It’s said that every company should treat itself as a data company – now it seems that every regulator is becoming a data regulator.
The appointment of David Irvine, ex-ASIO head, as the Chairperson of FIRB accelerated the use of Australia’s foreign investment rules as a tool to address the Government’s concerns about data security, including data gleaned from smart infrastructure.
The unfortunate consequence of doing this through the foreign investment legislation is that foreign-owned businesses are subject to restrictions that domestic-owned businesses are not, leading to different operating costs and ability to exploit opportunities.
Ilona Hunnisett: Hi, I'm Ilona Hunnisett and I'm here with Deborah Johns to discuss how the foreign investment review board has changed its approach to data.
Over the last couple of years, businesses and investors globally have been experiencing greater regulatory oversight and intervention in relation to businesses and investments that are information rich and data heavy. Here in Australia, FIRB has been getting involved in this space. Debra, what is FIRB's approach here and how has anything changed and what are they actually interested in now?
Deborah Johns: Well, the potential for malicious actors to exploit data has been a concern of the government across the board, not just in relation to foreign investment. The kinds of data that they're concerned about are Australians' personal data, government data, and any data that can be gleaned from smart infrastructure.
In the absence of any sort of national comprehensive regulation though, the government has used what tools they can to put protections in place, and the foreign investment rules are one of those tools. The reason the foreign investment rules work for this purpose is that they regulate whether something is contrary to the national interest. And the term national interest is not defined. That allows the government to adapt its views to whatever the issues of the day are and so it's able to assess transaction based on whatever the current threats are, and data is definitely considered to be a current hot topic.
The appointment of David Irvine, who's the ex-head of ASIO. As the chairperson of FIRB a few years ago was the first big signal that they were starting to adapt their interpretation of national interest to cover things that were a little more esoteric than the usual military national security type issues.
Ilona Hunnisett: And so as FIRB considers applications, we're seeing more and more conditions being put in place on businesses and investors. So what's the nature of those in relation to information rich businesses?
Deborah Johns: Yeah, yeah. So the conditions normally focus on what sorts of information do people have access to, who has access to that information, where can they access it from, and where is the information actually physically stored? If it's stored in the cloud, there's a couple of cloud service providers that are on a white list that the government has.
These conditions are problematic in a few different respects. One is that they're not especially well drafted. They use some important terms that aren't actually defined in the conditions or in any other legislation. They also can have a really significant impact on the way a business is operated. So as an example, there's often a condition that says people can't access information from offshore. Well, what happens if the target happens to have an offshore call centre that provides customer service? The target actually really needs to think about the ways that these conditions are going to apply to the way that it runs its business
Ilona Hunnisett: And these conditions, they're also now audited. Is that something that's also happening with FIRB?
Deborah Johns: Yeah, so FIRB is actually following up. There are a few people that we're aware of that have gotten some of the big four accounting firms, for example, to audit their compliance with the conditions.
Ilona Hunnisett: Is this just a China investment issue?
Deborah Johns: Publicly, the government is always going to say that they assess all of the applications in the same way against the same criteria, but it's just a fact of life that the things that they look at, do you have the motive and the ability to exploit this data that we think is sensitive, is more likely to be something that they have to worry about when it's a Chinese foreign government investor versus an American private equity fund.
Ilona Hunnisett: And so how should businesses and investors be looking at the FIRB application process when they're looking at a business or a target that is in this potential national interest space? What's the approach they should be taking?
Deborah Johns: So what we tell people is they just need to be as upfront as possible about the kinds of information that the business has, who has access to that information, where is it stored, and what is done with that information. The biggest lesson we've learned in the past few years is that the target really needs to be involved in negotiating the conditions. Too often, we've seen acquirers just willing to agree to anything in order to get the deal done and then the target is stuck being the ones who actually have to comply with these things, and they just don't make sense sometimes for their business.
Ilona Hunnisett: And so overseas, we've seen a couple of instances where the FIRB equivalent has stepped into transactions and unwound them. Is this something that you think an action that FIRB might potentially take or that we might see more and more of in Australia?
Deborah Johns: Yeah, I think that Australia is very dependent on foreign investment, so I think the government generally is pretty reluctant to do anything that suggests that they're not completely open for business. So I don't think that we're going to see a wave of rejections around data. The government is eventually going to have to grapple with the fact that this threat in relation to data that has been identified doesn't actually apply to just foreign owned businesses, domestic businesses store information offshore can be attacked by people trying to access information. And so the foreign investment rules are actually a pretty clunky way to try to address the concerns that the government has in relation to the protection of these kinds of data.