UK National Security and Investment Bill | Fewer tech transactions to be caught under revised scope of rules
Published on 12th Mar 2021
The government has revised the planned scope of new controls on investment into certain UK industries.
On 2 March 2021, the UK Department for Business, Energy and Industrial Strategy (BEIS) published revised draft definitions to shape the scope of the mandatory notification regime under the National Security and Investment Bill (the NSI Bill). The revisions tighten up the definitions. This reflects the UK government's aim to minimise the regulatory burden on businesses and investors, whilst safeguarding essential national security interests in exceptional cases. But areas of uncertainty remain, and the NSI Bill, currently making its way through the UK legislative process will still catch a significant swathe of deals in the Tech, Media and Communications (TMC) sector.
The changes have been made in response to the consultation launched by BEIS at the time of publication of the NSI Bill in November 2020. As we have reported, the NSI Bill will introduce powers for the UK government to review a wide range of transactions which could give rise to national security concerns. The mandatory notification regime is expected to cover 17 areas, many of which fall within the Tech, Media and Communications sector, namely: artificial intelligence, advanced robotics, communications, computing hardware, cryptographic authentication, data infrastructure, quantum technologies and satellite and space technologies. The changes to the definitions in these areas are outlined at the end of this article.
Risk of uncertainty
There is an inevitable tension between businesses' need for certainty around the legal risk and timeframes for their deals versus the flexibility to intervene which the government enjoys by leaving definitions broad or somewhat unclear. It is to be hoped that any uncertainty in the final definitions will be tempered by transparency in the government's decision-making under this new regime. Although some sensitive deals will require confidential treatment, where possible fully reasoned decisions should be published (which is not the case for current national security decisions under the merger control regime). This would enable businesses and their advisers to draw on the government's reasoning in past cases in order to make an informed assessment of the likely risk of intervention in a planned transaction.
The consultation response provides useful confirmation that although there are overlaps between a number of the definitions, this will not result in any difference in reporting a transaction which sits across more than one area.
Areas of concern
BEIS's concerns are focused on technology that could compromise UK security by, for example, being repurposed for military use or other purposes that present a strategic threat to the UK. Surveillance, data gathering, cybersecurity, security of information and communications networks, and advanced automation are themes which run through the definitions. Nevertheless, technology designed for applications that are not in themselves likely to give rise to national security concerns may fall within these definitions if that technology could be repurposed for more sensitive ends. Facial recognition software is a clear example of this.
A second area of focus is the protection of the UK’s digital infrastructure and supply chain.
The definitions will be issued in delegated secondary legislation, issued by the government. This will enable them to be reviewed and reissued more easily over time (usually involving public consultation of proposed changes) as technology progresses and, potentially, if government concerns and priorities shift. BEIS may well use this flexibility, in particular for rapidly developing areas such as artificial intelligence and quantum technologies.
Osborne Clarke comment
We welcome the refinement to the scope of mandatory notification. This will increase clarity, but there is no doubt that the new NSI legislation will still affect a significant number of transactions in the TMC sector. This will oblige many companies to spend time and money on mandatory notifications where the risk to national security is open to debate. Financial penalties, criminal sanctions and the risk of a void, or legally invalid, transaction mean that it will be high risk to ignore a mandatory notification obligation.
The definitions discussed in this article drive the scope of the mandatory notification requirement under the new NSI regime. But the government will also have wide powers to scrutinise completed or planned transactions that fall outside these definitions but which raise potential risks to UK national security. To avoid the uncertainty that a deal might be called in for scrutiny, parties are able to make a voluntary notification (explained further in our earlier article).
It is to be hoped that, particularly in pioneering areas of new digital technology, the new prior authorisation regime does not have a chilling effect on investment in technology, certainly in the mid to long term. The likely short term impact should reduce – hopefully before too long – as businesses and their advisors familiarise themselves with the workings of the new regime and the decision-making policy of the UK government.