Australia’s Foreign Investment Review Board (FIRB) is increasing its focus on investment proposals which give foreign acquirers access to personal data of Australian citizens.
While acquisitions of facilities that house data with national security implications have long been a focus of FIRB, the regulator is now taking a keen interest in any proposal which involves the transfer of personal information offshore, or which results in a foreign person owning or having the ability to access personal information – irrespective of whether the data itself raises obvious national security concerns.
The extent of FIRB’s regulatory pivot is demonstrated by recent comments made by FIRB Chairman David Irvine, who noted (in apparently unscripted comments to a business forum) that:
“The protection of sensitive data is becoming the issue du jour, and not just sensitive national security data. The development of data-security conditions – conditions on the foreign investor to protect data – continues to be a key area of focus for us.”
We are seeing this play out in the conditions that FIRB is seeking to negotiate with foreign acquirers of financial, health and education assets that have access to large amounts of personal data.
By way of background, foreign investment in Australia is regulated, and notifiable foreign investment proposals must be approved by the Australian Treasurer. When making foreign investment decisions, the Treasurer is advised by FIRB, which examines foreign investment proposals and advises on the national interest implications.
The Treasurer has the power to block foreign investment approvals that are contrary to Australia’s national interest. In practice, it is very rare for a proposal to be refused approval. However, the Treasurer also has the power to apply conditions on the way in which a proposal is to be implemented to ensure it is not contrary to the national interest.
FIRB’s stated preference is not to prohibit transactions. It sees the imposition of conditions on approvals as playing ‘an important role in enabling foreign investment to proceed while safeguarding the national interest and managing any identified risks’. Negotiating conditions with FIRB is therefore a well understood path to foreign investment in Australia.
FIRB has not published a set of standard data protection conditions. Acquirers of data-heavy assets are therefore currently exposed to case-by-case negotiation. However, we are aware that FIRB has recently required, or has considered, conditions which:
- restrict the storage of data to onshore Australian facilities;
- restrict the ability of certain data to be accessed from overseas, or by upstream investors or personnel;
- require service providers to have certain certifications and safeguards in place to protect data;
- require the acquirer to provide FIRB access to the data upon request;
- require businesses to maintain records of offshore access to data; and
- apply governance or physical access restrictions to support the above undertakings.
While acquirers will need to be prepared to accept and understand the impact of the conditions on the businesses being acquired and their future plans (including whether the conditions apply to anonymised or aggregated data), they should also be aware that the imposition and negotiation of these conditions can delay the approval process, and factor that process into the transaction timetable and strategy. The strength of FIRB’s purpose is illustrated by Mr Irvine’s additional comments, at the same forum, that:
“I am having a long-running battle with the Critical Infrastructure Centre, which says critical infrastructure is ports, water, power, energy and telecommunications. I am saying there is another one: it is called data.”
The Critical Infrastructure Centre (CIC) was established in 2018 and brings together various Government departments and intelligence agencies to manage national security risks arising from foreign involvement in Australia’s critical infrastructure assets, including ports, electricity, water and gas utilities. The CIC also oversees security issues relating to Australia’s telecommunications sector.
The CIC is wholly separate from FIRB and has broader reach, in that it advises the Minister for Home Affairs on the use of the Minister’s power under the Security of Critical Infrastructure Act 2018 to direct owners or operators of critical infrastructure assets to take or refrain from taking certain action. That role gives the CIC a level of influence over the ongoing operation of critical infrastructure assets which goes beyond advising on the initial foreign investment proposal. In the context of telecommunications, this has translated into a willingness by the CIC to direct the owners of certain assets as to which third party equipment suppliers they can and cannot use. In contrast, FIRB has not traditionally taken such an interventionist or ongoing role in framing its investment conditions.
It is not clear from his comments whether Mr Irvine is advocating for data assets to be brought within the formal purview of the CIC. That would require a Ministerial direction and would be a significant expansion of the CIC’s jurisdiction. What his comments do suggest, however, is that the current trend towards imposing detailed conditions on the acquisition of large data sets is not a passing phase.
Foreign acquirers of those assets would be well advised to give thought to the issues that are likely to concern FIRB in advance of making an application, and to proactively offer up undertakings to address those concerns.