Data control conditions for foreign investment approvals in Australia

Key takeaways

Recent decisions by the Treasurer indicate a growing trend towards the imposition of data control conditions in connection with foreign investment approvals. In particular, the conditions focus on personal information and other sensitive, industry-specific data (sensitive data) being stored or accessed from outside Australia.

Implications for foreign investors

The imposition of data control conditions may in certain cases slow down the approval process and, potentially, lengthen the timeline for completing a transaction. Investors should allow for the possibility of delays at various stages in the approval process, including due to the consultation process between FIRB and CIC and negotiations between the investor and FIRB regarding the appropriateness of any conditions imposed.

Importantly, recent consultations with stakeholders indicate that FIRB and the CIC are seeking to better understand any practical challenges which may arise when implementing these conditions. This will hopefully provide foreign investors with greater clarity regarding compliance with conditions.

What conditions will be imposed?

Conditions may include obligations on foreign investors to ensure that:

• sensitive data remains stored in, and is only accessible from, Australia (subject to limited exceptions);
• where sensitive data is stored in the cloud, the cloud provider is on a preapproved list maintained by the Australian Signals Directorate; and
• certain representatives of the foreign investor, for example directors of parent companies and nominee directors of Australian target companies, must not access sensitive data.

In circumstances where the Foreign Investment Review Board (FIRB) has not restricted offshore storage or access to sensitive data, it may still impose conditions requiring foreign investors to:

• maintain detailed records of each instance of offshore access to sensitive data;
• store those records and provide access to them to FIRB or the relevant customer or individual upon request; and
• notify customers if sensitive data is stored offshore.

What has prompted FIRB’s focus on data control?

FIRB’s increasing use of data control conditions is likely driven, at least in part, by the recent establishment of the Australian Federal Government’s Critical Infrastructure Centre (CIC).

Our September 2017 update, The Critical Infrastructure Centre: what foreign investors need to know, noted that the aim of the CIC was to bring together all levels of government, owners and operators of critical infrastructure to identify and manage potential national security risks. CIC then uses that information to advise FIRB in relation to inbound investments.

While the CIC is primarily focused on the high risk telecommunications, electricity, gas, water and ports sectors, recent FIRB decisions indicate it is also willing to recommend data control conditions in respect of businesses and assets in other sectors that hold large amounts of sensitive data.