With the continuing focus on digitisation accelerated by Covid lockdowns and rising demand for sustainability and green goals, there is an increase in activity relating to data centres for operators and investors as well as policymakers and regulators.  In order to attract investment in data centres in India with a vision "to make India a global data centre hub", the new Government policies intend to provide various incentives and exemptions to promote data centre industry growth.  In the recent past, several multinational and domestic companies have set up data centres in India.  In the 2022 budget speech, the Finance Minister announced that data centres will be considered as "infrastructure" to facilitate credit availability.  In addition to this classification, two other policy initiatives announced in the budget speech which are expected to incentivize data centre investments are the 5G spectrum auction and the widening footprint of optical fibre.

Current Regulatory Framework

India permits 100% foreign investment in data centres, subject only to the condition that investments by an entity of a country which shares land border with India (each such country, a "Restricted Country") or where the beneficial owner of an investment into India is situated in or is a citizen of any such Restricted Country will require prior Government approval.

In November 2020, the Department of Telecommunications ("DoT") issued the New Guidelines for Other Service Providers (OSPs) ("New OSP Guidelines") which specifies that no registration certificate will be required for OSP centres in India. Pursuant to the New OSP Guidelines, "Other Service Provider" has been defined as "...an Indian company, registered under the Indian Companies Act, 2013 or an LLP (Limited Liability Partnership) registered under LLP Act, 2008 or a partnership firm or an organization registered under Shops and Establishment Act or a Legal Person providing voice based Business Process Outsourcing (BPO) services" (emphasis added).  Accordingly, the scope of the New OSP Guidelines do not appear to extend to companies engaged in data-related services. Prior to the issue of the New OSP Guidelines, companies providing data centre services obtained registration as an Other Service Provider from the Telecom Enforcement, Resource and Monitoring Cell of the DoT. 

In November 2020, the Ministry of Electronics & Information Technology also issued a Draft Data Centre Policy 2020 applicable to data centre park developers, data centre operators as well as the allied ecosystem of the data centre sector and took feedback from all stakeholders. The detailed scheme specifying implementation guidelines and incentives (fiscal and non-fiscal) is yet to be published. The Draft Data Centre Policy proposes a policy framework for various structural and regulatory interventions, investment promotion in the sector, possible incentivization mechanisms along with an institutional governance mechanism, such as publishing a list of approvals required for operationalization of data centres along with defined timelines and granting a single window clearance in a time bound manner by State Governments and Union Territories for setting up data centres/data centre parks. The Draft Data Centre Policy also contemplates setting up of at least four Data Centre Economic Zones in India under a central scheme as well as demarcation of specific zones by the States for setting up data centre parks, which will provide inter-alia pre-provisioned land, power availability at low rates and pre-approved clearances. Further, the Draft Data Centre Policy provides that it seeks to encourage joint ventures between foreign investors and domestic companies in the development of data centres.

While certain states such as Karnataka are finalizing their state-specific data centre policy, other states such as Maharashtra, Telangana, Tamil Nadu and Uttar Pradesh have adopted their respective state data centre policies which seek to provide various concessions and incentives to operators, including real estate support and faster clearances. Maharashtra's policy 2016 provides certain fiscal incentives (such as stamp duty exemption, electricity duty exemption, VAT refund and property tax benefits) for data centres fulfilling certain eligibility criteria. Telangana's Data Centres Policy 2016 provides fiscal incentives (such as power incentives, building fee rebates and land at subsidized costs) as well as non-fiscal incentives (such as exemption from the purview of the Telangana Pollution Control Act (unless otherwise specified), exemption from statutory power cuts, exemption from inspection under specified labor legislations and permissions to file self-certificates). The Tamil Nadu Data Centre Policy 2021 offers a single window facilitation portal to ensure time-bound processing of applications and coordination with various agencies and departments to get clearances from them, provides incentives (such as electricity tax subsidies on power, concessional open access charges and cross subsidies, dual power and stamp duty concessions) and permits self-certificates in relation to compliance with maintenance of statutory registers and forms under applicable labor legislations. The Uttar Pradesh Data Centre Policy 2021 provides for various incentives to data centre park developers as well as data centre units, such as interest/capital subsidy, land subsidy, stamp duty exemptions and dual power grid network, as well exemption from inspection under specified labor legislations and permissions to file self-certificates.

Due Diligence Considerations

Set out below are certain relevant considerations in a legal due diligence exercise involving acquisitions of, or investments in, data centres:

Material Contracts

In order to maintain the customer base, agreements with customers need to be reviewed to ascertain the remaining term of the agreement, consent requirements for the proposed transaction as well as termination rights of the customers and any associated termination charges. Where a significant number of the customer contracts are due to expire soon after the proposed transaction or the proposed transaction requires consent from a material customer, the acquirer/investor could consider including renewal of such material customer contracts and obtaining such third party consents as a condition to closing in the transaction documents. In addition, the extent of any financial liabilities of the data service provider under the customer contracts as well as the circumstances under which such liability may arise should be reviewed as a part of the legal due diligence exercise. 

Similarly, contracts with the third party service providers (such as agreements with internet service providers, connectivity providers and security providers as well as management and maintenance agreements and power supply agreements which ensure continuous access to power) should be reviewed for their tenure, consent requirements, termination rights and liabilities of the parties to understand the potential risks involved in the business.

Real Estate

The property agreements should be reviewed for the type of property, i.e., freehold versus leasehold. In case of freehold property, independent local counsel opinions should be considered for purposes of title verification. In case of leasehold property, the term of the agreement, renewal options, rent escalation and termination rights of the parties need special attention. Further, the agreements should be reviewed for any consent requirements in case of any change of control or management of the data centre provider.

Permits and Approvals

Data centres in India require a number of permits and approvals from the central and state governments for its operationalization. Such permits and approvals should be reviewed for its validity and consent requirements. Further, as a part of the legal due diligence exercise, the data centre provider could be requested to confirm compliance with the terms of such permits and approvals.  

Compliance with Applicable Data Protection Laws

In India, under the [Indian] Information Technology Act, 2000 and the [Indian] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, each as amended, in the event that any body corporate possessing, dealing, or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such person will be liable to pay compensation to the person so affected. A body corporate shall be considered to have complied with reasonable security practices and procedures if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.  In this regard, past breaches or any ongoing investigation or litigation involving non-compliance with applicable data protection laws should be reviewed to identify any associated risks. In addition, a separate technical due diligence may be useful to ascertain if the data service provider has adopted "reasonable security practices and procedures".

Environment, Health and Safety (EHS)

While the validity of EHS permits and any past or ongoing investigations or litigations involving non-compliances in relation to environment, health and safety laws can be identified during legal due diligence, separate EHS audits by external agencies could be considered to identify potential operational risks and to recommend remedial measures.

Employees and Employee Benefits

Employment due diligence must involve a review of the employment contracts and employment policies of the data service provider to ascertain the annual cost to company, employer-employee obligations (including confidentiality obligations) and other terms of employment.

Additionally, any implications of the proposed transaction pursuant to applicable Indian labor legislations, including the [Indian] Industrial Disputes Act, 1947, as amended, should be considered. Further, companies in India are liable to pay social security contributions under the [Indian] Employees' Provident Funds and Miscellaneous Provisions Act, 1952 and the [Indian] Employees' State Insurance Act, 1948, each as amended. The data centre provider could be requested to confirm if it provides any other benefits to its employees so that all accrued amounts (including in respect of accrued but unused leave) payable to the employees until the date of transfer are paid prior to closing.

Conclusion

The Report of the Joint Committee on the Personal Data Protection Bill, 2019 dated December 2021 recommended that India must gradually move towards data localization and the Government should ensure that a mirror copy of all sensitive and critical personal data already stored abroad be mandatorily brought to India and as such, the Government should prepare a data localization policy which covers aspects like development of adequate infrastructure for safe storage.  Given the focus on data localization, there appears to be significant potential for growth for the data centres industry. In this background, the Government's move to grant 'infrastructure' status to data centres and introduce a national data centre policy are welcome measures which will promote investments in data centres in India. 

This insight/article is intended only as a general discussion of issues and is not intended for any solicitation of work. It should not be regarded as legal advice and no legal or business decision should be based on its content.