Articles | |

We have the technology: software and data transactions under the National Security and Investment Bill


As we reported in December, the UK Government has recently published the National Security and Investment Bill ("the NSI Bill") – draft legislation designed to strengthen its powers to scrutinise transactions on grounds of national security.

The NSI Bill will broaden the range of investments which can be reviewed by the UK government, and introduce a statutory requirement for parties to notify transactions in the most sensitive areas of the economy.  Alongside a mandatory notification requirement, the government will also have a more extensive "call-in" power to enable it to assess deals which may give rise to national security risks.  

The NSI Bill is being introduced because the government considers that its existing national security review powers (set out in the Enterprise Act 2002) are no longer fit for purpose. In particular, despite having been expanded in the last two years (see our briefings of 29 June 2020 and 1 July 2018), the Enterprise Act powers still limit the number of sectors and the types of deals which the government can scrutinise on national security grounds.

The government has referred to "sweeping" technological changes in the years since the introduction of the Enterprise Act which justify the proposed new legislation, and those concerns about technology are threaded very clearly through both the NSI Bill and the proposed list of mandatory sectors.

In this briefing we take a closer look at which types of transactions could potentially fall within the scope of the NSI Bill, focusing particularly on the software and data space.

Intellectual property and other intangible assets which fall within the scope of the regime: voluntary notification

A notable aspect of the proposed new regime will be the government's ability to call-in acquisitions of control over assets, as well as entities (i.e. businesses).

At the moment, the NSI Bill does not envisage asset acquisitions as requiring a mandatory notification (even where the asset falls within the scope of the specified mandatory sectors).  Therefore as things stand, when the NSI Bill is passed, the principal question for parties in an asset-related transaction (and other types of acquisitions outside of the mandatory sectors) will be whether their deal merits an up-front voluntary notification to the government, to avoid the government calling-in the deal itself at a later stage. 

In this respect, it will be important for businesses in the tech sector to be aware of the following points:

  • Assets within the scope of the regime will include any "idea, information, or technique with industrial, commercial or other economic value".  Examples include: trade secrets; databases; source code; algorithms; formulae; designs; plans; drawings; specifications and software. 
  • The notion of "control" over an asset includes an acquisition of a right or interest in that asset, enabling the acquirer to: use the asset, or use it to a greater extent than prior to the acquisition; or to direct or control how the asset is used, or to direct or control how it is used to a greater extent than prior to the acquisition. This means that granting a licence of intellectual property rights in, say, software, in particular where that licence is granted on an exclusive basis, could fall within scope, and require consideration of whether a voluntary notification should be made. 
  • Overseas assets. The NSI Bill provides that acquisitions of relevant assets outside of the UK could still be reviewed if they are used "in connection with": activities carried on in the United Kingdom; or the supply of goods or services to persons in the United Kingdom.

By way of example of how this aspect of the NSI Bill might operate, during the Parliamentary debates, Nadhim Zahawi (the then Under-Secretary of State for BEIS) stated that "sales of software products to consumers by a software company would not be caught by the regime, but—this is important—it would not prevent a transaction involving the software company selling the underlying code base supporting that software to a buyer acting in a professional capacity from the possibility of call-in under the regime, where that might give rise to a national security risk."

In our view, the relevant provisions of the NSI Bill could capture a far wider range of asset acquisitions, including for example acquisitions of certain types of licences or transfer of relevant software or data, even where the software or data itself is situated outside the UK.

Mandatory notification: sectors relating to software and data

The aspect of the NSI Bill which has received the greatest level of publicity is the introduction of a requirement to make a mandatory notification where an acquisition of control over an entity (i.e. not an asset) relates to a specified sector. In broad terms, an acquisition of "control" may occur in the case of acquisitions of 15% or more of the shareholding or votes in the relevant entity.

Where a mandatory notification is required, the parties will not be able to close the transaction without having received approval from the government, and onerous penalties will be applicable for a failure to make a notification.

It is currently proposed that there will be 17 mandatory sectors, and the government is in the process of consulting on the extent of the mandatory regime and the definitions of the relevant sectors. 

From the perspective of software, telecoms and data-focused companies, as the definitions of the mandatory sectors are currently drafted, identifying in practice whether an acquisition falls into one of those sectors and therefore requires a mandatory notification could potentially be challenging in some instances. Acquisitions involving such companies could fall into any number of the defined sectors, which include: Advanced Robotics; Artificial Intelligence; Communications; Computing Hardware; Critical Suppliers to Government; Critical Suppliers to the Emergency Services; Cryptographic Authentication; Data Infrastructure; Defence; Energy; Military and Dual Use; Quantum Technologies; Satellite and Space Technologies. The difficulty is that companies which develop or supply software, or provide telecoms services or equipment, or operate in the data space, could carry out these activities in a material way in relation to any one of these sectors, such is the prevalence and reliance by almost all businesses and organisations, on software, telecoms and data. For example, an IT supplier which supplies critical IT and support services to a NHS ambulance trust could well fall within the sector which covers critical supplies to the emergency services.

In some areas, the connection to software or data may be quite obscure.  For example, while the Advanced Materials sector mainly focuses on the research, development or production of advanced materials, it also includes software / data which is used to support such activities.  Similarly, the Military and Dual-Use Goods sector covers (as well as the goods themselves) the "holding of information" in relation to such goods, including software. 

For the most part, however, the mandatory sectors are likely to have a clear, but wide-ranging and somewhat uncertain impact on software and data companies.  We have considered some of these sectors in greater detail below.

Advanced Robotics and Artificial Intelligence

The following two proposed mandatory sectors relate to artificial intelligence.

Advanced Robotics

Activities in the United Kingdom which consist in or include developing or producing advanced robotics (or underpinning components or capabilities) that use artificial intelligence to perform a complex task.

Artificial Intelligence

Activities in the United Kingdom which include developing or producing goods, software or information that use artificial intelligence to perform a complex task.

The definitions for "artificial intelligence" and "complex task" are:

  • Artificial intelligence.  Technology designed to approximate cognitive abilities including reasoning, perception, communication, learning, planning, problem solving, abstract thinking or decision making.
  • Complex task. Image recognition, object identification, natural language understanding, statistical prediction based on uncertain or incomplete information.

Artificial intelligence has in recent years become an established feature of the corporate landscape.  Some research indicates that as many as half of all businesses have now embedded AI in at least one of their business functions, and the use of AI by businesses can be expected to become almost commonplace in the near future. 

The rapid uptake of AI by businesses has been reflected in the growth of companies involved in the development and production of AI as well.  Based on the above defined sectors, acquisitions of such companies are, in our view, likely to fall within the scope of the NSI Bill and require mandatory notification once the NSI Bill is passed.   

Indeed, this appears to be the government's intention.  In relation to Advanced Robotics, for example, by the government's own admission the definition would capture domestic applications such as robot vacuum cleaners as well as more obviously sensitive applications.  Similarly, in the area of Artificial Intelligence, the government appears to accept that AI has multiple uses, is used across a wide range of sectors, and therefore could well result in a very large number of mandatory notifications. 

Balanced against this, the government believes that while there may be many notifications of acquisitions of AI businesses, only a minority of those cases would raise national security issues and therefore require closer review.

Data Infrastructure

The acquisition of a very wide range of businesses in the Data Infrastructure space will require a mandatory notification, apparently by design.

The Data Infrastructure sector will capture acquisitions involving an entity that carries out any of the following:

  • Owns or operates relevant data infrastructure or manages relevant data infrastructure on behalf of other entities.
  • Owns the site on or building in which relevant data infrastructure is located.
  • Through the provision of specialist or technical services to the above entities in, could access relevant data on relevant data infrastructure.
  • Provides services which give it privileged access to virtualised relevant data infrastructure, or produces or develops software designed for use in those services.
  • “Relevant data infrastructure” means physical or virtualised infrastructure which: hosts, stores, manages or processes or controls or transfers relevant data; or is used by public communications providers for peering; or connects any major international cabling routes; or employs software defined networking or network functions virtualisation.
  • “Relevant Data” means data used for the operation of essential services or business continuity of any entity that falls under the remainder of the mandatory notification regime (i.e. the other 17 mandatory sectors)
  • “Privileged access” means physical, logical and/or administrative access, where such access would otherwise be restricted or compartmented without such privileged access.

The intention behind the current proposed definition is to capture access to data where that arises through ownership, management or control of key data infrastructure, or by the provision of certain technical services. The government has specifically stated that national security risks can arise where an entity has access to infrastructure used to store large volumes of sensitive data and/or to facilitate connectivity. 

The government's main intention in relation to this part of the consultation seems to be to test whether the proposed definition is wide enough.  For example, the government requests input on:

  • whether it has appropriately covered relevant operating models, technical services, and virtualised services;
  • whether it has accurately covered the various operating and ownership models within the data infrastructure sector;
  • how data infrastructure owners / operators manage technical services within their facilities, and the extent to which these are provided by in-house staff or on an outsourced basis;
  • how many businesses provide various kinds of service to data centres and how important those services are;
  • how companies currently take measures to manage the national security risks to relevant data and relevant data infrastructure (e.g. site access, third party service provision, third party virtualised service providers).

There will be many businesses active in the data and software space, including an entire network of secondary suppliers into that space, whose activities may fall within the scope of this sector, and in light of the tone of this part of the government's consultation, we expect that acquisitions of businesses that work with providers in the data infrastructure space are likely to fall within scope and require mandatory notification under the NSI Bill.

What happens next?

Whether an acquisition requires a mandatory notification is a different question to whether the government will ultimately consider the deal to raise national security issues. 

In many cases, it is clearly the government's belief that acquisitions in the mandatory sectors that involve software and data companies do need to be reviewed, but are unlikely to have an adverse impact on national security. 

The scope of the mandatory sectors has received considerable criticism from some quarters, and no doubt the government will have received many responses to its consultation, which ended on 6 January 2021. The results of that consultation, which focussed in part on the definitions of the sectors, is expected in the coming weeks. However, regardless of the scope of the mandatory sectors, they will be here to stay once the NSI Bill is passed (it is anticipated that it will only be a matter of months before the legislation comes into effect, once it receives Royal Assent, which is expected in the first half of this year), and investors in the software / data space will need to take account of possible notification requirements and timing implications when assessing transactions.

Retrospective effect

Investors should also note, in relation to transactions which have/will take place between 12 November 2020 and the day before commencement of the NSI Bill (once passed), that the government has 6 months from the commencement date (or, if later, the date on which the government becomes aware of the transaction) to call-in the transaction under the NSI Bill. It is therefore possible that the NSI Bill will be applied to transactions concluded before it is passed.

Key contacts

Read Ingrid Hodgskiss Profile
Ingrid Hodgskiss
Read Dan Reavill Profile
Dan Reavill
Back To Top