Welcome to the world of data centres - Investments in a new asset class: Success factors and pitfalls - Hogan Lovells

Page created by Suzanne Gill
 
CONTINUE READING
Welcome to the world of data centres - Investments in a new asset class: Success factors and pitfalls - Hogan Lovells
Welcome to the world
of data centres
Investments in a new asset class:
Success factors and pitfalls
2019
Welcome to the world of data centres - Investments in a new asset class: Success factors and pitfalls - Hogan Lovells
2                                                                                  Hogan Lovells

Introduction

Hogan Lovells is your first port of call and
the leading legal provider in relation to
                                                 Your One-Stop adviser
successful realization and investments in
data centres in Germany and Europe.
Our dedicated data centre team comprises
lawyers with an in-depth understanding of
the data centre industry and its                   Project Development
                                                        Engineering         Construction
characteristics. When providing you with
closely coordinated one-stop advice, we bring
together our knowledge carriers from various
legal disciplines including Real Estate,
Infrastructure, Energy, Resources & Projects,          Operating          Due Diligence
Intellectual Property, Project M&A, Data
Security, Dispute Resolution, Corporate,
Commercial, Project Finance, Employment
Law and Tax Law. This approach adopted by
                                                           Financing         M&A
our integrated industry sector team ensures
that you receive consistent, industry specific
and solution oriented advice which focuses
on what you really need.
                                                                     Dispute
This brochure summarizes key legal aspects
                                                                    Resolution
to be considered when buying, selling,
financing and/or constructing a data
centre, including data protection,
digitalization and cyber security.
In the last 3 years the datacentre workload
has grown on average by more than 20%
worldwide. This development will continue
in the coming years until at least 2021.
(Source: CISCO)
Welcome to the world of data centres - Investments in a new asset class: Success factors and pitfalls - Hogan Lovells
What we offer:
Many years of experience,
a deep understanding of
your industry, and a
solution oriented focus.
Welcome to the world of data centres - Investments in a new asset class: Success factors and pitfalls - Hogan Lovells
Welcome to the world of data centres - Investments in a new asset class: Success factors and pitfalls - Hogan Lovells
Welcome to the world of data centres 2019                                                      5

Welcome to the world of data centres

Lease or build a data centre?                    costs including costs for permits, such as
When a company is growing and wants to           building permits, costs for fire suppression
out-source servers and IT equipment, it          and detection systems, notary costs, costs of
must de-cide on the best way to do this.         registrations, etc. Nor should companies
Such a decision can be crucial if the business   underestimate the various risks related to
is expanding rapidly and therefore urgently      power and cooling infrastructure, hardware
requires additional space for servers and IT     and software, technological development,
equipment. The choice it faces is whether to     uncertainty surrounding future business
lease data centre space (by a colocation or      strategy and potential space problems, i.e. if
warehouse solution, which we will refer to as    the space later proves to be too small or too
"leasing" or a "leasing solution") or whether    big. Moreover, companies should be aware of
to build its own data centre.                    the large number of building regulations to be
                                                 met, for example in the area of fire safety
The obvious advantages of building over          which may be very strict in some
leas-ing are that                                jurisdictions. On balance, leasing is likely to
•	the company has maximum control               be a better solution for many companies
   over the IT equipment and anything            because it allows risks to be confined and
   related to it;                                gives companies the flexibility to adapt their
                                                 space needs to their business needs.
• there is no risk of "losing the lease", and
                                                 Data centre leasing strategies – the
•	any unused space can be leased out to         various types of contract structures
   other companies, thus reducing electricity,
                                                 The most common types of leasing structures
   cooling and security infrastructure costs.
                                                 for data centres are:
On the other hand, the main disadvantages
                                                 •	Wholesale data centre and
of building are upfront costs which can add
                                                    colocation solutions
up quickly if not calculated thoroughly. The
costs of building and maintaining a data         • Server hosting – managed hosting
centre should not be underestimated and          Balancing the need for control
may be a crucial factor in the decision          with the desire to cut costs
making process. When evaluating the costs
                                                 Ultimately, the decision between a whole
involved, the focus is mainly on power,
                                                 sale/colocation structure and a purely
staffing and IT infrastructure. However, real
                                                 managed hosting structure is one of
estate related costs are often not taken into
                                                 balancing the need to control the servers and
account sufficiently or at all. These include
                                                 IT equipment with the desire to achieve the
architect, planning and design costs, building
Welcome to the world of data centres - Investments in a new asset class: Success factors and pitfalls - Hogan Lovells
6                                                                                       Hogan Lovells

best possible cost savings by entering into a      What a data centre lease should cover
data centre lease. Important topics which
                                                   First and foremost, it is vital to clarify the
need to be addressed before taking such a
                                                   legal relationship between the data centre
decision include:
                                                   provider/landlord and the occupier/
•	how much control is necessary with              customer. Depending on the actual use and
   respect to operation of IT equipment            allocation of rights and obligations, a lease
   and the premises in which the IT                agreement (triple net or double net), a service
   equipment is stored;                            agreement or an agreement with lease and
                                                   service elements are possible options. In the
•	whether the tenant is prepared and willing
                                                   majority of cases, the parties will sign a lease
   to accept (high) capital expenditures for
                                                   agreement which also includes elements of a
   repairing and updating IT equipment; and
                                                   service agreement.
•	whether the tenant is prepared to employ
                                                   As the lease agreement is the main legal
   and pay for the necessary personnel to
                                                   document which governs the relationship
   operate and maintain the IT equipment.
                                                   between the parties, particular care should be
When taking this decision, the tenant should       taken when negotiating "Provider Must
not only consider its present situation and its    Haves" on the one hand, and "Customer Must
needs as a business, but also bear in mind its     Haves" on the other. Key topics to be
future strategies and plans in order to find the   considered in lease agreements include:
best solution. Overall, the wholesale/
                                                   Lease term and renewals
colocation solution or a hybrid solution might
be the right choice for many bigger                Would the company prefer a long-term or
companies, whereas the managed hosting             shortterm lease taking into consideration
solution could be the ideal solution for           that the initial term is often 15 to 20 years?
smaller firms.                                     In addition, the number of renewal periods
                                                   and any pre emptive rights of the tenant
                                                   should be taken into account.
Welcome to the world of data centres - Investments in a new asset class: Success factors and pitfalls - Hogan Lovells
Welcome to the world of data centres 2019

Rent payment
Another important point is how the rent will
be paid. The basic rent is usually based either
on square meters or on power availability.
Space, permitted uses and equipment
The leased space might not be enough for all
the equipment and infrastructure that the
tenant requires. It is therefore advisable to
stipulate in the lease agreement whether the
tenant is allowed to use additional space,
e.g. on the roof for antennas, shaft space
within the building or special support areas
for the placement of generators.
Set-up, alterations, maintenance, repair
and replacement
Depending on who owns and who will be
obliged to maintain the facility
infrastructure, specific provisions must be
incorporated into the lease agreement
regarding alterations, maintenance, repair
and replacement. The tenant and/or landlord
might be required to comply with certain
standards and/or maintenance schedules.
Provisions on services relating to data centre
equipment, heating, ventilation and
infrastructure should also be included.
Welcome to the world of data centres - Investments in a new asset class: Success factors and pitfalls - Hogan Lovells
Hogan Lovells

Power supply, cooling, humidity,
connectivity and data capacity
Power supply, cooling, humidity, connectivity
and data capacity are the core topics of a data
centre lease. Provisions covering these areas
must therefore be included in the agreement.
Specifically, the following topics should be
dis-cussed and agreed: power requirements,
cost of power and uninterrupted power
supply as well as redundant fibre access,
multiple carriers and sufficient data capacity.
Service level agreements
The parties should also consider including
service levels and reasonable support
provisions. Moreover, the agreement should
describe what happens if service levels are not
met. For the customer, it might be desirable to
include a termination right for continued
breach of guaranteed service levels.
Liability, indemnification, data protection
and security
A limitation of liability might be beneficial for
both parties. The agreement should also
include provisions regarding data protection,
security (e.g. access to the building) and
compliance with laws.
In addition to the key topics mentioned
above, it might be advisable to incorporate
other provisions, depending on individual
circumstances.
Welcome to the world of data centres - Investments in a new asset class: Success factors and pitfalls - Hogan Lovells
Welcome to the world of data centres 2019                                                     9

Avoiding pitfalls in                            ultimately delivering a project ready for
construction contracts                          operation. This means for the Employer in an
Unlike brownfield projects/transactions,        EPC project that the added risk of liaising
developing greenfield data centre projects      with various parties and allocating various
are challenging and come with various           risks is avoided.
risks. The developer needs to decide on the     Parties need to face reality in terms of
right approach for such a development:          construction of a data centre. According to
Delivering the project with various (multi-     KPMG International's 2015 Global
lot) contractors and a potential designer/or    Construction Project Owner's Survey,
engineer or choosing an turnkey approach
whereby an EPC-Contractor delivers the          •	Major complex EPC projects fail
whole projects and agrees to engineer,             more often than they succeed,
procure and construct the datacentre.              resulting in disputes;
While the first option may deliver a more       •	71% of owners in the energy and natural
cost-efficient solution, a turnkey EPC             resources sector reported unsatisfactory
Contractor undertakes the full completion,         underperforming projects; and
turnkey and interface risk of such a highly
                                                •	69% of all projects between 2012 and
complex project. One of the most obvious
                                                   2015 were reported to be more than
benefits of entering into such a contract is
                                                   10% over budget
having one single point of contact and
responsibility for the project, thereby         Having this in mind, a clear contractual
avoiding having to manage various role-         framework including a fully functional and
players that would otherwise have to be         efficient claims and risk management can
involved in the construction and setting        assist in avoiding pitfalls as well as
up of such a project.                           significant delays and cost overruns.
While it is, of course, commonplace for an
EPC Contractor to engage various
subcontractors to provide certain services or
works, the EPC Contractor remains the
single point that is directly responsible for
Welcome to the world of data centres - Investments in a new asset class: Success factors and pitfalls - Hogan Lovells
10                                                                                   Hogan Lovells

Getting your contracts right

Service level agreements with respect to        General Terms and Conditions, the parties
data centre leases                              are advised to ensure that the availability of
A service level agreement is the main           the data centre is laid down in the
contract that defines the parties' rights and   agreement. Conversely, the landlord faces
obligations under a data centre lease.          the risk of having to guarantee the
                                                permanent availability of the data centre.
Before signing such contracts, the parties
should assess the scope of services that the    The parties should not include a disclaimer
data centre landlord will perform under a       regarding warranty claims. The statutory
service level agreement. These services         warranty obligations of the landlord or the
could range from entire business processes      contractor cannot be excluded within the
or merely IT processes, through to the          General Terms and Conditions in many
exclusive provision of IT infrastructure        jurisdictions for instance.
within the data centre.                         Finally, the parties should assess the
More elaborate service level agreements         validity of any limitation of liability clause
may also stipulate the provision of certain     regarding strict liability on a case by case
types of software (applications) by the         basis. However, the limitation of the
potential financiers (application service       landlord's liability should always take into
providing, "ASP").                              account the risk of cyber attacks and
                                                appropriate preventive measures.
Such an assessment is a key consideration
for the validity of any service level           Getting the operation structure right
agreement. The scope of the data centre         When it comes to the operation and
lease and the rights and obligations of each    maintenance of data centres, it is all about
party may vary according to what was            availability, reliability and stability of the
agreed upon between the parties. In any         services. Just recently, some parts of the
case, it sets the standard for the evaluation   German World Wide Web were interrupted
of the agreement with regard to the law on      for several hours due to a downtime of an
General Terms and Conditions.                   internet hub in Frankfurt as a result of an
                                                energy breakdown in a Frankfurt date
However, both IT and data centre services
                                                centre compared with a crash of the energy
are prone to faults, require maintenance or
                                                redundancies in this data centre. Even
updates and may be subject to cyber
                                                short outages of the energy supply, the
attacks. All these and other adverse effects
                                                cooling of the racks or the humidity control
may lead to downtimes and impact on the
                                                in the data centre may cause enormous
availability of the data centre. With regard
                                                downtime costs and high damage. Thus,
to the strict applicability of the law on
Welcome to the world of data centres 2019                                                  11

uninterrupted availability and fast             which may lead to interruptions in the
troubleshooting services are required and       services. Especially the core services (e.g.
should be secured at any time.                  power supply, cooling, humidity control,
                                                security) should then be discussed with a
A key instrument for securing such
                                                view to defining contractual service levels,
availability and avoiding potential losses
                                                percentages of guaranteed availability and
can be seen in liquidated damages.
                                                pre-agreed reaction and trouble shooting
Liquidated damages are designed to meet
                                                times. In particular, the contractual service
the legal requirements in the relevant
                                                levels should ensure that the required times
jurisdictions and may help to keep the
                                                for (successful) troubleshooting and the
pressure on the operator in order to secure
                                                points of measurement of the availability
quick troubleshooting and sufficient
                                                are exactly defined. The better the parties
redundancies of the contractor. In some
                                                describe such obligations and service levels
jurisdictions (such as Germany), a well
                                                in the contracts, the better they may be able
thought-through drafting of contractual
                                                to link these times and percentages to an
predefined liquidated damages is essential
                                                escalating mechanism of liquidated
to avoid unenforceable provisions.
                                                damages covering the employer's
In order to achieve this, the party engaging    potential damage in a realistic manner.
an operator should extensively investigate
and consider in detail all possible scenarios
12                                                                                      Hogan Lovells

Data centre M&A and Financing
Share vs. asset deal
In an acquisition scenario it should be             way of novation. In particular, it should be
decided as early as possible whether the            noted here that – in contrast to a share deal
transaction will take the form of a "share          – both the sale and transfer of the
deal" or an "asset deal".                           contractual relationships re-quires the
                                                    consent of the contractual partner.
Under a share deal, all or part of the shares
in a business are transferred to the                In the course of a share deal, the purchaser
purchaser. If, for instance, a project company      will acquire a certain percentage of the shares
or holding company has been set up as a             in a target company from the shareholders of
limited liability company, the purchaser –          that company, including any and all of the
upon completion of the purchase – becomes           target company's contractual relationships,
a shareholder of that company.                      receivables and liabilities on the basis of a
                                                    share purchase agreement (SPA). Unless
In contrast, under an asset deal, the seller
                                                    dedicated "change-of-control" provisions
only disposes of and transfers individual
                                                    apply, no consent from the other contractual
assets (and liabilities) under an asset
                                                    parties is required, as it is only the
purchase agreement (APA). On the basis of
                                                    shareholder of the counterparty (the target
the principle of legal certainty in some
                                                    company) that changes, not the counterparty
jurisdictions, the transferred assets and
                                                    itself. Potential risks, in particular on the
liabilities must be clearly defined in the APA
                                                    investor/purchaser side, arise not only from
together with any required particular kind of
                                                    the acquired assets themselves, but also
transfer method to the purchaser. Therefore,
                                                    potentially from the underlying entity that
an asset deal initially also involves increased
                                                    actually owns the assets and whose shares
costs and effort on the part of the seller and
                                                    have now been acquired by an investor/
the purchaser to establish and agree on the
                                                    purchaser. Consequently, since under a share
"object of the purchase" and the contractual
                                                    deal the transaction does not affect any
documentation (i.e. the APA). However, the
                                                    existing contracts – claims by employees,
advantage of an asset deal lies in the
                                                    third parties as well as long term contractual
possibility to select individual assets and
                                                    relationships potentially unknown to the
liabilities for transfer. Any ancillary contracts
                                                    purchaser will be assumed – this risk
(incl. rights and obligations e.g. power
                                                    should be mitigated by way of in-depth
purchase agreements, commercial
                                                    due diligence as well as by imposing an
agreements such as lease agreements for the
                                                    appropriate guarantee and liability regime on
provision of data centre services) will have to
                                                    the seller in the SPA.
be transferred to the purchaser separately by
Welcome to the world of data centres 2019

Nonetheless, transactions involving data
centres are typically implemented as share
deals, in particular because they allow a clean
exit for the seller and a comprehensive
acquisition of rights and assets for the
purchaser. However, asset deals may be
preferable if the target company bears major
liability risks (e.g. from other operations or
from pending disputes with customers), or if
the transaction takes place in the context of a
crisis or insolvency proceedings of the target
company (distressed M&A). In summary, the
question of whether a share deal or an asset
deal is preferable cannot be answered in
general – the decision must be taken follow-
ing an assessment of the interests of the
respective party (seller or purchaser) and the
specific transaction.
Due diligence – the best of both worlds
Our practical experience repeatedly confirms
that due diligence in data centre M&A
transactions significantly differs from due
diligence in traditional M&A transactions.
This aspect is frequently underestimated and
often leads to risks not being identified and
therefore not reflected in the underlying
share (or asset) purchase agreement.
By nature, data centre acquisitions require a
different approach to due diligence. While it
14                                                                                      Hogan Lovells

may be sufficient in "traditional" M&A to          identifying the risks inherent in the often
summarize the key provisions of the                complex contractual documentation and of
commercial agreements (such as termination         avoiding any unpleasant surprises later on
and change of control) and to examine              – this is a significant success factor for any
whether the agreements are legally binding,        data centre transaction.
this is not enough when dealing with data
                                                   In this regard, we believe that a careful
centre projects. The traditional approach
                                                   examination of the data centre specific
tacitly assumes a large number of commercial
                                                   agreements yields the best results if it is
agreements and that these agreements are
                                                   carried out by lawyers with appropriate
implemented according to their provisions,
                                                   drafting and negotiating experience. Only
without any "problems" arising.
                                                   they are able to rapidly and reliably
This approach is too simple for the data           understand which scenarios will have which
centre world. It tends to be the rule rather       effect on the project agreements. Our
than the exception that for instance only a        experience of providing legal advice for data
limited number of (long term) and                  centre project developments means that we
commercially highly relevant lease                 know what can go wrong and are thus able
agreements are in place – and the loss of          to identify typical risks.
just one of those agreements may jeopardize
                                                   As a result, our clients are aware not only of
the buyer's assumptions in its financial
                                                   the current status of the agreements, but
model and accordingly the success of the
                                                   also of precisely what may lie ahead – and
entire transaction.
                                                   what does not.
Therefore: heads up! We mitigate such              Focus on cash flows – not on warranties
transaction risks by conducting risk-based
                                                   The approach to share (or asset) purchase
and tailored data centre due diligence that
                                                   agreements in a data centre transaction
analyses the commercial agreements as part
                                                   differs significantly from "traditional" M&A.
of a stress test and takes into account the
specific characteristics of the respective data    In contrast to traditional M&A transactions
centre: we review in detail any lease              cash flow and profit are often not generated
agreements, power purchase agreements              via the sale of goods and services to a market,
with a view to ensuring uninterrupted power        but via a small number of key contracts –
supply and cooling of the facilities, as well as   and sometimes only one. This makes
any other operation and maintenance                investment attractive for long term strategic
agreements that are critical for the operation     and financial investors, but also shows that
of the data centre. Ultimately, this means         the return is dependent on these contracts.
that our clients can be sure of correctly
Welcome to the world of data centres 2019                                                      15

In addition, data centre deals often have a       centre is protected in the SPA, as this is the
simpler asset structure than "normal"             real asset which is bought in a data centre
transactions. A lot of representations and        M&A transaction. This approach only
warranties which are market standard in           requires a limited set of representations
traditional M&A are not required in data          and warranties, but needs to ensure that if
centre M&A or, even worse, give a false           those turn out to be wrong, the entire loss
sense of security. It would be fatal if a buyer   in cash flow is compensated. By focusing
of a data centre that generates profits under     the SPA discussions on the relevant issues,
one or two long term lease agreements only        we are usually able to significantly reduce
relied on an extensive set of representations     negotiation time and to ensure that the SPA
and warranties and did not take into              is structured and easy to understand. This
account that such representations and             approach also frequently helps our buy side
warranties are usually time barred for 12 to      clients to strengthen their position in
18 months after closing, often leaving the        auction processes in the highly competitive
major part of the contract term unprotected.      and seller friendly data centre market.
As a consequence we have adopted our              Project finance vs. corporate finance
approach to the "data centre SPA". Instead        Data centres involve significant capital
of having lengthy and costly discussions on       in-vestment. A data centre's operator may
partially meaningless representations and         wish to finance either the development and
warranties, we focus our efforts to ensure
that the cash flow from the relevant data
16                                                                                   Hogan Lovells

construction or the acquisition of a data         One of the core elements for successful
centre with debt. Whilst it is possible to        financing is a well structured and realistic
source funds with all the usual instruments       business case. The date centre operator
of corporate finance, the revenue stream          must therefore have a clear picture of the
generated by operating a data centre can also     investment costs, an appropriate
be suitable for project finance. Project          contractual set up for the reliable and
finance is typically described as the long term   secure performance of the development and
financing of infrastructure and energy            construction as well as of the long term
projects held in a special purpose vehicle        operation of the data centre and the
(SPV) with a non recourse or limited              expected return. Securing a long term lease
recourse financing structure. The key             agreement with at least once anchor tenant
characteristic is that the project debt is        which accounts for a substantial part of the
exclusively repaid by the cash flow generated     business case is therefore key.
by the project. No other income is typically      PropCo – OpCo structures with respect
available and the providers of both types of      to data centre leases
debt must rely on the success of the project to
                                                  Tax optimization helps: A PropCo-OpCo
generate sufficient and stable cash flows. The
                                                  lease structure can be used e.g. to reduce
project's assets, rights and interests serve as
                                                  exposure to German trade tax, a tax levied
collateral. Compared to project finance in
                                                  by German municipalities (around 15-16%
other sectors, the financing of a data centre
                                                  in larger cities).
also includes elements of real estate finance:
                                                  Real estate companies, i.e. companies
Given that the owner of a date centre is
                                                  engaged exclusively in the mere leasing
normally also the owner of the land, one
                                                  and letting of their own real estate, are able
of the main security rights provided to
                                                  to reduce their trade tax exposure to zero.
the debt providers is a land charge in
                                                  A company owning and operating the data
many jurisdictions.
                                                  centre cannot apply this exemption
It is also not uncommon to work with an
OpCo/PropCo which is also an element
known from real estate finance.
Welcome to the world of data centres 2019

because it also provides a number of
services that go beyond the leasing of real
estate to its customers.
Thus, the data centre building and the
underlying real estate, excluding all fixtures
and fittings, needs to be allocated to a
different entity ("PropCo") than the entity
operating the data centre ("OpCo"), which
in turn leases the data centre building from
PropCo. As the business activities of PropCo
are limited to mere leasing, the PropCo can
make use of the specific exemption for real
estate companies.
Any rents payable by OpCo to PropCo will
consequently be exempt from German
trade tax at the level of PropCo. Although
OpCo will have to consider an add back of a
certain portion of the rent to its trade tax
base, overall the trade tax exposure is
reduced by such a structure.
In other jurisdictions thoughtful structuring
helps to reduce taxes as well.
Welcome to the world of data centres 2019                                                          19

Energy and efficiency

Energy: optimizing cost efficiency                 noted, however, that in order to incentivize
and minimizing risk                                tenants to take such measures, it is essential
Every data centre operator will eventually         to meter their individual power consumption.
have to address one considerable cost factor       Additional incentives for tenants to reduce
of any such operation: energy costs.               energy consumption may be
Fortunately, operating a data centre offers        contractually agreed.
numerous opportunities for energy cost             Finally, it is possible to obtain long-term
optimization on both the operator and              loans at favourable interest rates for
tenant side.                                       measures to increase energy efficiency. With
One of the goals for operators is probably to      regard to the German market, for example,
maximize their data centre's power usage           such loans are offered by the German bank
efficiency ("PUE"). The PUE is the ratio of a      Kreditanstalt für Wiederaufbau (KfW).
centre's overall energy consumption versus         Disaggregated recursive data
the energy used by the IT installation. Ideally,   centre-in-a-box (dReDBox)
the PUE equals 1. In this case, all energy         Besides energy costs, data centres are limited
consumed in the data centre is used to power       by the available space. Today, once the IT
the IT infrastructure and no additional energy     infrastructure is established, it is set in stone,
is required for auxiliary equipment, i.e. for      and any changes can only be made with
cooling or lighting.                               significant effort. So processing capacity,
Although a PUE of 1 is a theoretical value,        memory and other resources are allocated to
there are several ways to get as close as          one specific user. This means that
possible to this figure. One of the most           connections, once established within the data
promising methods is to use a combined heat        centre ecosystem, will stay as they are even
and power plant ("CHP"), which converts            when these resources are not required by the
heat from the IT hardware into electrical          user (server asaunit model). This leads to a
energy and simultaneously provides cooling         significant waste of space, energy and
through absorption refrigeration.                  computing capacity.

On the tenant side, an increase in energy          The European Union (EU) aims to tackle this
efficiency can be achieved particularly by         static concept in order to create a socalled
maximizing the efficiency of the hardware          disaggregated recursive data centre in a box
in use. This includes efforts such as              (dReDBox) as part of the Horizon 2020
virtualization. Other, physical measures           pro-gram (H2020). The aim of this research
comprise the use of state of the art energy        project is the more flexible and on demand
saving computing platforms. It should be           creation of interconnections within a data
20                                                                                       Hogan Lovells

centre ecosystem. Reacting to user demand           very often subsidized and operators profit
and shifting resources where they are needed        from comparably high feedin tariffs.
will unlock the full potential of the – currently   Additionally, tax reductions may apply.
unused – data centre infrastructure. As a
                                                    From a regulatory perspective, operators
result, efficiency gains are achieved while
                                                    should ensure an adequately scaled grid
electric power consumption is reduced.
                                                    connection for the data centre. In this regard,
The dReDBox is based on pooling otherwise           the relevant agreements with the grid
disaggregated IT resources. Pooling the IT          operator – and if applicable with the land
infrastructure to match the needs of cloud          owner – need to be in place. As a stable and
users is intended to lead to improved               uninterrupted energy supply is paramount
utilization, scalability, reliability and power     for the operation of a data centre, contractual
efficiency (pooled computer model). With            regulations on down times of the grid
regard to the generally limited space capacity      connection for maintenance reasons should
of data centres, this will eventually enable the    be reviewed carefully. Therefore it is
data centre operators to do more with their         important to be familiar with applicable
space while consuming less energy. Although         regulatory and market standards.
this sounds utopian, three initial prototypes
                                                    Due to the importance of energy supply and
of the dReDBox have already been developed
                                                    cooling systems, data centre projects are in an
and are undergoing test operations to
                                                    excellent position to integrate onsite energy
demonstrate the value and capacity of pooled
                                                    generation facilities such as solar panels or
data centre infrastructure with regard to
                                                    CHPs. If structured in compliance with the
cyber security, network analytics and telecoms.
                                                    regulatory framework, the advantage of such
Energy regulatory                                   onsite generation is that it allows operators to
Operators should carefully assess options for       avoid some of the taxes and levies that
onsite power generation because, if                 typically increase energy costs. By using
structured appropriately, this could generate       energy that has been generated onsite,
an additional income stream. Energy                 operators may thus avoid paying grid usage
produced by solar panels and/or a CHP               fees, electricity tax and in certain cases even
on-site and fed into the public power grid is
Welcome to the world of data centres 2019

further levies. Further more, operators should
assess opportunities to benefit from
government subsidy programs for
investments in onsite renewable energy
facilities or CHPs.
In order to assess the options for on-site
energy generation, operators may consider
entering into a so called energy contracting
agree-ment with specialized service
providers. The scope of such agreements
varies from a mere assessment and
planning exercise for a project to the
complete financing, planning and operation
of onsite energy generation facilities. When
negotiating contracting agreements, it is
vital to understand the applicable
regulatory framework in order to identify
potential pitfalls.
For green field projects, there are specific
energy regulatory requirements resulting
from European regulations. For example,
land owners are obliged to use renewable
energy sources up to a certain percentage for
heating and/or cooling of new builds. There
are attractive ways to meet these obligations,
for example by using a CHP.
Welcome to the world of data centres 2019                                                     23

Data protection – beware and protect your data

From a data protection perspective,            Moreover, machine generated data has
running a data centre is essentially about     become increasingly important. The so
storing, maintaining and processing digital    called "Internet of Things" ("IoT") is an
information. In practice, however, there       almost unlimited source of digital
are many more things to consider, such as      information which requires storage and
knowing your customer (KYC),                   maintenance. Handling such big data and
understanding their needs, providing           offering services such as text and data
tailored physical and digital infrastructure   mining algorithms is both a technical
as well as suitable software architecture,     challenge and a business opportunity.
server capacity and staff. We understand       The increasing volume of machine generated
the need to combine both the legal and         data raises a whole new set of questions.
practical approaches.                          Who owns the data (e.g. data collected from
                                               cars on the road or home power systems)?
After all, adequate data protection and
                                               What security level should be applied? Is
security require a certain infrastructure
                                               there a public interest in allowing
and highly trained staff. Managing a data
                                               authorities to demand disclosure (possibly
centre therefore inevitably involves and
                                               through the data centre)? The answers to
rests on a prudent and forward looking
                                               these questions are still being debated.
privacy concept. To the point internal
                                               We advise our clients on exactly these issues.
guidelines as well as comprehensive
contractual agreements with suppliers,         However, in January the European
sub contractors and customers are key in       Commission published the first regulatory
this context. This is what we focus on in      initiatives in this area. The legal
our day today advice.                          environment and statutory framework are
                                               taking shape and Hogan Lovells is closely
The correct and legally compliant treatment
                                               monitoring this development. Follow us at
of personal data is only one aspect to be
                                               www.dsmwatch.com).
addressed, but is probably the most obvious
one. Confidentiality requirements are not      The new law
merely confined to personal data. There is     We are currently faced with an
plenty of digital information stored in data   environment of change in Europe.
centres that may not be classified as data     The General Data Protection Regulation
relating to an identified or identifiable      (GDPR) has been enacted and will take
individual, but may still be of crucial        effect as of 25 May 2018. It will replace 28
economic value to the customer. Prime          domestic privacy laws throughout the
examples of this are trade secrets and         European Union. National laws will only
confidential technical information.            continue to apply in areas not fully
24                                                                                 Hogan Lovells

harmonized by the GDPR. The supervision         Data privacy
of privacy compliance will differ from what     Having mentioned the new GDPR, it is
we have been used to in the past.               worth highlighting a few regulatory
Notably, the territorial scope of the GDPR      requirements that are most likely to demand
not only covers the activities of an            the adaptation of existing technical
establishment located in the EU. It also        processes and legal terms and conditions.
applies as soon as the processing activities    The obligations that deserve particular
are related to the offering of goods or         mention include compulsory cooperation
services to data subjects in the EU or the      requirements with the competent
monitoring of behaviour to the extent that it   supervisory authorities, notification
takes place within the EU. This means that      obligations as regards infringements, data
processing personal data in data centres        privacy by design and by default, the right
may not only allude to EU data privacy law,     to be forgotten and various new
but also raise a wide array of complex          documentation requirements. Also, the
challenges and questions in this field.         concept of a data protection officer has
In particular in view of the significant        been expanded to the entire Union.
sanctions regime – with fines of up to 2        It should also be noted that under the GDPR
percent of worldwide annual turnover            both the controller and the processor are
– compliance with data privacy requirements     responsible for privacy compliance. Fines
has become even more important to any           for non compliance are substantial, not to
entity handling person-al data.                 mention the damage that would be caused
However, it should be noted that the GDPR is    to a company's image if it were accused of
not the only new piece of legislation           failing to meet data protection requirements.
governing the storage and processing of data.   Accordingly, it is crucial to have adequate
In January 2017, the European Commission        and upto date privacy concepts in place
published a proposal for an ePrivacy            governing staff, services and infrastructure.
Regulation. Its core focus is to ensure an      Data processing agreements need to be
adequately high level of confidentiality of     revised and adapted to reflect the new
electronic communications throughout            regulations of the GDPR and the coming
Europe. In pursuing this aim, the draft         ePrivacy Regulation. In this context,
Regulation goes beyond purely personal data     multiple layers of subcontractors in cloud
and covers all kinds of private information.    infrastructures are a particularly common
For more details, see our international blog    source of difficulty and ambiguity. Clear
at http://www.hlmediacomms.com.                 contractual structures and transparent
Welcome to the world of data centres 2019                                                      25

technical architectures are recommended          access to the processed data are offered by
safe-guards in this respect.                     the housing provider, the latter may be
                                                 deemed neither a processor nor a controller
Different business scenarios
                                                 of the data. However, such scenarios rarely
Privacy law generally differentiates between
                                                 exist in practice.
"controllers" and "processors". A different
set of obligations applies depending on which    As we have seen, there are various ways to
of these two roles a company has. A data         "design" a data centre service and each
centre operator has various options to choose    design brings with it a slightly different set of
from. The business model chosen by a firm        legal requirements.
will determine which legal regulations it        Cyber security
must meet. Conversely, the respective legal
                                                 Data centres are data hubs and therefore
obligations can make certain business
                                                 susceptible to cyber attacks. Such attacks
models more or less attractive. Therefore,
                                                 could result not only in data theft, but also in
taking an informed decision as to how the
                                                 the disruption of internet services of
data centre service will be structured is
                                                 multiple customers and businesses.
essential for business success.
                                                 Consequently, a data centre operator faces
Generally, a distinction can be made             high liability risks.
between two common business scenarios:
                                                 There have been many instances of high
First, controllers deploying a hosting           profile cyber attacks such as:
provider. Here, processing and
                                                 •	(Distributed) Denial of Service (DDoS)
infrastructure are part of the service
                                                    attacks where servers shut down due to
rendered. Whereas the original controller is
                                                    being overloaded by a flood of
still regarded as a controller, the hosting
                                                    incoming messages.
provider might either be a processor or a
(secondary) controller, depending on the         •	Ransomware attacks, such as WannaCry
extent of autonomy involved in the service          and NotPetya, where malicious software
rendered. The service contracts need to be          blocks access to a computer's data, asking
drafted accordingly to ensure adequate              for a ransom to release the data or
justification for the agreed handling of data.      otherwise threatening to destroy it.

Secondly, controllers deploying a mere           •	Attacks against the data centre
housing provider providing only the data            infrastructure to screen, control or
centre infrastructure. Under a "pure"               eventually destroy the facility such as
version of this scenario, i.e. where no             the Stuxnet virus.
(emergency) services that potentially allow
26                                                                                    Hogan Lovells

Recently, there has been a noticeable trend        Hence, more efficient security packages or
toward more sophisticated attacks. Such            change of outdated IT infrastructure may be
unprecedented techniques render the data           advantageous to such operators. They might
centre infrastructure even more vulnerable         result in higher costs, but augmented
and are likely to result in liability claims by    liability and negative publicity can lead to
the data centre's customers.                       more severe problems.
Unpredictable and unforeseen incidents –           Certain data centre operators might also be
also known as black swan events – may not          subject to stricter regulation. Data centres
necessarily trigger fault based liability of the   with an annual performance of more than
data centre operator. However, it can be very      5 Mega watt, IT hosting with more than
challenging and practically impossible for         25,000 annual average instances, content
the operator to prove the existence of such a      delivery networks with an annual data
black swan event. The WannaCry and                 volume of 75,000 TByte, trust services with
NotPetya incidents illustrate that threat          more than 500,000 issued qualified
actors exploit malware families and reuse          certificates or 10,000 certificates for
efficient attack strategies. Considering the       authentication of publicly available servers
nature of cyber attacks, it is notable that,       are subject to the German Federal Agency
e.g. in Q1 and Q2 2017, 75% of all                 for Security in Information Technology Act
ransomware attacks were based on the same          (BSIG). As a result, sector-specific security
six known malware variants. This means             standards (Branchenspezifische
that, had the proper security mechanisms           Sicherheitsstandards – B3S) apply. The B3S
been in place, these threats could have been       for data centres, however, are based on ISO
prevented. In such cases, data centre              family 270xx. Especially the ISO 27001 and
operators may not be able to be released           ISO 22301 – in addition to the other data
from nonfault liability; as such events could      centre specific security standards – are
have been prevented and are not to be              referenced and need to be respected and
considered as black swan events. The data          implemented by the data centre operator.
centre operators may thus be held liable.
Therefore, it is strongly recommended that
data centre operators stay informed about
current threats and cyber security trends.
Otherwise, the data centre's board faces
personal liability or regulatory fines.
Welcome to the world of data centres 2019                                                    29

Data centre projects and transactions – our expertise

Our credentials                                  Setting up a data centre also has various tax
At Hogan Lovells we have a great depth of        implications for the provider as well as for
experience in advising clients on the            potential customers which should be taken
establishment and acquisition of data centres.   into account (e.g. permanent establishment
                                                 aspects, VAT aspects). Our Tax team is
The value we bring to clients is both in the     highly experienced in setting up tax efficient
depth of expertise in critical subject areas,    structures and dealing with all relevant tax
such as telecommunications regulation,           aspects in the respective agreements.
real estate and land use law and regulation,
tax, employment, and environmental               Our services
regulation, and in our ability to co-ordinate    •   Industry specific due diligence
this advice across jurisdictions, exercising     •   Real estate and regulation
sound judgment in supporting clients with
location selection decisions and strategies      •   Service – and O&M-contracts
for execution. We have strong relationships      •	Energy-related advice and
with local regulators and we understand the         cost efficiency
markets in which our clients operate.
                                                 •	Coordination of global deals as your
More than just data storage                         single-point-of-contact in Germany
We have experienced projects, real estate,
                                                 •   Finance
corporate, and commercial teams who
can assist                                       •   Commercial and tax

•	with all aspects of the acquisition and
   construction of data centre sites or
•	fully operating data centre businesses
   if required
•   with establishing title and ownership
•	with all aspects of data centre
   transactions and ongoing operation,
   including site suitability and risk
   factors, planning and environmental
   issues, ownership of key infrastructure
   (e.g. backup power, cooling, and fire
   suppression, customer contracts)
30                                                                                                           Hogan Lovells

Our distinctive expertise

Keppel Telecommunications & Transport and Alpha               Keppel DC REIT
Investment Partners
                                                              On its acquisition of a data centre in the Celtic Gateway
On the acquisition of a EUR 76m data centre from              Business Park. The data centre is fully let to one of largest
Citigroup and on the sale-and-lease back agreement to         global cloud service providers on a 15-year full repairing
Citigroup who remains the tenant.                             and insuring lease that commenced in June 2016.

A borrower                                                    Telehouse Holdings Ltd. and KDDI
The borrower in a (re)financing of a data centre              Corporation on its acquisition of Databurg GmbH.
in Frankfurt.

TelecityGroup                                                 A leading UK based operator of data centres
•	In relation to its acquisition of the Manchester based     On various project developments (EPC, O&M) as well
   carrier neutral data centre.                               acquisition of such data centre in Germany.
•	On its GBP 87.6m acquisition of Data
   Electronics Group.
•	On its acquisition of leading Finland data centre
   operator Tenue Oy.
•	On the acquisition of Academica, a leading data
   centre and IT services operator in Finland.
•	On the acquisition of the data centre business of
   MedioSystems, an affiliate of the IBM Group.
•	On its acquisition of the entire issued share capital of
   SadeceHosting.
•	On its acquisition of the entire issued share capital
   of 3DC by TelecityGroup International Limited.
   Hogan Lovells advised On English law and oversaw
   local advisors.
• On its acquisition of Plix.
Welcome to the world of data centres 2019                                                                         31

A UK clearing bank                                         A major European colocation space provider
On the development of a dedicated data centre and a        On the development of a new data centre and
number of consequent upgrade projects.                     consequent extension project and on projects to
                                                           upgrade equipment on existing operational sites.

Du Pont Fabros Technology                                  A leading global bank
On its proposed purchase and redevelopment as a data       On establishing a data processing subsidiary in China.
centre of a heavily contaminated former chemical and
pharmaceutical manufacturing site.

A leading data centre operator                             A leading data centre operator
On the acquisition of the reversion to their facility in   On the lease review of 46 leases across 6 countries for a
Harbour Exchange Canary Wharf, regearing followed          leading data centre operator.
by sale and leaseback.

One of Europe's leading data centres                       A number of financial institutions
On all employment matters across Europe.                   On fit out of new UK headquarters premises, with
                                                           related internal data centres.
32                                                                                          Hogan Lovells

     Your key contacts

                           Dr. Alexander
     Dr. Tobias Faber      Stefan Rieger        Dr. Fabian Pfuhl     Johannes Groß
     Partner, Frankfurt    Counsel, Frankfurt   Counsel, Frankfurt   Associate, Frankfurt

     Dr. Carla Luh
     Partner, Hamburg

     Dr. Mathias
     Schönhaus
     Counsel, Dusseldorf

     Dion Panambalana Nicola Evans
     Partner, London  Partner, London
Welcome to the world of data centres 2019                        33

                                            Alex Wong
                                            Partner, Singapore
Alicante
Amsterdam
Baltimore
Beijing
Birmingham
Boston
Brussels
Budapest*
Colorado Springs
Denver
Dubai
Dusseldorf
Frankfurt
Hamburg
Hanoi
Ho Chi Minh City
Hong Kong
Houston
Jakarta*
Johannesburg
London
Los Angeles
Louisville
Luxembourg
Madrid
Mexico City
Miami
Milan
Minneapolis
Monterrey
Moscow
Munich
New York
Northern Virginia
Paris
Perth
Philadelphia
Riyadh*
Rome
San Francisco
Sao Paulo                 www.hoganlovells.com
Shanghai
Shanghai FTZ*
Silicon Valley
                          “Hogan Lovells” or the “firm” is an international legal practice that includes Hogan Lovells
Singapore                 International LLP, Hogan Lovells US LLP and their affiliated businesses.
Sydney                    The word “partner” is used to describe a partner or member of Hogan Lovells
                          International LLP, Hogan Lovells US LLP or any of their affiliated entities or any employee
Tokyo                     or consultant with equivalent standing. Certain individuals, who are designated as
Ulaanbaatar*              partners, but who are not members of Hogan Lovells International LLP, do not hold
                          qualifications equivalent to members.
Warsaw
                          For more information about Hogan Lovells, the partners and their qualifications,
Washington, D.C.          see www.hoganlovells.com.

Zagreb*                   Where case studies are included, results achieved do not guarantee similar outcomes
                          for other clients. Attorney advertising. Images of people may feature current or former
                          lawyers and employees at Hogan Lovells or models not connected with the firm.
*Our associated offices   © Hogan Lovells 2019. All rights reserved. 1059936_0419
You can also read