article / 10 Jun 2020
Finding the right partner in times when cyber security threats and protectionism/national security is on the agenda – a matter for companies to prioritise
Digitisation is probably the biggest factor of change in our time and it has affected every part of modern society. At a staggering rate, it has paved the way for huge advances in many fields, such as communications, fintech, healthcare and scientific research. The advances in technology have also improved availability and ensured operational benefits at reasonable costs. In this COVID-19 era it has never been more relevant, and it will be interesting to see what post COVID-19 will offer.
Around the world, companies, banks and authorities are seeing the benefits of using streamlining technology – such as cloud services – in their day-to-day business. However, the increased use has resulted in a debate, both in Sweden and within the EU as well as in the USA, of whether such usage – where cloud service providers are located outside of the EU – is consistent with national and EU law with regard to matters such as privacy and classified information. The debate has in turn contributed to raise the level of awareness among companies and authorities that are about to enter into new collaborations.
In general, there is a high maturity on the market when it comes to negotiating new cooperation and commercial agreements. Provisions that govern issues such as service levels, liability, strategies for exit etc. can typically be found in any template cooperation agreement. The importance of addressing such issues is thus widely known. At the same time, we believe that issues of equal importance are often overlooked. While a tailored and airtight agreement can serve as a stable foundation for a new partnership, it is just as important to bear the bigger picture in mind, to look beyond the written agreement and to consider issues such as finding the right partner and making high-level risk assessments, even for issues/circumstances which have not been on the agenda historically but certainly is on the agenda today.
Another issue that in our view, at least in the past, has been devoted little attention is cyber security. Due to the increasing number of Swedish companies that have experienced repeated exposure to cyber attacks – not seldom from foreign, state owned companies – it has become a hot topic for discussion. Among the issues that currently and for some time are debated is the suitability of Swedish companies and authorities providing data (perhaps even data that can be critical to the public) to private companies or other countries. Transfer of such data could open up for a general vulnerability, increased risks for unauthorised access and difficulties with security clearance. In order to minimize such risks, the Swedish legislature has in recent years taken steps towards passing a number of laws that directly aim at cyber security and the possibilities of reviewing foreign direct investment in Swedish companies.
Conflict of interest between cyber security and foreign direct investment
With cyber security raised on the political agenda, issues such as outsourcing and ownership of procured companies are discussed at an ever-growing rate, not only in Sweden but within the EU. The issues discussed are also intertwined with the question of foreign direct investment in IT infrastructure and businesses related to activities that are, or can be, of a security sensitive nature.
For a country like Sweden – with a small open economy – trade with other countries is essential for maintaining high competitiveness. Trade is also a prerequisite for making the economy grow and develop. Economic growth is in turn dependant on foreign direct investment since it helps create new jobs and increase incentives for employment in general.
Even though foreign direct investment is important and contributes to a flourishing economy, higher attention has been brought to the risks involved when foreign companies (with a large state ownership) acquire or invest in companies who are active in more security-sensitive sectors, such as IT and communications services or construction of defence facilities. Depending on the activity in question, foreign ownership could potentially have a lasting impact on a country’s cyber security and general vulnerability. The weighing of such factors thus creates a conflict of interest between, on the one hand, attracting greater foreign investments and, on the other, keeping a robust cyber security and reducing the general vulnerability.
The rise in discussions regarding cyber security and foreign direct investment in recent years has prodded the Swedish Government to initiate a series of Official reports in order to propose new mechanisms for screening foreign direct investment.
Current legislation on screening mechanisms in Sweden
In Sweden, screening mechanisms that restrict the right for companies to transfer or acquire certain property are uncommon. Unlike other European countries, Sweden has no general mechanism for screening investments in all security sensitive or supply critical business areas. Furthermore, Sweden has no tradition of applying so called ”golden shares” that hold special rights and would entail, for instance, that the government would have control over the ownership structure and/or decision-making in a company.
During the 1980’s, provisions in the Act (1982:617) on Foreign Acquisitions of Swedish Companies etc. made it possible for the Government to restrict foreign companies from purchasing shares in limited companies, partnerships and businesses conducted in Sweden. The screening mechanism applied, however, only to the purchase of shares in existing companies; there were no limitations on the right to form new companies.
The Act from 1982 was repealed a decade later after a new Government had taken office. At the time, the Government’s outspoken goal was to fully bring Sweden into the European Community and to break the economic stagnation and re-establish Sweden as a business nation with a strong and growing economy. Investments in the country were therefore considered to have precedence over the screening mechanisms that previously had been introduced.
At present, there are only limited possibilities to influence or prevent foreign direct investment in companies or businesses that handle critical infrastructure and security sensitive data and technologies. Swedish authorities have however, for a long time emphasised that security issues may arise when foreign companies invest in security sensitive sectors. They have also addressed the lack of a regulated screening mechanism as a significant shortcoming.
Development within the EU
The development within the EU in recent years has resulted in an increasing number of Member States to introduce, or that are about to introduce, screening mechanisms for direct investment from third countries. The European Commission has also highlighted that the new international investment patterns, from e.g. state controlled and state funded companies, impose increased demands on ensuring that foreign direct investment does not threaten public security or public order in the EU and its Member states.
It is against this background that the European Parliament on 19 March 2019 adopted Regulation (EU) 2019/452 on establishing a framework for the screening of foreign direct investment into the Union. One of the main goals of the regulation is to create a legal framework for the screening of foreign direct investment in the Union with regard to security or public order. The regulation clarifies the legal situation regarding the right of Member States to introduce, maintain and amend national screening systems. It also establishes certain minimum requirements. For example, the regulation stipulates that member states have the right to review foreign direct investment for security or public order in accordance with the general and security exceptions provided for in the WTO agreements. Apart from security and public order concerns, reviews of foreign direct investments would thus be permitted if a member state deems it necessary in order to protect human or animal life or health, the privacy of individuals in relation to the processing of personal data and confidentiality of individual records and accounts, etc.
The regulation does not require member states to introduce national screening mechanisms for foreign direct investment. Nor does it circumvent the right of the member states to decide for themselves which foreign direct investment that should be allowed in their territory. However, if the Member states intend to introduce national screening mechanisms, the regulation provides that national legislation must comply with the requirements of the regulation.
The regulation furthermore requires that all member states, upon request, provide information to the other member states or the European Commission on planned or implemented foreign direct investment in the member state. The duty of disclosure relates to details such as the ownership structure of the foreign investor and the company covered by the investment, the business activities of the parties, the investment value and financing, the products and services sold, as well as information in which member states they conduct relevant business activities. In addition to this disclosure, member states shall attempt to provide supplementary information to the extent available. The regulation also gives member states the right to request the same information as was requested from the foreign investor or from the company covered by the investment.
Member states, which have implemented national screening mechanisms, shall report annually on their application. All member states are also required to report, at an aggregated level, the investments made in their territories and to provide information on the petitions received from other member states in accordance with the information requirements of the regulation.
The regulation entered into force on 11 April 2019 and shall apply from 11 October 2020.
New legislative steps taken in Sweden
It is not only at an EU level that the new international investment patterns have led to an increase in legislative initiatives. Over the past year, no less than five official reports relating to the issues of foreign direct investment, its potential impact on securitysensitive activities and the introduction of screening mechanisms have been initiated by and presented to the Swedish Government. The Government has also, as a direct consequence of the new EU Regulation and COVID-19, presented many legislative proposals on the matter.
- In an official report regarding Sweden’s total defence, the appointed commission of inquiry has proposed that a government controlled screening mechanism should be introduced, giving the Government the possibility to review and ultimately condition or prohibit transfers of property that is considered to be of material interest to total defence. Such a screening system would apply to ports, airports and real estate in areas with geographical conditions of vital importance to the military defence.
On 22 August 2019, the Government appointed an inquiry chair to investigate, analyse and give proposals as to the design of a Swedish screening mechanism for foreign direct investment. The purpose of the screening mechanism is to control the strategic acquisitions of companies based in Sweden whose business or technology has significance for security or public order.
Under the Government directive, the inquiry chair shall present proposals as to
– which foreign direct investment should be subject to a screening mechanism,
– the conditions under which foreign direct investment could be prohibited and the possibilities to impose conditions for allowing a foreign direct investment,
– which existing authority should be responsible for reviewing foreign direct investment,
– necessary adjustments and supplementary provisions for the application of the EU regulation on establishing a framework for the screening of foreign direct investment into the Union, and
– the adoption of necessary statutory regulation.
The inquiry chair shall present its final proposals regarding the implementation of a Swedish screening mechanism by 2 November 2021.
- On 1 December 2019, new prerequisites for obtaining permission to use radio transmitters and permission to transfer or lease such permits were introduced in the Swedish Communications Act (2003:389). The law now provides that a permit to use radio transmitters shall be given if the radio use presumably will not cause harm to Sweden’s security. The law further states that a permit may be combined with certain requirements that are of importance to Sweden’s security. A permit or certain requirements may, however, be revoked or changed immediately if the radio use has harmed Sweden’s security or it can be assumed that the radio use will cause such harm.
- On 6 March 2020, the inquiry chair presented proposals on adjustments and supplementary provisions for the application of the EU Regulation. The inquiry chair also proposed that the Inspectorate of Strategic Products (“ISP”) should be the contact point in Sweden for issues related to the EU Regulation and the responsible authority in a future Swedish screening mechanism.
- On 4 June 2020, the Government instructed the Swedish Defence Research Agency to conduct a study regarding foreign direct investments in security sensitive activities in order to improve the knowledge of, and identify risks related to, such investments. The study is to be conducted in collaboration with the ISP, the Swedish Security Service and the Swedish Armed Forces. The study aims at presenting the inquiry chair with information regarding foreign direct investments in the work leading up to the final proposal in November 2021. The study will be concluded by 30 November 2020.
- The Government has further decided to follow the inquiry chair’s recommendation to appoint the ISP as contact point under the EU Regulation and has instructed ISP to make the necessary preparations for that assignment. In relation to this decision, the Government has issued a legislative proposal to the Council on Legislation, which includes provisions on the ISP’s mandate to request the foreign investor or the undertaking in which the foreign direct investment is planned, to provide certain information or documentation. The new legislation is proposed to enter into force on 1 December 2020.
The Government will also present new legislation that will give supervisory authorities the possibility prohibiting sale of companies, conducting businesses crucial to Sweden’s national security. Any sale of such a company in violation if the authority’s prohibition will be considered invalid. A legislative proposal to amend the Protective Security Act is to be presented after the summer.
Why cyber and national security may be a matter of priority for Swedish companies
From our view, it is apparent that the recent change in international investment patterns, along with an increase of cyber attacks, has attracted the attention of the European Parliament as well as the Swedish Government and legislature. With an increased interest in the implementation of new screening mechanisms, it is also possible to detect a shift from the more investment friendly position in the early 1990’s, to a more protectionist approach.
As we have just stepped into a new decade of the 21st century, digitisation is moving faster than ever. Apart from the vulnerability of cyber security, digitisation has brought with it issues regarding privacy, processing of personal data and surveillance. Issues that are becoming increasingly important to ordinary citizens. Digitisation together with new investment patterns from countries like China and Russia – where matters regarding surveillance and privacy is handled somewhat questionable – has led to a higher awareness among EU member states. This awareness and reflection over the potential risks with foreign investments has in turn contributed to the demand for a new regulation.
While it still is important for Swedish companies to keep on being competitive and attract foreign investment in order to generate growth, the legislative steps taken recently both on a national and EU level, illustrate that it is of equal importance that companies make high-level risk assessments (especially with regard to cyber security) before entering new collaborations. Finding a trustworthy partner is just as important as managing the finer details of cooperation and commercial agreements. The pending legislation may serve as a foundation for reducing the general vulnerability from cyberattacks and unwanted influences from foreign states, but at the end of the day, it will still be up to the companies themselves to ensure that adequate measures are put in place to protect information that might be crucial to the company’s business or its customers. Measures that by default focus on cyber security should therefore not only be a matter of priority for the legislatures, but also among Swedish companies.