Data centres unboxed A guide to legal issues, trends and risks

Attorney advertising

A Norton Rose Fulbright guide 2013

Contents

1 Preface

2 Introduction

3 Planning and locating a data centre

4 Building and opening a data centre

5 Environment and corporate governance

6 Outsourcing and offshoring

7 Shared services

8 Data privacy

9 Hot topics and regional trends

10 Concepts and glossary

11 Contacts

1 Preface

Mike Rebeiro, Global head of technology and innovation, Norton Rose Fulbright LLP

We are pleased to present the second edition of Data centres unboxed.

The world is reliant on data and the internet in our technological era. With increases in corporate data storage requirements and generally in data-heavy applications and solutions, the facilities and processes used to store such data are being more intensely scrutinised in areas such as security, availability and adherence to standards; and as shown in this guide, there is a degree of commonality of issues across international borders.

With that in mind we have prepared this guide with the aim of explaining some of the key considerations affecting data centres. The guide includes chapters on building a data centre; selecting an appropriate location; environmental and corporate governance issues; outsourcing, offshoring and shared services; data privacy; and a look at some of the hot topics and regional trends in this space around the world.

This publication is likely to be of particular interest to data centre operators, IT service providers, banks and other institutions funding data centre projects, and any other person with a vested interest in storing and handling large amounts of data.

Technology and innovation is a key area of strength for Norton Rose Fulbright. Knowing how our clients’ businesses work and understanding what drives their industries is fundamental to us. This is particularly true in the fast paced areas of technology and information management. Our lawyers share industry knowledge and sector experience across borders, enabling us to support our clients anywhere in the world. Our technology and innovation team comprises lawyers across many different practice areas, including sourcing and technology, construction, real estate, corporate finance, banking and dispute resolution. This reflects the complex nature of transactions and issues in this sector.

We trust that you will find our guide useful and insightful. If we can be of any further assistance please do contact us.

2 Introduction

There has been an explosion in the consumption and processing of data in recent years; as increasing volumes of data need to be stored, the overwhelming reliance on data centres is proportionately becoming greater and greater. As data centres become more prevalent and the need for them continues to increase, it can only be expected that the legal regime surrounding their construction and use (in particular environmental and data security laws) will be adapted and developed.

In practical terms, the size of a data centre can be greater than three large supermarkets. The costs of building a large data centre are said to be up to US $500 million and in some cases up to US $1 billion. With that in mind, anyone contemplating constructing a data centre will inevitably have many issues to consider, and will have to make sure that the cost of the project and the associated risks are appropriate, compared with the intended rewards.

There are obvious practical questions, such as how big should the data centre be, how much energy will it require and who will build it. In this guide, we have focused on some of the legal and commercial considerations that will apply once these decisions have been made. The planning and locating a data centre and the building and opening a data centre chapters are relevant to someone considering building or setting up a data centre, but the criteria for considering location of a data centre could also apply to someone considering, for example, the use of a shared services solution – e.g. sharing services in a data centre based in a zone that is at risk of flooding, storms or other hazardous elements could risk loss of the data stored there.

Before embarking on a project of building a new data centre, it may be useful to re-confirm that construction of a new data centre is the most efficient way of dealing with the data storage needs concerned. There may in fact be a more suitable alternative solution, such as utilising services provided by an independent data centre provider or re-assessing the efficiency of any existing data centres. We have also considered in the shared services chapter other alternatives such as whether, in fact, the efficiency of any existing data centre could be improved (rather than incurring the costs of building a new data centre) or even whether parties can share services.

Regardless of whether the data is stored in a new data centre built for purpose or an existing one, there are a number of other matters that need to be considered simply to operate a data centre. The list is considerably larger than can be included in detail within this guide, but includes data privacy and continuing energy efficiency. As also mentioned in more detail in the environment and corporate governance chapter, the public demand for cleaner and greener IT may result, in due course, in requirements to report publicly on the “green” status of data centres or to comply with an industry-based standard of efficiency. This has already been discussed in a number of jurisdictions. Other possibilities are tax and investment incentives for data centres that will be powered using green energy sources.

We have also considered a number of “Hot Topics” across different regions (Africa, South America, Europe, Asia and the Pacific, the Middle East, the United States and Canada). Each of these demonstrates how data centres are becoming of greater significance worldwide and indicates a key trend or issue for that region at the time of writing.

3 Planning and locating a data centre

In this Chapter we will describe some of the major legal and commercial considerations in determining the location of a data centre. Whilst the recent economic climate has led to greater efficiencies of existing data centre footprint space, recent market surveys have confirmed that the need to expand facilities is increasingly a commercial imperative. It should be noted that a variety of finance and logistics models exist which break down the site selection process in considerably more detail than this paper allows. For example, sophisticated models may factor into data centre location the flight paths of commercial aircraft, the routes taken and changes predicted to flight landing paths, with the stated purpose of assessing the risk of aircraft collision with the data centre.

The importance of site selection

For global operators, clearly a growing sector given the inexorable growth of the cloud, an assessment must be made of the jurisdiction of the proposed data centre site. Data centre down time is costly and potentially catastrophic to a business, yet technological advances have removed the need for physical proximity of the data centre to the end user. Comparative analysis can often demonstrate a significant saving in operating costs by offshoring, but cost saving alone is rarely the definitive factor in deciding the location of a new facility.

Macro factors include political stability, international bandwidth, the risk of natural disasters, levels of regulatory control, energy infrastructure and levels of taxation. An assessment of these risks, together with the application of a weighting factor for each (imposed in order to reflect specific operator requirements), needs to be considered carefully as part of the site selection process.

The need to locate the data centre “offshore” due to the perceived reduction in costs (for example of land, labour, construction, telecommunications, and electricity) is considered further in Chapter 6 on outsourcing and offshoring.

Sustainability is increasingly a major consideration. It is claimed that data centres account for between 2 per cent and 5 per cent of global carbon emissions, a figure which draws significant attention. Carbon taxes are set to rise, as are energy costs. Environmental issues and related factors that may also affect the selection of a data centre location are described in Chapter 5 on environment and corporate governance. Further real estate matters such as ownership of the chosen land and construction considerations are discussed in Chapter 4 on building and opening a data centre.

The location will be largely determined on the basis of the end-needs of the functioning data centre. The factors described in this Chapter and Chapters 4 and 5 will be balanced and prioritised according to the purpose of the data centre – that is, whose needs it will meet.

Factors in determining the location of a facility will be influenced by whether the data centre is to be an in-house facility, also known as an owner/occupier facility (which often leads to proximity being a major factor) as compared to a facility owned and operated by a third party provider (who may also be referred to as a “developer”) where the service is outsourced.

If the developer is a private developer, whose main source of business is not providing data centres (and therefore the data centre is a support function to protect the security and data of the existing “main” business), such developer may want to locate the data centre near to the main head office in order to utilise existing staff and to check on performance and security.

However, if the private developer builds the data centre and then appoints an agent who is fully responsible for its efficiency and operation, the developer may be comfortable locating the data centre away from its head office. In either case disaster recovery planning may take the decision away and impose the need for a remote facility.

The decision criteria as to whether an owner/occupier should seek to externalise the service include the need for internal management (perhaps for regulatory purposes), the lack of capital to build facilities/acquire new space, business needs (for example where additional facilities are required to service short to medium term demands from clients) and the lack of in-house skills. Choosing a third party to provide data centre services is clearly a major decision, and is considered further in Chapter 6 on outsourcing and offshoring.

Numerous industry surveys have sought to rank the importance of the factors used to determine the location of a data centre. Whilst results vary, the two standout and interrelated factors in choosing a data centre are the availability of power and the actual location of the data centre. Perhaps counter-intuitively, the availability of a skilled workforce ranks much lower down the list of requirements when choosing a site for a data centre.

Regardless of the risks and factors relevant in assessing the merits of choosing a certain location for a data centre, commercial considerations are often paramount in making the decision. As a result, the legal analysis in this guide will focus on mitigating the legal and commercial risks associated with the relevant jurisdiction and the ownership/operating model to be adopted.

Supply and demand

As with any project, location of a data centre may depend (to some extent) upon the demand for data centre services. For example, as seen in Chapter 9 on hot topics and regional trends, there is currently a demand for data centres in the Middle East to serve the burgeoning data supply within the region. Equally, China and India are rapidly increasing the number of data centres in their countries. On the other hand, the trend for increased mergers and acquisitions in the sector has been perceived by some users as running the risk of reducing the choice of providers.

The physical nature of the underlying land

It has to be determined whether it is physically possible to build and operate a data centre in the proposed location. Issues to consider include:

• whether a data centre can be built on the land concerned;

• local weather profiles, for example flood, tsunami and typhoon risk and the impact of these upon the site for the data centre;

• the seismic risk profile; it is noted that the data centre operations in Japan have proved to be remarkably robust despite recent major earthquakes;

• whether the ground can withstand the foundations or the floor loading can accommodate the levels of equipment installed; retro-fitting an existing building for data centre usage can prove to be problematic.

Temperature

Data centres need to be kept cool in order to prevent any of the internal systems from overheating. Optimising air flow within a data centre is crucial to maintaining the correct temperature. A key requirement is to prevent hot air and cold air mixing, hence the design of many data centres includes the provision of hot aisles and cold aisles.

Whilst it is possible to use energy resources to ensure that the data centre is kept cool, this can be costly both in terms of electricity costs and also in terms of potential carbon credits. Accordingly there has been a recent trend towards locating data centres in colder locations such as Iceland and Ireland, to reduce the cooling costs. In other words, the data centre benefits from “free” cooling from the ambient temperature rather than the developer paying for chillers and the energy such chillers consume. These cooler ambient temperatures are often complemented by an abundance of cold water, another resource used for temperature regulation.

Suitability and security of the actual land site

Security and protection of the data held within data centres is one of the biggest concerns for any data centre owner; this is considered further in Chapter 8 on data privacy. In order to protect the data, the energy supply should run all year round and the building has to be protected from extreme environmental factors. The risks (such as a breach of data security, or simply in losing the value of a multi-million dollar building) are far greater to anyone seeking to develop a data centre in an environment subject to inclement weather, extreme physical conditions such as earthquakes and volcanoes, or security threats/civil unrest.

Access to services and supplies

Anyone considering building a data centre should also consider, prior to embarking on the project, whether the data centre will be able to function efficiently after completion of the construction of the external building. For example, the data centre should have access to the necessary networks/information grids, efficient energy supplies, goods and services, and skilled employees.

Two further and associated points are worth highlighting, based on recent experience:

• “reserving” power is important, particularly when planning a data centre facility, to ensure that the facility can be energised when required. This is even more important when a phased facility is planned or a commitment to deliver expanded facilities is given by a developer; and

• the power grid infrastructure should be considered. Future supply risks (including energy supply costs) can be managed through long term energy contracts. The Uptime Institute provides useful statistics for measuring historic costs for comparison purposes, which assist in predicting future costs.

Physical access to the property itself

As part of considering the location of a data centre, the ability to access the land is a crucial consideration. If there is no access via a public road and the only way to access it is via neighbouring land held by independent parties, the data centre will be land-locked. A similar position is arrived at if the facility forms part of a campus or larger complex where there is a failure to deliver the expected services and infrastructure. The possible effect is that no one can access the land to build, use or check the security of the data centre. In some cases, neighbouring landowners could seek to hold the land owner to ransom – i.e. require payments to be made in exchange for the grant of the necessary land rights.

These risks can be managed through ring fencing a facility in order to allow the data centre to be self-sufficient wherever possible.

Telecommunications

Every data centre has to be able to send and receive the information it is storing. If a server crashes, the consequences for the end-users can be far-reaching. The availability of a reliable telecommunications supply may also affect the insurance premiums.

Data centres should ordinarily therefore be located in a position where they can receive a consistent and effective telecommunications supply, and which is linked to a network that passes on to customers over a fast connection. On the other hand, some countries may not be a desirable location for a data centre because of their lack of infrastructure. Reference is made to a “peering point” as a desirable location with an abundance of fibre network.

In a similar vein, “latency” (effectively the small delay caused in signals due to the physical remoteness of a site) can be a material factor where a data centre is expected to provide a near instantaneous back-up of data. As the fibre optic network improves and gigabit capacity increases, latency, as measured in milliseconds, continues to reduce.

Efficient energy supply

Getting access to efficient and reliable energy is always a factor in data centre construction and operation. Where uninterruptible power supply is needed, access both to mains power and a temporary power supply is required. Indeed, many data centre users measure their requirement in terms of critical power usage rather than “space” as measured in square metres or number of racks.

There are major variances in the resilience of energy transmission systems across jurisdictions. Even where power is available, fees may be payable to ensure that adequate power supplies are available to meet future demand. Certain jurisdictions and locations benefit from nature’s renewable resources such as hydro-power and geothermal energy. Such locations tend to lend themselves to longevity and reliability of supply.

Even if the relevant jurisdiction has adequate mains power supply available to the intended location of the data centre, not all locations have access to temporary power. In some countries the mobile/telecommunications network has expanded beyond the geographical boundaries of the electricity network. Anyone seeking to place a data centre in such a jurisdiction should consider relying on on-site generators, with a greater risk that the data centre would not have suitable, constant or reliable power.

A metric often used to measure the cost of energy to a data centre is simply to determine the cost of the provision of electricity expressed in units of local currency (or US Dollar equivalent) in kw/h. Similarly users will be able to estimate their average power drawn from data centre facilities, measured in kw/sq m (i.e. the cost of the supply of electricity/size of facility). Combining the cost of supply against average use provides an indication of the energy costs, which in most instances is the most significant operating cost of a data centre.

Temporary back-up power can either be stored on site (assuming the site has capacity to hold a generator) or it could be sourced from an external supplier. The contractual position can become quite complex when there are different sources of energy (and especially when there are different suppliers involved). Given that the temporary power is an emergency back-up, it must be a reliable source of power and it should be considered whether any failure to obtain such back-up power could affect the validity or cost of insuring the data centre.

One of the latest factors to enter any deliberation of location of a data centre is whether the energy supply is renewable. There are even suggestions of building data centres that can be powered by biogas, so that the data centre should be located near to a biogas supply.

Rights of way

In order to receive the power from the main grid or temporary provider and to send and receive information by and through the telecommunications networks, it must be established whether cables are required to be laid over or through neighbouring land. If this is the case then the land on which the data centre is located should have sufficient rights of way over such neighbouring properties.

Time for provision of goods and services

Goods and services necessary for the construction or operation of a data centre are often on long lead times and the timescale for obtaining such products will need to be factored into the planning process. Many items used in the construction of data centres may not be manufactured locally. For example, it is likely that the necessary diesel or rotary UPS has been manufactured in Europe, and data centres located outside Europe should factor delivery times into their critical path analysis. The procurement process is a factor in the construction of almost every data centre and experienced consultants and suppliers should be involved during the design and planning phases ahead of construction.

Availability of key personnel

Some staff may be able to work remotely from the data centre. However, these remote staff will have to be supplemented by key personnel who can attend the site and deal with any issues that must be addressed on the ground. These are likely to include engineers, located in close proximity to the premises, who can deal with problems in a matter of minutes. The remote staff will need to have suitable access to the “on-the-ground” staff. Working together with project managers and other consultants is also essential, which raises the issue of dealing with the liability apportionment for key consultants during use.

There may be a requirement under local laws to employ local staff (or at least to employ a certain proportion of employees who are local staff).

Jurisdictional case study: Australia

There are varying strategies in place across Australia to encourage and promote “greener” construction and operating practices. Typically, the regulation of general planning and construction issues is undertaken at the State level and not at the national level, leading to inconsistent outcomes. Examples of Australia’s State-based regulation that can impact on the construction and development of data centres include:

• in New South Wales, contractors seeking to work on major projects worth AUS $10 million or more (or projects that are environmentally sensitive) are required to have a corporate Environment Management System accredited by a government construction agency. This system must either comply with the New South Wales Environmental Management System Guidelines, or comply with the Australian Standard AS/NZS ISO 14001:1996 relating to Environmental Management Systems;

• in Western Australia, the Environment Protection Agency (Agency) undertakes environmental impact assessments of proposals and schemes referred to under the relevant legislation. Where a development proposal is likely to have a significant effect on the environment, the project may be referred to the Agency for a decision on whether an impact assessment must be undertaken. However, an assessment of whether a project needs approval will usually depend on the environmental values of the area affected by the construction and the extent and likely impact of the change on the environment; and

• in Queensland, certain environmentally relevant activities are required to have development approval or to implement a code of compliance before the activity can be commenced.

Jurisdiction

Planning consents

The developer should ensure that it is permitted to build and operate the data centre in the proposed location. If planning permission is not obtained prior to acquiring a site and ultimately is not available for the project, the site could become redundant.

In most jurisdictions, planning permission/consent is required prior to carrying out any development. Planning consent is usually obtained from a local planning authority or government department, although other entities may also need to approve the development, depending on the size of the development and the effect on the environment and any other applicable local laws.

The intended use of the land concerned may be set out in a “plan” and it can be extremely difficult to seek to place a data centre on land that has been determined by the authority to be used for purposes other than a data centre such as residential or retail purposes.

In some situations, the planning authority may require the developer to mitigate any negative effects on the local area. For example if the existing road infrastructure is inadequate to deal with the construction traffic, the authority may seek payments towards the road network or for the developer to build new roads.

There may also be authorities that will have specific requirements on the design and this will largely depend on the extent to which the jurisdiction concerned has experience in and houses existing data centres.

Obtaining planning permission can be a costly and lengthy process and it is recommended that planning consultants are appointed.

Incentives to locate data centres in the region

There are a number of jurisdictions that actively encourage data centre development, with the intended consequence of enhancing development in the area and improving employment and economic factors. In the US, incentives are offered in some markets to “enterprise” users (businesses operating commercial software and data) in order to create a business friendly environment.

Such jurisdictions may offer incentives to locate data centres there, advertise their power rates, or offer land for free, in return for the developer locating the data centre in the specified area.

Another positive factor in such jurisdictions is that planning consents are likely to be more readily obtainable for the proposed project site.

There has been an emergence of “clustering” whereby one well known provider develops a data centre and other providers subsequently place their data centres in the same geographical area. Many data centres have therefore emerged around business centres, which are likely to have established real estate laws and are also likely to attract employees.

For example, in Australia, several business parks have emerged as data centre clusters, such as the DC Creek Facility in New South Wales. In America, a number of clusters have arisen, such as at Quincy in Washington, where Yahoo! set up its data centre and others followed.

Whilst a private developer will be able to utilise the benefits of a data centre cluster, a host developer may be uncomfortable locating in an area where competing services already exist. However, the host developer considering development in a location without any data centre experience may find that the hurdles in dealing with authorities and setting up outweigh the benefits from lack of competition.

Political and legislative intervention

Thought must be given to the political stability of the jurisdiction of the data centre. Protectionist legislation and protective markets can hinder development and political instability can endanger long term confidence in a project.

Design considerations

For new data centres being constructed, there are some additional design options that should be considered.

One option available for new data centre developments is to utilise external ambient air to cool the data centre, which is particularly effective where the data centre is located in colder environments.

Greenfield data centres can also take into account location-specific benefits when deciding on the site of a new data centre. For example, sea or lake water may be used as a thermal sink or heat exchange, or the data centre may be located near sources of renewable wind, solar or hydro power where available. However, these locations may conflict with other requirements such as ease of access to telecommunications infrastructure, geo-stability of the location and flood zone considerations.

Another option is the deployment of self-contained modular data centres that can be built to scale up capacity on demand or which can even be re-located to meet needs in another area.

Finally, for new data centres located near other buildings, waste heat from the data centre may be used to heat nearby office buildings.

Ownership structures

Different structures also exist in terms of the actual ownership of the data centre facility. Two common ownership structures used by data centre owners are the tenancy agreement model and the joint venture model, which are described in diagrammatic form opposite.

Norton Rose Fulbright – 2013 17

Planning and locating a data centre

Option 2: Joint venture

Data owner

Data centre owner/

developer

Site acquisition (purchase, lease)

Energy provider

Equipment

Design and construct

Telecommunications provider

Operator(s)

Funding(equity and debt)

Joint venture vehicle

Data owner

Data centre

developer

Energy provider

Equipment

Design and construct

Telecommunications provider

Operator(s)

Funding(equity and debt)

Jurisdictional case study: SwedenWith growing capacity requirements for data centres, the demand for using “clean energy” for cooling and operation is increasing. Having used diesel or coal derived energy in the past, many operators are looking to reduce their carbon footprint. But not only energy usage and sources are important in locating a data centre, as mentioned above factors to consider include political and geological stability, access to skilled labour, an investment friendly business environment and security.

Facebook announced towards the end of 2011 that it had decided to locate its first data centre outside the United States in Luleå close to the Arctic Circle in northern Sweden. The move is not surprising. The area around Luleå has established itself as a cluster for high tech companies.

With an average annual temperature not much above the freezing point and very few days per year above 25 degrees Celsius, an overcapacity in the grid and access to 100 per cent renewable hydro power, the area is ideal. Additionally Sweden has the benefit of a very stable political environment, a business friendly climate with transparent legislation and no foreign investment or ownership limitation. The government, local as well as central, is encouraging investment in the north of Sweden and the access to skilled labour at reasonable cost is good – there is a technical college in Luleå focussing on high tech, providing ample to research and development and skilled staff.

The one drawback of locating a data centre in Sweden could be security. Although there have been very few, if any, security issues at secure installations in Sweden, there is no tradition of having armed guards, even at nuclear power stations, although this is now being revisited. From an international perspective, this might come as a surprise and considering the sensitivity of the information stored in the data centres, this may well have to change.

[Figure: Option 1: Tenancy agreement. Diagram label: site acquisition (purchase, lease).]


4 Building and opening a data centre


In some countries it is not possible to hold freehold title to land. It may therefore be the case that the developer is only able to obtain a lease and then build the data centre on the basis of such rights.

If the developer does not hold and cannot acquire freehold title to the underlying land, it is fundamental that the developer will have sufficient legal and contractual rights to build on the land concerned and to have exclusive use of the constructed data centre for the desired period of time. (In some countries there are also limitations on the length of leasehold type interests – for example there may be a maximum duration of 50 years, with a possible renewal thereafter.)

Due diligence

If the land is to be acquired on a freehold basis, the developer should complete a full due diligence of the title to the property. Matters to be considered include:

• whether there are any encumbrances (third party rights) over the property such as an existing mortgage or a lease;

• whether there are sufficient rights to access the property (which are mentioned in Chapter 3 on planning and locating a data centre); and

• whether any third parties have rights to purchase the land or other priority interests that could prejudice the developer’s ownership and use of the land concerned.

Building and opening a data centre

In this Chapter we consider a number of factors that can fundamentally impede or affect the speed and ability to build a data centre. These are some of the salient issues, however they will still vary on a case by case basis. The issues can be separated into real estate matters and contractual matters. Many of the issues regarding building a data centre apply to both host and private developers, regardless of the end purpose. However we have made some references to issues that will likely only apply to either a private developer or a host developer.

Building a data centre: real estate factors

Ownership of the land concerned

In most jurisdictions land is commonly owned by either:

• freehold estate/title, which gives the holder absolute title over the land (subject to any encumbrances (interests) that may legally affect the land); or

• leasehold estate/title, which gives the holder an interest in the land for a specific timeframe (or potentially for a rolling period), and on expiry of such term or other termination of the lease, all interest in the land reverts to the landlord. A leasehold estate may be subject to payment of rent and other restrictions and obligations. Assuming the intention is to build, the leasehold structure must enable construction upon the relevant site, which in some jurisdictions may be permitted by a mechanism such as a musataha.

It is increasingly common in certain jurisdictions for freehold and leasehold estates (usually long leasehold estates) to be held in the context of a “strata” or community title, where there has been a sub-division of land and/or a building. An application of this to a data centre project might be where a data centre is housed in the basement of a bigger building or other facility. This guide does not consider this and other types of land holding structures and only refers to freehold and leasehold estates.

A major consideration will therefore be whether the developer will hold leasehold or freehold title to the land on which the data centre will be built.

Acquisition of an existing data centre

As an alternative to constructing a data centre, a data centre provider may wish to acquire an existing data centre or at least accommodation which is readily adaptable for use as such. A few brief issues to consider are set out below.

If the developer is purchasing a completed data centre due diligence will be required on, for example, the ownership of the property and the equipment housed within the building.

It should not be assumed that ownership of both should rest in the same party.


A building surveyor should check the structure, a valuer should confirm the value and other specialists should be called upon to look at more technical elements of the premises, for example the plant and equipment. If the “defects liability period”, or the period within which the parties involved in the initial construction of the facility have liabilities, has not expired, then the developer may require the existing owner to assign to it the rights under the contractors’ appointments or by other means extend the duty of care owed to the developer by other key sub-contractors and consultants engaged in the construction project. A similar analysis should be conducted in respect of key items of equipment in the data centre.

Many of the other issues in this Chapter will also apply to any such acquisition. Additionally, points on location, data privacy and environmental considerations will apply regardless of whether the data centre is being constructed or acquired as a completed (and possibly operating) structure.

However, other issues may apply when acquiring a data centre and a checklist will be akin to those to be considered when acquiring a business. For example some countries have laws regarding the automatic transfer of employees if there is a transfer of a business and indeed impose a regime that cannot be contracted out of; purchase taxes take different forms and are imposed at different rates depending on the jurisdiction; contractual arrangements may not be freely assignable or consent may be needed.

A key consideration in determining the form of the lease is the stage at which the tenant/developer engages with the land owner. At an early stage the land owner and intended tenant can work in unison to build a facility to meet the requirements of the tenant (commonly referred to as a “pre-let” agreement). The bespoke nature of the project should be reflected in the terms of the lease. A land owner may choose to build a facility in the expectation that a tenant can be found in due course. This type of development, often referred to as a “speculative development”, relies on the land owner being sufficiently confident that there is demand for his product. A facility procured on this basis is typically offered as a “powered shell” product (i.e. providing the external shell/structure of the building and an adequate power supply). A lease granted in this situation will include provisions to reflect the circumstances at the time, for example in order to address the often difficult issue of ownership and responsibility for fitting out the building for data centre usage. Retrofitting premises as a data centre, or granting a lease at different times in the lifecycle of a building, imposes special demands to be factored into a lease.

Regardless, the developer should consider:

• is the term/length of the lease long enough?;

• is there a right to break the lease early?;

• does the landlord have a right to terminate early which could prejudice the completion or use of the data centre?;

• is the rent a premium, or is it payable on an annual basis or a “turnover” basis?;

• are provisions regarding rent review appropriate? Does any increased rent over the course of the lease reflect projected revenue increases? (Negotiations on the meaning of “open market rent” can often be intense. For example in the UK data centre market the uncertainty in the open market value has resulted in many leases moving away to an alternative basis of review, such as fixed increment increases or review by reference to a market index, such as the retail prices index);

• what additional costs will be incurred by virtue of the lease, such as business rates and other local land taxes?;

Lease

If leasehold property is being considered, the major concern for the developer (as potential tenant) and its financier will be to ensure that the premises that are the subject of the lease are clear by reference to a plan, and that the lease cannot be broken early.

We would expect in most cases to see a “fully repairing insuring” lease, where the costs of all repairs and insurance are borne by the tenant (developer). The developer (especially any host developer) would likely wish to obtain the insurance itself and then provide evidence to the landlord, in order to ensure that the insurance is a viable and effective policy.


The developer will need to be certain that any contractor carrying out such building works complies with applicable planning and building consents and any other laws and regulations.

Registration and tax

Depending on the jurisdiction in which the land concerned is located, there may be formalities applicable to the acquisition of land on either a freehold or leasehold basis. For example it may be necessary to register:

• a purchase of freehold title; or

• entry into a lease – registration would likely be against the landlord’s (or superior landlord’s) freehold title.

Furthermore, transfer tax and duty may be payable on any acquisition of freehold land or entry into a lease and value added tax may be due on the rent payable under or the grant of the lease.

Financing the construction or acquisition of a data centre

Any lenders will have separate concerns that need to be addressed.

Lenders will likely require a mortgage over the land. Usually lenders require their own independent legal advisers to complete a due diligence over the underlying land that will be mortgaged, to ensure that the mortgage will be valid and effective.

Financing documents can take a long time to prepare and usually contain the following:

• protections for the lenders – warranties and indemnities by the developer;

• costs of financing;

• construction standards and timelines (if applicable);

• operation standards which potentially will include environmental criteria to reflect the relevant lender’s corporate social responsibility requirements;

• events of default and consequences thereof, including an ability to call upon the security/mortgage; and

• what service charges are payable? If the user leases a “powered shell”, the service charge will be much lower as compared with a fully serviced facility where the scope of services often seen in a stand alone master services agreement are incorporated into the lease;

• are there sufficient rights to make alterations?;

• is there a mechanism to expand the facilities, for example to install additional UPS and/or standby facilities?;

• what are the powers to sell/ transfer the leasehold interest or enter into sub-leases? If the developer does not wish to operate the data centre and has to appoint a third party to do so on a leasehold basis this can be a deal breaker; and

• is there a right to obtain security over the leasehold interest (i.e. as a consequence of any mortgage)?

Some of the issues mentioned earlier in this Chapter regarding encumbrances may also apply to a lease.

It should also be considered whether a superior landlord’s consent is required.

In response to user demands for flexible space, an approach different from the traditional lease is under review. An alternative is to pay for data centre space by reference to power consumption (to reflect the major cost element for a data centre) or by number of rack spaces used. The scalability of demand and usage can be matched by prices which track this metric directly.

Consents and permits

We have referred to the ability to obtain planning permission in Chapter 3 on planning and locating a data centre. In most countries it is a requirement to obtain permission prior to commencing the development. The planning permission will likely contain conditions and require the development to be in accordance with the approved plans.

Additionally, prior to commencing building works, the developer will likely need to obtain a “building permit” or other equivalent consent. This usually entails submission of various plans and information to the applicable local authority. Such consents frequently contain conditions and ordinarily require the development to be completed in accordance with the approved plans.


• requirements on the developer to provide information, such as regular reports on the construction progress and payments to contractors, and finance statements once the data centre is operational.

This list is not exhaustive as often the documentation will depend on the size and nature of the project concerned and also the relationship between the parties. As with any financing, the timescales and issues involved can be greater if dealing with a consortium of lenders.

Construction issues

The developer will need to appoint an array of consultants to ensure that the end data centre:

• fulfils the needs of the developer and, if the developer will be a host developer, the needs of the clients who will use the data centre services;

• complies with the requirements of any lenders;

• complies with any planning permissions, building consents and all other relevant laws affecting the construction and use of the data centre; and

• meets desired energy efficiency levels whether imposed by legislation or otherwise.

In the case of a turnkey product, it can become increasingly difficult to find a single team of consultants to deliver all the skills and services needed for the project.

Accordingly, (other than a legal team) the developer may need to consider the appointment of an architect/designer, a planning expert, a contractor/builder, a project manager and other specialist contractors.

The contracts of appointment for any of these consultants should be considered carefully. The allocation of responsibilities for completion of the end product needs to be established early in the appointment discussions and clearly set out in the appointment documentation.

Contracts of appointment should also at the very least require that the consultant concerned:

• maintains a specified standard of care;

• holds the necessary insurance throughout the course of the development;

• complies with all laws;

• if necessary holds a permit to carry out the relevant services; and

• meets targets and timetables (potentially a consultant could be offered greater pay for better efficiency in the data centre).

The appointments will also need to clearly set out when costs are payable and whether there should be a retention of payment until any “snagging” or defects have been rectified. The developer will likely also want the ability to assign its rights under the appointments to any purchasers and rights for its lenders to also rely on the consultant (collateral warranties). In addition, separate warranties and guarantees might be issued directly to the user to ensure that the integrity of the developer’s suite of warranties need not be broken up.

Specific contract issues will include site access and availability of particular parts of the building during different times of construction and then upgrades to the plant and equipment therein.

Plant and equipment: depreciation and upgrades

Whether buying plant and equipment for a new data centre or as part of an existing data centre, the ownership and then depreciation of such plant and equipment should be considered.

Many items of plant and equipment will, over the course of time, be made redundant by subsequent technological advancements. It therefore needs to be considered whether it is possible to efficiently upgrade such plant.


novated to the builder (or else directs the builder to adopt the nominated design team). We have set out the D&C model in diagrammatic form below:

Structures for appointment of building contractors

This section examines at a high level some typical structures for the design and construction of a data centre project. It examines the conventional method of structuring the procurement by way of “construct only” and “D&C” models. It then discusses a unique solution to the challenges faced by data centre procurement – the “split model”.

Model 1: Construct only model

Under this model the developer uses and retains a designer throughout the project, and accepts all design risk, while the builder (also known as the contractor) accepts only construction risk. The consultancy agreement between the developer and the designer remains in place throughout the design development stage, which takes the design to 100 per cent complete, prior to engagement of the builder. We have set out the construct only model in diagrammatic form below:

[Figure: Construct only model. Diagram labels: the owner; builder; designer; consultancy agreement; construct only contract.]

[Figure: D&C model. Diagram labels: the owner; builder; designer; novation deed; design and construct contract; consultancy agreement.]

Model 2: Design and construct procurement structure (also known as a design and build structure)

This model (the D&C model) commonly uses a novated design and construct structure, or else imposes an obligation to direct the contractor to use a nominated design team (which achieves a similar result). Under such a structure the developer would engage a designer to carry out initial design work and then separately engage a builder to carry out both the design and the construction of the data centre.

The D&C model will require that the builder accept the risk of carrying out the design, in circumstances where a significant portion (if not all) of the design has in fact been carried out by the designer while engaged by the developer. To enable the builder to accept this risk, the consultancy agreement under which the developer engages the designer will be

Model 3: Split model

The split model combines the advantages of both the construct only model and D&C models.

Under the split model, it is anticipated that the developer will enter into two main contracts:

• a design contract with the relevant designer (for the preparation of a fully detailed design specification); and

• a modified “construct only” contract with a builder (who will be required to build the facility strictly in accordance with the detailed design).

The designer will take all design responsibility for the data centre project, and the builder will take all construction risk for the project.


that in handing over greater responsibility to the builder, the builder could value manage down the quality of the facility; and

• timing – sometimes the developer is not clear on which packages of work will be undertaken and the timing for those packages, so it requires the ability to direct precisely what is built and when. By using the split model, the developer can tender and award the work as multiple packages as and when needed, which will minimise variations and keep the price to a minimum.

Disadvantages include:

• no single point of responsibility – by adopting a split model, there is a risk that if defects are found in the facility, this may lead to disputes as to whether the defect was caused by defective design or defective construction works. Under the D&C model, regardless of whether the defect is design or construction related (or a mix of both), the responsibility will rest with the builder. This may be particularly important if the data centre must achieve certain operational outcomes (for example cooling control, and ample power supply and availability). However, to mitigate this risk associated with the split model, the developer, designer and builder could jointly engage an independent certifier. Any disputes between the parties as to whether a defect in the facility is due to design or construction would then be dealt with by the independent certifier and the parties will be bound by this determination (subject to any agreed exceptions);

• designer insolvency – by separately engaging the designer, the developer places more dependency on the designer than it would do if the D&C model was adopted. In addition, the designer is likely to have lower levels of professional indemnity insurance and a smaller cap on liability than the builder. However, a developer can mitigate this risk by ensuring any designer it engages is of sound financial backing with prominence in the market, and the professional indemnity insurance level and limit of liability can be negotiated; and

• design management skills – under the D&C model, the developer would have the ability to tap into the in-house design management skill that large design and construct contractors have, which usually results in the design and construction process being better co-ordinated. However, often the design is largely complete by the time the construction commences, which minimises this risk.

The developer will also enter into a simple consultancy agreement with an independent certifier who will be responsible for testing the design of the facility (prior to being accepted by the developer) and for managing disputes regarding defects. The split model is set out in diagrammatic form below:

[Figure: Split model. Diagram labels: the owner; builder; designer; independent certifier; construct only contract; independent certifier agreement; design agreement.]

There are both advantages and disadvantages of procuring a data centre using the split model.

Advantages include:

• price – by engaging separate entities for the design and construction elements of the project, the developer will avoid paying the premium that a single entity would impose for taking on both design and construction risk. This is advantageous considering the developer is likely to have a fixed budget for a project;

• design control – by directly engaging the designer for the duration of the project, the developer will retain control over the design for the entire project. If the developer does not have significant in-house design expertise for the specific type of project, this will enable the developer to have access to the designer to provide advice throughout all stages of the project when dealing with the builder;

• quality control – where the designer is separately engaged by the developer for the duration of the project, there is no incentive for the designer to compromise on quality. Where the D&C model is used, there is a risk


Summary of structure alternatives

Conventional models such as the construct only model and the D&C model remain the simplest way to approach procuring a new data centre. However, such conventional models are often not appropriate having regard to the commercial and technical requirements normally put forward by the developer’s commercial and technical representatives. In particular the following factors often militate against use of a conventional model and favour the use of the split model:

• the increased costs that will be incurred by the developer if the construct only model or the D&C model are used; and

• the timing issues which flow out of the requirement that the developer has direct control over both the design (through a direct design contract) and the facility that is actually constructed (through a construct only contract).

Under the split model, the developer will be required to play a more significant role in project management and, in particular, instructing and co-ordinating the roles of the designer and the contractor. While this is often a preference for the developer’s technical and commercial representatives, it is also an added responsibility and therefore a further risk.

Contractual matters

The developer will also enter into a number of contracts such as:

• contracts for equipping and maintaining the data centre with servers and infrastructure;

• contracts to procure staff or contracts with third parties responsible for managing the data centre; and

• contracts with telecommunications providers, electricity providers and security providers.

Insurance contracts

Different types of insurance are required at different stages:

• insurance by both developer and consultant during construction of the project. The responsibility for procuring may be transferred to the principal contractor or retained by the developer. Regardless of the arrangements, continuity of insurance is a key requirement for risk management;

• insurance during ownership and use of the data centre, which could include:

— services interruption insurance (e.g. covering a failure of the utility company to provide electricity which prohibitively affects the business);

— property insurance;

— business interruption insurance (or “loss of revenue insurance”);

— accounts receivable insurance; and

— valuable documents insurance.

Developers should review any insurance policy and consider:

• does it cover replacement value or some depreciated value;

• what are the caveats; and

• managing user expectations. Economic loss as a consequence of an interruption in service is usually not an insurable risk. Developers are often advised to encourage users to make their own insurance arrangements for their business operations.

Case study – prevention is better than cure

Many US data centres incorporate anti-hurricane measures to ensure additional layers of protection are available to preserve continuity of service. This has proved to be the case during the annual US East Coast hurricane season. In a similar vein, although in very difficult conditions, the anti-earthquake measures incorporated in Japanese data centres proved to be robust and effective in early 2011. Insurance risk is reflected in the insurance premium, and so proper design and management should result in an immediate and ongoing saving in insurance premiums.


5 Environment and corporate governance


Environment and corporate governance

Carbon footprint of data centres

It is estimated that the ICT sector contributes global emissions similar to those attributable to the airline industry.

Of the global CO2 emissions currently attributed to the ICT sector, it is estimated that data centres are responsible for approximately a quarter of those emissions. Furthermore, the rapid growth in the number and size of data centres makes them an increasing contributor of CO2 emissions going forward.

Power consumption of data centres as an operating cost

The energy consumption and efficiency of a data centre are also significant commercial issues for operators and users of data centres, as the cost of powering a data centre is a significant portion of its overall running cost. The power consumption of a data centre can be broadly grouped into two categories:

• user consumption – the power consumption of the computer equipment hosted in the data centre; and

• operator consumption – the power consumption of the data centre infrastructure (such as cooling and environmental controls, security systems, fire control systems, monitoring systems and redundancies).

User consumption is typically within the control of the user of the data centre, while operator consumption is within the control of the operator (and builder of the data centre). In a typical data centre hosting agreement, costs relating to user consumption are generally passed through directly from the data centre operator to the user, while the costs relating to operator consumption are generally amortised across all users of the data centre. This amortisation is usually performed as part of the fees for the “data centre services”, which are generally calculated on a fee per kW power basis or a fee per space or cabinet allocated basis. It has been estimated that the cooling requirements often consume up to 50 per cent of the electricity usage of a data centre. Accordingly, a data centre that provides more efficient cooling is likely to be more competitive in the long term (as it can offer a lower per kW or per space fee).

In this Chapter we examine some of the potential corporate governance and environmental issues relating to the operation and use of data centres. Due to the complexity and scope of the issues mentioned, it is not possible to concisely summarise the legal requirements described below on a cross-jurisdictional basis. However, we have provided case study examples of energy efficiency measures implemented in Australia and the UK.

Legal issues relevant to data centres and the environment

There is a range of conflicting and inconsistent national laws and regulations around the world relating to energy use, emissions reporting and other similar requirements. However, it is possible to draw out some general themes. Existing legislative or regulatory regimes may include either or both of the following areas:

• energy efficiency labelling or disclosure requirements for specified items, ranging from individual items of hardware or equipment to an overall rating for an entire building; and/or

• reporting requirements for energy use or carbon emissions, typically above a certain specified threshold.

These issues may be addressed through legislation, set out in mandatory standards or simply covered in voluntary codes. In addition, any existing regime typically has a broad application and does not apply solely to organisations in the information and communication technology (ICT) sector.

Energy issues relating to data centres

Data centres present a number of potential issues in the context of energy usage. As there is an increasing global focus on environmental issues, the high power demands of data centres present challenges for data centre operators due to the associated carbon emissions. Similarly, power consumption is a significant contributor to the operating costs of data centres.


The efficiency of the data centre will also play a big part in the overall cost to a data centre user. The energy efficiency of a data centre is generally measured by its PUE, which is defined as the total power usage of the data centre divided by the total power usage of servers hosted at that data centre. For example, a PUE of 2.0 means that half the energy costs are used by the data centre’s own infrastructure and not by the hosted equipment. A well operated data centre is expected to have a PUE of less than 2.0. State of the art data centre designs have allowed PUE levels of 1.1 to 1.3 to be achieved.

Another common commercial factor that influences the efficiency of a data centre relates to the power density of the data centre. A higher power density data centre allows more ICT equipment to be located in the same amount of space, which decreases the physical footprint of the data centre (or increases the capacity of the data centre, at the same footprint). However, a high density data centre will require different cooling designs to ensure sufficient cooling of the hosted equipment.

In addition to power usage, the water consumption of a data centre is another significant commercial consideration. As potable water is generally used in the chillers that are typically used to cool data centres, the water consumption of a data centre is also directly related to power consumption of the data centre.

Corporate governance issues relating to data centres

Effective corporate governance is a key strategy for addressing the energy-related challenges posed by data centres. The monitoring of power usage, the adoption of energy efficiency standards and the implementation of power reduction strategies will assist in reducing both the environmental impact of data centres and the operational costs associated with such facilities.

Corporate governance and “green IT”

The implementation of energy-efficient initiatives is not something that can be left to the Chief Information Officer as part of their responsibility for the organisation’s information technology needs. The board or executive management of an organisation needs to be involved and to support the implementation of such policies. A top down approach is often necessary in order to change attitudes towards energy efficiency and to drive improvements across the organisation.

In the context of data centres, senior management should be making enquiries in relation to:

• the energy efficiency of any data centres used or owned by the organisation;

• whether the data centres used or owned by the organisation already have, or could obtain, any independent certification relating to energy efficiency; and

• whether there are any power reduction strategies that could be implemented, both to drive down operating costs and to reduce the environmental impact of the organisation.

Energy efficiency standards

Increasingly, ICT projects (including data centre design and construction) are seeking certification from independent national bodies on a voluntary basis. Examples of some of these national certification standards include:

• the LEED certification system – developed by the US Green Building Council. This is one of the most widely-used energy and environmental rating systems in the world. There is over 9 billion square feet of building space participating in the rating system and 1.6 million square feet being certified every day around the world. The LEED certification system provides independent, third-party verification that a building was designed and built using strategies aimed at achieving high performance in key areas of human and environmental health. In order to achieve LEED certification, a building must be eligible (this includes data centres) and must obtain a certain number of “points” in order to achieve a certification level; and

• the Green Star certification system – administered by the Green Building Council of Australia. This is a comprehensive, national and voluntary environmental rating system that evaluates the environmental design and construction of buildings. Organisations may obtain a Green Star certification for a building if it meets all four of the Green Star Eligibility Criteria. Once a project has obtained an official Green Star rating, the relevant company may publicly claim and promote the star rating of its building(s).

Other benefits of being green

The adoption of energy efficient strategies can have intangible benefits for organisations. Environmentally-aware organisations may wish to be seen to be “green” or at least to be “good corporate citizens” who do not use or procure environmentally-unfriendly services.

It may be a relevant factor for a data centre user (as part of its procurement requirements when choosing a data centre) that the data centre has been independently accredited under energy efficiency standards similar to those set out above.

A high level of environmental awareness and corporate social responsibility can in fact be a selling point for organisations, particularly if their competitors have not implemented environmentally-friendly policies.

As a result organisations should consider implementing energy efficiency policies (including utilising available power reduction strategies) as part of their corporate governance regime.

Power reduction strategies for data centres

The use of power reduction strategies has a dual benefit in relation to data centres, namely:

• fewer carbon emissions being produced as a result of meeting the electricity requirements of data centres, which indirectly reduces the environmental impact; and

• reduced operating costs for data centre operators and users as a result of lower power bills.

Accordingly, implementing power reduction strategies can have both environmental and practical commercial benefits. For the operators of data centres, energy efficiency can also be a key selling point for their services, particularly where large customers are interested in learning about the environmental credentials of their suppliers as part of the procurement process.

There are a number of different strategies available to reduce power consumption in a data centre. While these strategies are necessarily technical in nature, and may not be applicable in all situations, they can potentially have a significant effect on the commercial negotiations between the user and the operator.

While the user is in control of the consumption of their own equipment, the power reductions achieved by the user can have follow-on benefits and savings for the operator’s consumption (particularly by reducing the cooling capacity). Accordingly, a sole tenant or a substantial tenant of a data centre may be able to leverage any implementation of its own power reduction strategies to extract a lower fee from the data centre operator.

A data centre user may also impose contractual requirements on the operator to improve the power usage efficiency during the term of the contract. However, the cost savings may be difficult to quantify, given that most of the strategies will require substantial capital investment.

Options available to users of data centres

As users are not typically able to control the upgrade and configuration of the data centre, the two main power reduction strategies available to users are:

• relocating the hosted ICT equipment to a more power efficient data centre; and

• reducing the power usage of the hosted ICT equipment.

The main benefit of relocating hosted equipment to a more power efficient data centre is that power (and cost) savings are future looking in nature, and the savings will automatically extend to any new ICT equipment hosted in the new data centre. The main disadvantage is that relocation of ICT equipment is generally an expensive exercise requiring significant technical support. This is particularly the case for older “24x7” equipment which may not have been powered off for an extended period of time. In addition, if the ICT equipment hosts mission critical production servers, then the migration will likely need to be conducted out of hours or in stages to minimise or eliminate downtimes, which will further increase the complexity and cost of the exercise. As a result, the engagement of a service provider to assist in the relocation will likely require a separate procurement exercise.

Users can generally reduce the power usage of their ICT equipment by upgrading older components to more power efficient components. For example, it may be possible to replace older power supplies with more modern power supplies with higher power efficiency ratings, as well as replacing hard disk drives with solid state drives and using more power efficient processors.

A significant benefit is that these upgrades can be conducted incrementally as part of an organisation’s hardware upgrade roadmap. The use of upgraded equipment may also enable significant server consolidation through virtualisation, which further reduces the total number of computer servers required.

Options available to operators of existing data centres

The operators of existing data centres can employ a range of power reduction strategies to improve the power efficiency of their data centre and reduce operating costs.

First, data centre operators can reduce power usage by upgrading older components with more efficient versions (such as more efficient chillers). For higher tier data centres, the cost and energy savings can be substantial, as higher tier data centres will generally have significant “standby” equipment to provide redundancy. This approach will allow such replacements to be carried out in a manner that is transparent to data centre users, as the changes generally do not require the cessation of operations.

More recently, significant research has been conducted in cooling designs for data centres. Practices such as the hot-aisle/cold-aisle rack arrangements are generally employed in most data centres to improve cooling efficiencies. However, newer technologies and computational fluid dynamics may assist in identifying areas for further improvements, such as by reducing hot spots, reducing the mixing of hot and cold air and utilising variable capacity cooling units.

A more efficient cooling design may also allow the data centre operator to increase the air temperature of the cold-aisle or the chilled water without impacting the hosted equipment, which will reduce the power usage of cooling equipment and result in further operational savings. More recently, some hardware suppliers have suggested that their equipment is able to operate at much higher ambient temperatures without limiting its service life.

There are also some additional design options that should be considered for new data centres. These are considered further in Chapter 3 on planning and locating a data centre.

Tying it all together

Based on the above discussion, implementing environmentally-friendly green IT policies can be part of an overall corporate governance strategy. Energy-efficient strategies can have a positive effect on a company’s image, as well as on its bottom line. Pro-active management is essential in driving an energy-efficient approach to the way in which an organisation does business and how it implements any power reduction strategies.

In the specific context of data centres, incremental improvements implemented as part of an overall environmentally-friendly approach to corporate governance can be achieved in a number of ways as set out above. In light of the potential tangible and intangible benefits, organisations should consider implementing policies relating to energy efficiency and power consumption reduction, or reviewing and updating any existing policies covering these areas.

Jurisdictional case study: Australia

Energy reporting

Australia has an existing energy efficiency and carbon emissions reporting regime. Energy efficiency and emissions reporting are particularly relevant topics in light of the Australian government’s recent introduction of a carbon emissions trading regime.

The Australian legal framework for energy use and carbon emission reporting is outlined in the National Greenhouse and Energy Reporting Act 2007 (Cth). Corporations that meet a “threshold” emissions/use level must register with the Clean Energy Regulator. Registered corporations must report annually in respect of, for example, their greenhouse gas emissions, energy production and energy consumption.

There are also additional registration and reporting requirements under the Energy Efficiency Opportunity Act 2007 (Cth) for corporations which use more than 0.5 petajoules of energy per year. However, an organisation in the ICT sector would have to be running tens of thousands of servers at peak load before such registration and reporting requirements were applicable.

There are schemes for measuring and reporting energy efficiency in relation to certain covered products. Minimum Energy Performance Standards and Energy Rating Labels are a legal requirement which apply to certain products manufactured in or imported into Australia. Suppliers of any covered products listed under these schemes must register their product or apply for an energy rating label and comply with minimum efficiency levels (e.g. commercial chillers and air conditioners).

Carbon pricing mechanism

On 8 November 2011, the Australian Federal Government introduced a carbon pricing mechanism (Mechanism). Initially, for a period of 3 years commencing on 1 July 2012, the carbon price will be fixed at a starting price of $23 per tonne of CO2 equivalent emitted and will operate in a similar way to a tax. On 1 July 2015, the Mechanism will become an emissions cap and trading scheme, which will allow the carbon price to be determined by the market.

Although the carbon price covers a broad range of industry sectors, it is important to note that only facilities directly responsible for emitting carbon pollution will have a liability under the Mechanism. As the ICT sector contributes to emissions indirectly, through its acquisition of materials, resources and services (for example electronic equipment, electricity, transport and waste disposal), the sector itself is unlikely to have any direct obligations under the Mechanism. However, the Mechanism is likely to result in increased costs (due to higher electricity prices) being passed through from direct emitters supplying the ICT sector.

Various forms of financial assistance will be provided to industry as the Mechanism is phased in. However, as an indirect contributor to carbon emissions, the ICT industry is not directly eligible for any of these forms of assistance. It may be of relevance to the ICT industry that the power industry will receive some assistance as it may decrease the carbon liabilities for the power industry and consequently reduce the costs passed through to the ICT sector.

Those operating in the ICT sector, in particular data centre operators, may wish to ensure that the relevant clauses in supply contracts deal appropriately with liability for both direct and indirect costs arising from the Mechanism. The legal ability of suppliers to contractually pass on the carbon credit cost to customers, including data centre operators, will depend on the terms of the contract in question. Generally speaking, a tax recovery clause will not allow a supplier to pass on the carbon credit cost, as this cost is not a “tax”. The cost is more properly classified as a “charge”. However, “change in law” clauses should generally allow suppliers to pass on this charge, as it is legislatively mandated.

Other Australian-specific guidelines

There is an existing Australian Standard for Corporate Governance of Information Technology (AS/NZS ISO/IEC 38500:2010). This standard encourages the adoption of practices and behaviours throughout an organisation to promote the efficient and effective use of IT (it does not cover green IT, energy use or carbon emissions).

It promotes an evaluation, direction and monitoring framework that can be applied to green IT policies and initiatives formulated by an organisation. In short, the standard offers a viable framework for directing and controlling a green IT agenda.

Jurisdictional case study: United Kingdom

The UK has a range of policy and legislative drivers intended to cut carbon emissions, create the conditions for green growth, and improve resilience to climate change. The majority of these policies and legislation are European wide. However, we set out below an example of UK specific legislation and its potential impacts on the ICT sector.

Carbon Reduction Commitment Energy Efficiency Scheme (CRC)

The CRC commenced on 1 April 2010 (and is due to run until 2043) and is a mandatory emissions trading scheme for the UK that aims to reduce CO2 emissions. It is designed to minimise energy use and encourage investment in new technology. The CRC scheme is for tackling CO2 emissions not already covered under European wide schemes (such as the EU Emissions Trading Scheme, the Climate Change Levy and/or Climate Change Agreements which already regulate operational CO2 emissions from energy intensive organisations such as power stations).

Organisations required to participate must monitor their energy use and purchase allowances for each tonne of CO2 they emit that falls within CRC (currently priced at GBP £12 per tonne). There will be fixed price sales of allowances per year in the early part of the CRC scheme and subsequently it is intended to become a cap and trading scheme. Qualification for the CRC is based on electricity supply across organisations and groups of undertakings, rather than at an individual company or property basis. Organisations (individually or as part of a group) qualify as participants if, during the relevant qualification period, they had at least one half-hourly electricity meter and consumed (in the UK) at least 6,000 MWh (megawatt hours) through all half-hourly meters.

Whilst the CRC has the potential to deliver benefits to the ICT sector such as an increased take-up of clean tech services and products, it could also result in UK technology operations (in the event of non-compliance) incurring increased costs, damaged reputation and criminal prosecution.

Risks

Outsourcing: Operators of data centres may be responsible under the CRC for the electricity used on behalf of their customers should the CRC qualification criteria be met (facilities meeting the qualification criteria will normally exceed 5,000 square feet in area). This will mean that they will bear the entire cost of CRC compliance unless such costs can be passed on to customers. New customers are unlikely to sign up to contractual terms requiring them to share CRC compliance costs. Furthermore, existing customers (whose arrangements are usually subject to long term contracts) are unlikely to consent to contract amendments to allow for cost sharing. Whether cost-sharing contractual terms are accepted will depend on the bargaining strength of the parties. However, due to increasing competition from overseas, it is generally considered that the bargaining strength of data centre operators is likely to be weak.

Opportunities

Cost savings: Compliance with the CRC has the potential to make CRC participants more energy efficient with attendant cost savings.

Demand for clean technology: The CRC may serve to promote the use of clean technology by CRC participants where such products enable them to function more efficiently and to reduce emissions.

Demand for data centres: The CRC is likely to lead to the significant growth of data centres as CRC participants look to outsource their IT infrastructure and other energy emitting functions in order to: (a) reduce their emissions; and/or (b) fall below the qualification criteria for participation in future phases of the CRC.

6 Outsourcing and offshoring

In this Chapter, we will discuss the use of data centres as part of the current trend towards the outsourcing (and sometimes offshoring) of various aspects of the information technology needs of organisations. As an initial point, it should be noted that not all data centres are used for outsourcing or offshoring or the provision of cloud computing services. Some large technology companies, such as Google and Facebook, operate their own data centres to support their products and services directly. Similarly, large corporations with substantial data requirements, particularly financial institutions, may operate their own “private” data centres to support their own information technology needs internally. The maintenance of their own data centres is largely driven by a need for control and flexibility. To further complicate this area, many data centre operators are not themselves the provider of the outsourced or offshored services. Instead, data centre operators will often lease space and infrastructure to service providers for the installation of the servers and other IT equipment used by service providers in supplying their services to customers.

The use of data centres in outsourcing and offshoring

A distinction can be drawn between:

• internal offshoring (where a company re-locates resources to another country but where those resources are still under the control of the same, or a related, company);

• offshore outsourcing (where a company outsources an IT function or particular IT services to another company that is located in a different country); and

• outsourcing in-country (where a company outsources IT functions/services to a service provider or to an intra-group shared service company in the same country).

In the particular context of data centres, internal offshoring is somewhat uncommon, although not unheard of for sizeable companies in the context of a regional consolidation of resources or a large scale re-location of IT services.

Current trends in outsourcing and offshoring

Any economic downturn, with a resultant focus on value for money and flexibility in services, indirectly affects the demand for outsourced data centre facilities. The need to implement austerity measures, utilise costly office space in a more efficient manner, reduce an organisation’s carbon footprint and reduce the large capital expenditures required to provide IT services to large organisations, coupled with the increasing data storage needs of large organisations, should encourage both the private and public sectors to consider outsourcing some IT functions.

This presents an opportunity for suppliers to persuade customers that outsourcing can deliver cost reduction. Outsourcing enables the customer to eliminate large capital expenditures and concentrate on their core activities. Data centres and other IT infrastructure are a significant contributor to such capital costs. For this reason, the outsourcing or offshoring of data centres presents a prime opportunity to reduce such capital costs.

While customers are increasingly focusing on value for money in negotiations with suppliers, they need to be careful not to place too much pressure on their suppliers’ margins. Excessive pressure could lead to a decrease in service quality, eroding the benefit of any cost reduction.

Cloud computing and offshoring are two particular ways of reducing cost and present additional opportunities in the outsourcing field. However, many potential customers still have concerns about the perceived risks of these services.

Benefits and commercial factors in favour of outsourcing and offshoring

There are many potential benefits for customers who take advantage of outsourced or offshored services. The main benefits are discussed below.

Cost reduction

Cost reduction is commonly cited as the main driver for outsourcing. When it comes to outsourcing IT services, a customer is potentially able to consolidate and significantly reduce the expenses of running in-house IT services (including equipment costs, software licensing, maintenance, electricity and other consumables, security and virus protection, staff, network connectivity, cooling and rental/property costs) into one outgoing fee that is payable to a service provider. In most cases, this fee will be less than the aggregate amount of setting up and running an in-house IT service.

As mentioned above the provision of outsourced services has been affected by the global economic downturn, with an increased focus on value for money and delivering cost-effective services. As a result, customers are willing to drive a harder bargain when it comes to negotiating service contracts. While this is a good opportunity for customers to obtain a better deal, it also equips service providers with the opportunity to advise customers about how they might assist in cutting costs and to demonstrate their value. Customers should also carefully consider what services they actually require, and be open to the possibility of using an “off the shelf” service, rather than a bespoke solution.

When compared with the costs of a customer’s internal IT team, low cost offshore arrangements may allow for more people and resources to be deployed to work on a project for a similar cost, which would significantly reduce the development time of the project.

In the context of data centres, cost reduction can be achieved by consolidating IT equipment and by obtaining ancillary services (such as hosting, maintenance and support) from a data centre operator or cloud computing provider. Outsourced service providers can take advantage of the economies of scale available to them as a consequence of their provision of services to large numbers of customers and can then pass on cost savings to their customers. This is, of course, subject to regulatory constraints – in China for example, there are requirements for certain industry sectors to maintain their “equipment room” and “back up centres”, and to retain any “material data” in China.

Access to new and innovative technology and skills

Entering into an outsourcing agreement with a service provider gives a customer immediate access to specialist skills and new technology without the need to train and retain staff or to invest in technology that is continually evolving. Service providers often have a team of experienced and trained staff available upon demand. Additionally, IT services may not be a core part of the business for many customers (particularly small-to-medium enterprises) and, by outsourcing some or all of these functions, the customer is able to focus more on its key competencies and objectives. This is particularly true for data centres and the ancillary services provided by data centre operators and cloud computing providers, as smaller organisations are unlikely to have the resources to maintain a large internal IT team or the infrastructure that might otherwise be required by their business.

Flexibility

A key benefit of outsourcing IT services is the flexibility of the arrangement. A customer is generally able to change service providers or add to/reduce the scope and cost of any services with more flexibility than would be possible if the service were being provided in-house.

This is especially attractive in the context of cloud computing, where customers are looking to rapidly deploy resources according to the peaks and lows of demand experienced by the business. For example, a customer who hosts a web-based application may experience a greater demand for access at a particular time of the day and could negotiate with a service provider to have greater support during these busy periods.

In order for the service provider to be able to provide this flexibility, it is essential that they have access to sufficient IT resources to meet the demands of customers. The use of data centres to co-locate the necessary servers and other resources and to flexibly allocate such resources to different customers according to their needs is one of the key elements necessary to provide the flexibility being demanded.

Space and overheads

The efficient and effective use of office space and other buildings is an important consideration for businesses. Depending on the size and needs of a particular organisation, the space and other requirements necessary to host servers on-site may be both logistically complex and cost prohibitive.

For a business with multiple sites across a large geographical area, combining their data storage and software infrastructure through an outsourcing agreement with a single service provider allows them to better utilise their physical resources by relocating IT infrastructure off-site. For a business with offices in the centre of major cities, space may be limited and the rent high, so a data centre located outside the business’s actual office would be able to offer substantial savings by simply relocating the relevant IT infrastructure. Hosting servers on-site may also result in a loss of opportunity costs, as the space used for a server room could be more profitably used for another part of the business.

In addition to space considerations, overheads are a relevant consideration when deciding whether to set up an on-site server room or outsource services to a data centre. Requirements such as cooling, power, connectivity and security must be considered in relation to an on-site server room, as well as the use of in-house resources (including skilled staff, hardware and infrastructure). In comparison, the outsourcing of such services to an external service provider may be more convenient and offer the ability to consolidate such costs into ongoing service fees.

Risks in outsourcing and offshoring, and mitigation strategies

For customers contemplating an outsourcing or offshoring arrangement, an important consideration is the balancing of potential benefits against the resulting risks that arise from entering into such an arrangement. Some of the main risks, as well as potential mitigation strategies, are discussed below.

Business disruption and service availability

One of the key issues for organisations when it comes to IT systems is service availability. If a customer chooses to outsource some or all of its IT systems, it runs the risk of experiencing service disruptions. Events such as scheduled maintenance may cause significant inconvenience for the customer, particularly if the service provider is located in another country and supplies services to several customers in different regions, as the customer will not have any control over when this service disruption occurs. Additionally, where a service provider is providing services to more than one customer, a customer should be aware that it may not always get the priority response that it would if the service were being provided in house.

Service disruption may also occur as a consequence of a range of potential issues. This may be a particular problem where IT services are outsourced to offshore suppliers. In these instances, a customer may not be able to impose its own particular business continuity planning or disaster recovery planning requirements on the service provider, and managing the disruption to the customer’s business could become complicated.

The risk of business disruption and lack of service availability is of particular concern to organisations with a large consumer client base, where service performance failure will impact directly on their own customers.

Data privacy and security

Another major concern for many customers entering into outsourcing arrangements involving the use of data centres or cloud computing is the security and privacy of the customers’ information. Data centres will typically provide security systems such as physical site access controls, malware and virus protection, data encryption and secure and authenticated remote access. However, unless such rights are written into the contract, a customer may not have direct rights to impose any particular security requirement on the service provider. Even if a customer does obtain these rights in its contract with the service provider, it may not be able to impose equivalent requirements on relevant third parties, such as the data centre operator or the equipment supplier, if these are different from the service provider in the contract.

If the service provider is the subject of a data breach (either through physical penetration at a data centre or remote attacks), customers may not always be aware that the breach has occurred. This is particularly the case if there is no apparent data loss or if the data can be recovered from a backup. The legal requirements for notification of a data breach may also vary across jurisdictions and may be the subject of contractual terms between the service provider and its customers.

The cross-jurisdictional aspect of data privacy and security is especially important for customers using cloud computing. Issues regarding data storage and access are complicated by the fact that data and services may be spread across several data centres and geographic locations, which may have different or no data privacy laws.

Loss of control of and access to data

Concerns about privacy and data breaches are often compounded by the fact that customers lose a degree of control over and access to their data once it is stored in a data centre on an outsourced basis, especially when the data centre is located offshore. The nature of the outsourced arrangement may involve multiple software platforms and equipment suppliers and, without an understanding of how the outsourcing arrangement operates, a customer may find it difficult to obtain access to a server or data centre if necessary.

This lack of visibility or transparency may cause a particular issue for customers at the end of the outsourcing arrangement (whether due to breach or upon expiry of the contract). Data extraction and data migration issues can be complicated and expensive. Extraction of data may take longer than anticipated, particularly if the outsourced platform does not provide for the easy extraction of data stored using the platform. Customers should consider the impact that this process will have on their business, especially if there will be an associated extended “downtime”.

After the necessary data has been extracted, there is the further question of where the data will go. Generally speaking, the data will either be taken back in-house or the data and services moved to an alternative supplier. Again, data migration is likely to be a lengthy and expensive process.

Regulatory risks

Regulatory restrictions and requirements are a particular concern for customers who use data centres located in another country or jurisdiction. “Long arm” statutes such as the US Patriot Act may impact the type of data security a supplier is legally able to guarantee. For example, under the Patriot Act, a data host may be required to disclose information to the US Government in certain circumstances. In many cases, a customer does not have to be informed of the request or the disclosure and the data host may even be forbidden to notify the customer of the request. Recent interpretations of the Patriot Act have indicated that the US Government would be able to compel compliance with orders for the disclosure of information held outside of the US, provided that there is a sufficient connection to the US. This may apply to foreign subsidiaries of US companies operating in regions outside the US or to the foreign owners of US subsidiaries. This particular regulatory concern will be important for those customers who are deciding whether to enter into arrangements with data centres located in the US, or with data centres linked to a US company or agency.

Regulatory guidelines for outsourcing in certain industry sectors (e.g. financial institutions; health care) may be complex and could:

• prohibit the outsourcing of core functions;

• prohibit the outsourcing of a disproportionate part of the customer’s business, particularly if offshore;

• require that material data be retained onshore; and

• require extensive risk management, audit, termination rights, business continuity and disaster recovery provisions.

On a more general note, a data centre may be located in a jurisdiction which either has limited regulatory or legal protection for information privacy or does not have any privacy regime at all. Africa, for example, is a largely unregulated territory in the field of data protection but is an increasingly attractive investment destination, with its vast resources, sizeable population and comparatively untapped markets. Nevertheless, the approach of African countries to privacy and data protection remains inconsistent, with some countries having barely any privacy laws and some having constitutional protections that give only limited protection.

In the case of data and services that are distributed across several jurisdictions, it may not be immediately clear which privacy regime a service provider or data controller will need to follow. A customer may need to inform itself of the relevant regulations or take legal advice. The range of cross-jurisdictional issues that impact a customer’s choice to outsource services to a data centre may also vary across areas such as environmental standards, building regulations, intellectual property, employment and labour law and financial regulations.

In addition to security or privacy regulation, many jurisdictions have stringent controls over the types of services that may be outsourced (particularly where the services will be outsourced to an overseas location or business). For example, in Australia, the Australian Prudential and Regulatory Authority has a standard in relation to outsourcing of the material business interests of certain regulated financial institutions. This standard ensures that any outsourcing arrangement entered into by a regulated institution is subject to appropriate due diligence, approval and on-going monitoring. In China, the China Insurance Regulatory Commission’s recent November 2011 guidelines require insurance companies to retain the central equipment room and disaster recovery centre in China and outsource only to a qualified contractor incorporated in China.

Jurisdictional and enforcement issues

When outsourcing to an offshore location, customers will need to consider a variety of possible jurisdictional and enforcement issues. The laws of the host country with regard to intellectual property, privacy and security of information may be radically different from the associated laws in the customer’s own jurisdiction and there is a possibility that low cost data centres may be located in jurisdictions with less sophisticated legislative regimes. Even if a customer has negotiated contractual provisions guaranteeing a certain level of protection, or has selected an offshore location with a suitably comprehensive legislative regime in place, a customer may face difficulties or delays in enforcing its rights due to the various practical realities of contractual or legislative enforcement in these different jurisdictions.

The political situation of a potential data centre location must also be considered when deciding whether or where to offshore services. In areas of political instability, the risk of service disruption or data loss due to external events may be greater and problems of customer access to data and centres may be made more difficult.

Insolvency risks

If either the outsourced service provider or a third party supplier to that service provider becomes insolvent, a customer’s access to the data centre may be terminated immediately or at very short notice. For example, where a service provider uses servers in a data centre that are the subject of an equipment lease, the equipment supplier may decide to take possession of the servers immediately upon an event of default. This will not only cause a disruption to the customer’s business, but can also be difficult for them to resolve or manage as they would generally have no right of access to the data centre or the servers to be able to recover its data. As mentioned previously, if a customer is unaware of the operating structure of the service provider, it may not even know which data centre to visit in the event of a disruption.

If a customer manages to obtain access to the data after the insolvency event, it may run into difficulties if the data has been distributed. Recreation of the dataset may be impossible or the customer may not have the software to perform the extraction and recreate the data.

Reputational damage

In some countries, consumers can be hostile to companies who offshore jobs. Additionally, service levels or customer satisfaction levels may drop when IT services are outsourced (such as in the case of offshore call centres or technical support). This has led to the repatriation of some customer-facing functions as a reaction to such issues.

Reputational damage may be a less relevant consideration when it comes to IT services, as the outsourcing of these systems may impact fewer employees than other outsourcing arrangements (for example, in the manufacturing industry). The outsourcing of some IT functions is often transparent to employees of the customer company or the ultimate consumers of the customer’s goods or services.

Possible risk mitigation strategies

In light of these risks, it would be prudent for customers to consider the risk mitigation strategies available to them. Some of these strategies include the following:

• conducting due diligence prior to the selection of a service provider, both in relation to the service provider’s capabilities and their key personnel, is a valuable tool for customers. Due diligence processes should be devised by customers to ensure that potential service providers are properly evaluated and tested, and may include site visits and speaking to other customers of the service provider;

• the use of key performance indicators, service credits and liquidated damages is a typical mechanism for ensuring that critical outputs and deliverables are successfully achieved;

• the use of project management techniques, proper governance regimes and regular reporting on performance of the outsourced services; and

• exit planning, including the development and regular review of a proper transition out plan.

One of the primary mechanisms for managing the relevant risks and allocating responsibility is to address them in the contract with the service provider. Other than due diligence enquiries, which would be typically conducted before a contract is negotiated, the outsourcing agreement between the service provider and the customer should contain provisions incorporating each of the above risk mitigation strategies. The contract should also address other key risks such as privacy, confidentiality, intellectual property and general liability issues.

Particular issues and risks for cloud computing

Cloud computing is a relatively recent development in the context of IT outsourcing and offshoring.

Benefits of cloud computing

Cloud computing provides the customer with a number of opportunities and benefits:

• Cost savings and flexibility – the use of shared infrastructure enables cloud providers to reduce their costs and presents customers with an opportunity for cost savings.

• Reduced complexity – customers are able to have one contract with the cloud service provider, rather than separate software licenses, maintenance agreements and support agreements.

• Rapid and potentially unlimited scalability – the cloud services can be scaled to meet the short and long term business needs of the customer.

Risks in cloud computing

There are a number of particular risks that are associated with cloud computing that customers must consider:

• Lack of transparency – the cloud abstracts away many of the details regarding the implementation of the services and the solvency of the cloud service provider. This lack of transparency creates risks and issues for customers. This is particularly true for customers in regulated industries, such as financial institutions and health care.

• Being locked into cloud provider or technology – the data extraction and migration issues facing data centre customers are made even more complicated with the use of cloud computing. Whilst it is relatively easy to migrate into the cloud, because of the increased complexity of cloud computing arrangements, many customers may experience difficulties in migrating to a new provider or bringing the services back in-house once the service contract has come to an end.

• Security and data protection – the cloud’s defining characteristics mean that an organisation putting data into a cloud service may not know where the data is, who has access to it and whether the data has been properly deleted when the service contract ends. The lack of control over the data centre and lack of transparency with regard to the service delivery make the risk of security breaches more acute. Customers can also be affected by the rogue activities of other customers who use the same cloud, particularly in the case of public clouds. In addition, the ability to conduct an audit or inspection of the data centre or to prepare for disaster recovery purposes may be hindered due to its location.

Regulatory and compliance issues in cloud computing

The customer will remain ultimately responsible for regulatory and compliance issues and must therefore ensure that the cloud service provider complies with the necessary requirements. As with outsourcing to data centres at a general level, compliance issues relating to cloud computing are often dependent on the customer’s industry and jurisdiction. There has been an increasing focus on the protection of consumer data and in some cases significant fines for losses of consumer data are imposed. On a global level, there is an inconsistent level of regulation and protection of privacy and data security across different jurisdictions, ranging from comprehensive legislation to non-mandatory codes to no legislation or codes at all.

Regulatory authorities, such as the Monetary Authority of Singapore, impose additional requirements on their regulated entities when those entities are proposing to outsource to a cloud solution.

Regulatory and compliance issues are especially complicated by the fact that a cloud service provider often has data centres in different locations. Customers may be subject to all or some of the compliance and regulations in all the jurisdictions through which the cloud passes. Customers must determine the jurisdictions that the data passes through and the regulations that must be complied with in each of those jurisdictions.

Adoption of cloud computing

Customers should be aware of these risks and decide how material they are for their business. For example, businesses which do not process personal or sensitive data may be far more willing to use a cloud solution than organisations whose business involves processing of highly confidential personal or financial information. It may be the case that some businesses decide that certain types of information may be stored in the cloud but that other more sensitive data should not.

Other considerations in the outsourcing and offshoring of data centres

As discussed above, there are a number of benefits and potential risks that must be considered in relation to the outsourcing or offshoring of data centres. Cloud computing, as a specific service that may involve both outsourcing and offshoring, can present particular issues and challenges for companies. Mitigation strategies can be used for many service-related risks.

Generally speaking, outsourcing and offshoring have been given a negative press in some countries due, in part, to the assumption that they will result in reduced levels of service in a search for cost savings. However, in the particular context of data centres, information regarding the storage of data and other IT services is typically not provided to the end user of such services. Accordingly, the user is likely to be unaware of the physical location of the servers that store their data and applications, and whether the party responsible for providing those services is the user’s own organisation or a third party provider.

In other words, provided that quality of service issues such as latency and transmission speeds are addressed, it does not matter to an end user if a server storing their files is located one floor below them in the company’s IT department or in India at the premises of an IT outsourcing provider. For this reason, the outsourcing or offshoring of data centre resources is perhaps less controversial than a full scale outsourcing of an entire business process or an internal function such as IT support.

As mentioned, access to appropriate communication infrastructure, including network speed and response or latency times, is a key requirement. For onshore data centres, including those used by outsourced service providers and nationally consolidated internal data centres owned by the relevant organisation, this will typically be less problematic. However, these quality of service factors remain dependent on the national communications infrastructure of the organisation’s home country. In contrast, offshore data centres are more dependent on geographical location and proximity to customers’ home countries, which will also be affected by the structure and path of land-based and submarine communications cables and other parts of the communications network.

Ultimately, the decision to outsource or offshore certain IT functions depends on the individual circumstances of each organisation. The use of data centres will form a critical part of such outsourced or offshored services and the particular location and other characteristics of any data centres will have a substantial impact on the nature and provision of such services.

7 Shared services

In this Chapter we explain what shared services are and consider some of the advantages and disadvantages of shared services. In the private sector, more than 75 per cent of Fortune 500 companies report having some form of shared services; from accounts payable to IT and HR functions to call centres and R&D facilities. The public sector has also adopted the shared services model in countries where governments are implementing cost reduction programmes. The provision of IT services from a shared data centre offers the potential for substantial efficiency gains and service enhancement through the reduction of duplication, standardising processes and maximising economies of scale.

What are shared services?

Shared services describes the provision of common support functions by one or more specialist centres to a number of divisions or departments within an organisation or across a number of organisations. Functions which are duplicated across departments/organisations are provided through a shared services data centre which operates as a free standing entity. In the public sector, this could mean, for example, the provision of a data centre by a single organisation to each division within a government department, as opposed to each division having its own data centre. In Canada, for example, the federal Government has announced that it will reduce the number of its data centres from 30 to less than 20. In the UK, a number of universities are committed to sharing a data centre. Equally, private sector companies are starting to consolidate their data centres and share their use.

There are a number of different business models which can be used to provide IT services from a shared data centre. These are discussed in more detail below.

Benefits offered by shared services

The use of a shared data centre offers the potential to achieve the following efficiencies:

• Reduced input efficiency – costs are reduced by eliminating duplication of staff and assets such as property and IT systems (hardware and software).

• Lower price efficiency – economies of scale and leveraged purchasing power resulting from the introduction of a single shared data centre may provide for lower price efficiency.

• Increased service efficiency – this may be achieved through the adoption of best practice and the standardisation of services. By bringing all services up to the same and equal standard, and through the use of specialist personnel, service quality should be enhanced. Moreover, the promotion and adoption of common infrastructure and technology should also promote greater flexibility and responsiveness and increased service quality.

Commercial models

Establishment of a shared services data centre

In order to benefit from a shared services platform, the personnel and infrastructure required to provide the shared IT services need to be brought together in a data centre.

Each stage in the creation of a shared services data centre, from determining location and design (both of the building and the supporting IT infrastructure) to build and fit out, is key to achieving the potential benefits of shared services.

Shared services models

A shared services model can be established by using a number of different structures. The structure selected will depend upon the resources, time and experience available to the relevant organisation and its short, medium and long term strategy. A description of the three most common models is set out below.

Captive model

A captive data centre is one which either forms part of or is owned by the public/private sector body or bodies (the Customer organisation) it serves. This may be a single government department or a number of different public authorities or group companies. In the latter cases the ownership issues may result in the captive model being more akin to the joint venture model described below.

Creating a captive entity to provide services is also known as in-sourcing. Where a single Customer organisation in-sources services, the existing Customer organisation employees will typically staff the data centre.

Advantages

From a cultural perspective in-sourcing is attractive (particularly in the public sector) because it minimises some of the political, trade union and internal workforce issues which would be experienced if services were provided by an external third party provider. In-sourcing also has the advantage of allowing staff expertise to be retained. This enables existing relationships between those providing the services and the Customer organisation to be maintained. It also minimises data privacy and confidentiality issues.

Disadvantages

The benefits of continuity of personnel may also prove to be a major drawback in implementing a successful shared services model. Existing personnel may not have the necessary business transformation, change management, and organisational and IT skills to ensure the successful provision and implementation of a shared services model. Lack of specialist knowledge and skills is one of the main reasons why an organisation looking to set up a shared services function may consider private sector involvement. This is typically done through a joint venture with a private sector company, or by outsourcing the entire responsibility for the provision of the service to a private sector provider. The joint venture and outsourcing models are discussed in greater detail below.

Legal structure

• Picking the right structure – the legal structure of in-sourced entities varies. The Customer organisation may be satisfied that an adequate degree of separation can be achieved by creating a new department within the existing organisational framework. However, if the Customer organisation wishes to clearly separate the new entity from the old and outsourcing at a later date is a possibility, then it may be more effective, where legislation allows, to establish the captive entity as a separate legal entity.

• Dealing with assets – the transfer of assets and staff from across a Customer organisation’s existing departments to the new entity will give rise to a number of considerations, although these are likely to have less of an impact where the new entity is set up as a new department within the existing Customer organisation, as opposed to a separate legal entity. These issues are discussed further in the section headed “transfer issues”.

• Internal service levels – even where the shared service provider is a captive it will be appropriate to document in a separate agreement the services to be provided and the standards to which they will be provided.

Joint venture model

A joint venture model may be attractive in two circumstances:

• Where a number of public or private sector organisations wish to establish jointly a shared data centre.

• Where a Customer organisation does not possess the resources, skills or experience necessary to plan and effectively execute the provision of shared services. In the public sector, this would usually involve the relevant Customer organisation entering into a joint venture arrangement with the private sector. The private sector party would provide relevant expertise and share risk.

Advantages

There are a number of advantages to using the joint venture model:

• Retaining a degree of control – the joint venture structure allows the Customer organisation to maintain a greater degree of direct control than would be available under a traditional outsourcing model (see page 50). The exact level of control will depend on the relative ownership share, as well as the governance structure, of the joint venture. For example, it would be common for a Customer organisation, even if a minority shareholder, to negotiate a number of “reserved matters” for which its consent must be obtained. Reserved matters may include a range of matters relating to ownership and financing of the service provider, the nature or extent of the services provided to the Customer organisation, and other matters which might reasonably be considered to significantly affect the nature of the operation of the service provider and the risks associated with it from the Customer organisation’s perspective.

• Access to third party expertise – by working with a private sector partner the Customer organisation may access expertise in certain critical areas, such as change management, technology and procurement.

Norton Rose Fulbright – 2013 45

Shared services

• Deadlock and exit – given the joint ownership and control interest in the joint venture model, the practicalities of dealing with any significant disagreement between the Customer organisation and the private sector entity, particularly in the case of deadlock (where neither party has the sole right to take the joint venture entity along its proposed course of action), can be more complicated, as can the procedures for unwinding the joint venture where the Customer organisation (or the private sector entity) wishes to exit the agreement.

Legal structure• Picking the right structure – while it is not strictly

necessary for a joint venture to take the form of a corporate entity, in practice this will often be the case. A common joint venture vehicle for collaboration between a Customer organisation and a private sector party will be a private limited company, in which both the Customer organisation and the private sector partners are shareholders.

• Levels of ownership – the private sector entity and the Customer organisation will each need to consider the level of ownership and the level of control it requires over the joint venture company. The levels of ownership and control may well differ, and the rights of the respective parties to receive profit from the entity may also be determined on a different basis. In many circumstances, either because each party owns 50 per cent of the shares or because of the rights granted to each party under the articles of association or by contract, neither party will have control of the company, either generally or in relation to certain matters, and in such circumstances the company is said to be deadlocked. The Customer organisation will therefore need to consider the areas of the joint venture’s operations over which it wishes to have either positive control or negative control, and include provisions in either (or both) the articles of association and the shareholders’ agreement restricting the actions which the company can undertake without its explicit consent.

• Dealing with assets – the transfer of assets and staff from across the Customer organisation’s existing departments to the new joint venture will give rise to a number of considerations. These issues are discussed further in the section headed “transfer issues”.

• Reduction in costs – where legislation allows, the joint venture entity itself may seek to sell its services to unrelated third parties. While the benefits for the private sector partner are an increase in revenue, this increase may either be shared with the original Customer organisation by direct payments or through reductions in the joint venture’s costs.

• Sharing of risk – by engaging with a private sector partner the Customer organisation may be able to share some of the risk relating to the build and operation of the data centre.

DisadvantagesThere are a number of disadvantages inherent to a joint venture structure:

• Time and commitment – the principal disadvantage of the joint venture structure is that it will require substantial and ongoing commitment from the Customer organisation in respect of the governance of, and interaction with, the joint venture entity.

• Directors’ liability – representatives of the Customer organisation will very often be members of the Board of the joint venture, and will fulfil, in that capacity, certain directors’ duties. The liability attaching to these duties will lie personally with each director.

• Cost of joint venture – the ongoing compliance costs of running the joint venture, over and above those costs associated with the setting up of a captive data centre, also have to be factored into the financial business case for establishing the shared services facility. These costs may include, for example, directors’ and officers’ insurance and increased administration costs. Tax issues will also need to be considered.

• Private sector v public sector – there may be a tension between the aims of the Customer organisation, perhaps to obtain high quality services as cheaply as possible, and those of the private sector party, which will want to maximise profit. This tension, plus the potential culture clash between government and private sector working procedures and staff, requires careful management for the joint venture to prove successful.

46 Norton Rose Fulbright – 2013

Data centres unboxed

— transfer of assets, including IT systems, property, intellectual property, know-how and supporting contracts, to the private sector supplier;

— establishment of appropriate physical and logistical security procedures which also deal with confidentiality and data protection issues; and

— obtaining necessary Government consents.

• Ongoing management – in the ongoing management phase, the emphasis will be on ensuring that performance standards are maintained. Accordingly, the services agreement will have to deal with the following issues:

— appropriate service levels and a regime of service credits to ensure that service levels are met. In addition to service levels, appropriate warranties as to performance will also be sought;

— governance procedures which allow for the appointment of project managers, steering committees and projects boards. These should meet on a regular basis and provide a mechanism for managing disputes without the immediate need to resort to the courts;

— as the needs of the Customer organisation will change throughout the life of the arrangement, a mechanism which allows for change; and

— in order to ensure that the arrangement remains competitive throughout its term, provision should also be made for benchmarking where the Customer organisation can go out to the market to assess the competitiveness, or otherwise, of the private sector provider’s offering.

• Exit – one of the key considerations will be planning for termination of the services agreement. Both parties will need to set out the measures to be taken to ensure the preparation of a workable exit plan. Accordingly, the services agreement must deal with:

— rights of termination, including the circumstances in which a party can terminate the agreement and on what notice; and

• Arm’s length agreement – an arm’s length agreement on commercial terms will need to be put in place between the joint venture shared services entity and the Customer organisation which it serves. These terms will be similar in nature to those found in a direct outsourcing relationship and are discussed below.

Outsourcing model

At the opposite end of the spectrum to the establishment of a captive data centre will be the outsourcing of the required data centre services to a private sector third party. However, this may in practice involve establishing a shared services captive data centre first which can then be outsourced to a private sector partner. Once the service is outsourced the services are provided by the third party partner under an arm’s length services agreement. Staff and other assets used to provide the IT services prior to the outsourcing are transferred from the Customer organisation to the new third party provider. The benefits and risks associated with outsourcing are discussed in detail in Chapter 6 on outsourcing and offshoring.

Legal structure

Where shared services are provided under an outsourcing arrangement the Customer organisation will need to enter into an arm’s length services agreement with the private sector provider. This services agreement should set out the terms upon which the services will be provided. Broadly speaking, the services agreement can be split into three phases: entry, ongoing management and exit.

• Entry – in the entry phase of the arrangement, the services agreement should address a number of issues. These include:

— the appointment of the private sector provider on an exclusive or non-exclusive basis;

— scoping of the shared services requirements. These will be defined in a detailed services specification;

— migration of the shared services from the Customer organisation to the private sector provider;

— transfer of personnel to the private sector provider;

owned by an entity to consider carefully how to protect its position should the joint venture or outsourcing fail – hence the requirement for an exit plan to be put in place prior to the arrangement commencing).

Leasing assets

The problems associated with losing ownership of assets can be avoided through leasing the equipment to the service provider. However, there is a clear tension between the establishment of a stand alone data centre and the retention of assets by the Customer organisation, and for it being responsible for ongoing maintenance and updating. In most instances, therefore, the sale of assets to the newly established shared services provider is the more suitable option.

Dealing with intellectual property rights

The advantages and disadvantages of assigning intellectual property rights, as opposed to licensing their use, are similar to those for other assets: sale or assignment provides a cleaner break, but could cause problems later on, and licensing allows ownership to be retained at the expense of retaining ongoing responsibility. Assignment of intellectual property rights by government departments to private sector providers is extremely rare and it would be far more usual for the service provider to be granted a right to use rights under licence. Assignment may be appropriate where a captive structure is adopted. Of potentially more concern is ownership of intellectual property rights developed as a consequence of the provision of services. In a joint venture or outsourcing situation, the private sector joint venture partner or shared service provider may feel aggrieved should the government insist on owning such intellectual property. This will usually be a matter of commercial negotiation between the parties. A possible compromise solution may be the grant of an irrevocable licence to use the intellectual property to whichever party does not ultimately obtain ownership.

Transfer of people

The transfer of personnel to the new shared service provider, including a consideration of the political ramifications of any forced redundancies, will be one of the key issues in any move towards a shared services environment

— the provision and implementation of an exit plan. This should address whether staff will transfer back to the Customer organisation or a new service provider on termination. The exit plan should also set out how assets will be dealt with and the payment of any early termination charges.

Transfer issues

Transfer of assets

Whichever shared services structure is adopted, it will be necessary to transfer assets from the Customer organisation to the newly established shared data centre. Transfer of assets under the joint venture and outsourcing models will necessarily involve the transfer from the Customer organisation to a separate corporate entity. This will also be the case where the captive structure has been adopted, if it is intended that the entity be incorporated as a private limited company. Where assets are to be transferred to separate corporate entities, it will be necessary for the relevant contractual provisions to clearly set out what is transferred, how it is transferred, what price is to be paid and what happens if the assets don’t work or the agreement is terminated.

Sale of assets

There are two main ways in which the new shared service provider can obtain the use of assets owned by the Customer organisation: the organisation may sell the assets or lease them. One of the advantages of selling is that the Customer organisation will receive payment. However, this may only result in a real cash-flow benefit if the outsourcing structure has been adopted; in the captive or joint venture models, the Customer organisation would pay (at least part of) the price for the assets acquired as it will own or have a stake in the joint venture vehicle company.

A sale will be more appropriate where the service provider is to be responsible for upgrading equipment at the data centre. This will be the case in most shared services arrangements as one of the aims of setting up a shared services entity is to pass responsibility for service provision to a new, stand-alone provider. The downside to selling the equipment in a joint venture or outsourcing scenario is that it will no longer be owned by the Customer organisation (or at best will be

Transfer of contracts

Whichever shared services model is chosen, the different Customer organisations which are to receive the benefit of shared services may already have various contracts in place with existing third party providers. In order to achieve the aim of rationalising the provision of services and making them more efficient, the Customer organisation will need to carefully review each of these contracts and develop a clear plan with regard to which are to be novated or assigned and which are surplus to requirements. Early termination charges will need to be taken into account in the shared services business plan.

Obtaining third party consent in relation to the transfer of necessary licences or the novation of existing contracts, especially in relation to cross-departmental services, can be extremely time consuming and costly, and should be carefully managed in order to ensure a smooth transfer. Where the new service provider is required to take out new licences or enter into new contracts to provide the services, this cost will usually be met by the Customer organisation.

Final thoughts

Public and private sector organisations are coming under increasing pressure to achieve efficiencies and cost reductions. Shared IT services provided from a common data centre offer the potential to increase efficiency and reduce staff numbers, a fact which has already been recognised by many public and private sector organisations.

8 Data privacy

Data privacy laws focus on the collection, storage, use, disclosure and retention of personal data. Data centres may store and process data in the cloud. If the data involved is personal data, that is data relating to an identified or identifiable individual, cloud computing can present a number of challenges from a data privacy perspective. This Chapter examines those challenges.

Under the EU Data Protection Directive, the EU has some of the most stringent requirements relating to the processing of personal data in the world. As a result this Chapter will focus on the requirements of the EU Data Protection Directive relating to the processing of data in the cloud and in particular on the requirements relating to the export of data from the European Economic Area (EEA) to the rest of the world. The Chapter will make comparisons with Asian and Canadian requirements.

Basic data privacy concepts

The basic structure of data privacy legislation generally requires organisations to have: first, a good understanding of what personal data they collect or receive, how they collect it and for what purpose, where they store it and for how long, who it is accessed by or transferred to (and where that person is located) and what security measures are in place against unauthorised access or disclosures; second, a good understanding of the data protection obligations they must meet and the areas where the consequences of non-compliance are most acute; and third, policies and procedures to allow them to meet these requirements and mitigate high risk areas.

Europe, unlike some other territories, distinguishes between data processors and data controllers. The person who determines the purpose and means by which data is processed is a data controller, whilst the person who processes the data controller’s data under the data controller’s instruction is a data processor. In most European countries, privacy laws only apply to data controllers, who are liable for the acts and omissions of their data processors and are therefore responsible for ensuring that their data processors comply with privacy legislation through contractual controls and monitoring. In Europe therefore, a data controller customer remains liable for the acts and omissions of the cloud service provider data controller.

Proposed reforms to the European data protection regime would also impose liability on data processors, which will be extremely significant for service providers (particularly as breaches can be sanctioned by up to 2 per cent of worldwide turnover). As these reforms are unlikely to be enacted before the end of 2014, this Chapter sets out the existing EU position.

In other countries, such as Canada and Australia, every organisation that collects, stores or discloses personal data is responsible for complying with data privacy legislation. This would include data centre service providers.

Cloud computing and data privacy

The cloud’s defining characteristics mean that an organisation putting data into a public cloud service may not know, with the same precision it would have with tethered service offerings, (a) where the data is or where it has been and (b) who has or has had access to it, particularly when a cloud service provider uses a number of subcontractors.

Issues if the cloud remains within one territory

If a cloud is tethered within one jurisdiction (i.e. a data centre is located wholly within one jurisdiction) this could raise the following practical EU data protection compliance problems:

Security

Under the EU Data Protection Directive a data controller must be satisfied that the data processor has adequate security measures to protect personal data against unauthorised use, access or disclosure. The concept of security spans several disciplines; it is about keeping premises and information assets free from unauthorised access or alteration, and people free from harm. This is achieved through a combination of technical IT controls, physical premises controls, and wider information security controls that focus on people and processes. The broad nature of security means that achieving an appropriate level requires a co-ordinated approach across these disciplines.

The security threats that organisations face are diverse and increasingly sophisticated, ranging from simple employee errors to co-ordinated criminal activity. The likelihood of these threats being realised is increasing; recognition of

The data controller must be able to audit and ensure the security measures are being complied with. Auditing a complex public cloud solution itself will usually be impractical and public cloud service providers cannot allow every customer to audit them.

Independent third party audits across all customers of a data centre and certification are the practical solutions to both security and audit issues but are not always offered by cloud service providers.

Issues if cloud crosses the EU border

Applicable law

Under the EU Data Protection Directive the data protection law that must be applied to the processing of the personal data is the law that applies to the data controller of that personal data. In a cloud scenario this is generally the customer, not the service provider.

This means that if a French data controller uses a US cloud service provider, in order for the French data controller to comply with its data protection obligations it must impose French data protection obligations on the US cloud service provider (regardless of whether the cloud service provider has any presence or uses any infrastructure located in France).

An EU Member State’s data protection rules also apply where a data controller is not established in any EU Member State but uses equipment in the EU Member State to process personal data. Where the data controller’s agent/data processor uses equipment on the data controller’s behalf (which it will do in a cloud service offering), this is likely to be treated as equipment used by the data controller. So a Japanese data controller engaging a US cloud service provider which processes the Japanese personal data on infrastructure located in France (other than for transit purposes only) will become subject to French data protection obligations and will also need to impose those obligations on the US cloud service provider.

Export outside the EEA

In addition to privacy laws, banking legislation, financial services supervisory roles and laws specifically passed to block the transfer of information for certain purposes can also restrict the export of data from one country to another. The EU legal problem becomes even more complex due to the restrictions on export of personal data outside the EEA by data controllers subject to EU data protection laws (both the French and Japanese entities in the earlier examples).

the potential value of sensitive information; rapid up-take of new technology; and the demand for information to be available at the touch of a button from anywhere in the world are just some of the contributing factors. This places more emphasis on individuals to keep information secure, as well as on organisations to provide the technology, processes and training to support them.

Given the diversity of the threats faced, the methods available to achieve an appropriate level of security also cover many different aspects. They range from technical controls such as mobile device encryption and network protection to process and people controls such as policies and procedures, user awareness, staff vetting and third party management.

Usually data controllers satisfy themselves that their data processors have adequate security measures by conducting due diligence and obliging the service provider to meet a set of prescribed security requirements. However, in a cloud service, understanding the architecture and the security may be a challenge and public cloud service providers may be reluctant to provide too much detail; indeed, many refuse to commit to the level of security a large multinational would require. Furthermore, in a public cloud with layers of subcontractors, even if a multinational managed to impose its own security requirements on the public cloud service provider, that service provider would find it difficult to flow down different specific obligations to each of its subcontractors, and undertaking non-desk based due diligence is probably impractical.

Audit

Although in general, privacy legislation tends to be similar country to country, there can be significant variation in specific requirements. This is true even within the EU where the EU Data Protection Directive was designed to harmonise requirements. Organisations, therefore, must be familiar with local legislation and regulations, and understand local enforcement priorities.

The first step in complying with privacy legislation is an audit: to understand what personal data the organisation collects or receives, how it is collected, the purposes it is intended to serve, where the data is stored and for how long, who accesses it or to whom it is transferred, and the security measures in place to protect against unauthorised access or disclosures. The second step is to understand applicable privacy obligations. The third step is to identify any gaps in compliance. Finally, the organisation must establish policies and procedures to ensure compliance with its legal obligations.

• Standalone EU Commission approved model clauses – the EU Commission has approved certain model clauses which, when incorporated into contracts between each EEA exporter and each non-EEA importer will allow for export outside the EEA. The clauses impose on the non-EEA importer rules substantially equivalent to the protections contained in the EU Data Protection Directive. They must be adopted without amendment to allow a compliant transfer.

• EU Commission approved model clauses framework deed – given the number of transfers among the different entities that comprise a multinational group of companies, stand-alone model clauses for transfers between all such entities soon become very unwieldy. This practical hurdle can be overcome by entering into a framework agreement covering all transfers between each EEA exporter and each non-EEA importer, effecting such transfers under the correct set of EU Commission approved model clauses. This obviates the necessity of executing separate standalone clauses between all the entities of the multinational.

• Binding Corporate Rules (BCR) – multinationals can achieve compliance by adopting internal corporate binding rules which impose an EU level of data protection for the handling of specified segments of personal data. The BCRs must be approved by the regulator in each EEA exporter country and be legally enforceable by the organisation’s employees and other individuals to whom the data relates. This is the most comprehensive and onerous way to achieve compliance but arguably the most compliant. This could be a solution for multinationals implementing a private cloud structure.

• Processor Binding Corporate Rules (PBCR) – in June 2012 the EU data protection authorities approved a variation on BCRs which could be put in place by data processor service providers to legitimise transfer of their EEA customers’ personal data to locations outside the EEA. The service provider must submit its PBCR to EEA regulators and may export its customers’ personal data from the EEA countries which approve the PBCR without the need for the customer to put in place one of the preceding export options. This will be extremely beneficial to EEA customers but imposes a high level of regulatory scrutiny and imposes liabilities on service providers that they would not otherwise incur and therefore will not be universally adopted by service providers targeting the EEA market.

There are seven potential solutions available to organisations wishing to export personal data from the EEA:

• White List Countries – there are no restrictions on transferring personal data to jurisdictions that the EU Commission has ruled have equivalent protections (White List Countries). The list in March 2012 is short: Andorra, Argentina, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, Switzerland and Canada. In the case of Canada, however, the personal data transferred must be handled by organisations engaged in a commercial activity and not constitute employee data [1]. It is also possible to transfer certain categories of personal data to the US if the importer falls within the US Safe Harbour scheme. It should be noted that not all organisations or types of data processing can be brought under the US Safe Harbour scheme.

• Consent – it is acceptable to transfer personal data outside the EEA if the individual concerned has been properly informed of the transfer to a country with lower standards of protection and has unambiguously consented to the transfer. The main drawback with this route is that the individual can always refuse to give consent, or, once given, can withdraw consent. Furthermore, many EU countries consider that employees cannot freely consent to demands of this type from their employers for fear of losing their jobs, thereby effectively eliminating a consent-based solution for employee data.

• Another exemption – there are a number of other exemptions where the export is necessary for certain purposes. Most EU regulators, however, take a very narrow view of what is necessary. For example, one exemption is where transfer of the individual’s data “is necessary for the performance of a contract with the individual”. By way of example, most regulators would consider a transfer of EU personal data to India necessary if the individual concerned was booking a holiday in an Indian hotel, but not if it was for processing of his health insurance application on servers located in that country.

[1] The Canadian statute, An Act Respecting the Personal Information Protection and Electronic Data (PIPEDA) has been judged equivalent by the European Commission but only applies to personal data of federally governed employees and when collected by organisations engaging in commercial activities. Consequently, personal data to which the law does not apply must be protected by one of the solutions applicable to Non-EEA importers.

implements measures to supervise the contracted entity’s handling of the personal data; or (b) to a specific entity or individual that will jointly use the personal data (e.g. an affiliate), and this (and other information) is notified or made readily accessible to the individual in advance.

For highly regulated countries such as Australia, Hong Kong, Malaysia, New Zealand and Taiwan, there are specific restrictions or prohibitions for offshore data transfers unless limited exemptions apply. These exemptions vary from country to country, but in keeping with EU principles the transfer is generally permitted with express consent of the individual or pursuant to a data processing agreement that at least meets the local legal requirements of the transferor.

Particular issues vary from country to country and specific advice should be sought in the in-bound and out-bound jurisdictions. For example:

• In Hong Kong, section 33 of the Personal Data (Privacy) Ordinance prohibits transfers of personal data outside of Hong Kong except in stated circumstances. However, this section has not yet (as at May 2013) come into force.

• In Taiwan, the government authority may limit cross border transfers of data in certain circumstances including where the transfer involves major national interests or where such a transfer may harm the interests of the relevant individual.

• In China, there are specific requirements relating to the confidentiality of employee information and potential liabilities under civil law which will require specific forms of consent in order to effect the transfer. Transferors should also be aware of the broad State Secrets Law which may capture transfers of certain data.

• In Singapore, the Personal Data Protection Act came into force in January 2013. The Personal Data Protection Act is an omnibus data protection law setting out rules for the collection, processing and storage of personal data. Under the Personal Data Protection Act, transfer of personal data outside Singapore is permitted but such transfer must be in accordance with prescribed requirements to ensure that personal data remain subject to an adequate level of protection that is comparable to the protection under the Personal Data Protection Act. However, this requirement will only come into force in the middle of 2014.

These solutions can be difficult to apply in the context of cloud computing. Obtaining adequate consent from the relevant individuals may be impractical or certain of the infrastructure destinations in the cloud may not be White Listed or, in the US, not Safe Harbor self-certified; if so, the only option is for the data controller to impose a set of EC Commission approved model clauses on the cloud service provider who will then, in turn, have to impose these requirements on its subcontractors/sub-processors in the cloud stack. Whilst this does represent a solution, the time, technical knowledge and effort required to implement it can be prohibitive and is not often complied with. Against this background, cloud service providers which gain Processor Binding Corporate Rules approval will simplify their EEA customers’ data protection compliance issues considerably.

Finally, the ability of regulators, law enforcement agencies and civil litigants to gain access to data held by the service provider, due to where the service provider is established or where it locates the data, must be taken into account where such disclosure would impact the individuals concerned. The EEA position on whether transfer can be made to a service provider that is subject to such obligations is not settled and various EEA jurisdictions such as the Netherlands and Germany have suggested that such transfers may offend their local data protection legislation (although such transfers do occur in both the private and public sectors).

Restrictions on cross border transfers from Asia

It is not only the EU which imposes restrictions on the export of personal data. Restrictions on transfer of data offshore vary across Asia with different legislative regimes imposing different requirements. Although there may be no express legislation in some countries prohibiting data export, general legal principles may apply (including confidentiality laws and national security laws) and it is usually recommended that consent from the relevant individual be obtained for any data transfer. Once again this may be impractical in the context of cloud computing.

In some jurisdictions, the individual’s consent may be implied in limited circumstances. For example, in Japan, consent is required for the transfers unless the individual knows when the personal data is collected that it will be necessary to transfer it to a third party and the organisation has notified the individual about the specific details of the personal data collected. Transfer is also permitted in Japan where the organisation provides the personal data (a) to a contracted entity entrusted with the handling of the personal data within the scope necessary for the achievement of the purpose of use and where the organisation effectively

Restrictions on cross border transfers from Canada

Canada makes no distinction between data processors and data controllers. Any organisation collecting, possessing or disclosing personal information, without distinction, must comply with all aspects of privacy legislation. The export of data, even to the US, is permitted if appropriate contractual measures are put in place between the exporting organisation and the importing one [2]. While there are no model clauses required, all such agreements must contain elements which demonstrate that the importing organisation will limit access to the information to those whose functions require it; use the information only for the original purposes for which it was acquired; disclose it with consent or where otherwise permitted by law; implement appropriate security measures to ensure that the information is not improperly disclosed; notify the Canadian organisation of any data breaches promptly and institute appropriate measures to contain and eliminate the source of the breach [3]; and, where applicable, that rights of access and rectification will be afforded to the individual concerned. Such contracts typically include representations and warranties to the effect that the data was legally collected and that the exporting country shall have rights to audit, upon reasonable notice, compliance with the contract. They further provide for the return of all personal data, or its destruction to the satisfaction of the transferor, upon termination of the contract or as otherwise required by law.

While there is no need to register this transfer with a data protection authority, or to have such contractual measures pre-approved, an organisation is well advised to have a robust contract in place. Notably, a well-drafted contract governing the export of personal data can prove useful in the wake of a security breach when dealing with privacy commissioners and possible litigation, including class action litigation. A well-drafted agreement helps demonstrate that all appropriate, reasonable and necessary measures have been put in place by the organisation, thereby reducing the risk of negative findings by one of Canada’s privacy commissioners or the risk of compensatory or punitive damages by way of ordinary or class action.

[2] Save British Columbia and Nova Scotia, both of which have legislation prohibiting the transfer to the United States of personal data held by their respective Crown corporations, save in certain limited exceptions. In all other cases, notification must be given to the individuals concerned, although their consent is not required.

[3] At present, only the province of Alberta has general legislation requiring that security breaches be notified to its privacy commissioner and, in some cases, to the individuals concerned. However, federal privacy legislation has been tabled that foresees similar obligations and the provinces of Ontario and New Brunswick have mandatory reporting of breaches respecting health information.

9 Hot topics and regional trends

• In Taiwan, the Personal Data Protection Act restricts the international transmission of personal data without government approval (however, there are certain exceptions to this rule); and

• In South Korea, the Personal Information Protection Act contains provisions restricting the transfer of personal data offshore subject to certain exceptions.

Other countries do not have specific restrictions and instead have general data privacy principles that apply to the disclosure or use of data whether within the country or offshore:

• In Indonesia, there are no specific restrictions, however the transfer of data offshore may be considered to be a “use” of data and customer consent would ideally be obtained prior to transfer;

• In Japan, there are no specific restrictions, however, disclosure to a third party whether within Japan or offshore must comply with general data privacy principles;

• In the Philippines, there are no specific restrictions, however the transfer of data offshore will be subject to general principles of data privacy; and

• In Singapore, the Personal Data Protection Act 2012 (PDPA) requires data users to ensure that any transfer of personal data outside Singapore is in accordance with prescribed requirements, so that personal data remain subject to an adequate level of protection that is comparable to the protection under the PDPA (not yet in force as at May 2013). As of May 2013, only a limited number of the provisions of this Act have commenced.

At the other end of the spectrum, countries such as China, India, Thailand and Vietnam have no specific restrictions on the transfer of data offshore and no general data privacy laws. However, national security laws and regulations and guidelines in those countries specific to certain industries, in particular financial institutions and telecommunications, may operate to prevent the disclosure or transfer of particular types of data.

Asia-Pacific: cross-border data flows

The Asia-Pacific region has recently seen a growth in the market for data centres and cloud computing services. In conjunction with this, general public awareness of data privacy issues has been on the rise in recent years. As a result, service providers and data centre operators have had to deal with the compliance and regulatory risks of cross-border data flows in a region with no uniform requirements governing cross-border data flows.

Current trends

At present, there are noticeable differences in the level of regulation of cross-border data flows and data privacy generally across the Asia-Pacific region. Given the diversity and different degrees of legal regulation of Asia-Pacific nations, this is unsurprising.

Some highly regulated countries have adopted overarching data protection laws which include specific restrictions on the transfer of data to other jurisdictions:

• In Australia, the Privacy Act contains a National Privacy Principle which restricts the transfer of data offshore subject to certain exceptions. On 12 March 2014, the National Privacy Principles will be replaced with a new set of Australian Privacy Principles which, amongst other things, will impose greater restrictions on the transfer of personal information offshore;

• In Hong Kong, the Personal Data (Privacy) Ordinance (PDPO) prohibits the transfer of certain data offshore unless certain exceptions apply (not yet in force as at May 2013). Currently, data users are required to comply with general requirements of the PDPO when transferring data offshore;

• In Malaysia, the Personal Data Protection Act restricts the transfer of data offshore, subject to certain exceptions (as at May 2013, the commencement date of this legislation has been delayed, and a new date has not been announced by the relevant Ministry);

• In New Zealand, the Privacy Act allows the Privacy Commissioner to issue a transfer prohibition notice to prevent the transfer of data offshore;

Future directions

In the future, we expect to see more countries in the Asia-Pacific region adopting data privacy legislation as their economic development accelerates and their legal and regulatory systems become increasingly sophisticated. In line with the increasing global focus on privacy issues, we also expect that countries in the Asia-Pacific region will continue to build on and refine the existing data privacy rights enshrined in their legal systems.

The Singapore PDPA came into effect in January 2013. However, many of the operative provisions of this Act, including a restriction on the transfer of personal data outside of Singapore, are yet to commence (as of May 2013). The PDPA consists of two parts, the first being the Do Not Call (DNC) registry provisions and the second being the data protection rules (the Rules). The PDPA will be implemented in phases with the DNC registry provisions coming into force early 2014 and the Rules coming into force in the middle of 2014.

As noted above, the Australian Privacy Act was recently substantially amended. These amendments will come into effect on 12 March 2014 and will result in significant changes to the protection of personal information in Australia. The current National Privacy Principle dealing with transborder data flows will be replaced with a new Australian Privacy Principle that further restricts the disclosure of personal information offshore. Additionally, a new provision has been introduced to render Australian entities which disclose personal information to third parties located offshore liable, in certain circumstances, for any privacy breaches by that third party. This provision will potentially apply to data centres that are located offshore and operated by third parties which provide services to Australian companies.

A common feature of much of the data privacy legislation that exists in various Asia-Pacific nations is that cross-border data flows may be permitted where the country that the data is being transferred to has an equivalent level of protection for data privacy as that of the transferring country. However, the specific requirements of each country for this exception to apply vary slightly, so individual consideration is frequently required. As more countries in the Asia-Pacific region enact specific data privacy legislation, there may be an increasing level of reliance on such an exception in order to facilitate the use of data centres across the region.

Canada: regional overview

Until about ten years ago, Canada was a territory and jurisdiction that was systematically overshadowed by its southern neighbour when it came to finding a new location for establishing a data centre in North America. However, the events of September 11 and their aftermath, including the enactment of the Patriot Act in the US, created a shock in the industry that triggered an analysis of disaster recovery plans, the need for mirror sites and other issues related to the disclosure of confidential information and data to the US government. This analysis then created an environment where locations outside of the US were looked at more closely by businesses operating data centres or wishing to establish new ones.

Secure, green, neutral and competitive

Seizing on the opportunity provided by this new business and legal environment, several Canadian businesses and governmental authorities have, over recent years, tried to highlight to local and foreign operators of data centres the advantages that several regions of Canada offer as locations for data centres. These advantages include: low energy costs, a climate permitting “free cooling” (i.e. servers are cooled in part by using the cold air from outside rather than air conditioning), reliable public utilities, the availability of international bandwidth, the ease of doing business and, finally, a low historic frequency of natural disasters. In an international survey published in 2011, Cushman & Wakefield and Hurleypalmerflatt ranked Canada as one of the least risky locations in the world to establish a successful data centre operation, second only to the US.

Certain businesses that have established data centres in Canada have identified, as an important factor in selecting the location, the fact that the EU Commission has ruled Canada to be a jurisdiction offering protections equivalent to the EU Data Protection Directive (White List Countries). For some European operators, this represents a competitive advantage, as the data is not subjected to the jurisdiction of the US government while being hosted from a site very close to the US market and users.

Initiatives in the province of Québec

In this context, provincial and local governments have undertaken different initiatives to attract data centres to their territories through various tax incentives and, in the case of public utilities owned directly or indirectly by the government, through energy policies and pricing aimed at providing a favorable financial environment for data centres.

Data demand

Several factors have combined to create an explosion in data demand across the Middle East during the last decade. As well as the development of major business and financial hubs, rapidly increasing internet penetration rates (the UAE rate rose from less than one per cent in 2005 to more than 11 per cent by the end of 2010 according to various reports) and a young, tech-savvy population that is eagerly consuming digital content have all contributed to a sharp rise in internet traffic.

Competition in the telecoms sector has also served to improve the technological infrastructure and increase access to capacity and, as a consequence, this has further driven demand for data. Several mobile operators in the Gulf have launched 4G services since 2011 and Abu Dhabi claims to be the world’s first capital city to be fully covered by a fibre-to-the-home (FTTH) network following Etisalat’s roll-out.

A key area hampering customer experience in the region, though, is the lack of publicly available data space compared to other global business centres such as London and Singapore. In addition, the Middle East also suffers from a limited number of internet exchange points (the physical locations at which internet service providers interconnect and exchange traffic between their networks).

Customer experience and cost

Data centres enable local web pages to be hosted on local servers, rather than in an offshore location. Offshore web pages can also be copied (or “cached”) and stored on a local server. In this manner, local users can access such Internet content locally without the need for traffic to be routed to an offshore location.

Internet exchanges similarly enable data passing between end users on different networks within the region to be exchanged locally, rather than via an offshore location. Local Internet traffic may be exchanged under a peering relationship between local networks in which no charges are paid for the exchange of local traffic. In this manner, local networks can avoid routing local traffic via an offshore provider and hence avoid the wholesale data access charges they would otherwise pay to that provider to exchange the relevant traffic. As the data traffic is routed directly between the networks, both parties also experience reduced latency and packet loss.

In the province of Quebec, entities such as Hydro-Québec (a public power utility) and Investissement Québec (an entity promoting investment in the province) have been involved over the years in data centre projects. The strategic position of the province in the data centre business is clear from the perspective of these two entities as Quebec provides competitive energy pricing (industrial pricing generally ranging from 4,5 to 5,5 cents/kWh), renewable and green energy (hydro power), an electrical network isolated and independent from the interconnected network of neighbouring provinces and northern states of the US, a climate suitable for free cooling, proximity to the US market (6 microseconds from New York) and a jurisdiction not subjected to the Patriot Act.

Middle East: regional overview

Notwithstanding the difficulties faced by the global economy since 2008, there has been continued investment in telecommunications and data centres in many parts of the Middle East to support the ongoing development of the region.

The governments of the Gulf countries such as Qatar and the United Arab Emirates have been consistently positioning their major centres – including Doha (Qatar), Abu Dhabi and Dubai (both UAE) – as strategic business hubs for the Middle East. This is part of a long-term strategy to diversify their economies away from oil and gas into business, technology and tourism. Those charged with implementing these strategies recognise that high specification data centres and telecoms networks will be part of the package necessary to attract leading international businesses.

Other countries in the region have been seeking to carve out more specialist roles for themselves, such as Egypt’s drive to become a centre for IT outsourcing services and Jordan’s heavy promotion of itself as an information, communication and technology hub for the Middle East. Again, much of the success of such initiatives will depend on an appropriate national and regional physical infrastructure and legal frameworks to facilitate fast, efficient and cost-effective data storage and sharing.

and robustness and helping to provide reliable connectivity within the GCC.

In relation to data centres, a study of global practices in data centre management by Oracle, published in January 2012, revealed that companies in the Middle East had improved their overall IT systems management capabilities. The previous study had placed the region at the bottom in terms of systems management, but that position had been improved as it was noted that the global financial crisis had caused Middle East companies to become more focused on achieving operational efficiencies, including through better management and utilisation of systems. Analysts also pointed to the lack of legacy data centre infrastructure as a potential advantage: companies in the Middle East are building their own data centres and this greenfield approach can allow for a more tailored, best of breed solution. However, while this may be an option for larger institutions, many smaller companies do not have the budget to develop a data centre from scratch and continue to wait for better solutions to come to market.

Europe: Cybersecurity strategy

In February 2013 the European Commission (EC), together with the High Representative of the Union for Foreign Affairs and Security, published a cyber-security strategy alongside a Commission proposal for a directive on network and information security. Similar initiatives have emerged in some Member States. These developments are also likely to have a considerable impact on the operators of data centres.

The cyber-security strategy entails specific actions which are supposed to enhance cyber resilience of information systems, reduce cybercrime and strengthen EU international cyber-security policy and cyber defence. The strategy is not merely targeted at public institutions but also at key internet enablers and critical infrastructure operators.

The draft of the directive contains several provisions applying to the mentioned private entities. The two main obligations under the directive are described in a general way in its recitals 23 and 24: Key providers of information society services which underpin downstream information society services or online activities such as e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, and application stores shall take appropriate measures to safeguard their integrity and security. The directive also requires these entities to notify

In this manner, data centres and internet exchange points (IXPs) are important to the overall customer experience for three key reasons. First, the local exchange of data or hosting of content helps to reduce the time taken for data to pass across the Internet (or latency) because the data passes via a more direct local route. Second, the use of a more direct route reduces packet loss, in turn increasing data transfer speeds and quality. Third, local Internet providers can reduce their upstream data transit download charges payable to offshore wholesale internet access suppliers, thereby reducing their operating costs. Accordingly, local Internet users can receive a faster and higher quality Internet browsing experience at a lower cost.

Unfortunately, the major cities of the Gulf did not factor the building of public data centre space into their planning during the peak construction years of the 1990s and early 2000s. The information website datacentermap.com listed only 59 colocation data centres across 14 Middle East countries in May 2013. This compares to 182 across 12 countries in Asia, 842 across 23 countries in Western Europe and 1,223 in North America. The UAE, with just four colocation data centres listed, has fewer than Jersey (5) and Cyprus (7), and the same number as Taiwan.

The combination of a lack of quality data centre space and limitations on the easy exchange of local traffic means that local business is comparatively poorly served for data traffic despite the otherwise modern environments of the major commercial centres in the region. The limitations of the current regional infrastructure lead to customers in the Middle East suffering from sub-optimal speeds, lower quality and more expensive internet connections than many other parts of the world.

Future developments for the Middle East

In some areas, the local regulators are moving to address some of the issues noted above. In October 2012, the UAE’s Telecommunications Regulatory Authority (TRA) launched UAE-IX, an internet exchange in Dubai. Developed in partnership with Germany’s DE-CIX, it will provide a neutral internet traffic exchange for the country. The establishment of UAE-IX should reduce the extent to which local internet traffic is routed via Europe, the US and Asia, ultimately resulting in lower costs for the Internet end users in the Middle East and a more satisfactory browsing experience. At launch, the TRA claimed that UAE-IX would reduce latency times by up to 80 per cent and costs by up to 70 per cent for GCC providers, as well as improving IP network resilience

Latin America: regional overview

There has been continued investment in data centres in many countries of Latin America to support the ongoing development of the region. There has been more investment in IT and telecommunications infrastructure to accommodate the growing number of data centres in some countries. Additionally the enactment of new business rules in some countries that now require better protection of data, has resulted in the demand for data centre services to grow exponentially. For example in Colombia the Superintendencia Financiera (equivalent to a financial agency) has required that all financial institutions utilise better and more secure processes in order to give greater assurance of security and compliance to their customers.

Although data centres are not new to Latin America, they have recently blossomed into one of the most competitive telecommunications and IT business sectors. For example international companies such as Telmex, Global Crossing and Terremark, and local companies such as ETB and Une Telecommunications in Colombia, have all made significant investments in data centres in Latin America. We have given examples of current data centre developments in Latin America on the following page.

Even though in Latin America companies can build and adapt their own data centres, generally they outsource to specialised companies. As mentioned generally in Chapter 6 on outsourcing and offshoring, Latin American companies benefit from outsourcing because this results in reliance on third parties to handle information management and operation, which improves safety levels, lowers the required investment and does not distract companies with processes that have nothing to do with their core business.

Data centres in Latin America are usually strategically located in the outskirts of main cities or in locations where construction costs are lower, which in turn reduces operational costs, and therefore increases the potential to attract new customers. Executives in charge of implementing these strategies recognise that high specification data centres and telecom networks will be an important part of the package necessary to attract leading international businesses.

public authorities of security breaches and integrity threats. These obligations will be extended to public administrations, and operators of critical infrastructure which rely heavily on information and communications technology and are essential to the maintenance of vital economic or societal functions such as electricity and gas, transport, credit institutions, stock exchange and health. The directive itself contains several provisions which shall implement these obligations. Pursuant to the draft Article 14, appropriate technical and organisational measures shall prevent and minimise the impact of incidents affecting the networks and information systems and ensure the continuity of the services underpinned by those networks and information systems. Furthermore a detailed procedure for the notification of competent authorities after an incident will be defined.

Member States shall provide the competent authorities with all the powers necessary to investigate cases of non-compliance with these obligations pursuant to Article 15. Market operators and public administrations will be required to provide the information needed to assess the security of their networks and information systems, including documented security policies, and undergo security audits carried out by a qualified independent body or national authority and make the results thereof available to the competent authority. The authorities, in turn, shall have the power to issue binding instructions. Finally all the described obligations shall be subject to judicial review.

Similar national initiatives are being set in motion across the EU. For example the German Federal Government proposed a comparable national law in March 2013 and the UK announced a UK Cyber Security Strategy as early as November 2011.

Many data centre operators will be subject to these requirements; be it because their customers or they themselves fall within the scope of the directive. They will therefore have to check all infrastructure, processes and guidelines and where necessary revise and document them in order to implement the directive in their daily business. Furthermore operators of data centres should prepare themselves for security audits by their customers and further investigations by the competent authorities.

Argentina

IPLAN is constructing its fifth data centre, to be opened in June 2012. The centre was designed in accordance with Tier III requirements and CISCO will finish the technological infrastructure on behalf of IPLAN.

United States: Regional overview

Among the hot topics regarding data centers in the United States are “big data,” e-discovery in the cloud, “green” data centers, and environmental risks.

Big Data

As companies continue to generate and receive more data than ever before, one issue is how to extract information from this unstructured data. The sheer volume of such data makes it difficult to handle as many current IT administration skills do not scale well to this level, which makes hiring and retaining employees with those skills very important. Securing the data and limiting access only to those authorized to view it can be a legal/regulatory requirement that frequently is challenging to implement. Placing “big data” in data centers can subject the data owner to jurisdiction and potential regulation in all of the locations where the data centers are located, which can lead to potentially inconsistent laws being applied to the data.

E-Discovery in the Cloud

The global trend toward cloud computing in the United States has collided directly with the broad pre-trial discovery requirements in U.S. civil litigation, leading to increasing costs and complex questions related to “control,” collection, admissibility, and authentication. Even as companies push more and more data beyond their firewalls and further attenuate business users from how the company’s data is actually stored, U.S. courts are pushing the envelope regarding what data is under the control of the corporation. These broader definitions of control, coupled with the general obligation of a party to a U.S. litigation to take reasonable steps to preserve, collect and produce all relevant information regarding a particular matter, have increased the burden on companies who have entered the cloud, especially if they did not create plans, procedures or processes in their cloud contracts.

All data centres in the region have been developed under Tier specifications. For example Telmex allocated US$27 million for the construction near Bogotá of what is considered by many to be the largest and most secure data centre in South America. Most companies that offer data centre services have Tier II and Tier III facilities, but at the date of writing Telmex’s data centre is touted as the only Tier IV system in South America. Other international standards and certifications are also applied such as the International Computer Room Experts Association (ICREA), a group of engineers who specialize in the design, construction, operation, maintenance, acquisition, installation and auditing of data centres.

Future developments

Brazil

This is the most popular market for data centres in the region. In general, connectivity out of the region (i.e. to the US) is quite good.

Chile

Probe recently announced an investment of US$ 20 million to build in Quilicura one of the most advanced data centres in the world. This project will strengthen the country’s position “as a centre for regional operations for multinational companies”.

Colombia

Sura Group, UNE EPM Telecomunicaciones and the Mexican company KIO Networks have teamed up to build one of the largest data centres in Latin America. The project, to be called Kio Colombia, involves an investment of more than US$ 80 million and will seek to provide technological support for outsourced data management and a variety of technology services not only to Colombia but to the entire region. The project will be ready in late 2012 or early 2013.

In Colombia, although there is no specific regulation on data centres, general international principles have been adopted that determine the framework for the formulation of public policies governing the IT and Communications sector. For example, there is a state policy promoting research and development of IT and Communications in the country.

Since the cloud will become the repository of most electronically stored information that is needed in a litigation or investigation, cloud service providers and their clients must carefully plan how they will be able to cost effectively identify relevant documents that pertain to a case, preserve them, and collect them in a reasonably complete and accurate manner. The cloud service client and provider need to consider the following issues in matters where a client is subject to a discovery request and potentially relevant data exists with the cloud provider: possession, custody and control; preservation; collection; direct access; native production; authentication; admissibility and credibility; and cooperation between provider and client in discovery. As cloud service providers and subscribers are becoming more sophisticated regarding the impact of discovery on their relationship, we are starting to see more and more sophisticated and detailed pricing schedules and service level agreements around the preservation and collection of information in the event of litigation. We are also seeing retail cloud providers implement integrated applications into their cloud services to allow users to conduct some discovery operations on their own, thereby reducing the cost for the user (and, more particularly, the cloud provider).

‘Green’ data centers

Because data centers typically use a lot of power to cool the equipment located there, there are some data centers being built where the mechanical, lighting, electrical and computer systems are designed for maximum energy efficiency and minimum environmental impact. Some governmental authorities offer incentives to build and maintain ‘green’ data centers.

Environmental risks

Severe weather in the past few years has prompted additional concerns relating to the location of the data centers as well as the means to achieve business continuity. Should employees be instructed to take home their work computers during a flood advisory, when home is in a flood plain? Should data centers be located in an area subject to tornados? Should data be moved to the cloud? What happens when employees are without power for several days? There is no perfect solution, but a variety of creative approaches can help alleviate some of the risks and improve the likelihood of business being able to continue.

10 Concepts and glossary

For those less familiar with data centres and cloud computing, we set out below a brief summary of key concepts:

Air flow – sufficient air flow is required in a data centre environment. Rack mount servers are designed to push the air not only out of their own case, but also out of the rack itself. Computer room air conditioners (CRACs) push cold air into the cold aisle, which flows through computer and network equipment into the hot aisle, where it returns to the CRAC. Cooling is usually the largest contributor to facility overhead energy/cost. The “Cold Aisle” is the aisle between two rows of racks, that is intentionally cold and supplies cold air to the servers in adjacent rows. The “Hot Aisle” is the aisle between two rows of racks that is intentionally hot because the servers in adjacent racks are feeding warm air into it.

Cloud – the network of remote servers through which a customer can store and process data. The data is stored in a remote data centre and sent to the client’s device (such as a smartphone, PC or laptop) over the internet rather than being stored on a local server or personal computer.

Cloud computing – cloud computing is essentially delivering computing as a service. Whilst there are many definitions of what constitutes cloud computing, a typical cloud computing service would involve:

• storage and network infrastructures being used to store and process data and share applications amongst users;

• IT infrastructure being located in one or more different sites/countries and not collocated with the users of that infrastructure; and

• the ability to move the data between locations/countries in order to make best use of latent capacity in the cloud provider’s IT infrastructure.

A data centre is typically the physical site where the necessary hardware to provide cloud computing services is located. Accordingly, a data centre is a necessary component of cloud computing.

It should also be noted that there are a number of different cloud structures used:

• private cloud – where all the data and infrastructure is owned by and controlled by the same organisation;

• public cloud – where the infrastructure is owned by a service provider and made available or rented to customers to put applications and data into; and

• hybrid cloud – where an organisation combines a private cloud with a public cloud, perhaps for disaster recovery purposes or to deal with peaks in demand where its private cloud has insufficient capacity.

Particular models of cloud computing may require different implementations in the data centre that the cloud computing services are provided from, such as physical segregation of servers, dedicated servers for a particular customer or even a discrete data centre for a secure private cloud.

Data centre – a data storage facility housing various computer equipment, including servers and associated connectivity, power and storage systems, and cooling infrastructure, in a secure environment.

Dedicated servers – a dedicated server is an item of hardware supplied by server hosting companies to simplify the colocation process; typically the server hosting company would purchase the server on the client’s behalf and maintain its hardware for the duration of the contract. A colocation centre is a type of data centre where equipment space and bandwidth are available for rental to retail customers. Colocation facilities will provide space, power, cooling, and physical security for the server, storage, and networking equipment.

Rack – a rack (typically 19-inch) is a standardized frame or enclosure for mounting multiple equipment modules. A rack may sit within cages which in turn sit within data centre suites and halls.

Tiering – tiering refers to the storage of data in the most appropriate medium based on its intended use. Data needed on demand would be top-tier and stored on solid-state or fast disks. Data rarely needed would be archived on the lowest tier, usually optical disks or tape (perhaps even offline).

A four-tier system has been adopted that provides a simple and effective means for identifying different designs of data centre site infrastructure. The Uptime Institute’s tiered classification system is an industry-standard approach to site infrastructure functionality and takes into account benchmarking standards commonly adopted. The four tiers, as classified by The Uptime Institute, include the following:

• Tier I is composed of a single path for power and cooling distribution, without redundant components.

• Tier II is composed of a single path for power and cooling distribution, with redundant components.

• Tier III is composed of multiple independent distribution paths with all IT equipment being dual-powered, but only one active path has redundant components and is concurrently maintainable.

• Tier IV is composed of multiple active power and cooling distribution paths, has redundant components, and is fault tolerant, providing 99.995 per cent availability.

UPS – Uninterruptible Power Supply. This provides power to a mission-critical load in the event of a mains power failure. The UPS itself is powered by a fuel cell, battery or rotary energy store. A UPS differs from an auxiliary or emergency power system or standby generator in that it will provide instantaneous or near-instantaneous protection from input power interruptions by means of one or more attached batteries and associated electronic circuitry for low power users, and/or by means of diesel generators and flywheels for high power users. The on-battery runtime of most uninterruptible power sources is relatively short – 5 to 15 minutes being typical for smaller units – but sufficient to allow time to bring an auxiliary power source on line, or to properly shut down the protected equipment. A rotary UPS uses the inertia of a high-mass spinning flywheel (flywheel energy storage) to provide short-term power in the event of power loss. The flywheel also acts as a buffer against power spikes and sags, since such short-term power events are not able to appreciably affect the rotational speed of the high-mass flywheel. There may also be a “Standby Generator” – an engine with a large alternator attached to generate electrical current, in our case used to power the entire building or critical data infrastructure. “Run Time” and “Autonomy” are terms used to describe how long a UPS or generator can run without interruption.

Uptime Institute – an independent organisation, which provides education, publications, consulting, certifications, conferences and seminars, independent research and thought leadership for the enterprise data centre industry and for data centre professionals. The Uptime Institute promotes the Tier system noted before.

Very Early Smoke Detection Apparatus (VESDA) – most smoke detectors rely on smoke to rise to them in order to detect a fire. This means a fire could be taking hold while smoke is rising. VESDA sucks air across a detector to reduce the time it takes to detect smoke.

In addition to the concepts described above, the following terms are used frequently in this guide:

Access control – access control systems both control access (much like a key would) and record it, so an attempt to open a door is recorded regardless of whether the person was permitted to enter.

Biometric – personnel security is often managed by a biometric system that records a characteristic such as a fingerprint, palm scan or iris and uses it to prove identity.

Blade server – a blade server is a small computer, typically used in arrays mounted together in a frame that fits into a standard rack. This type of server often supports a modular and/or scalability approach to data centre operation.

Carrier neutral – colocation providers who do not restrict or limit with whom or how you obtain your connectivity to the data centre.

Data Centre Infrastructure Management (DCIM) – DCIM comprises software tools for discovering, monitoring and controlling assets forming a data centre, including both power and computing resources. An effective DCIM is essential to the proper management of costs and power consumption.

Developer – the party considering building and ultimately owning a data centre. It is also known as a provider, landlord or owner.

Enterprise users – commercial enterprises using hardware and software developed for the commercial market.

Power Usage Effectiveness (PUE) – the ratio of the power feeding into the data centre to the power consumed by the IT equipment. A 1-to-1 ratio is a practical impossibility because lighting and air-conditioning also use power.

Power usage efficiency – a ratio indicating a data centre’s efficiency by calculating the amount of power required to service the load. A power usage efficiency of 2 would be 1kW of computing load and 1kW of cooling/lighting. The lower the power usage efficiency, the more efficient the facility. Design power usage efficiency and operational power usage efficiency can often vary.

Private developer – a developer who will use the data centre for its own purposes. Also referred to as an “owner occupier”.

Purchaser – a party considering buying an existing data centre.

Resiliency – the ability of a data centre to maintain service in spite of problems such as power outages, server failures or network link failures.

Seller – a party who owns a data centre and is considering selling it.

Service Level Agreement (SLA) – an SLA is an agreement negotiated between the IT department and a user or a vendor that specifies how a service will be delivered in terms of response times, maximum allowable downtime and other performance parameters.

Single point of failure – a component in any system which, if it should fail, will break the entire system. No single point of failure means any component can break without affecting the overall system’s performance (a characteristic of higher Tier data centre design).

Virtualization – virtualization involves the encapsulation of an application, operating system and memory as a self-contained software unit, known as a virtual machine (VM), which can reside with other VMs on a single server. A VM is not tied to a particular physical machine and can move easily from machine to machine based on load balancing, backup or recovery needs.

Wide Area Network (WAN) – a backbone network that serves users that are geographically remote, consisting of a combination of dedicated lines, virtual networks over the internet and wireless technologies.

EU Data Protection Directive – Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Exabyte – 1 million terabytes.

Fibre – a high-speed data network technology commonly used for storage area networks within data centres.

Floor loading – the maximum mass the floor can support, normally measured in kN per m² (kilonewtons per square metre).

Host developer – a developer who will act as a “host” and provide data centre services to third party customers.

Lender – financial institution lending towards the purchase of the relevant land or the construction costs of the data centre.

Media Access Control (MAC) address – a MAC address is a unique identifier added to network interface cards by the manufacturer that is necessary for communicating on networks.

Network Access Point (NAP) – a point often characterised by the convergence of telecommunications infrastructure; it is an influential factor in data centre site selection.

N+1 – where N is the requirement (i.e. what the data centre needs to function), +1 is the spare capacity. This may be in the form of an oversized unit, with spare capability, or hot/cold spare units.

N+N – where N is the requirement, +N is the separate and equally sized backup system capable of meeting that requirement.

Peering point – an area where fibre connectivity is highly favourable.

Points of Presence (POP) – a smaller networking room is sometimes called a POP. POPs are similar to millions of small and medium-sized data centres around the world.

Powered shell – commercial space with a sufficient power supply and suitable for fitting out as a data centre. Developers without the specialist skill and experience to bring forward a data centre will typically hand over a development project at this stage.

11 Contacts

Asia Pacific

Nick Abrahams, Sydney, Norton Rose Fulbright Australia, Tel +61 2 9330 [email protected]

Richard Lewis, Melbourne, Norton Rose Fulbright Australia, Tel +61 3 8686 [email protected]

Michael Park, Melbourne, Norton Rose Fulbright Australia, Tel +61 3 8686 [email protected]

Keith Redenbach, Sydney, Norton Rose Fulbright Australia, Tel +61 2 9330 [email protected]

Canada

Jacques Lemieux, Montréal, Norton Rose Fulbright Canada LLP, Tel +1 514 847 [email protected]

Harry Ludwig, Calgary, Norton Rose Fulbright Canada LLP, Tel +1 403 267 [email protected]

Robert L Percival, Toronto, Norton Rose Fulbright Canada LLP, Tel +1 416 216 [email protected]

Marc A Tremblay, Montréal, Norton Rose Fulbright Canada LLP, Tel +1 514 847 [email protected]

France

Marc d’Haultfoeuille, Paris, Norton Rose Fulbright LLP, Tel +33 1 56 59 53 [email protected]

Germany

Jamie Nowak, Munich, Norton Rose Fulbright LLP, Tel +49 89 212148 [email protected]

Middle East

Hannah Thomas, Dubai, Norton Rose Fulbright (Middle East) LLP, Tel +971 4 369 [email protected]

Dino Wilkinson, Abu Dhabi, Norton Rose Fulbright (Middle East) LLP, Tel +971 2 615 [email protected]

Nordic region

Tomas Gardfors, London, Norton Rose Fulbright LLP, Tel +44 20 7444 [email protected]

South Africa

Rohan Isaacs, Johannesburg, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc), Tel +27 11 685 [email protected]

Bradley Scop, Johannesburg, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc), Tel +27 11 685 [email protected]

Glenn Stein, Johannesburg, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc), Tel +27 11 685 [email protected]

South America

Mauricio Zagarra-Cayon, Bogotá, Norton Rose Fulbright Colombia S.A.S., Tel +571 746 [email protected]

Netherlands

Jeroen Lub, Senior associate, Amsterdam, Norton Rose Fulbright LLP, Tel +31 20 462 [email protected]

United Kingdom

Neil Biswas, London, Norton Rose Fulbright LLP, Tel +44 20 7444 [email protected]

Marcus Evans, London, Norton Rose Fulbright LLP, Tel +44 20 7444 [email protected]

Caroline May, London, Norton Rose Fulbright LLP, Tel +44 20 7444 [email protected]

Sean Murphy, London, Norton Rose Fulbright LLP, Tel +44 20 7444 [email protected]

Mike Rebeiro, London, Norton Rose Fulbright LLP, Tel +44 20 7444 [email protected]

United States

Sue Ross, New York, Fulbright & Jaworski LLP, Tel 212 318 [email protected]

David Kessler, New York, Fulbright & Jaworski LLP, Tel 212 318 [email protected]

Pamela Jones Harbour, Washington DC and New York, Fulbright & Jaworski LLP, Tel 202 662 [email protected]

Erika Brown Lee, Washington DC, Fulbright & Jaworski LLP, Tel 202 662 [email protected]

Keith Angle, Houston, Fulbright & Jaworski LLP, Tel 713 651 [email protected]

Norton Rose Fulbright

Norton Rose Fulbright is a global legal practice. We provide the world’s pre-eminent corporations and financial institutions with a full business law service. We have more than 3800 lawyers based in over 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.

Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.

Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.

Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP, each of which is a separate legal entity, are members (‘the Norton Rose Fulbright members’) of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the activities of the Norton Rose Fulbright members but does not itself provide legal services to clients. This publication was produced prior to June 3, 2013 when Fulbright & Jaworski LLP became a member of Norton Rose Fulbright Verein.

References to ‘Norton Rose Fulbright’, ‘the law firm’, and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose Fulbright entity/entities’). Save that exclusively for the purposes of compliance with US bar rules, where Robert Harrell will be responsible for the content of this publication, no individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity. The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright.

Law around the world
nortonrosefulbright.com