The government has released draft legislation for proposed changes to Australia’s foreign investment regime that would force telcos and data centre providers that store classified information to seek approval for all prospective foreign investment.
An exposure draft of the legislation, published by the Attorney-General’s Department, was released for consultation late last week, outlining the finer details of the scheme, including the industry sectors that will likely be designated “sensitive national security businesses”.
Changes to the foreign investment regime were first flagged in June in response to increasing risks to Australia’s national interest posed by “rapid technological change and changes in the international security environment”.
Under the current framework, “sensitive businesses”, including those involved in telecommunications, encryption and security technologies and communications systems, only require approval where a foreign investment is worth more than $275 million.
But the new legislation will see a new “national security review and last resort power” introduced from January 2021, requiring sensitive national security businesses to notify and seek approval from the Foreign Investment Review Board (FIRB) on any foreign investment.
All “foreign interests acquired in Australia land” and “business acquisitions that require foreign investment approval” will also be recorded in a new “Register of Foreign Ownership of Australian Assets”.
Businesses that fail to notify the government of any proposed investment not captured under the Foreign Acquisitions and Takeovers Act (FATA) risk being ‘called in’ for screening under the national security test.
The Treasurer will also have the power, in exceptional circumstances, to “impose conditions, vary existing conditions, or, as a last resort, force the divestment of any realised investment which was subject to the FATA where national security concerns are identified”.
Sensitive national security businesses
Under the exposure draft, all carriers or carriage service providers covered by the Telecommunications Act 1997 will be deemed a national security business if services are “carried on wholly or partly in Australia”.
Businesses that store, maintain or have access to information that has a security classification or is personal information belonging to defence or intelligence personnel, which if disclosed could jeopardise national security, will also be covered by the legislation.
Data centre providers that support defence or intelligence capabilities are likely to fall under the category after Prime Minister Scott Morrison last month said the sector would be one such area subject to the new rules.
Businesses that supply, develop or manufacture “critical technology that is, or is intended to be, for military use” will also need to abide by the rule.
Businesses that are either responsible for a critical infrastructure asset or are a “direct interest holder” in that asset, as defined in the Security of Critical Infrastructure Act 2018, will also be covered by the legislation.
Critical infrastructure operators, covering 200 critical electricity, gas, water and port assets across the country, are already required to detail their IT environments to the government, including whether they use any outsourcers or offshorers.
The government is planning to consult on the definition of sensitive national security businesses and the wider exposure draft until August 31, with legislation expected to be introduced to Parliament between September and November.
Treasurer Josh Frydenberg said the consultation process would reaffirm Australia’s “commitment to an open, transparent and non-discriminatory foreign investment review framework that also protects Australia’s national interest”.