Data centres are mission-critical buildings and all stages of their lives are marked by careful assessment and prevention (or reduction) of risk. Therefore, any decision at the stages of siting, design and construction will be underpinned by suitable legal advice. This article looks briefly at some of the key legal issues including those concerning:
- Procuring a project
- Local land use, titles and conditions
- Energy consumption and efficiency
- Data transfer and sovereignty
- Attention to the particular legal requirements of different types of company data
How will the project be procured? The contractual framework has changed as client companies develop greater in-house expertise and as some look for greater flexibility and a more genuine ‘partnership’ than is usually the case with the more established design – bid – build model. This latter model allows the customer to maintain control over the project while the separation of responsibilities between suppliers creates a degree of validation and quality control through the process. This means of procurement puts the onus on the client to manage the process and, historically, this process within the construction industry has been fraught with contractual and budget variation as issues are passed from one stage to the next. While the rationalisation of the supply side into a single provider may reduce the prospect of revisions, it also reduces the opportunity to add different perspectives through the process. Taken a step further, procuring from a data centre developer will externalise the construction process. The legal implications of these different approaches need to be considered along with the needs and the project management capabilities of the commissioning organisation.
Titles and Conditions
Legal considerations at the planning stage for a data centre will impact through its life. For example, if the objective is to offer a Tier IV data centre, then there needs to be some formal and binding agreement with local utilities for sufficient power to enable dual supply. While commercial property codes are long established in law, they will need to be considered carefully in light of the purpose of the data centre. A data centre that provides cloud or other services digitally is very different to a colocation facility where customers may need to access their IT within the facility. Permitted usage will depend upon the owner of the land; the form of title; whether the project is a new build or the re-purposing of an existing building; the nature of the lease, license or management agreement; the specific provisions for space use and fit out (including ‘grey’ space), and for services into the site (power etc.).
One case that illustrates this is that of the Tseung Kwan O Industrial Estate run by Hong Kong Science and Technology Parks by way of Government lease. This prohibits subletting, parting with possession and sharing occupation, causing potential difficulties for any co-location facility operating there. This provision goes back before the data centre era to the status of the site as ‘common land’ held by the Government on behalf of Hong Kong citizens and therefore not to be sublet for profit. There are a dozen multi-tenant data centres on the site and whether they are breaking that prohibition has been debated for most of the decade and seems to centre on the definition of whether these data centres are providing services rather than subletting space or equipment. There is, however, a further issue of access that the colocation provider may not give over the control of access to any third party, even if that third party may have purchased a dedicated cage or suite to prevent access. This is not a situation unique to this one particular site as there are local legal idiosyncrasies in other cities where data centres are located, but it does illustrate that ambiguity in legal status can run counter to the certainty that a data centre requires.
Energy Consumption and Efficiency
There is some need for clarity about the extent to which data centres will be legislated into efforts to reduce energy consumption and carbon footprint. As buildings that use considerably more energy than commercial office space, data centres may fall under legislation designed to reduce energy consumption, or specific steps may need to be taken in design and operation to avoid penalties for what is judged to be ‘excessive’ energy consumption. Headlines such as data centres consuming 1/5th of the world’s power by 2025 or all of it by 2040 indicate why data centres are in the frame. The context of ambitious climate change pledges made by the EU and across most other developed markets is likely to put pressure on governments to impose mandatory regulations in terms of energy efficiency and the reduction of carbon emissions.
As part of this, legislation to control data centre energy consumption has been debated in most markets where data centres are located. This has raised a number of issues – should a large energy-efficient data centre be penalised over a smaller and less efficient one? Is the driver reduced consumption or greater efficiency (or both)? If an enterprise wants to reduce footprint can it close its in-house facilities and pass the footprint to a colocation provider? What should be the balance between incentive and penalty, education and legislation, voluntary and compulsory? Legal advice in these situations is likely to take the form of scenario planning.
Data Sanctity and Sovereignty
The legal considerations concerning data when selecting the location for a data centre have become more complex as they have become networked, often across national borders. The growing use of cloud services and virtual environments means that the concept of linking data to a single physical location may be difficult. Safe Harbor was a legal framework that was agreed initially between the EU and US Government as far back as 2000 to establish principles whereby companies might transfer data on EU citizens from the EU to the US while complying with EU Data Protection legislation. It was overturned by the European Court of Justice in October 2015 based on the challenge of an Austrian campaigner who challenged the sanctity of his own data on Facebook and stored within the EU. One of the key learnings from the demise of Safe Harbor was that legislation is ineffective if it cannot keep up with the technologies that store, process and transfer data.
As more countries introduce data sovereignty, legal issues may be as much about where the data is coming from and going to as where the environments that house it are located. The Safe Harbor ruling demonstrated that the area of data sovereignty is one liable to sudden and profound change. This makes data treatment a legal priority – non-compliance with the EU’s General Data Protection Regulation (GDPR) can lead to fines of up to 20 million euro (around USD 24 million) or 4% of global annual turnover. The often-discussed idea that the EU’s GDPR will emerge as a default global standard for data sanctity is a response to a situation where different standards will affect the flow of data around the world.
The enterprise data centre will be designed to meet its compliance and customer delivery requirements. Service data centres targeting particular sectors will also be mindful of these requirements. For financial institutions in the wake of the Global Financial Crisis, standards of accountability, reporting, solvency and risk management have created new requirements for electronic data storage, security and analysis. Other sectors where personal information is created and stored – healthcare, social services, retail transactions – require facilities and systems within them that can maintain data sanctity in line with legal responsibilities and customer expectation. As the architects of data sovereignty, Governments will themselves need to ensure that they are sensitive to data protection – in one recent example of this, the Australian Department of Defence announced that it would move its data back in-house out of a service data centre which became 49% owned by a Chinese consortium at the end of 2016.
Disclaimer: The information contained herein is of a general nature and no one should act on such information without appropriate professional advice after a thorough examination of the particular situation. Neither Enterprise Ireland nor DCD nor any person acting on behalf of either is responsible for the use which might be made of the information here.
Learn about the top five trends affecting the future data centre design and construction in our FREE white paper below.