Welcome to the world of data centres - Investments in a new asset class: Success factors and pitfalls - Hogan Lovells
Welcome to the world of data centres Investments in a new asset class: Success factors and pitfalls 2019
Introduction

Hogan Lovells is your first port of call and the leading legal provider in relation to successful realization and investments in data centres in Germany and Europe. Our dedicated data centre team comprises lawyers with an in-depth understanding of the data centre industry and its characteristics. When providing you with closely coordinated one-stop advice, we bring together our knowledge carriers from various legal disciplines including Real Estate, Infrastructure, Energy, Resources & Projects, Intellectual Property, Project M&A, Data Security, Dispute Resolution, Corporate, Commercial, Project Finance, Employment Law and Tax Law. This approach adopted by our integrated industry sector team ensures that you receive consistent, industry specific and solution oriented advice which focuses on what you really need.

This brochure summarizes key legal aspects to be considered when buying, selling, financing and/or constructing a data centre, including data protection, digitalization and cyber security.

Figure: Your One-Stop adviser (Project Development, Engineering, Construction, Operating, Due Diligence, Financing, M&A, Dispute Resolution)

In the last 3 years the datacentre workload has grown on average by more than 20% worldwide. This development will continue in the coming years until at least 2021. (Source: CISCO)
What we offer: Many years of experience, a deep understanding of your industry, and a solution oriented focus.
Welcome to the world of data centres

Lease or build a data centre?

When a company is growing and wants to out-source servers and IT equipment, it must decide on the best way to do this. Such a decision can be crucial if the business is expanding rapidly and therefore urgently requires additional space for servers and IT equipment. The choice it faces is whether to lease data centre space (by a colocation or warehouse solution, which we will refer to as "leasing" or a "leasing solution") or whether to build its own data centre.

The obvious advantages of building over leasing are that
• the company has maximum control over the IT equipment and anything related to it;
• there is no risk of "losing the lease", and
• any unused space can be leased out to other companies, thus reducing electricity, cooling and security infrastructure costs.

On the other hand, the main disadvantages of building are upfront costs which can add up quickly if not calculated thoroughly. The costs of building and maintaining a data centre should not be underestimated and may be a crucial factor in the decision making process. When evaluating the costs involved, the focus is mainly on power, staffing and IT infrastructure. However, real estate related costs are often not taken into account sufficiently or at all. These include architect, planning and design costs, building costs including costs for permits, such as building permits, costs for fire suppression and detection systems, notary costs, costs of registrations, etc. Nor should companies underestimate the various risks related to power and cooling infrastructure, hardware and software, technological development, uncertainty surrounding future business strategy and potential space problems, i.e. if the space later proves to be too small or too big. Moreover, companies should be aware of the large number of building regulations to be met, for example in the area of fire safety which may be very strict in some jurisdictions. On balance, leasing is likely to be a better solution for many companies because it allows risks to be confined and gives companies the flexibility to adapt their space needs to their business needs.

Data centre leasing strategies – the various types of contract structures

The most common types of leasing structures for data centres are:
• Wholesale data centre and colocation solutions
• Server hosting – managed hosting

Balancing the need for control with the desire to cut costs

Ultimately, the decision between a wholesale/colocation structure and a purely managed hosting structure is one of balancing the need to control the servers and IT equipment with the desire to achieve the best possible cost savings by entering into a data centre lease. Important topics which need to be addressed before taking such a decision include:
• how much control is necessary with respect to operation of IT equipment and the premises in which the IT equipment is stored;
• whether the tenant is prepared and willing to accept (high) capital expenditures for repairing and updating IT equipment; and
• whether the tenant is prepared to employ and pay for the necessary personnel to operate and maintain the IT equipment.

When taking this decision, the tenant should not only consider its present situation and its needs as a business, but also bear in mind its future strategies and plans in order to find the best solution. Overall, the wholesale/colocation solution or a hybrid solution might be the right choice for many bigger companies, whereas the managed hosting solution could be the ideal solution for smaller firms.

What a data centre lease should cover

First and foremost, it is vital to clarify the legal relationship between the data centre provider/landlord and the occupier/customer. Depending on the actual use and allocation of rights and obligations, a lease agreement (triple net or double net), a service agreement or an agreement with lease and service elements are possible options. In the majority of cases, the parties will sign a lease agreement which also includes elements of a service agreement.

As the lease agreement is the main legal document which governs the relationship between the parties, particular care should be taken when negotiating "Provider Must Haves" on the one hand, and "Customer Must Haves" on the other. Key topics to be considered in lease agreements include:

Lease term and renewals

Would the company prefer a long-term or short-term lease taking into consideration that the initial term is often 15 to 20 years? In addition, the number of renewal periods and any pre-emptive rights of the tenant should be taken into account.
Rent payment

Another important point is how the rent will be paid. The basic rent is usually based either on square meters or on power availability.

Space, permitted uses and equipment

The leased space might not be enough for all the equipment and infrastructure that the tenant requires. It is therefore advisable to stipulate in the lease agreement whether the tenant is allowed to use additional space, e.g. on the roof for antennas, shaft space within the building or special support areas for the placement of generators.

Set-up, alterations, maintenance, repair and replacement

Depending on who owns and who will be obliged to maintain the facility infrastructure, specific provisions must be incorporated into the lease agreement regarding alterations, maintenance, repair and replacement. The tenant and/or landlord might be required to comply with certain standards and/or maintenance schedules. Provisions on services relating to data centre equipment, heating, ventilation and infrastructure should also be included.
Power supply, cooling, humidity, connectivity and data capacity

Power supply, cooling, humidity, connectivity and data capacity are the core topics of a data centre lease. Provisions covering these areas must therefore be included in the agreement. Specifically, the following topics should be discussed and agreed: power requirements, cost of power and uninterrupted power supply as well as redundant fibre access, multiple carriers and sufficient data capacity.

Service level agreements

The parties should also consider including service levels and reasonable support provisions. Moreover, the agreement should describe what happens if service levels are not met. For the customer, it might be desirable to include a termination right for continued breach of guaranteed service levels.

Liability, indemnification, data protection and security

A limitation of liability might be beneficial for both parties. The agreement should also include provisions regarding data protection, security (e.g. access to the building) and compliance with laws.

In addition to the key topics mentioned above, it might be advisable to incorporate other provisions, depending on individual circumstances.
Avoiding pitfalls in construction contracts

Unlike brownfield projects/transactions, developing greenfield data centre projects is challenging and comes with various risks. The developer needs to decide on the right approach for such a development: delivering the project with various (multi-lot) contractors and a potential designer or engineer, or choosing a turnkey approach whereby an EPC Contractor delivers the whole project and agrees to engineer, procure and construct the data centre.

While the first option may deliver a more cost-efficient solution, a turnkey EPC Contractor undertakes the full completion, turnkey and interface risk of such a highly complex project. One of the most obvious benefits of entering into such a contract is having one single point of contact and responsibility for the project, thereby avoiding having to manage various role-players that would otherwise have to be involved in the construction and setting up of such a project.

While it is, of course, commonplace for an EPC Contractor to engage various subcontractors to provide certain services or works, the EPC Contractor remains the single point that is directly responsible for ultimately delivering a project ready for operation. This means for the Employer in an EPC project that the added risk of liaising with various parties and allocating various risks is avoided.

Parties need to face reality in terms of construction of a data centre. According to KPMG International's 2015 Global Construction Project Owner's Survey,
• Major complex EPC projects fail more often than they succeed, resulting in disputes;
• 71% of owners in the energy and natural resources sector reported unsatisfactory underperforming projects; and
• 69% of all projects between 2012 and 2015 were reported to be more than 10% over budget.

Having this in mind, a clear contractual framework including a fully functional and efficient claims and risk management can assist in avoiding pitfalls as well as significant delays and cost overruns.
Getting your contracts right

Service level agreements with respect to data centre leases

A service level agreement is the main contract that defines the parties' rights and obligations under a data centre lease.

Before signing such contracts, the parties should assess the scope of services that the data centre landlord will perform under a service level agreement. These services could range from entire business processes or merely IT processes, through to the exclusive provision of IT infrastructure within the data centre.

More elaborate service level agreements may also stipulate the provision of certain types of software (applications) by the potential financiers (application service providing, "ASP").

Such an assessment is a key consideration for the validity of any service level agreement. The scope of the data centre lease and the rights and obligations of each party may vary according to what was agreed upon between the parties. In any case, it sets the standard for the evaluation of the agreement with regard to the law on General Terms and Conditions.

However, both IT and data centre services are prone to faults, require maintenance or updates and may be subject to cyber attacks. All these and other adverse effects may lead to downtimes and impact on the availability of the data centre. With regard to the strict applicability of the law on General Terms and Conditions, the parties are advised to ensure that the availability of the data centre is laid down in the agreement. Conversely, the landlord faces the risk of having to guarantee the permanent availability of the data centre.

The parties should not include a disclaimer regarding warranty claims. In many jurisdictions, for instance, the statutory warranty obligations of the landlord or the contractor cannot be excluded within the General Terms and Conditions.

Finally, the parties should assess the validity of any limitation of liability clause regarding strict liability on a case by case basis. However, the limitation of the landlord's liability should always take into account the risk of cyber attacks and appropriate preventive measures.

Getting the operation structure right

When it comes to the operation and maintenance of data centres, it is all about availability, reliability and stability of the services. Just recently, some parts of the German World Wide Web were interrupted for several hours due to a downtime of an internet hub in Frankfurt as a result of an energy breakdown in a Frankfurt data centre combined with a crash of the energy redundancies in this data centre. Even short outages of the energy supply, the cooling of the racks or the humidity control in the data centre may cause enormous downtime costs and high damage. Thus, uninterrupted availability and fast troubleshooting services are required and should be secured at any time.

A key instrument for securing such availability and avoiding potential losses can be seen in liquidated damages. Liquidated damages are designed to meet the legal requirements in the relevant jurisdictions and may help to keep the pressure on the operator in order to secure quick troubleshooting and sufficient redundancies of the contractor. In some jurisdictions (such as Germany), a well thought-through drafting of contractual predefined liquidated damages is essential to avoid unenforceable provisions.

In order to achieve this, the party engaging an operator should extensively investigate and consider in detail all possible scenarios which may lead to interruptions in the services. Especially the core services (e.g. power supply, cooling, humidity control, security) should then be discussed with a view to defining contractual service levels, percentages of guaranteed availability and pre-agreed reaction and troubleshooting times. In particular, the contractual service levels should ensure that the required times for (successful) troubleshooting and the points of measurement of the availability are exactly defined. The better the parties describe such obligations and service levels in the contracts, the better they may be able to link these times and percentages to an escalating mechanism of liquidated damages covering the employer's potential damage in a realistic manner.
Data centre M&A and Financing

Share vs. asset deal

In an acquisition scenario it should be decided as early as possible whether the transaction will take the form of a "share deal" or an "asset deal".

Under a share deal, all or part of the shares in a business are transferred to the purchaser. If, for instance, a project company or holding company has been set up as a limited liability company, the purchaser – upon completion of the purchase – becomes a shareholder of that company.

In contrast, under an asset deal, the seller only disposes of and transfers individual assets (and liabilities) under an asset purchase agreement (APA). On the basis of the principle of legal certainty in some jurisdictions, the transferred assets and liabilities must be clearly defined in the APA together with any required particular kind of transfer method to the purchaser. Therefore, an asset deal initially also involves increased costs and effort on the part of the seller and the purchaser to establish and agree on the "object of the purchase" and the contractual documentation (i.e. the APA). However, the advantage of an asset deal lies in the possibility to select individual assets and liabilities for transfer. Any ancillary contracts (incl. rights and obligations e.g. power purchase agreements, commercial agreements such as lease agreements for the provision of data centre services) will have to be transferred to the purchaser separately by way of novation. In particular, it should be noted here that – in contrast to a share deal – both the sale and transfer of the contractual relationships requires the consent of the contractual partner.

In the course of a share deal, the purchaser will acquire a certain percentage of the shares in a target company from the shareholders of that company, including any and all of the target company's contractual relationships, receivables and liabilities on the basis of a share purchase agreement (SPA). Unless dedicated "change-of-control" provisions apply, no consent from the other contractual parties is required, as it is only the shareholder of the counterparty (the target company) that changes, not the counterparty itself. Potential risks, in particular on the investor/purchaser side, arise not only from the acquired assets themselves, but also potentially from the underlying entity that actually owns the assets and whose shares have now been acquired by an investor/purchaser. Consequently, since under a share deal the transaction does not affect any existing contracts – claims by employees, third parties as well as long term contractual relationships potentially unknown to the purchaser will be assumed – this risk should be mitigated by way of in-depth due diligence as well as by imposing an appropriate guarantee and liability regime on the seller in the SPA.
Nonetheless, transactions involving data centres are typically implemented as share deals, in particular because they allow a clean exit for the seller and a comprehensive acquisition of rights and assets for the purchaser. However, asset deals may be preferable if the target company bears major liability risks (e.g. from other operations or from pending disputes with customers), or if the transaction takes place in the context of a crisis or insolvency proceedings of the target company (distressed M&A).

In summary, the question of whether a share deal or an asset deal is preferable cannot be answered in general – the decision must be taken following an assessment of the interests of the respective party (seller or purchaser) and the specific transaction.

Due diligence – the best of both worlds

Our practical experience repeatedly confirms that due diligence in data centre M&A transactions significantly differs from due diligence in traditional M&A transactions. This aspect is frequently underestimated and often leads to risks not being identified and therefore not reflected in the underlying share (or asset) purchase agreement.

By nature, data centre acquisitions require a different approach to due diligence. While it may be sufficient in "traditional" M&A to summarize the key provisions of the commercial agreements (such as termination and change of control) and to examine whether the agreements are legally binding, this is not enough when dealing with data centre projects. The traditional approach tacitly assumes a large number of commercial agreements and that these agreements are implemented according to their provisions, without any "problems" arising.

This approach is too simple for the data centre world. It tends to be the rule rather than the exception that for instance only a limited number of (long term) and commercially highly relevant lease agreements are in place – and the loss of just one of those agreements may jeopardize the buyer's assumptions in its financial model and accordingly the success of the entire transaction.

Therefore: heads up! We mitigate such transaction risks by conducting risk-based and tailored data centre due diligence that analyses the commercial agreements as part of a stress test and takes into account the specific characteristics of the respective data centre: we review in detail any lease agreements, power purchase agreements with a view to ensuring uninterrupted power supply and cooling of the facilities, as well as any other operation and maintenance agreements that are critical for the operation of the data centre. Ultimately, this means that our clients can be sure of correctly identifying the risks inherent in the often complex contractual documentation and of avoiding any unpleasant surprises later on – this is a significant success factor for any data centre transaction.

In this regard, we believe that a careful examination of the data centre specific agreements yields the best results if it is carried out by lawyers with appropriate drafting and negotiating experience. Only they are able to rapidly and reliably understand which scenarios will have which effect on the project agreements. Our experience of providing legal advice for data centre project developments means that we know what can go wrong and are thus able to identify typical risks.

As a result, our clients are aware not only of the current status of the agreements, but also of precisely what may lie ahead – and what does not.

Focus on cash flows – not on warranties

The approach to share (or asset) purchase agreements in a data centre transaction differs significantly from "traditional" M&A.

In contrast to traditional M&A transactions cash flow and profit are often not generated via the sale of goods and services to a market, but via a small number of key contracts – and sometimes only one. This makes investment attractive for long term strategic and financial investors, but also shows that the return is dependent on these contracts.
In addition, data centre deals often have a simpler asset structure than "normal" transactions. A lot of representations and warranties which are market standard in traditional M&A are not required in data centre M&A or, even worse, give a false sense of security. It would be fatal if a buyer of a data centre that generates profits under one or two long term lease agreements only relied on an extensive set of representations and warranties and did not take into account that such representations and warranties are usually time barred for 12 to 18 months after closing, often leaving the major part of the contract term unprotected.

As a consequence we have adopted our approach to the "data centre SPA". Instead of having lengthy and costly discussions on partially meaningless representations and warranties, we focus our efforts to ensure that the cash flow from the relevant data centre is protected in the SPA, as this is the real asset which is bought in a data centre M&A transaction. This approach only requires a limited set of representations and warranties, but needs to ensure that if those turn out to be wrong, the entire loss in cash flow is compensated. By focusing the SPA discussions on the relevant issues, we are usually able to significantly reduce negotiation time and to ensure that the SPA is structured and easy to understand. This approach also frequently helps our buy side clients to strengthen their position in auction processes in the highly competitive and seller friendly data centre market.

Project finance vs. corporate finance

Data centres involve significant capital investment. A data centre's operator may wish to finance either the development and construction or the acquisition of a data centre with debt. Whilst it is possible to source funds with all the usual instruments of corporate finance, the revenue stream generated by operating a data centre can also be suitable for project finance. Project finance is typically described as the long term financing of infrastructure and energy projects held in a special purpose vehicle (SPV) with a non recourse or limited recourse financing structure. The key characteristic is that the project debt is exclusively repaid by the cash flow generated by the project. No other income is typically available and the providers of both types of debt must rely on the success of the project to generate sufficient and stable cash flows. The project's assets, rights and interests serve as collateral. Compared to project finance in other sectors, the financing of a data centre also includes elements of real estate finance: Given that the owner of a data centre is normally also the owner of the land, one of the main security rights provided to the debt providers is a land charge in many jurisdictions.

It is also not uncommon to work with an OpCo/PropCo which is also an element known from real estate finance.

One of the core elements for successful financing is a well structured and realistic business case. The data centre operator must therefore have a clear picture of the investment costs, an appropriate contractual set up for the reliable and secure performance of the development and construction as well as of the long term operation of the data centre and the expected return. Securing a long term lease agreement with at least one anchor tenant which accounts for a substantial part of the business case is therefore key.

PropCo – OpCo structures with respect to data centre leases

Tax optimization helps: A PropCo-OpCo lease structure can be used e.g. to reduce exposure to German trade tax, a tax levied by German municipalities (around 15-16% in larger cities).

Real estate companies, i.e. companies engaged exclusively in the mere leasing and letting of their own real estate, are able to reduce their trade tax exposure to zero. A company owning and operating the data centre cannot apply this exemption because it also provides a number of services that go beyond the leasing of real estate to its customers. Thus, the data centre building and the underlying real estate, excluding all fixtures and fittings, need to be allocated to a different entity ("PropCo") than the entity operating the data centre ("OpCo"), which in turn leases the data centre building from PropCo. As the business activities of PropCo are limited to mere leasing, the PropCo can make use of the specific exemption for real estate companies. Any rents payable by OpCo to PropCo will consequently be exempt from German trade tax at the level of PropCo. Although OpCo will have to consider an add back of a certain portion of the rent to its trade tax base, overall the trade tax exposure is reduced by such a structure. In other jurisdictions thoughtful structuring helps to reduce taxes as well.
Welcome to the world of data centres 2019 19 Energy and efficiency Energy: optimizing cost efficiency noted, however, that in order to incentivize and minimizing risk tenants to take such measures, it is essential Every data centre operator will eventually to meter their individual power consumption. have to address one considerable cost factor Additional incentives for tenants to reduce of any such operation: energy costs. energy consumption may be Fortunately, operating a data centre offers contractually agreed. numerous opportunities for energy cost Finally, it is possible to obtain long-term optimization on both the operator and loans at favourable interest rates for tenant side. measures to increase energy efficiency. With One of the goals for operators is probably to regard to the German market, for example, maximize their data centre's power usage such loans are offered by the German bank efficiency ("PUE"). The PUE is the ratio of a Kreditanstalt für Wiederaufbau (KfW). centre's overall energy consumption versus Disaggregated recursive data the energy used by the IT installation. Ideally, centre-in-a-box (dReDBox) the PUE equals 1. In this case, all energy Besides energy costs, data centres are limited consumed in the data centre is used to power by the available space. Today, once the IT the IT infrastructure and no additional energy infrastructure is established, it is set in stone, is required for auxiliary equipment, i.e. for and any changes can only be made with cooling or lighting. significant effort. So processing capacity, Although a PUE of 1 is a theoretical value, memory and other resources are allocated to there are several ways to get as close as one specific user. This means that possible to this figure. 
One of the most connections, once established within the data promising methods is to use a combined heat centre ecosystem, will stay as they are even and power plant ("CHP"), which converts when these resources are not required by the heat from the IT hardware into electrical user (server asaunit model). This leads to a energy and simultaneously provides cooling significant waste of space, energy and through absorption refrigeration. computing capacity. On the tenant side, an increase in energy The European Union (EU) aims to tackle this efficiency can be achieved particularly by static concept in order to create a socalled maximizing the efficiency of the hardware disaggregated recursive data centre in a box in use. This includes efforts such as (dReDBox) as part of the Horizon 2020 virtualization. Other, physical measures pro-gram (H2020). The aim of this research comprise the use of state of the art energy project is the more flexible and on demand saving computing platforms. It should be creation of interconnections within a data
20 Hogan Lovells centre ecosystem. Reacting to user demand very often subsidized and operators profit and shifting resources where they are needed from comparably high feedin tariffs. will unlock the full potential of the – currently Additionally, tax reductions may apply. unused – data centre infrastructure. As a From a regulatory perspective, operators result, efficiency gains are achieved while should ensure an adequately scaled grid electric power consumption is reduced. connection for the data centre. In this regard, The dReDBox is based on pooling otherwise the relevant agreements with the grid disaggregated IT resources. Pooling the IT operator – and if applicable with the land infrastructure to match the needs of cloud owner – need to be in place. As a stable and users is intended to lead to improved uninterrupted energy supply is paramount utilization, scalability, reliability and power for the operation of a data centre, contractual efficiency (pooled computer model). With regulations on down times of the grid regard to the generally limited space capacity connection for maintenance reasons should of data centres, this will eventually enable the be reviewed carefully. Therefore it is data centre operators to do more with their important to be familiar with applicable space while consuming less energy. Although regulatory and market standards. this sounds utopian, three initial prototypes Due to the importance of energy supply and of the dReDBox have already been developed cooling systems, data centre projects are in an and are undergoing test operations to excellent position to integrate onsite energy demonstrate the value and capacity of pooled generation facilities such as solar panels or data centre infrastructure with regard to CHPs. If structured in compliance with the cyber security, network analytics and telecoms. 
regulatory framework, the advantage of such Energy regulatory onsite generation is that it allows operators to Operators should carefully assess options for avoid some of the taxes and levies that onsite power generation because, if typically increase energy costs. By using structured appropriately, this could generate energy that has been generated onsite, an additional income stream. Energy operators may thus avoid paying grid usage produced by solar panels and/or a CHP fees, electricity tax and in certain cases even on-site and fed into the public power grid is
further levies. Furthermore, operators should assess opportunities to benefit from government subsidy programs for investments in onsite renewable energy facilities or CHPs.

In order to assess the options for on-site energy generation, operators may consider entering into a so-called energy contracting agreement with specialized service providers. The scope of such agreements varies from a mere assessment and planning exercise for a project to the complete financing, planning and operation of onsite energy generation facilities. When negotiating contracting agreements, it is vital to understand the applicable regulatory framework in order to identify potential pitfalls.

For green field projects, there are specific energy regulatory requirements resulting from European regulations. For example, land owners are obliged to use renewable energy sources up to a certain percentage for heating and/or cooling of new builds. There are attractive ways to meet these obligations, for example by using a CHP.
Data protection – beware and protect your data

From a data protection perspective, running a data centre is essentially about storing, maintaining and processing digital information. In practice, however, there are many more things to consider, such as knowing your customer (KYC), understanding their needs, providing tailored physical and digital infrastructure as well as suitable software architecture, server capacity and staff. We understand the need to combine both the legal and practical approaches.

After all, adequate data protection and security require a certain infrastructure and highly trained staff. Managing a data centre therefore inevitably involves and rests on a prudent and forward-looking privacy concept. To-the-point internal guidelines as well as comprehensive contractual agreements with suppliers, subcontractors and customers are key in this context. This is what we focus on in our day-to-day advice.

The correct and legally compliant treatment of personal data is only one aspect to be addressed, but is probably the most obvious one. Confidentiality requirements are not merely confined to personal data. There is plenty of digital information stored in data centres that may not be classified as data relating to an identified or identifiable individual, but may still be of crucial economic value to the customer. Prime examples of this are trade secrets and confidential technical information.

Moreover, machine-generated data has become increasingly important. The so-called "Internet of Things" ("IoT") is an almost unlimited source of digital information which requires storage and maintenance. Handling such big data and offering services such as text and data mining algorithms is both a technical challenge and a business opportunity.

The increasing volume of machine-generated data raises a whole new set of questions. Who owns the data (e.g. data collected from cars on the road or home power systems)? What security level should be applied? Is there a public interest in allowing authorities to demand disclosure (possibly through the data centre)? The answers to these questions are still being debated. We advise our clients on exactly these issues.

However, in January the European Commission published the first regulatory initiatives in this area. The legal environment and statutory framework are taking shape and Hogan Lovells is closely monitoring this development. Follow us at www.dsmwatch.com.

The new law

We are currently faced with an environment of change in Europe. The General Data Protection Regulation (GDPR) has been enacted and will take effect as of 25 May 2018. It will replace 28 domestic privacy laws throughout the European Union. National laws will only continue to apply in areas not fully
harmonized by the GDPR. The supervision of privacy compliance will differ from what we have been used to in the past.

Notably, the territorial scope of the GDPR not only covers the activities of an establishment located in the EU. It also applies as soon as the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of behaviour to the extent that it takes place within the EU. This means that processing personal data in data centres may not only allude to EU data privacy law, but also raise a wide array of complex challenges and questions in this field.

In particular in view of the significant sanctions regime – with fines of up to 2 percent of worldwide annual turnover – compliance with data privacy requirements has become even more important to any entity handling personal data.

However, it should be noted that the GDPR is not the only new piece of legislation governing the storage and processing of data. In January 2017, the European Commission published a proposal for an ePrivacy Regulation. Its core focus is to ensure an adequately high level of confidentiality of electronic communications throughout Europe. In pursuing this aim, the draft Regulation goes beyond purely personal data and covers all kinds of private information. For more details, see our international blog at http://www.hlmediacomms.com.

Data privacy

Having mentioned the new GDPR, it is worth highlighting a few regulatory requirements that are most likely to demand the adaptation of existing technical processes and legal terms and conditions. The obligations that deserve particular mention include compulsory cooperation requirements with the competent supervisory authorities, notification obligations as regards infringements, data privacy by design and by default, the right to be forgotten and various new documentation requirements. Also, the concept of a data protection officer has been expanded to the entire Union.

It should also be noted that under the GDPR both the controller and the processor are responsible for privacy compliance. Fines for non-compliance are substantial, not to mention the damage that would be caused to a company's image if it were accused of failing to meet data protection requirements.

Accordingly, it is crucial to have adequate and up-to-date privacy concepts in place governing staff, services and infrastructure. Data processing agreements need to be revised and adapted to reflect the new regulations of the GDPR and the coming ePrivacy Regulation. In this context, multiple layers of subcontractors in cloud infrastructures are a particularly common source of difficulty and ambiguity. Clear contractual structures and transparent
technical architectures are recommended safeguards in this respect.

Different business scenarios

Privacy law generally differentiates between "controllers" and "processors". A different set of obligations applies depending on which of these two roles a company has. A data centre operator has various options to choose from. The business model chosen by a firm will determine which legal regulations it must meet. Conversely, the respective legal obligations can make certain business models more or less attractive. Therefore, taking an informed decision as to how the data centre service will be structured is essential for business success.

Generally, a distinction can be made between two common business scenarios:

First, controllers deploying a hosting provider. Here, processing and infrastructure are part of the service rendered. Whereas the original controller is still regarded as a controller, the hosting provider might either be a processor or a (secondary) controller, depending on the extent of autonomy involved in the service rendered. The service contracts need to be drafted accordingly to ensure adequate justification for the agreed handling of data.

Secondly, controllers deploying a mere housing provider providing only the data centre infrastructure. Under a "pure" version of this scenario, i.e. where no (emergency) services that potentially allow access to the processed data are offered by the housing provider, the latter may be deemed neither a processor nor a controller of the data. However, such scenarios rarely exist in practice.

As we have seen, there are various ways to "design" a data centre service and each design brings with it a slightly different set of legal requirements.

Cyber security

Data centres are data hubs and therefore susceptible to cyber attacks. Such attacks could result not only in data theft, but also in the disruption of internet services of multiple customers and businesses. Consequently, a data centre operator faces high liability risks.

There have been many instances of high-profile cyber attacks such as:

• (Distributed) Denial of Service (DDoS) attacks where servers shut down due to being overloaded by a flood of incoming messages.

• Ransomware attacks, such as WannaCry and NotPetya, where malicious software blocks access to a computer's data, asking for a ransom to release the data or otherwise threatening to destroy it.

• Attacks against the data centre infrastructure to screen, control or eventually destroy the facility such as the Stuxnet virus.
Recently, there has been a noticeable trend toward more sophisticated attacks. Such unprecedented techniques render the data centre infrastructure even more vulnerable and are likely to result in liability claims by the data centre's customers.

Unpredictable and unforeseen incidents – also known as black swan events – may not necessarily trigger fault-based liability of the data centre operator. However, it can be very challenging and practically impossible for the operator to prove the existence of such a black swan event. The WannaCry and NotPetya incidents illustrate that threat actors exploit malware families and reuse efficient attack strategies. Considering the nature of cyber attacks, it is notable that, e.g. in Q1 and Q2 2017, 75% of all ransomware attacks were based on the same six known malware variants. This means that, had the proper security mechanisms been in place, these threats could have been prevented. In such cases, data centre operators may not be able to be released from non-fault liability, as such events could have been prevented and are not to be considered as black swan events. The data centre operators may thus be held liable. Therefore, it is strongly recommended that data centre operators stay informed about current threats and cyber security trends. Otherwise, the data centre's board faces personal liability or regulatory fines.

Hence, more efficient security packages or change of outdated IT infrastructure may be advantageous to such operators. They might result in higher costs, but augmented liability and negative publicity can lead to more severe problems.

Certain data centre operators might also be subject to stricter regulation. Data centres with an annual performance of more than 5 megawatts, IT hosting with more than 25,000 annual average instances, content delivery networks with an annual data volume of 75,000 TByte, trust services with more than 500,000 issued qualified certificates or 10,000 certificates for authentication of publicly available servers are subject to the German Federal Agency for Security in Information Technology Act (BSIG). As a result, sector-specific security standards (Branchenspezifische Sicherheitsstandards – B3S) apply. The B3S for data centres, however, are based on ISO family 270xx. Especially the ISO 27001 and ISO 22301 – in addition to the other data centre specific security standards – are referenced and need to be respected and implemented by the data centre operator.
Data centre projects and transactions – our expertise

Our credentials

At Hogan Lovells we have a great depth of experience in advising clients on the establishment and acquisition of data centres.

The value we bring to clients is both in the depth of expertise in critical subject areas, such as telecommunications regulation, real estate and land use law and regulation, tax, employment, and environmental regulation, and in our ability to co-ordinate this advice across jurisdictions, exercising sound judgment in supporting clients with location selection decisions and strategies for execution. We have strong relationships with local regulators and we understand the markets in which our clients operate.

More than just data storage

We have experienced projects, real estate, corporate, and commercial teams who can assist

• with all aspects of the acquisition and construction of data centre sites or fully operating data centre businesses if required
• with establishing title and ownership
• with all aspects of data centre transactions and ongoing operation, including site suitability and risk factors, planning and environmental issues, ownership of key infrastructure (e.g. backup power, cooling, and fire suppression, customer contracts)

Setting up a data centre also has various tax implications for the provider as well as for potential customers which should be taken into account (e.g. permanent establishment aspects, VAT aspects). Our Tax team is highly experienced in setting up tax efficient structures and dealing with all relevant tax aspects in the respective agreements.

Our services

• Industry specific due diligence
• Real estate and regulation
• Service – and O&M-contracts
• Energy-related advice and cost efficiency
• Coordination of global deals as your single-point-of-contact in Germany
• Finance
• Commercial and tax
Our distinctive expertise

Keppel Telecommunications & Transport and Alpha Investment Partners
On the acquisition of a EUR 76m data centre from Citigroup and on the sale-and-lease back agreement to Citigroup who remains the tenant.

Keppel DC REIT
On its acquisition of a data centre in the Celtic Gateway Business Park. The data centre is fully let to one of largest global cloud service providers on a 15-year full repairing and insuring lease that commenced in June 2016.

A borrower
The borrower in a (re)financing of a data centre in Frankfurt.

Telehouse Holdings Ltd. and KDDI Corporation
On its acquisition of Databurg GmbH.

A leading UK based operator of data centres
On various project developments (EPC, O&M) as well as acquisition of such data centre in Germany.

TelecityGroup
• In relation to its acquisition of the Manchester based carrier neutral data centre.
• On its GBP 87.6m acquisition of Data Electronics Group.
• On its acquisition of leading Finland data centre operator Tenue Oy.
• On the acquisition of Academica, a leading data centre and IT services operator in Finland.
• On the acquisition of the data centre business of MedioSystems, an affiliate of the IBM Group.
• On its acquisition of the entire issued share capital of SadeceHosting.
• On its acquisition of the entire issued share capital of 3DC by TelecityGroup International Limited. Hogan Lovells advised on English law and oversaw local advisors.
• On its acquisition of Plix.
A UK clearing bank
On the development of a dedicated data centre and a number of consequent upgrade projects.

A major European colocation space provider
On the development of a new data centre and consequent extension project and on projects to upgrade equipment on existing operational sites.

Du Pont Fabros Technology
On its proposed purchase and redevelopment as a data centre of a heavily contaminated former chemical and pharmaceutical manufacturing site.

A leading global bank
On establishing a data processing subsidiary in China.

A leading data centre operator
On the acquisition of the reversion to their facility in Harbour Exchange Canary Wharf, regearing followed by sale and leaseback.

A leading data centre operator
On the lease review of 46 leases across 6 countries for a leading data centre operator.

One of Europe's leading data centres
On all employment matters across Europe.

A number of financial institutions
On fit out of new UK headquarters premises, with related internal data centres.
Your key contacts

Dr. Alexander Dr. Tobias Faber Stefan Rieger Dr. Fabian Pfuhl Johannes Groß Partner, Frankfurt Counsel, Frankfurt Counsel, Frankfurt Associate, Frankfurt

Dr. Carla Luh, Partner, Hamburg
Dr. Mathias Schönhaus, Counsel, Dusseldorf
Dion Panambalana, Partner, London
Nicola Evans, Partner, London
Alex Wong, Partner, Singapore
Alicante, Amsterdam, Baltimore, Beijing, Birmingham, Boston, Brussels, Budapest*, Colorado Springs, Denver, Dubai, Dusseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Houston, Jakarta*, Johannesburg, London, Los Angeles, Louisville, Luxembourg, Madrid, Mexico City, Miami, Milan, Minneapolis, Monterrey, Moscow, Munich, New York, Northern Virginia, Paris, Perth, Philadelphia, Riyadh*, Rome, San Francisco, Sao Paulo, Shanghai, Shanghai FTZ*, Silicon Valley, Singapore, Sydney, Tokyo, Ulaanbaatar*, Warsaw, Washington, D.C., Zagreb*

*Our associated offices

www.hoganlovells.com

“Hogan Lovells” or the “firm” is an international legal practice that includes Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses.

The word “partner” is used to describe a partner or member of Hogan Lovells International LLP, Hogan Lovells US LLP or any of their affiliated entities or any employee or consultant with equivalent standing. Certain individuals, who are designated as partners, but who are not members of Hogan Lovells International LLP, do not hold qualifications equivalent to members.

For more information about Hogan Lovells, the partners and their qualifications, see www.hoganlovells.com.

Where case studies are included, results achieved do not guarantee similar outcomes for other clients. Attorney advertising. Images of people may feature current or former lawyers and employees at Hogan Lovells or models not connected with the firm.

© Hogan Lovells 2019. All rights reserved. 1059936_0419