Our dedicated data centre team comprises
lawyers with an in-depth understanding of
the data centre industry and its Project Development
Engineering Construction
characteristics. When providing you with
closely coordinated one-stop advice, we bring
together our knowledge carriers from various
legal disciplines including Real Estate,
Infrastructure, Energy, Resources & Projects, Operating Due Diligence
Intellectual Property, Project M&A, Data
Security, Dispute Resolution, Corporate,
Commercial, Project Finance, Employment
Law and Tax Law. This approach adopted by
Financing M&A
our integrated industry sector team ensures
that you receive consistent, industry specific
and solution oriented advice which focuses
on what you really need.
Dispute
This brochure summarizes key legal aspects
Resolution
to be considered when buying, selling,
financing and/or constructing a data
centre, including data protection,
digitalization and cyber security.
In the last 3 years the datacentre workload
has grown on average by more than 20%
worldwide. This development will continue
in the coming years until at least 2021.
(Source: CISCO)
What we offer: Many years of experience, a deep understanding of your industry, and a solution oriented focus.
Welcome to the world of data centres 2019 5
Welcome to the world of data centres
Lease or build a data centre? costs including costs for permits, such as
When a company is growing and wants to building permits, costs for fire suppression
out-source servers and IT equipment, it and detection systems, notary costs, costs of
must de-cide on the best way to do this. registrations, etc. Nor should companies
Such a decision can be crucial if the business underestimate the various risks related to
is expanding rapidly and therefore urgently power and cooling infrastructure, hardware
requires additional space for servers and IT and software, technological development,
equipment. The choice it faces is whether to uncertainty surrounding future business
lease data centre space (by a colocation or strategy and potential space problems, i.e. if
warehouse solution, which we will refer to as the space later proves to be too small or too
"leasing" or a "leasing solution") or whether big. Moreover, companies should be aware of
to build its own data centre. the large number of building regulations to be
met, for example in the area of fire safety
The obvious advantages of building over which may be very strict in some
leas-ing are that jurisdictions. On balance, leasing is likely to
• the company has maximum control be a better solution for many companies
over the IT equipment and anything because it allows risks to be confined and
related to it; gives companies the flexibility to adapt their
space needs to their business needs.
• there is no risk of "losing the lease", and
Data centre leasing strategies – the
• any unused space can be leased out to various types of contract structures
other companies, thus reducing electricity,
The most common types of leasing structures
cooling and security infrastructure costs.
for data centres are:
On the other hand, the main disadvantages
• Wholesale data centre and
of building are upfront costs which can add
colocation solutions
up quickly if not calculated thoroughly. The
costs of building and maintaining a data • Server hosting – managed hosting
centre should not be underestimated and Balancing the need for control
may be a crucial factor in the decision with the desire to cut costs
making process. When evaluating the costs
Ultimately, the decision between a whole
involved, the focus is mainly on power,
sale/colocation structure and a purely
staffing and IT infrastructure. However, real
managed hosting structure is one of
estate related costs are often not taken into
balancing the need to control the servers and
account sufficiently or at all. These include
IT equipment with the desire to achieve the
architect, planning and design costs, building
6 Hogan Lovells
best possible cost savings by entering into a What a data centre lease should cover
data centre lease. Important topics which
First and foremost, it is vital to clarify the
need to be addressed before taking such a
legal relationship between the data centre
decision include:
provider/landlord and the occupier/
• how much control is necessary with customer. Depending on the actual use and
respect to operation of IT equipment allocation of rights and obligations, a lease
and the premises in which the IT agreement (triple net or double net), a service
equipment is stored; agreement or an agreement with lease and
service elements are possible options. In the
• whether the tenant is prepared and willing
majority of cases, the parties will sign a lease
to accept (high) capital expenditures for
agreement which also includes elements of a
repairing and updating IT equipment; and
service agreement.
• whether the tenant is prepared to employ
As the lease agreement is the main legal
and pay for the necessary personnel to
document which governs the relationship
operate and maintain the IT equipment.
between the parties, particular care should be
When taking this decision, the tenant should taken when negotiating "Provider Must
not only consider its present situation and its Haves" on the one hand, and "Customer Must
needs as a business, but also bear in mind its Haves" on the other. Key topics to be
future strategies and plans in order to find the considered in lease agreements include:
best solution. Overall, the wholesale/
Lease term and renewals
colocation solution or a hybrid solution might
be the right choice for many bigger Would the company prefer a long-term or
companies, whereas the managed hosting shortterm lease taking into consideration
solution could be the ideal solution for that the initial term is often 15 to 20 years?
smaller firms. In addition, the number of renewal periods
and any pre emptive rights of the tenant
should be taken into account.
Welcome to the world of data centres 2019 Rent payment Another important point is how the rent will be paid. The basic rent is usually based either on square meters or on power availability. Space, permitted uses and equipment The leased space might not be enough for all the equipment and infrastructure that the tenant requires. It is therefore advisable to stipulate in the lease agreement whether the tenant is allowed to use additional space, e.g. on the roof for antennas, shaft space within the building or special support areas for the placement of generators. Set-up, alterations, maintenance, repair and replacement Depending on who owns and who will be obliged to maintain the facility infrastructure, specific provisions must be incorporated into the lease agreement regarding alterations, maintenance, repair and replacement. The tenant and/or landlord might be required to comply with certain standards and/or maintenance schedules. Provisions on services relating to data centre equipment, heating, ventilation and infrastructure should also be included.
Hogan Lovells Power supply, cooling, humidity, connectivity and data capacity Power supply, cooling, humidity, connectivity and data capacity are the core topics of a data centre lease. Provisions covering these areas must therefore be included in the agreement. Specifically, the following topics should be dis-cussed and agreed: power requirements, cost of power and uninterrupted power supply as well as redundant fibre access, multiple carriers and sufficient data capacity. Service level agreements The parties should also consider including service levels and reasonable support provisions. Moreover, the agreement should describe what happens if service levels are not met. For the customer, it might be desirable to include a termination right for continued breach of guaranteed service levels. Liability, indemnification, data protection and security A limitation of liability might be beneficial for both parties. The agreement should also include provisions regarding data protection, security (e.g. access to the building) and compliance with laws. In addition to the key topics mentioned above, it might be advisable to incorporate other provisions, depending on individual circumstances.
Welcome to the world of data centres 2019 9
Avoiding pitfalls in ultimately delivering a project ready for
construction contracts operation. This means for the Employer in an
Unlike brownfield projects/transactions, EPC project that the added risk of liaising
developing greenfield data centre projects with various parties and allocating various
are challenging and come with various risks is avoided.
risks. The developer needs to decide on the Parties need to face reality in terms of
right approach for such a development: construction of a data centre. According to
Delivering the project with various (multi- KPMG International's 2015 Global
lot) contractors and a potential designer/or Construction Project Owner's Survey,
engineer or choosing an turnkey approach
whereby an EPC-Contractor delivers the • Major complex EPC projects fail
whole projects and agrees to engineer, more often than they succeed,
procure and construct the datacentre. resulting in disputes;
While the first option may deliver a more • 71% of owners in the energy and natural
cost-efficient solution, a turnkey EPC resources sector reported unsatisfactory
Contractor undertakes the full completion, underperforming projects; and
turnkey and interface risk of such a highly
• 69% of all projects between 2012 and
complex project. One of the most obvious
2015 were reported to be more than
benefits of entering into such a contract is
10% over budget
having one single point of contact and
responsibility for the project, thereby Having this in mind, a clear contractual
avoiding having to manage various role- framework including a fully functional and
players that would otherwise have to be efficient claims and risk management can
involved in the construction and setting assist in avoiding pitfalls as well as
up of such a project. significant delays and cost overruns.
While it is, of course, commonplace for an
EPC Contractor to engage various
subcontractors to provide certain services or
works, the EPC Contractor remains the
single point that is directly responsible for
10 Hogan Lovells
Getting your contracts right
Service level agreements with respect to General Terms and Conditions, the parties
data centre leases are advised to ensure that the availability of
A service level agreement is the main the data centre is laid down in the
contract that defines the parties' rights and agreement. Conversely, the landlord faces
obligations under a data centre lease. the risk of having to guarantee the
permanent availability of the data centre.
Before signing such contracts, the parties
should assess the scope of services that the The parties should not include a disclaimer
data centre landlord will perform under a regarding warranty claims. The statutory
service level agreement. These services warranty obligations of the landlord or the
could range from entire business processes contractor cannot be excluded within the
or merely IT processes, through to the General Terms and Conditions in many
exclusive provision of IT infrastructure jurisdictions for instance.
within the data centre. Finally, the parties should assess the
More elaborate service level agreements validity of any limitation of liability clause
may also stipulate the provision of certain regarding strict liability on a case by case
types of software (applications) by the basis. However, the limitation of the
potential financiers (application service landlord's liability should always take into
providing, "ASP"). account the risk of cyber attacks and
appropriate preventive measures.
Such an assessment is a key consideration
for the validity of any service level Getting the operation structure right
agreement. The scope of the data centre When it comes to the operation and
lease and the rights and obligations of each maintenance of data centres, it is all about
party may vary according to what was availability, reliability and stability of the
agreed upon between the parties. In any services. Just recently, some parts of the
case, it sets the standard for the evaluation German World Wide Web were interrupted
of the agreement with regard to the law on for several hours due to a downtime of an
General Terms and Conditions. internet hub in Frankfurt as a result of an
energy breakdown in a Frankfurt date
However, both IT and data centre services
centre compared with a crash of the energy
are prone to faults, require maintenance or
redundancies in this data centre. Even
updates and may be subject to cyber
short outages of the energy supply, the
attacks. All these and other adverse effects
cooling of the racks or the humidity control
may lead to downtimes and impact on the
in the data centre may cause enormous
availability of the data centre. With regard
downtime costs and high damage. Thus,
to the strict applicability of the law onWelcome to the world of data centres 2019 11
uninterrupted availability and fast which may lead to interruptions in the
troubleshooting services are required and services. Especially the core services (e.g.
should be secured at any time. power supply, cooling, humidity control,
security) should then be discussed with a
A key instrument for securing such
view to defining contractual service levels,
availability and avoiding potential losses
percentages of guaranteed availability and
can be seen in liquidated damages.
pre-agreed reaction and trouble shooting
Liquidated damages are designed to meet
times. In particular, the contractual service
the legal requirements in the relevant
levels should ensure that the required times
jurisdictions and may help to keep the
for (successful) troubleshooting and the
pressure on the operator in order to secure
points of measurement of the availability
quick troubleshooting and sufficient
are exactly defined. The better the parties
redundancies of the contractor. In some
describe such obligations and service levels
jurisdictions (such as Germany), a well
in the contracts, the better they may be able
thought-through drafting of contractual
to link these times and percentages to an
predefined liquidated damages is essential
escalating mechanism of liquidated
to avoid unenforceable provisions.
damages covering the employer's
In order to achieve this, the party engaging potential damage in a realistic manner.
an operator should extensively investigate
and consider in detail all possible scenarios12 Hogan Lovells
Data centre M&A and Financing
Share vs. asset deal
In an acquisition scenario it should be way of novation. In particular, it should be
decided as early as possible whether the noted here that – in contrast to a share deal
transaction will take the form of a "share – both the sale and transfer of the
deal" or an "asset deal". contractual relationships re-quires the
consent of the contractual partner.
Under a share deal, all or part of the shares
in a business are transferred to the In the course of a share deal, the purchaser
purchaser. If, for instance, a project company will acquire a certain percentage of the shares
or holding company has been set up as a in a target company from the shareholders of
limited liability company, the purchaser – that company, including any and all of the
upon completion of the purchase – becomes target company's contractual relationships,
a shareholder of that company. receivables and liabilities on the basis of a
share purchase agreement (SPA). Unless
In contrast, under an asset deal, the seller
dedicated "change-of-control" provisions
only disposes of and transfers individual
apply, no consent from the other contractual
assets (and liabilities) under an asset
parties is required, as it is only the
purchase agreement (APA). On the basis of
shareholder of the counterparty (the target
the principle of legal certainty in some
company) that changes, not the counterparty
jurisdictions, the transferred assets and
itself. Potential risks, in particular on the
liabilities must be clearly defined in the APA
investor/purchaser side, arise not only from
together with any required particular kind of
the acquired assets themselves, but also
transfer method to the purchaser. Therefore,
potentially from the underlying entity that
an asset deal initially also involves increased
actually owns the assets and whose shares
costs and effort on the part of the seller and
have now been acquired by an investor/
the purchaser to establish and agree on the
purchaser. Consequently, since under a share
"object of the purchase" and the contractual
deal the transaction does not affect any
documentation (i.e. the APA). However, the
existing contracts – claims by employees,
advantage of an asset deal lies in the
third parties as well as long term contractual
possibility to select individual assets and
relationships potentially unknown to the
liabilities for transfer. Any ancillary contracts
purchaser will be assumed – this risk
(incl. rights and obligations e.g. power
should be mitigated by way of in-depth
purchase agreements, commercial
due diligence as well as by imposing an
agreements such as lease agreements for the
appropriate guarantee and liability regime on
provision of data centre services) will have to
the seller in the SPA.
be transferred to the purchaser separately byWelcome to the world of data centres 2019 Nonetheless, transactions involving data centres are typically implemented as share deals, in particular because they allow a clean exit for the seller and a comprehensive acquisition of rights and assets for the purchaser. However, asset deals may be preferable if the target company bears major liability risks (e.g. from other operations or from pending disputes with customers), or if the transaction takes place in the context of a crisis or insolvency proceedings of the target company (distressed M&A). In summary, the question of whether a share deal or an asset deal is preferable cannot be answered in general – the decision must be taken follow- ing an assessment of the interests of the respective party (seller or purchaser) and the specific transaction. Due diligence – the best of both worlds Our practical experience repeatedly confirms that due diligence in data centre M&A transactions significantly differs from due diligence in traditional M&A transactions. This aspect is frequently underestimated and often leads to risks not being identified and therefore not reflected in the underlying share (or asset) purchase agreement. By nature, data centre acquisitions require a different approach to due diligence. While it
14 Hogan Lovells
may be sufficient in "traditional" M&A to identifying the risks inherent in the often
summarize the key provisions of the complex contractual documentation and of
commercial agreements (such as termination avoiding any unpleasant surprises later on
and change of control) and to examine – this is a significant success factor for any
whether the agreements are legally binding, data centre transaction.
this is not enough when dealing with data
In this regard, we believe that a careful
centre projects. The traditional approach
examination of the data centre specific
tacitly assumes a large number of commercial
agreements yields the best results if it is
agreements and that these agreements are
carried out by lawyers with appropriate
implemented according to their provisions,
drafting and negotiating experience. Only
without any "problems" arising.
they are able to rapidly and reliably
This approach is too simple for the data understand which scenarios will have which
centre world. It tends to be the rule rather effect on the project agreements. Our
than the exception that for instance only a experience of providing legal advice for data
limited number of (long term) and centre project developments means that we
commercially highly relevant lease know what can go wrong and are thus able
agreements are in place – and the loss of to identify typical risks.
just one of those agreements may jeopardize
As a result, our clients are aware not only of
the buyer's assumptions in its financial
the current status of the agreements, but
model and accordingly the success of the
also of precisely what may lie ahead – and
entire transaction.
what does not.
Therefore: heads up! We mitigate such Focus on cash flows – not on warranties
transaction risks by conducting risk-based
The approach to share (or asset) purchase
and tailored data centre due diligence that
agreements in a data centre transaction
analyses the commercial agreements as part
differs significantly from "traditional" M&A.
of a stress test and takes into account the
specific characteristics of the respective data In contrast to traditional M&A transactions
centre: we review in detail any lease cash flow and profit are often not generated
agreements, power purchase agreements via the sale of goods and services to a market,
with a view to ensuring uninterrupted power but via a small number of key contracts –
supply and cooling of the facilities, as well as and sometimes only one. This makes
any other operation and maintenance investment attractive for long term strategic
agreements that are critical for the operation and financial investors, but also shows that
of the data centre. Ultimately, this means the return is dependent on these contracts.
that our clients can be sure of correctlyWelcome to the world of data centres 2019 15 In addition, data centre deals often have a centre is protected in the SPA, as this is the simpler asset structure than "normal" real asset which is bought in a data centre transactions. A lot of representations and M&A transaction. This approach only warranties which are market standard in requires a limited set of representations traditional M&A are not required in data and warranties, but needs to ensure that if centre M&A or, even worse, give a false those turn out to be wrong, the entire loss sense of security. It would be fatal if a buyer in cash flow is compensated. By focusing of a data centre that generates profits under the SPA discussions on the relevant issues, one or two long term lease agreements only we are usually able to significantly reduce relied on an extensive set of representations negotiation time and to ensure that the SPA and warranties and did not take into is structured and easy to understand. This account that such representations and approach also frequently helps our buy side warranties are usually time barred for 12 to clients to strengthen their position in 18 months after closing, often leaving the auction processes in the highly competitive major part of the contract term unprotected. and seller friendly data centre market. As a consequence we have adopted our Project finance vs. corporate finance approach to the "data centre SPA". Instead Data centres involve significant capital of having lengthy and costly discussions on in-vestment. A data centre's operator may partially meaningless representations and wish to finance either the development and warranties, we focus our efforts to ensure that the cash flow from the relevant data
16 Hogan Lovells
construction or the acquisition of a data One of the core elements for successful
centre with debt. Whilst it is possible to financing is a well structured and realistic
source funds with all the usual instruments business case. The date centre operator
of corporate finance, the revenue stream must therefore have a clear picture of the
generated by operating a data centre can also investment costs, an appropriate
be suitable for project finance. Project contractual set up for the reliable and
finance is typically described as the long term secure performance of the development and
financing of infrastructure and energy construction as well as of the long term
projects held in a special purpose vehicle operation of the data centre and the
(SPV) with a non recourse or limited expected return. Securing a long term lease
recourse financing structure. The key agreement with at least once anchor tenant
characteristic is that the project debt is which accounts for a substantial part of the
exclusively repaid by the cash flow generated business case is therefore key.
by the project. No other income is typically PropCo – OpCo structures with respect
available and the providers of both types of to data centre leases
debt must rely on the success of the project to
Tax optimization helps: A PropCo-OpCo
generate sufficient and stable cash flows. The
lease structure can be used e.g. to reduce
project's assets, rights and interests serve as
exposure to German trade tax, a tax levied
collateral. Compared to project finance in
by German municipalities (around 15-16%
other sectors, the financing of a data centre
in larger cities).
also includes elements of real estate finance:
Real estate companies, i.e. companies
Given that the owner of a date centre is
engaged exclusively in the mere leasing
normally also the owner of the land, one
and letting of their own real estate, are able
of the main security rights provided to
to reduce their trade tax exposure to zero.
the debt providers is a land charge in
A company owning and operating the data
many jurisdictions.
centre cannot apply this exemption
It is also not uncommon to work with an
OpCo/PropCo which is also an element
known from real estate finance.Welcome to the world of data centres 2019
because it also provides a number of
services that go beyond the leasing of real
estate to its customers.
Thus, the data centre building and the
underlying real estate, excluding all fixtures
and fittings, needs to be allocated to a
different entity ("PropCo") than the entity
operating the data centre ("OpCo"), which
in turn leases the data centre building from
PropCo. As the business activities of PropCo
are limited to mere leasing, the PropCo can
make use of the specific exemption for real
estate companies.
Any rents payable by OpCo to PropCo will
consequently be exempt from German
trade tax at the level of PropCo. Although
OpCo will have to consider an add back of a
certain portion of the rent to its trade tax
base, overall the trade tax exposure is
reduced by such a structure.
In other jurisdictions thoughtful structuring
helps to reduce taxes as well.Welcome to the world of data centres 2019 19
Energy and efficiency
Energy: optimizing cost efficiency noted, however, that in order to incentivize
and minimizing risk tenants to take such measures, it is essential
Every data centre operator will eventually to meter their individual power consumption.
have to address one considerable cost factor Additional incentives for tenants to reduce
of any such operation: energy costs. energy consumption may be
Fortunately, operating a data centre offers contractually agreed.
numerous opportunities for energy cost Finally, it is possible to obtain long-term
optimization on both the operator and loans at favourable interest rates for
tenant side. measures to increase energy efficiency. With
One of the goals for operators is probably to regard to the German market, for example,
maximize their data centre's power usage such loans are offered by the German bank
efficiency ("PUE"). The PUE is the ratio of a Kreditanstalt für Wiederaufbau (KfW).
centre's overall energy consumption versus Disaggregated recursive data
the energy used by the IT installation. Ideally, centre-in-a-box (dReDBox)
the PUE equals 1. In this case, all energy Besides energy costs, data centres are limited
consumed in the data centre is used to power by the available space. Today, once the IT
the IT infrastructure and no additional energy infrastructure is established, it is set in stone,
is required for auxiliary equipment, i.e. for and any changes can only be made with
cooling or lighting. significant effort. So processing capacity,
Although a PUE of 1 is a theoretical value, memory and other resources are allocated to
there are several ways to get as close as one specific user. This means that
possible to this figure. One of the most connections, once established within the data
promising methods is to use a combined heat centre ecosystem, will stay as they are even
and power plant ("CHP"), which converts when these resources are not required by the
heat from the IT hardware into electrical user (server asaunit model). This leads to a
energy and simultaneously provides cooling significant waste of space, energy and
through absorption refrigeration. computing capacity.
On the tenant side, an increase in energy The European Union (EU) aims to tackle this
efficiency can be achieved particularly by static concept in order to create a socalled
maximizing the efficiency of the hardware disaggregated recursive data centre in a box
in use. This includes efforts such as (dReDBox) as part of the Horizon 2020
virtualization. Other, physical measures pro-gram (H2020). The aim of this research
comprise the use of state of the art energy project is the more flexible and on demand
saving computing platforms. It should be creation of interconnections within a data20 Hogan Lovells
centre ecosystem. Reacting to user demand very often subsidized and operators profit
and shifting resources where they are needed from comparably high feedin tariffs.
will unlock the full potential of the – currently Additionally, tax reductions may apply.
unused – data centre infrastructure. As a
From a regulatory perspective, operators
result, efficiency gains are achieved while
should ensure an adequately scaled grid
electric power consumption is reduced.
connection for the data centre. In this regard,
The dReDBox is based on pooling otherwise the relevant agreements with the grid
disaggregated IT resources. Pooling the IT operator – and if applicable with the land
infrastructure to match the needs of cloud owner – need to be in place. As a stable and
users is intended to lead to improved uninterrupted energy supply is paramount
utilization, scalability, reliability and power for the operation of a data centre, contractual
efficiency (pooled computer model). With regulations on down times of the grid
regard to the generally limited space capacity connection for maintenance reasons should
of data centres, this will eventually enable the be reviewed carefully. Therefore it is
data centre operators to do more with their important to be familiar with applicable
space while consuming less energy. Although regulatory and market standards.
this sounds utopian, three initial prototypes
Due to the importance of energy supply and
of the dReDBox have already been developed
cooling systems, data centre projects are in an
and are undergoing test operations to
excellent position to integrate onsite energy
demonstrate the value and capacity of pooled
generation facilities such as solar panels or
data centre infrastructure with regard to
CHPs. If structured in compliance with the
cyber security, network analytics and telecoms.
regulatory framework, the advantage of such
Energy regulatory onsite generation is that it allows operators to
Operators should carefully assess options for avoid some of the taxes and levies that
onsite power generation because, if typically increase energy costs. By using
structured appropriately, this could generate energy that has been generated onsite,
an additional income stream. Energy operators may thus avoid paying grid usage
produced by solar panels and/or a CHP fees, electricity tax and in certain cases even
on-site and fed into the public power grid isWelcome to the world of data centres 2019 further levies. Further more, operators should assess opportunities to benefit from government subsidy programs for investments in onsite renewable energy facilities or CHPs. In order to assess the options for on-site energy generation, operators may consider entering into a so called energy contracting agree-ment with specialized service providers. The scope of such agreements varies from a mere assessment and planning exercise for a project to the complete financing, planning and operation of onsite energy generation facilities. When negotiating contracting agreements, it is vital to understand the applicable regulatory framework in order to identify potential pitfalls. For green field projects, there are specific energy regulatory requirements resulting from European regulations. For example, land owners are obliged to use renewable energy sources up to a certain percentage for heating and/or cooling of new builds. There are attractive ways to meet these obligations, for example by using a CHP.
Welcome to the world of data centres 2019 23
Data protection – beware and protect your data
From a data protection perspective, Moreover, machine generated data has
running a data centre is essentially about become increasingly important. The so
storing, maintaining and processing digital called "Internet of Things" ("IoT") is an
information. In practice, however, there almost unlimited source of digital
are many more things to consider, such as information which requires storage and
knowing your customer (KYC), maintenance. Handling such big data and
understanding their needs, providing offering services such as text and data
tailored physical and digital infrastructure mining algorithms is both a technical
as well as suitable software architecture, challenge and a business opportunity.
server capacity and staff. We understand The increasing volume of machine generated
the need to combine both the legal and data raises a whole new set of questions.
practical approaches. Who owns the data (e.g. data collected from
cars on the road or home power systems)?
After all, adequate data protection and
What security level should be applied? Is
security require a certain infrastructure
there a public interest in allowing
and highly trained staff. Managing a data
authorities to demand disclosure (possibly
centre therefore inevitably involves and
through the data centre)? The answers to
rests on a prudent and forward looking
these questions are still being debated.
privacy concept. To the point internal
We advise our clients on exactly these issues.
guidelines as well as comprehensive
contractual agreements with suppliers, However, in January the European
sub contractors and customers are key in Commission published the first regulatory
this context. This is what we focus on in initiatives in this area. The legal
our day today advice. environment and statutory framework are
taking shape and Hogan Lovells is closely
The correct and legally compliant treatment
monitoring this development. Follow us at
of personal data is only one aspect to be
www.dsmwatch.com).
addressed, but is probably the most obvious
one. Confidentiality requirements are not The new law
merely confined to personal data. There is We are currently faced with an
plenty of digital information stored in data environment of change in Europe.
centres that may not be classified as data The General Data Protection Regulation
relating to an identified or identifiable (GDPR) has been enacted and will take
individual, but may still be of crucial effect as of 25 May 2018. It will replace 28
economic value to the customer. Prime domestic privacy laws throughout the
examples of this are trade secrets and European Union. National laws will only
confidential technical information. continue to apply in areas not fully24 Hogan Lovells harmonized by the GDPR. The supervision Data privacy of privacy compliance will differ from what Having mentioned the new GDPR, it is we have been used to in the past. worth highlighting a few regulatory Notably, the territorial scope of the GDPR requirements that are most likely to demand not only covers the activities of an the adaptation of existing technical establishment located in the EU. It also processes and legal terms and conditions. applies as soon as the processing activities The obligations that deserve particular are related to the offering of goods or mention include compulsory cooperation services to data subjects in the EU or the requirements with the competent monitoring of behaviour to the extent that it supervisory authorities, notification takes place within the EU. This means that obligations as regards infringements, data processing personal data in data centres privacy by design and by default, the right may not only allude to EU data privacy law, to be forgotten and various new but also raise a wide array of complex documentation requirements. Also, the challenges and questions in this field. concept of a data protection officer has In particular in view of the significant been expanded to the entire Union. sanctions regime – with fines of up to 2 It should also be noted that under the GDPR percent of worldwide annual turnover both the controller and the processor are – compliance with data privacy requirements responsible for privacy compliance. Fines has become even more important to any for non compliance are substantial, not to entity handling person-al data. mention the damage that would be caused However, it should be noted that the GDPR is to a company's image if it were accused of not the only new piece of legislation failing to meet data protection requirements. governing the storage and processing of data. Accordingly, it is crucial to have adequate In January 2017, the European Commission and upto date privacy concepts in place published a proposal for an ePrivacy governing staff, services and infrastructure. Regulation. Its core focus is to ensure an Data processing agreements need to be adequately high level of confidentiality of revised and adapted to reflect the new electronic communications throughout regulations of the GDPR and the coming Europe. In pursuing this aim, the draft ePrivacy Regulation. In this context, Regulation goes beyond purely personal data multiple layers of subcontractors in cloud and covers all kinds of private information. infrastructures are a particularly common For more details, see our international blog source of difficulty and ambiguity. Clear at http://www.hlmediacomms.com. contractual structures and transparent
Welcome to the world of data centres 2019 25
technical architectures are recommended access to the processed data are offered by
safe-guards in this respect. the housing provider, the latter may be
deemed neither a processor nor a controller
Different business scenarios
of the data. However, such scenarios rarely
Privacy law generally differentiates between
exist in practice.
"controllers" and "processors". A different
set of obligations applies depending on which As we have seen, there are various ways to
of these two roles a company has. A data "design" a data centre service and each
centre operator has various options to choose design brings with it a slightly different set of
from. The business model chosen by a firm legal requirements.
will determine which legal regulations it Cyber security
must meet. Conversely, the respective legal
Data centres are data hubs and therefore
obligations can make certain business
susceptible to cyber attacks. Such attacks
models more or less attractive. Therefore,
could result not only in data theft, but also in
taking an informed decision as to how the
the disruption of internet services of
data centre service will be structured is
multiple customers and businesses.
essential for business success.
Consequently, a data centre operator faces
Generally, a distinction can be made high liability risks.
between two common business scenarios:
There have been many instances of high
First, controllers deploying a hosting profile cyber attacks such as:
provider. Here, processing and
• (Distributed) Denial of Service (DDoS)
infrastructure are part of the service
attacks where servers shut down due to
rendered. Whereas the original controller is
being overloaded by a flood of
still regarded as a controller, the hosting
incoming messages.
provider might either be a processor or a
(secondary) controller, depending on the • Ransomware attacks, such as WannaCry
extent of autonomy involved in the service and NotPetya, where malicious software
rendered. The service contracts need to be blocks access to a computer's data, asking
drafted accordingly to ensure adequate for a ransom to release the data or
justification for the agreed handling of data. otherwise threatening to destroy it.
Secondly, controllers deploying a mere • Attacks against the data centre
housing provider providing only the data infrastructure to screen, control or
centre infrastructure. Under a "pure" eventually destroy the facility such as
version of this scenario, i.e. where no the Stuxnet virus.
(emergency) services that potentially allow26 Hogan Lovells Recently, there has been a noticeable trend Hence, more efficient security packages or toward more sophisticated attacks. Such change of outdated IT infrastructure may be unprecedented techniques render the data advantageous to such operators. They might centre infrastructure even more vulnerable result in higher costs, but augmented and are likely to result in liability claims by liability and negative publicity can lead to the data centre's customers. more severe problems. Unpredictable and unforeseen incidents – Certain data centre operators might also be also known as black swan events – may not subject to stricter regulation. Data centres necessarily trigger fault based liability of the with an annual performance of more than data centre operator. However, it can be very 5 Mega watt, IT hosting with more than challenging and practically impossible for 25,000 annual average instances, content the operator to prove the existence of such a delivery networks with an annual data black swan event. The WannaCry and volume of 75,000 TByte, trust services with NotPetya incidents illustrate that threat more than 500,000 issued qualified actors exploit malware families and reuse certificates or 10,000 certificates for efficient attack strategies. Considering the authentication of publicly available servers nature of cyber attacks, it is notable that, are subject to the German Federal Agency e.g. in Q1 and Q2 2017, 75% of all for Security in Information Technology Act ransomware attacks were based on the same (BSIG). As a result, sector-specific security six known malware variants. This means standards (Branchenspezifische that, had the proper security mechanisms Sicherheitsstandards – B3S) apply. The B3S been in place, these threats could have been for data centres, however, are based on ISO prevented. In such cases, data centre family 270xx. Especially the ISO 27001 and operators may not be able to be released ISO 22301 – in addition to the other data from nonfault liability; as such events could centre specific security standards – are have been prevented and are not to be referenced and need to be respected and considered as black swan events. The data implemented by the data centre operator. centre operators may thus be held liable. Therefore, it is strongly recommended that data centre operators stay informed about current threats and cyber security trends. Otherwise, the data centre's board faces personal liability or regulatory fines.
Welcome to the world of data centres 2019 29
Data centre projects and transactions – our expertise
Our credentials Setting up a data centre also has various tax
At Hogan Lovells we have a great depth of implications for the provider as well as for
experience in advising clients on the potential customers which should be taken
establishment and acquisition of data centres. into account (e.g. permanent establishment
aspects, VAT aspects). Our Tax team is
The value we bring to clients is both in the highly experienced in setting up tax efficient
depth of expertise in critical subject areas, structures and dealing with all relevant tax
such as telecommunications regulation, aspects in the respective agreements.
real estate and land use law and regulation,
tax, employment, and environmental Our services
regulation, and in our ability to co-ordinate • Industry specific due diligence
this advice across jurisdictions, exercising • Real estate and regulation
sound judgment in supporting clients with
location selection decisions and strategies • Service – and O&M-contracts
for execution. We have strong relationships • Energy-related advice and
with local regulators and we understand the cost efficiency
markets in which our clients operate.
• Coordination of global deals as your
More than just data storage single-point-of-contact in Germany
We have experienced projects, real estate,
• Finance
corporate, and commercial teams who
can assist • Commercial and tax
• with all aspects of the acquisition and
construction of data centre sites or
• fully operating data centre businesses
if required
• with establishing title and ownership
• with all aspects of data centre
transactions and ongoing operation,
including site suitability and risk
factors, planning and environmental
issues, ownership of key infrastructure
(e.g. backup power, cooling, and fire
suppression, customer contracts)30 Hogan Lovells
Our distinctive expertise
Keppel Telecommunications & Transport and Alpha Keppel DC REIT
Investment Partners
On its acquisition of a data centre in the Celtic Gateway
On the acquisition of a EUR 76m data centre from Business Park. The data centre is fully let to one of largest
Citigroup and on the sale-and-lease back agreement to global cloud service providers on a 15-year full repairing
Citigroup who remains the tenant. and insuring lease that commenced in June 2016.
A borrower Telehouse Holdings Ltd. and KDDI
The borrower in a (re)financing of a data centre Corporation on its acquisition of Databurg GmbH.
in Frankfurt.
TelecityGroup A leading UK based operator of data centres
• In relation to its acquisition of the Manchester based On various project developments (EPC, O&M) as well
carrier neutral data centre. acquisition of such data centre in Germany.
• On its GBP 87.6m acquisition of Data
Electronics Group.
• On its acquisition of leading Finland data centre
operator Tenue Oy.
• On the acquisition of Academica, a leading data
centre and IT services operator in Finland.
• On the acquisition of the data centre business of
MedioSystems, an affiliate of the IBM Group.
• On its acquisition of the entire issued share capital of
SadeceHosting.
• On its acquisition of the entire issued share capital
of 3DC by TelecityGroup International Limited.
Hogan Lovells advised On English law and oversaw
local advisors.
• On its acquisition of Plix.Welcome to the world of data centres 2019 31
A UK clearing bank A major European colocation space provider
On the development of a dedicated data centre and a On the development of a new data centre and
number of consequent upgrade projects. consequent extension project and on projects to
upgrade equipment on existing operational sites.
Du Pont Fabros Technology A leading global bank
On its proposed purchase and redevelopment as a data On establishing a data processing subsidiary in China.
centre of a heavily contaminated former chemical and
pharmaceutical manufacturing site.
A leading data centre operator A leading data centre operator
On the acquisition of the reversion to their facility in On the lease review of 46 leases across 6 countries for a
Harbour Exchange Canary Wharf, regearing followed leading data centre operator.
by sale and leaseback.
One of Europe's leading data centres A number of financial institutions
On all employment matters across Europe. On fit out of new UK headquarters premises, with
related internal data centres.32 Hogan Lovells
Your key contacts
Dr. Alexander
Dr. Tobias Faber Stefan Rieger Dr. Fabian Pfuhl Johannes Groß
Partner, Frankfurt Counsel, Frankfurt Counsel, Frankfurt Associate, Frankfurt
Dr. Carla Luh
Partner, Hamburg
Dr. Mathias
Schönhaus
Counsel, Dusseldorf
Dion Panambalana Nicola Evans
Partner, London Partner, LondonWelcome to the world of data centres 2019 33
Alex Wong
Partner, SingaporeAlicante
Amsterdam
Baltimore
Beijing
Birmingham
Boston
Brussels
Budapest*
Colorado Springs
Denver
Dubai
Dusseldorf
Frankfurt
Hamburg
Hanoi
Ho Chi Minh City
Hong Kong
Houston
Jakarta*
Johannesburg
London
Los Angeles
Louisville
Luxembourg
Madrid
Mexico City
Miami
Milan
Minneapolis
Monterrey
Moscow
Munich
New York
Northern Virginia
Paris
Perth
Philadelphia
Riyadh*
Rome
San Francisco
Sao Paulo www.hoganlovells.com
Shanghai
Shanghai FTZ*
Silicon Valley
“Hogan Lovells” or the “firm” is an international legal practice that includes Hogan Lovells
Singapore International LLP, Hogan Lovells US LLP and their affiliated businesses.
Sydney The word “partner” is used to describe a partner or member of Hogan Lovells
International LLP, Hogan Lovells US LLP or any of their affiliated entities or any employee
Tokyo or consultant with equivalent standing. Certain individuals, who are designated as
Ulaanbaatar* partners, but who are not members of Hogan Lovells International LLP, do not hold
qualifications equivalent to members.
Warsaw
For more information about Hogan Lovells, the partners and their qualifications,
Washington, D.C. see www.hoganlovells.com.
Zagreb* Where case studies are included, results achieved do not guarantee similar outcomes
for other clients. Attorney advertising. Images of people may feature current or former
lawyers and employees at Hogan Lovells or models not connected with the firm.
*Our associated offices © Hogan Lovells 2019. All rights reserved. 1059936_0419You can also read
