The devil's in the data: How FIRB's proposed national security test may impact on businesses dealing with 'sensitive data'

In this next edition of our FIRB Reforms Article Series, we drill down deeper on the Commonwealth Government's proposal to include sensitive data as a key consideration in their expanded focus on sensitive national security businesses.

As we discussed in our first article in this series, which you can read here, the release of the Commonwealth Government's discussion paper on 5 June (Discussion Paper) proposes to introduce a new category of approval requirements based around national security considerations. The intention behind this change is to ensure the Foreign Investment Review Board's (FIRB) remit captures those investments into sensitive national security businesses which, under the current regime, do not always require approval because they fall below the relevant monetary thresholds.

With the release of exposure drafts of the proposed amendments to the Foreign Acquisitions and Takeovers Act 1975 (Cth) (FATA) and Foreign Acquisitions and Takeovers Regulations 2015 (Cth) (FATR) on July 31, we now have a clear indication of what will amount to sensitive data and how this may impact foreign investors.

The current approach to data

While the storage, access to, and control of data is not specifically addressed under the FATA and associated regulations, it is certainly one of the issues that FIRB currently considers under its 'national interest' test. This has been increasingly apparent in recent years, and will continue to be the case following the introduction of the new 'national security' FIRB rules which will simply add a separate layer of approval requirements to transactions that are currently below the standard FIRB review thresholds.

While there are no standard data-related conditions imposed by FIRB in no-objection notifications, some examples of conditions that may be imposed on a case-by-case basis to ensure a proposed transaction is not contrary to Australia's national interest include:

  • requiring data to be stored only in Australian facilities;
  • restricting access to sensitive data from overseas locations or by certain representatives of the foreign investor (or where such access is not restricted, maintaining adequate records of all foreign access to the data);
  • mandating certain certifications be held by the data storage facility or otherwise requiring it to be on a list of pre-approved providers maintained by the Australian Signals Directorate; and
  • providing FIRB with reports on compliance with these data conditions.

This expanded focus on data security is not surprising given previous comments from the FIRB Chair, Mr David Irvine AO, and the establishment of the Critical Infrastructure Centre (CIC) in 2017, which provides a whole-of-government approach to identifying and managing risk across critical infrastructure (including telecommunications). Importantly, as outlined by Mr Irvine in a speech to the Australia China Business Council last year, FIRB's approach remains that "consistent with [its] preference for mitigation, rather than prohibition, the development of data security conditions continues to be a key area of focus for the FIRB".

How will things change?

Under the proposed new national security test, the acquisition of a direct interest (generally, an acquisition of at least 10% interest or where the acquisition provides some measure of control) by a foreign investor in a national security business, regardless of the monetary threshold, will be the subject of mandatory notification to FIRB. Additionally, where a business or entity owned by a foreign person starts to carry on a national security business it will also be mandatory to notify FIRB of the proposed change in the nature of the business.

The draft bill for the proposed reforms (available here) to the FATA and FATR indicates that the Commonwealth has opted for a reasonably restrictive definition of 'national security business' in so far as the collection, storage or access to data is concerned.

Under the draft bill, a business will be a 'national security business' in relation to data where the business:

  • stores or has access to information that has a security classification; or
  • collects, stores, maintains or has access to personal information of defence and intelligence personnel, which if accessed or disclosed could compromise Australia's national security.

With respect to information that has a 'security classification', this will apply not only to classified information of the Australian Government but also to the classified information of other countries.

The Commonwealth has limited the range of 'personal information' to which these new rules apply such that it must be the personal information of defence and intelligence personnel which has been collected by, or as part of an arrangement with, the Australian Defence Force, the Defence Department or an agency in the national intelligence community, and be capable of compromising Australia's national security. The Commonwealth has indicated that it is not only concerned with the release of identifying personal information but also on the usage of the broader dataset to derive an advantage from knowing aggregate statistics about the defence force or intelligence community.

The term 'defence and intelligence personnel' is defined by reference to the categories of persons who may be involved in activities that are particularly important for Australia's national security, and includes contractors and service providers to Defence and to agencies in the national intelligence community.

Importantly for businesses which have no connection to the defence force or intelligence community, commercial datasets are not captured by the proposed reforms. The example used in the explanatory memorandum is that the dataset associated with a supermarket rewards program that may be used by many defence personnel is not captured in this definition, because it is not information that is collected by, or as part of an arrangement with, the Australian Defence Force, the Defence Department or an agency in the national intelligence community.

On the other hand, if a contractor to the defence force is required under that contract to provide medical records of their personnel to Defence, then the relevant medical service provider, and even an off-site data storage centre where those records are held for the medical service provider, would presumably both be national security businesses, even if they are not aware of the nature of the data they are collecting or storing.

For foreign investment into businesses that collect, store or have access to the personal information contemplated above, all transactions will be subject to prior FIRB approval (regardless of value) and we expect if that investment is approved, it will be subject to specific data conditions and those conditions will be increasingly restrictive.

For existing foreign owned or controlled businesses involved in data collection or storage, the new FIRB rules relating to national security are likely to be even more difficult to navigate, because such a business will need to obtain FIRB approval before it starts to carry on a national security business. Using the example above, if a foreign owned, external data storage provider has an existing contract to supply data storage services to a medical centre, and that medical centre subsequently collects personal data of defence personnel as part of an arrangement with the Australian Defence Force, the data storage provider will be in breach of its FIRB obligations, as it will have started to carry on a national security business without FIRB approval. Given that breaches of the new FIRB rules will carry criminal penalties (including imprisonment for up to 10 years), the impossibility of compliance in circumstances such as these is very concerning.

As would be expected, it is not just the collection and storage of data that has been addressed by the new national security FIRB rules, but also its transmission. Although not limited to concerns about data security, the new categories of national security business that relate to critical infrastructure extend to businesses that are carriers (e.g. operators of telecommunications networks and infrastructure) or carriage service providers (e.g. users of those networks to provide services such as phones and internet) to which the Telecommunications Act 1997 applies. As a consequence of the obvious national security concerns that arise from foreign involvement in the telecommunications network, these rules are far broader than those relating purely to data.

The changing nature of data

A key consideration for foreign investors will be the potential implications of their storage of, or access to, data which may in the future fall under the ambit of 'sensitive data' due to either the nature of the data stored or the risk profile of those people or entities to which the data relates.

The gradual increase of the scope of 'sensitive data' in an international context was seen in 2019 when the Committee on Foreign Investment in the United States determined that Chinese gaming company Beijing Kunlun Tech Co Ltd's ownership of Grindr LLC constituted a national security risk. While the reasons for this forced divestment were not published, it was widely understood to be due to the potential for the misuse and expatriation of personal data, particularly where such data may relate to military or intelligence personnel.

It appears the new national security FIRB rules, as they relate to data, will not have a similarly broad application as a result of the exclusion of commercial datasets, but these changes make it clear that the Australian government is increasingly focused on the risk to Australia's national security (and broader national interest) posed by foreign access to Australian data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.