Key issues

India is one of the world's most promising and dynamic markets.  Its low cost base and huge domestic market lure many international investors, but its unique regulation and market practice make India easy to get wrong.  Some of the key considerations on deals such as STT's joint venture with Tata Communications data centre business are:   

• FDI and other regulatory restrictions – Acquisitions of "IT" businesses (broadly defined) by foreign investors fall within complex foreign direct investment restrictions in India and require prior government approval. Other Indian regulators such as the Department of Telecommunications often take an interest in IT based FDI transactions.
  
  Specific advice on these points should be sought early and updated regularly as the transaction progresses.  Most India deals will require split signing and completion to deal with these points – investors should build this into their deal timelines from the start, and should argue that the India based party is better placed to bear the risk of any regulatory requirements in the transaction documents.
  
  
• Asset acquisitions – Sales of business units or assets (as opposed to share sales) have special considerations in India.  One issue in particular is the transfer of employees; unlike in the European context, there is no legislation in India which allows for the mass transfer of employees in connection with a business sale.  To minimise the risk of post-deal employee disputes, we recommend each employee signs a standard form employment transfer letter.  This can be a significant undertaking and must be managed carefully to avoid protracted negotiations with a large number of individuals.
  
  India also differentiates between an asset sale and a "slump sale", the latter being a sale of a going concern business without cherry-picking assets.  Tax structuring advice will be key here – for example, tax losses will only be carried forward by the new entity if the transaction is structured as a slump sale.
  
  
• Promoter/incumbent advantage – India is a tightly connected market.  International investors can face power and information asymmetries when working opposite local players, especially local promoters with strong personal ties to the business. 
  
  Robust international counsel with deep local insights and connections will help to mitigate this risk. As non-compete and non-solicit obligations can be difficult to enforce in India, investors should focus on providing key promoters or management with the appropriate incentives to stay focused on the business.

Key issues

Exits are a crucial time for investors, as they mark the culmination of years of work and will ultimately determine the return achieved. Substantial investments in this region almost always involve multiple cross border elements, as was the case on the sale of ST Teleport to Hong Kong based (but ASX listed in Australia) Speedcast International, which was subject to Singapore regulatory approval from the Singapore Info-communications Media Development Authority. Key issues for STT to keep in mind in this type of deal include:

• Working with a listed buyer – A listed buyer will be subject to a higher level of scrutiny and internal approvals than a privately owned buyer. There may be significant deal risk if the buyer's ownership is spread between various shareholders and shareholder groups who must approve the deal.
  
  The buyer may try to push this risk onto the exiting investor as being out of the buyer's direct control. An exiting investor should insist that the buyer bears this risk as it only arises because of the buyer's status and characteristics.

• US investor base – Whenever there are significant numbers of investors in a target or buyer (and especially where investors may easily change through transactions on a listed exchange), the parties should consider US securities rules. These rules are often extra-territorial in scope and can apply even with a limited US nexus, which can be triggered simply where there are a number of investors which are beneficially owned by US persons.
  
  US securities lawyers should be consulted if there is any perceived US nexus to the deal, so any compliance risk can be commercially evaluated. Certain US securities rules have timing impacts (for example, US tender offers must be kept open for a certain period) which will need to be factored into the overall deal timetable.

• Begin with the end in mind – The exiting investor should consider the mechanism for and terms of exit at the very start of its investment, and at every stage thereafter in the target's lifecycle.
  
  A particular pain point here is fundraising – if the target needs new funding from an additional investor, it may be tempting to agree only what is needed to get the current fundraising deal done, without closely guarding future rights on exit. We have seen this approach result in very complex and unclear documentation, where rights of investors in different series are simply stacked in further fundraising rounds. Investors should never lose sight of the end game or kick the can down the road on key rights, even when exit still seems far away.

Key issues

Several of STT's portfolio businesses, including Armor Defense Inc, are at the forefront of technological innovations in cloud-based enterprise cybersecurity. Data protection and cyber security regulation are fast moving areas of the law and the combined effect of the implementation of GDPR, leading US-based vendors' implementation of NIST-compliant cyber security solutions, China's Cyber Security Law and the rising tide of comprehensive, European-style data protection regulation in the Asia-Pacific region is that STT's multi-national client base are increasingly expecting vendors to offer global solutions that reflect the developing convergences in regulatory standards in these areas. In order to keep on the right side of regulators and protect its investment, STT will need to keep in mind key regulatory changes such as:

• GDPR and the NIST Directive – The implementation of GDPR this year has had a profound impact on companies across virtually all ranges of business. The impact on business services providers has been challenging, as the starting position for many European headquartered businesses, in particular, is to demand that their vendors certify that they are "GDPR compliant" on a world-wide basis, even if GDPR has no application given the nature of the processing. Whether or not the push for GDPR compliance is well-founded in specific cases, it is clear that the stakes of getting it right are very high. The prospect of penalties reaching four percent of worldwide turn-over has caught the attention of company boards, and so we are seeing a move by multi-nationals to raise data protection and cyber security standards globally, potentially to the high water mark of GDPR, with significant impacts for data processing and cyber security solution providers on the ground in the Asia-Pacific region. The deadline for national law implementation of the NIST Directive has had a less obvious impact but still represents the raising of the compliance bar across the global regulatory landscape.
  
  The GDPR is clearly a catalyst for change. Lawmakers and data protection authorities across the Asia-Pacific region are studying GDPR with a view to reforming their own laws, though a cherry-picking approach is often used, adding to the complexities of compliance. For example, Australia, New Zealand and the Philippines have all recently introduced mandatory data breach notification laws similar to the concept in GDPR, and such rules are also planned to be rolled out in Singapore in the medium term.
  
  In the face of regulatory patchwork on data protection which is especially prevalent in Asia, we often see clients take the "gold-plating" or "high water mark" approach of bringing all their global businesses up to the highest applicable standard. While a GDPR standard of compliance is unlikely to be practically achievable for many businesses operating in the Asia-Pacific region, the market expectation is increasingly a factor that must be addressed.  

• China Cyber Security law – The Cyber Security Law implemented in 2017 was a key shift for the region, but like many laws and regulations in China, critical areas of the law remain vague and subject to regulatory clarifications through various implementing measures. Though it is not yet clear, it is very likely that some level of data localisation will be required under the law, and international experts fear that the law may be used (explicitly or by implication) to close the Chinese market to foreign technology and services.
• Implementation in May 2018 of the Information Security Technology Personal Information Security Specification GB/T 35273-2017 – Developments in China require constant supervision for exposed international investors – not just developments in the form of new legal rules but in the many other ways in which China establishes the parameters of doing business, including attitudes to enforcement and idiosyncratic approaches by local authorities.
• Emerging Cyber Security Standards – from a European perspective, there is scope under the GDPR for organisations to adhere to an approved code of conduct or certification mechanism in respect of its security of processing under Article 32. Until codes of practice and/or certification mechanisms are approved and in place, and these are judged appropriate in specific cases, the most relevant guidance relating to Article 32 compliance may be found in publications by the European Union Agency For Network and Information Security ("ENISA").

Key issues

In this fast growth industry, the delivery of reliable capacity to clients is a key commercial driver. Equally, impressive returns can be garnered from a successfully executed speculative build. Sourcing debt that gives access to "fast" money with limited drawing conditions and ongoing reporting covenants can assist with this aim. We believe that the interests of stakeholders are best served when management teams are focused on running the business, rather than keeping their lenders satisfied. The methods of achieving this successfully are dependent on the lifecycle stage of the business at the time the debt is incurred and the jurisdictions in which the business is located.

• Individual sites/early stage financing – In the initial phase of any co-location data centre business a key legal issue is the volume of documentation required to complete a financing. This differs according to jurisdiction and documentation standards in that jurisdiction. In the London market, standards are rigorous and secured construction/development facilities require intensive reporting to lenders over the life of the financing. This is an involved and time consuming process.
  
  By comparison, in Asia-Pacific, where the real estate debt financing markets are less sophisticated, terms may be less onerous: initial documentation is pared down, scope of recourse to "real property" can be more limited (due in part to the unavailability of various classes of security interests) and ongoing reporting to lenders is less prescriptive.
  
  Instructing legal counsel with an appreciation of these factors is important to prevent operational delays. At the outset of any transaction there is value in testing lender needs from a credit perspective. Our experience in stress-testing requirements at term sheet stage, before credit approvals have been sought, can streamline the execution process. This in turn provides the business prompt and efficient access to capital to meet the necessary ramp-up speed required to be a significant presence in this market.
  
  Sponsor support may also assist to accelerate the timetable by allowing lender credit teams to soften their focus on property valuations and control of capex spends. We have significant experience of "squaring the circle" between sponsors' desire for limited recourse financing and lenders' demands for committed support.

• Multiple sites/later stage financing - As the business matures, bundling up of fully operational data centres within the same debt package permits stable cash-flows to support new centres. Moving away from lender reliance on property mortgages and related rights gives access to cheaper, quicker money.
  
  From a legal angle, to leverage this effect as far as possible, "client agreements" will be needed on 'bankable' terms. Lenders will be focussed on termination rights, force majeure, change of control as well as the legal nature of the client's occupation (i.e. lease / licence / agreement).
  
  The debt structuring possibilities available range from multi-facility packages secured on the sites but with loosened-terms to reflect increasing operational cash-flows, to a full-scale securitisation with cash-flows being the only source of creditor recourse. 

Key issues

Establishing a data centre presence in a new market requires navigating a myriad of complex regulatory and commercial challenges. We have significant experience in assisting clients with data centre acquisition and expansion throughout the region which we can draw on.

• Regulatory restrictions – There are varying levels of regulatory scrutiny on the data centre industry, with unique complexities across the region. For example telecommunications licenses may be required, or foreign investment restrictions may apply.
• Contracting arrangements – Balancing risk allocation between suppliers and customers is a delicate process, with varying industry standards across the region. Contracts with telecommunications providers and security and maintenance firms for example will need to be entered into, and standard customer terms may need to be drawn up, with service level and other liability to be back-to-backed across the chain.
• Legal restrictions – There may be complex financing or property related hurdles specific to the financing arrangement or jurisdiction. The data centre operator will need to ensure it is able to balance potentially competing property interests and rights of access in accordance with the relevant local legal requirements and industry practice.