Digitalization was one of the decisive factors in accelerating the transformation of multiple infrastructures such as telecommunication and banking & finance. To accommodate this move towards digitalization, many large data center investments have been implemented in the last few years despite the limited regulations available specifically on data centers; general electronic system organizers (“ESP”) regulations and data protection regulations were heavily relied upon.
Although a data center is essentially a real estate asset, the legal implications of developing or investing in data centers extend far beyond a traditional real estate transaction. In addition to often complex property issues, these projects will also require careful consideration of aspects such as, among others, information technology, power supply, regulatory licensing, financing, contracting, and data security.
Irrespective of the nature of the data center (carrier neutral or non-carrier neutral) or the type of investment and the counterparties to the project, a general legal checklist for data center review is expected to cover at least the following key topics:
- Title over the Premises
Given the significant investments this asset class requires, a data center will likely require a long-term land and building title over the premises.
Thus, the most common method would be obtaining a Right to Build title (Hak Guna Bangunan) that has a validity period of 80 (eighty) years in total, divided into: (i) a 30 (thirty)-year maximum for the initial period, (ii) an extension of a 20-year maximum, and (iii) a renewal of a 30-year maximum (after the expiry of the extension period),[1] or at least a long-term lease agreement under a Right to Lease (Hak Sewa) with an option for the lessee to extend the term of the lease pursuant to the validity period of the land owned.[2] Holding real title over the premises will be decisive for obtaining construction permits, while lease or concession structures will prompt discussions on the ultimate benefit over the investments made in the data center. Often, investors will also require an overview of the neighboring properties to evaluate the feasibility of possible extensions.
- Material Contracts
Considering that there are limited regulations specifically on data centers, companies that operate a data center or customers of data centers would heavily rely on their agreement to manage the relationship to secure their respective rights and/or obligations. Considering the fit-out costs incurred by a customer in establishing its presence in a data center, the risk of early termination of a service agreement should be within reasonable limits. Nevertheless, a large customer will likely be interested in retaining such an early termination right if it decides to develop its own storage facility or if there is an increased need for capacity that the initial provider cannot service. Likewise, continued and flawless servicing will be critical for customers interested in negotiating strict clauses on the minimum service level, such as security standards (i.e., obtainment of certifications such as SNI 8799-1:2019),[3] throughout the agreement.
- Data Protection and Security
The biggest issue or obstacle for customers and/or investors in diving into the business of data centers is the reliability of the data center’s security. To set a high-security standard, data centers would opt to form partnerships and/or use the services of third parties such as personal data processors or other PSEs. Thus, customers and, when the time comes, investors will seek certainty over the terms of the third-party connectivity agreements to ensure that the data centers are reliable and can provide long-term, uninterrupted connections to their systems.
Under prevailing Indonesian regulations, data centers are defined as facilities used to install electronic systems and their related components for the purposes of data placement, storage, and processing.[4] However, in addition to this, data centers would also fall within the definition scope of ‘ESP’, ‘Personal Data Controller’, and/or ‘Personal Data Processor’. Thus, it is imperative for the operations and management of the data centers to be compliant with, among others, Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”) and Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (“GR 71/2019”). Under such regulations, ESP data centers for public services used in personal data protection must be placed in the territory of Indonesia.[5] However, in the event that the retention technology is not available domestically, ESP in the public sector may store its electronic systems outside of Indonesia.[6] In contrast, ESP in the private sector may store its electronic systems outside of Indonesia but must ensure the effectiveness of supervision by the relevant Ministry/regulatory bodies and ensure access to the Indonesian authority for such supervision and law enforcement.[7]
Additionally, being high-value digital assets, data centers are prone to the risk of cyberattacks. This makes cybersecurity a key aspect to be considered in any development or investment into data centers. Just as when taking over traditional financial debt and liabilities, an investor in data centers will inherit all the cyber vulnerabilities of the respective business. Hence, an acquirer must be wary not only of failing to obtain the full value of what it seeks, but also of belatedly discovering the target to be burdened by cybersecurity shortcomings that create risks for the buyer. Such vulnerabilities may translate not only into increased costs to strengthen the security systems, but also into potential liabilities towards customers who may find their confidential or personal data at risk. Under the PDP Law, administrative sanctions and criminal provisions provide consequences for such cyberattacks. For example, where a person intentionally and unlawfully obtains or collects personal data that does not belong to them, to benefit themselves or other persons, in a way that may result in loss to the personal data subject, the offender shall be sentenced to a maximum imprisonment of 5 (five) years and/or a maximum fine of IDR5,000,000,000 (five billion Rupiah).[8] Further, noncompliance with some PDP Law provisions may result in a written reprimand, temporary suspension of personal data processing activities, erasure or removal of personal data, and/or administrative fines.[9]
Lastly, a thorough due diligence review of connectivity would not be complete without verifying the data centers’ energy supply. Uninterrupted supply is of utmost importance for these businesses, and interruptions may have a direct financial impact on their customer agreements. Data centers have been increasingly interested in reducing their dependency on third-party suppliers and developing their own energy sources as back-up, parallel or even exclusive solutions. The recent surge in energy costs and the data centers’ own commitments to sustainability have acted as catalysts in this direction. In the event due diligence is required, the scope will likely cover the review of power purchase agreements, regulatory licensing for their own renewable energy facilities, and connectivity to the grid.
Conclusion
As the world continues on its path toward ever-more digitalization, data centers will continue to be an attractive investment for infrastructure funds and strategic players. Planning to develop or invest in data centers may present a complex range of legal challenges requiring a holistic approach to both due diligence and transaction structuring.
For further information on these issues, please contact Ricky Firman or Shanaya Zakir, or visit us at www.budidjaja.law.
[1] Article 35 of Law No. 5 of 1960 on Basic Agrarian Principles (“Agrarian Law”).
[2] Article 44 of Agrarian Law.
[3] Page 100 of Appendix of Regulation of the National Standardization Agency No. 6 of 2021 on Conformity Assessment Scheme Against Indonesian National Standards for the Electrotechnical, Telecommunications and Optical Products Sector, as lastly amended by Regulation of the National Standardization Agency No. 5 of 2022.
[4] Article 17 Paragraph (2) of Regulation of the Minister of Communications and Information No. 20 of 2016 on Personal Data Protection in Electronic Systems (“MOCI 20/2016”).
[5] Article 17 of
[6] Article 20 of GR 71/2019.
[7] Article 21 of GR 71/2019.
[8] Article 67 of the PDP Law.
[9] Article 57 of the PDP Law.