Creating a data center is among the most common projects which companies undertake as part of their digital transformation strategies. Centralizing IT services into a state-of-the art data center or cloud solution offers a number of advantages, including cost savings, improved efficiency, reduced duplication and better IT security. For global businesses, by setting up regional data centers in strategic locations, companies can provide 24/7 IT support to their offices around the world – leading to better customer service.
As a result, Europe has seen rapid growth in the market of data center services, either in the form of data centers as a service (DCaaS) or Infrastructure as a service (IaaS). Frankfurt, London, Amsterdam and Paris are the most popular locations for data centers within Europe primarily due to their proximity to large financial markets. These locations also offer well developed infrastructure and direct access to leading internet exchanges, such as DE-CIX in Frankfurt, AMS-IX in Amsterdam, LINX in London and France-IX in Paris.
Build, outsource or buy?
When establishing a data center, there are three main strategies to choose from:
- Build your own data center
- Outsource to a traditional data center or cloud provider
- Buy an existing data center
The choice of strategy depends on the needs and competencies of your business. For example, a larger company might have the critical mass and IT know-how to operate its own data center economically, while a smaller business might be better off outsourcing. A company which is growing quickly may prefer the flexibility and scalability of a cloud-based solution. Certain companies, which hold very sensitive data on their customers, might prefer to operate a data center in-house so that they can directly control the location and processing of that data. Whatever strategy you choose, each has its own legal challenges, which you will need to address. These are examined in detail below.
Building a data center
When thinking about building a data center, there are numerous considerations regarding location. Depending on the size and complexity of your business, you may consider leveraging space in existing premises to manage cost or reduce the complexity of introducing another property. There are many factors to consider when exploring your options, including cost, complexity, connectivity, power, jurisdiction, zoning, availability of talent, accessibility, stability, taxation, and outside risks or influences (for instance, risk of civil unrest, natural disaster).
If your business is located close to your data center, there may be opportunities to reduce some expenses such as connectivity, but you may find yourself paying a premium for space and utilities. On the other hand, locating your data center in a more remote location, you could save on these areas but increase your telecommunication or travel expenses. This can be a difficult decision with long¬term impacts. Enlisting assistance to help with your assessment may prove beneficial, in particular when considering the potential zoning, tax, jurisdictional, and other legal implications.
Purchase and lease of equipment
Once you have decided where to locate your new data center, it is time to consider its build. Delivering a well-designed data center capability can be expensive and complex, involving numerous technologies to deliver robust security, flexible racking, redundant power (ups, generators), cooling and connectivity. When making the decision to purchase or lease the infrastructure required you should consider potential tax implications, potential changes to your requirements over time (due to evolving business needs or regulatory requirements) and the financial implications of each option. You may discover that aspects of your infrastructure are better aligned with one approach over another.
Security and privacy
The physical security of your data center is as important as the security of your systems. It is vital to clearly understand your legal and regulatory requirements, ensuring that you deliver capabilities to meet or exceed these requirements. Where appropriate, contractual agreements with third parties – such as maintenance providers or data center staff – should include appropriate clauses to address your responsibilities. The physical design of your space may also be influenced by these requirements, such as segmentation between areas within the data center, or the introduction of security systems and/or processes.
When staffing your new data center you should consider a combination of internal staff and third party support. You will need to complete the appropriate background checks, put non-disclosure agreements in place, and ensure that everyone is operating under a set of policies clearly defining acceptable use. It’s essential to ensure careful alignment of employment practices alongside local laws and the regulatory requirements specific to your business. When considering third party support, risk assessments should be completed and agreements should ensure adequate legal coverage that clearly define service levels, liability and other applicable legal considerations. These individuals may have access to some of your most sensitive digital assets and should be treated accordingly.
Outsourcing to a traditional data center or cloud provider
When a business is considering outsourcing custodianship over its data and systems, it is important to understand explicitly what access the provider will have to the information. In many outsourcing relationships, the provider may have no direct access to your systems and data. In other situations, the provider may be more directly responsible for the management of your systems, with access to the underlying information. In either case, it is important that you contractually reinforce your ownership and rights over your business data. Some cloud providers have established business models based on the monetization of information, so you need to ensure that no extended rights have been inadvertently granted to the provider for any other purposes.
Service level agreements
Depending on the outsourced provider, you may be in a position to negotiate service levels to meet your specific requirements, which typically comes at an increased expense. With other providers, service level agreements may not be negotiable as they are core to a provider’s business model and shared by the entire customer base. With many providers, service levels are dependent on your understanding of the platform’s technical capabilities and whether you have designed your systems to deliver highly resilient services. In essence, if you do not setup your systems correctly according to the requirements, you void your warranty!
It is a common misconception that when a business outsources its datacenter to a “cloud” provider, its actual location is ambiguous. Not unlike a traditional data center provider, most cloud providers are able to explicitly detail where your information will be stored, or provide you with that direct control. When selecting a provider make sure to clearly understand how your systems and data are stored and what control you retain. When appropriate, you should also ensure that contractual restrictions are in place to ensure future changes on the provider’s platforms do not negatively influence your business. Be careful to examine not only how production systems are stored, but also backup systems, including backed up data. These are commonly stored in separate physical locations, potentially in other countries.
Data protection and privacy
Regardless of the nature of your outsourcing arrangement, data protection and privacy is a shared responsibility between your business and the provider. By leveraging an outsourced provider, there is an opportunity to increase your security by leveraging capabilities the provider can deliver, but this will never absolve you from your responsibilities. Again, this is dependent on clearly understanding a provider’s capability and designing your systems to take advantage of these. For instance, most providers today will encrypt your data while stored on their systems. However they could provide you the extended capability to encrypt your data using your own “keys”. This extended capability could be the difference between meeting some regulatory requirements or not. You must ensure that perspective provider’s capabilities align with your unique business requirements and that you take advantage of them.
In terms of data privacy, again, clearly understanding the nature of the relationship with a provider, and their access to your systems and data, is important to also understanding how your obligations extend to them. In terms of regulations such as GDPR, this understanding is critical. For instance, if your provider has access to your systems and the underlying data, they may be considered a data “processor”. If they have no access, this may absolve them from these regulatory responsibilities. Any contractual agreements should factor in specific legal requirements related to data protection and privacy regulations.
Liability for service failures or security breaches
Service failures – worse yet – security breaches, are almost inevitable. Good planning and carefully selecting a provider who aligns with your requirements will reduce this risk and even mitigate the potential impact, but not eliminate it altogether. While negotiating with perspective providers, always ensure that you clearly define and understand limits of liability. You should obtain proof of insurance and update it regularly. With this understanding, you should also review your own business insurance to ensure adequate coverage.
Data portability and handover protocols
As with any business relationship, you should always have an exit strategy. This is no different with outsourced data centers or cloud providers. Your provider may be in possession of some of your most sensitive data, so you should ensure that you have contractually protected yourself in the event that the relationship breaks down, or you simply make the decision to move. Consider potential financial obligations, time commitments and processes as these relate to transitioning your systems and data. Having these more difficult discussions up front, while the relationship is being established, and ensuring that they are documented contractually, can help to prevent a potentially sensitive situation in the future.
Buying a data center – M&A considerations
Asset or share deal
There are basically two ways of structuring a transaction: an asset deal or a share deal. In an asset deal, the purchaser acquires certain assets of a seller and assumes certain liabilities. In a share deal, the purchaser acquires a business via its shares or interests, comprising all its assets, liabilities, rights and obligations. While the choice of structure depends on the circumstances of the transaction, the decision is often driven by tax implications, complexity and the desire to avoid the assumption of certain liabilities. Data center transactions are typically structured as asset deals.
Preliminary agreements – such as non-disclosure agreements, letters of intent, memoranda of understanding, and term sheets – are entered into at an early stage in order to protect confidentiality and set out the key terms and timelines of the contemplated transaction. In addition, the purchaser may seek exclusivity for a certain period of time.
To get a better understanding of the target business and identify any potential risks, a prudent purchaser will conduct due diligence, focusing on legal, financial, tax, environmental and commercial areas. In data center acquisitions, the focus of the legal due diligence will be on real estate, in particular compliance with public building law. It will also focus on contractual issues resulting from the target’s relationships with its customers, suppliers and other business associates, as well as corporate, tax and financing issues. Due diligence should also examine compliance with data protection and security requirements.
Definitive sale and purchase agreement
Once the parties have agreed on the legal and commercial terms of the transaction, they will enter into the definitive sale and purchase agreement. This contains such provisions as representations and warranties, indemnities, covenants and other obligations of the parties in connection with the sale. In some cases, the sale and purchase agreement may contain conditions, which must be fulfilled in order to close the transaction, such as governmental approvals (e.g. merger clearance), third party approvals (e.g. regarding the transfer of the contractual relationships), or waivers of change of control termination rights.
The legal remedy in case of a breach of the guarantees is damages. These are usually capped with a lower cap for the breach of operative guarantees (e.g. contracts, employees, assets) and a higher cap, typically amounting to the purchase price, for the breach of fundamental guarantees, (e.g. title to the assets or shares).
Tax structuring is a key consideration in an acquisition and a tax-efficient structure should be sought at the outset of the transaction. The transfer of real estate triggers real estate transfer tax. Share deals and asset deals are usually VAT-exempt, as long as the latter relates to the sale of an entire business or a business unit, which is considered a going concern. Tax risks associated with the target and its business operations acquired are typically governed by the sale and purchase agreement in the form of specific indemnities and guarantees. In an asset deal, a prudent purchaser will exclude any types of tax liability attaching to the assets or the business from transferring and will seek indemnity from and against any tax liabilities.
Establishing a high quality data center – whether internally or outsourced – is a major investment and undertaking on behalf of your company. If done right, it can bring significant cost and efficiency benefits to your company, while ensuring consistent, stable and reliable service to your customers. On the other hand, if such a project goes wrong, it can be extremely expensive to your business and disruptive to your customers.
A successful data center project requires close collaboration between your IT, legal and risk management departments, as well as active input from your line departments as internal customers. There are multiple, IT, legal and risk management considerations which you need to take into account, and therefore we strongly recommend seeking legal and tax advice early on, and throughout the project.