UK National Security and Investment Bill | Fewer tech transactions to be caught under revised scope of rules
Published on 12th Mar 2021
The government has revised the planned scope of new controls on investment into certain UK industries.
On 2 March 2021, the UK Department for Business, Energy and Industrial Strategy (BEIS) published revised draft definitions to shape the scope of the mandatory notification regime under the National Security and Investment Bill (the NSI Bill). The revisions tighten up the definitions. This reflects the UK government's aim to minimise the regulatory burden on businesses and investors, whilst safeguarding essential national security interests in exceptional cases. But areas of uncertainty remain, and the NSI Bill, currently making its way through the UK legislative process will still catch a significant swathe of deals in the Tech, Media and Communications (TMC) sector.
The changes have been made in response to the consultation launched by BEIS at the time of publication of the NSI Bill in November 2020. As we have reported, the NSI Bill will introduce powers for the UK government to review a wide range of transactions which could give rise to national security concerns. The mandatory notification regime is expected to cover 17 areas, many of which fall within the Tech, Media and Communications sector, namely: artificial intelligence, advanced robotics, communications, computing hardware, cryptographic authentication, data infrastructure, quantum technologies and satellite and space technologies. The changes to the definitions in these areas are outlined at the end of this article.
Risk of uncertainty
There is an inevitable tension between businesses' need for certainty around the legal risk and timeframes for their deals versus the flexibility to intervene which the government enjoys by leaving definitions broad or somewhat unclear. It is to be hoped that any uncertainty in the final definitions will be tempered by transparency in the government's decision-making under this new regime. Although some sensitive deals will require confidential treatment, where possible fully reasoned decisions should be published (which is not the case for current national security decisions under the merger control regime). This would enable businesses and their advisers to draw on the government's reasoning in past cases in order to make an informed assessment of the likely risk of intervention in a planned transaction.
The consultation response provides useful confirmation that although there are overlaps between a number of the definitions, this will not result in any difference in reporting a transaction which sits across more than one area.
Areas of concern
BEIS's concerns are focused on technology that could compromise UK security by, for example, being repurposed for military use or other purposes that present a strategic threat to the UK. Surveillance, data gathering, cybersecurity, security of information and communications networks, and advanced automation are themes which run through the definitions. Nevertheless, technology designed for applications that are not in themselves likely to give rise to national security concerns may fall within these definitions if that technology could be repurposed for more sensitive ends. Facial recognition software is a clear example of this.
A second area of focus is the protection of the UK’s digital infrastructure and supply chain.
The definitions will be issued in delegated secondary legislation, issued by the government. This will enable them to be reviewed and reissued more easily over time (usually involving public consultation of proposed changes) as technology progresses and, potentially, if government concerns and priorities shift. BEIS may well use this flexibility, in particular for rapidly developing areas such as artificial intelligence and quantum technologies.
Osborne Clarke comment
We welcome the refinement to the scope of mandatory notification. This will increase clarity, but there is no doubt that the new NSI legislation will still affect a significant number of transactions in the TMC sector. This will oblige many companies to spend time and money on mandatory notifications where the risk to national security is open to debate. Financial penalties, criminal sanctions and the risk of a void, or legally invalid, transaction mean that it will be high risk to ignore a mandatory notification obligation.
The definitions discussed in this article drive the scope of the mandatory notification requirement under the new NSI regime. But the government will also have wide powers to scrutinise completed or planned transactions that fall outside these definitions but which raise potential risks to UK national security. To avoid the uncertainty that a deal might be called in for scrutiny, parties are able to make a voluntary notification (explained further in our earlier article).
It is to be hoped that, particularly in pioneering areas of new digital technology, the new prior authorisation regime does not have a chilling effect on investment in technology, certainly in the mid to long term. The likely short term impact should reduce – hopefully before too long – as businesses and their advisors familiarise themselves with the workings of the new regime and the decision-making policy of the UK government.
The changes in detail
- Advanced robotics >
- Artificial Intelligence >
- Communications >
- Computing hardware >
- Cryptographic authentication>
- Data infrastructure >
- Quantum technologies >
- Satellite and space technologies >
The definition of advanced robotics is now focused on developers, producers and the supply chain for robotics that are autonomous and/or can be used for surveillance or data collection. This is intentionally broader than robotics incorporating artificial intelligence (see below), although there is clearly significant overlap.
Consumer robotics are expressly excluded from the definition, as are "smart" household appliances and industrial automation robots used widely in manufacturing (such as pre-programmed systems and those without an ability to react autonomously to a change in circumstances).
The definition of artificial intelligence has been redrawn to encompass three areas:
- "The identification of objects, people, and events". While the identification of objects and people appears fairly specific clearly catching image recognition and facial recognition systems the concept of identifying "events" is very loose and potentially much wider than visual systems. If an AI system logs that certain data has been registered (for example, certain movement sensors have been activated) that together indicate that a particular activity is underway, would that amount to the identification of an "event"?
- "Advanced robotics". Advanced robotics is a category within the mandatory notification regime in itself (see above), but where such automated systems are driven by artificial intelligence, they are doubly within scope of the NSI Bill.
- "Cyber security", meaning activities to protect networks and information systems, their users and other parties from cyber threats. This in turn is defined as damage, disruption or other adverse impacts on the networks, systems, users or other parties.
Businesses that purchase or license artificial intelligence (without further developing it) are excluded from the definition.
Overall, the revised approach is a significant improvement on the previous definition (focused simply on "technology designed to approximate cognitive abilities"), but it remains very broad. Artificial intelligence is capable of such a vast range of applications across all sectors that there remains a material risk that transactions with little risk of generating national security risks could be caught within this definition.
Following criticism that the original proposed definition was broad enough to capture most transactions in this sector, the government has sought to focus it on public communications networks, services and associated facilities, as well as seeking to make its application to the communications supply chain clearer.
Data centres that are part of core public communications networks are considered to fall within the definition (such as those which host internet exchange points, or 5G core networks), as are business that provide repair, maintenance and upgrade services to public communications networks. Providers of broadcasting infrastructure are within the definition, but providers of broadcast content services are not.
Various de minimis thresholds have also been introduced to exempt smaller or less significant businesses.
This definition has been tightened up and clarified, rather than materially changed. The focus of BEIS's concerns is to prevent the loss of intellectual property within the computing hardware supply chain to hostile actors, rather than protecting the end hardware products themselves. Protecting the UK's position in relation to advanced computing hardware manufacturing techniques is a second priority.
Products designed for use in consumer products have not been excluded, given the potential for repurposing them for applications that would raise national security concerns.
The revised definition seeks to narrow the scope to products which have authentication (of identity, origin or content) as their primary function, using cryptography, and which are not ordinarily designed for sale to consumers.
BEIS's stated intention in the consultation response is to catch only those applications that are to be used in systems critical for national security. That said, there is no reference in the definition to such systems, only an express exclusion for consumer applications. So this definition could still catch businesses researching, developing or producing cryptographic authentication products that are not used by consumers but also not used in systems that are critical for national security.
The definition now makes it clear that data infrastructure will not be caught unless it:
- handles relevant data in respect of which the owner, operator, manager or certain defined service providers in relation to the infrastructure have a direct contractual relationship with a critical sector entity (also defined). Relevant data is defined as digital data used for the operation of a critical sector entity; or
- is used by public communications providers for peering, interconnection or exchange of data; or
- connects international cabling routes.
The definition has also been amended to remove entities with a connection to relevant data infrastructure but that do not have physical or administrative access to it (such as land owners).
Quantum technology covers a wide number of fields. Some are long-established but still making breakthroughs (such as atomic clocks or quantum sensors), while others are in their early pioneering days (such as quantum computing and quantum-resistant encryption). The focus for the NSI legislation is expressed to be "all areas of second-generation quantum technology development", on the basis that all fields carry dual use risk.
The definition for this area is intentionally wide, so as to cover this broad range of applications, but has nevertheless been narrowed. It now applies to entities that develop or produce one of the quantum technologies listed in the definition. This approach is intended to exclude research entities (including academia) and businesses that only use quantum technology to enable them to deliver a service.
BEIS also plans to narrow the way in which the definition applies to the supply chain for quantum technology. This remains a work in progress and the consultation response expressly contemplates adding some essential supply chain components for quantum tech, narrowing its scope either by way of a limited list of such components or by using performance thresholds.
Satellite and space technologies
BEIS has reworked the definition to exclude various areas that overlapped with other defined technologies (particularly the communications definition discussed above). Nevertheless, it still captures a wide range of satellite and space technologies, mainly because of their potential for dual use.