This is the first post in a three-part series focussing on key legal issues in data centre, fibre and towers acquisitions and investments.
The ever increasing demand for connectivity is set to lead to a transformation of the digital infrastructure on which the telecoms sector is built. The huge amount of capital required to upgrade telecoms networks is creating opportunities for investors in the fibre, towers and data centre asset classes, and as the importance of the transformation of these networks grows (as underlined by the current pandemic situation), so does the value of this critical infrastructure.
The imminent deployment of 5G networks will play a big part in this transformation, projected to drive $13 trillion of annual global economic activity within the next 15 years. In order to deploy these networks; more fibre will be required to connect to the antenna sites; more tower sites themselves will be needed; and we will need more data centres, where the AI to increase the quality of these networks will live. Investment in the new generation of data centres will continue grow, the sector becoming more nuanced, as investors carve out differentiated strategies based on their own preferences and capabilities.
This post highlights selected key legal due diligence areas for an acquisition of, or investment in, a data centre provider whose business model involves carrier-neutral and cloud-neutral, multi- customer data centres which offer technical space, power, cooling, physical security, connectivity through third party infrastructure and other services, such as remote hands for smaller customer requirements. This may be particularly relevant for infrastructure funds, which are showing an increasing appetite for investing in data centre businesses as ‘core-plus’ assets, attracted by their infrastructure-like characteristics and the potential IRR and cash yields for these types of assets which are an essential part of the digital infrastructure ecosystem.
|Security of tenure to land on which the data centres are located||Typically, most data centre providers will hold their properties as freehold properties, but in some cases the freeholds will be held by third parties such as local governments in accordance with local law requirements. Termination of, or failure to renew, these leases as well as disputes arising under the terms of the leaseholds could have a material adverse impact on the data centre provider’s business and ability to achieve its business plan.
It is therefore critical for investors to confirm ownership or long leasehold of properties used in a data centre provider’s business, as well as that of any ‘land banks’ which may be used for expansion.
|Material customer contracts||It is critical from revenue generation perspective to understand what the weighted-average remaining service agreement duration is across the customer base. Typically, this tends to be somewhere between three to five years.
Investors also need to understand how easily customers can exit their service agreements. This becomes even more important where the data centre provider has targeted hyperscale customers (rather than retail colocation customers) and is therefore exposed to increased customer concentration risk. Such customers typically have a right to terminate for convenience (with early termination charges being payable in most cases, although the level will depend on bargaining power of the parties). Other termination rights typically include:
While customers may be reluctant to terminate or not renew their service agreements given the fit out costs they would have incurred in establishing their presence in the data centre, there is a risk that larger customers could exit as they develop new data centres or expand existing facilities. Investors may wish to consider including conditions to any transaction that material service agreements that are close to expiry or have expired, are renewed prior to closing.
|Availability of connectivity through third party infrastructure||Data centre providers depend on third parties to provide connectivity to their data centre facilities e.g. IXPs, network end-points from telecommunications carriers, metro fibre providers and cable systems. Data centre providers also generate revenue from providing cross-connect services, linking their customers to carriers and ISPs and connecting carriers to other carriers.
As this is critical to attract and retain customers, investors should review data centre provider contracts with carriers and ISPs to assess the risk of such contracts being terminated or not renewed. Investors may wish to consider including conditions to any transaction that material third party connectivity agreements that are close to expiry or have expired, are renewed prior to closing.
|Physical and electronic security||Security is one of the key considerations for customers when selecting a data centre facility provider. Physical and electronic security breaches have the potential to cause significant harm to a data centre provider’s business, in particular where the breach results in a breach of customer networks and IT infrastructure, and misappropriation of their proprietary or confidential information or personal data.
Investors should undertake technical due diligence on physical and electronic security systems of the data centre provider as well as obtaining details in relation to any historical breaches. The results will also play a large part in valuation, as the age, specification and configuration of a data centre’s infrastructure is directly related to its profitability and marketability.
|Access to power||Data centre providers’ operations rely on adequate supply of uninterrupted power which is supplied by third parties. Whilst data centre providers attempt to limit their exposure to system downtime caused by outages by using back-up generators and uninterruptible power supply systems, the exposure cannot always be limited entirely.
Investors should review power supply contracts and material customer contracts to understand the risks, including the extent of financial liabilities to customers for power outages.
|Environmental and health and safety compliance||Data centre providers are subject to various environmental and health and safety laws and regulations, including those relating to the generation, storage, handling and disposal of hazardous substances and technological equipment, the maintenance of facilities, the generation and use of electricity or other power, noise pollution and liability for historically contaminated land. In addition, data centres, as consumers of substantial amounts of electricity, are affected by a number of regulations which are capable of imposing liability for the cost of the investigation and remediation of contaminated sites on a strict causal basis, without regard to fault or the care taken in the disposal activity.
Investors should understand the extent of any existing or potential investigation and/or remediation activities, and environmental compliance more generally.
|Permits||Data centre providers are required to comply with laws and regulations relating to permits, consents, planning, land use and building standards where they develop and operate their data centres, including provisions for the containment and management of asbestos, access for disabled persons, the measurement and reporting of the energy efficiency of buildings, and the requirements of zoning, licences and permits.
Investors should confirm details of all such permits required, as well as any non-compliance and any circumstances which may cause these permits to be revoked, suspended or varied, or otherwise not renewed or not granted.
|Data centre design and construction||Data centre providers typically engage third parties (architects and engineering firms) to design data centres according to customer requirements, local regulations and market conditions, as well as the data centre provider’s own design requirements and standards, and operational objectives. They also outsource the construction of their data centres to third parties. Construction contractors typically provide certain quality and safety warranties in the construction contracts.
As a data centre provider’s business is dependent on the operational resilience of the physical infrastructure and any failure in the data centre facilities could lead to disruption to their customers’ businesses and could harm the provider’s reputation, investors would be well served by reviewing these construction contracts to understand the data centre provider’s exposure.
|Regulatory change/national security||Investors need to be alert to the fact that any regulated industry can be subject to legal and regulatory change which can adversely affect the business – these may include changes to the regulation of; prices and interconnection; access to certain types of infrastructure; privacy and data protection; and energy usage and carbon taxes. Furthermore, connectivity infrastructure is critical in the information age, and scrutiny from a national security perspective is increasingly political. In the UK for example, there is a Government proposal to implement a distinct national security review of transactions with no turnover or share of supply requirements.
It is important for investors to understand the existing regulatory landscape and also to scan what is on the horizon in terms of regulatory change which could impact their investment.
|Data protection compliance||Data centre providers who provide infrastructure only are generally not considered ‘processors’ under the GDPR insofar as their employees and contractors do not have access to customer servers or personal data as a part of the service they provide to them. They do however process data relating to their employees, contractors, suppliers and customers. Furthermore, their customers use their facilities to process data and the physical and electronic security measures in the data centre will be used by customers to evaluate whether the data is protected by appropriate technical and organisational measures, as required under the GDPR and the Cybersecurity Directive.
Investors should obtain details in relation to GDPR and Cybersecurity Directive compliance, as well as any historical breaches, investigations and notifications.