Australia - Use Of Patient Data By Foreign Acquirers Of Healthcare Companies.
Legal News & Analysis - Asia Pacific - Australia - Corporate/M&A
3 May, 2018
In a cross-border healthcare acquisition, a key issue for a foreign acquirer to consider is the government consents required.
There has been a growing trend of regulators imposing conditions relating to the use of patient data by foreign acquirers of healthcare businesses. We believe that this trend is likely to continue, particularly where a foreign acquirer is a state-owned enterprise or where there is a risk that the foreign acquirer could be subject to state influence.
The risk of regulatory concerns relating to patient data arising is exacerbated if the patient data may include information about "politically sensitive persons", including politicians, senior public servants, senior defence personnel or other people who could potentially be influenced through the use of their personal data.
Examples of this trend
Australia encourages foreign investment and, unlike many countries, allows foreign investment in all sectors of the economy. The Australian Foreign Investment Review Board (FIRB) reviews proposed acquisitions and approves over 99% of applications, but often imposes conditions on the acquisition.
FIRB Chairman, David Irvine, recently flagged a new approach to the protection of patient data in a speech in May 2018:
"Security of data is a growing area of sensitivity. The Government has an obligation to promote the protection of the private or personal data of Australian citizens. How and where it is stored and who has access to it. The obligation becomes relevant for FIRB as a result of growing foreign investor interest in data sensitive assets such as health care services and data centres. Again, the approach to managing these issues has been to develop and impose data security conditions rather than blocking foreign investment."
Mr Irvine is the former director-general of the Australian Security Intelligence Organisation (ASIO) and the Australian Secret Intelligence Services (ASIS). He has also previously served as Ambassador to China.
This new policy is currently playing out in the AUD 2 billion (USD 1.5 billion) takeover bid by China's Jangho Group for ASX-listed Healius Limited (previously known as Primary Healthcare Limited), a company which holds medical records on millions of Australians through its 2,400 pathology clinics and 70 medical centres. As a condition of approval for the takeover, FIRB may require that Jangho places restrictions on access to the patient data held by Healius. It was reported that, in a prior acquisition in Australia, Jangho offered to FIRB to self-impose such a restriction.
It is also reported that the Australian government is considering the introduction of a national data policy. The goal for such a policy would be to assist FIRB and law enforcement agencies better adjudicate on sensitive cases.
Canada's government has echoed similar views to those of FIRB. In December 2018, the head of the Canadian Security Intelligence Service (CSIS), David Vigneault, stated in his first public speech:
"CSIS has seen a trend of a state-sponsored espionage in fields that are crucial to Canada's ability to build and sustain a prosperous, knowledge-based economy. I'm talking about areas such as AI, quantum technology, 5G, biopharma and clean tech. In other words, the foundation of Canada's future growth."
There have been a string of transactions in the US in recent years which have faced regulatory scrutiny over concerns around sensitive personal data, and which, while not in the healthcare sector, provide useful insight into how the Committee on Foreign Investment in the United States (CFIUS) approaches such issues.
In January 2018, CFIUS rejected Ant Financial's proposed acquisition of US money transfer company, MoneyGram International Inc., for USD 1.2 billion, despite proposals by Ant Financial to address concerns around the safety of data that can be used to identify US citizens.
The blocked deal was viewed by many to be a clear signal that the US had broadened the "national security" test applied by CFIUS to include the acquisition of personal data by foreign firms.
However, in June 2018, China Oceanwide Holdings Co. Ltd's managed to buck the trend when its proposed acquisition of US life insurer, Genworth Financial Inc., for USD 3.8 billion was eventually approved by CFIUS (over 20 months after it was announced), after Oceanwide and Genworth agreed to collectively take special measures to safeguard customer information, including Genworth agreeing to use a US-based, third-party service provider to manage the personal data of its US policyholders.
A new law adopted in February 2019 and regulating the use of information technology and communication in the healthcare sector has formalised a long time informal regulatory policy that health data from patients in the UAE must be processed and stored inside the UAE. Certain exceptions are being envisaged that would allow such data still to be transferred subject to the control of the relevant health authority. The details of such exceptions are yet to be enacted in implementing regulations. The impact of the law is potentially big for any investors in the healthcare sector in the UAE, be it hospital operators, tele-health providers, CROs or drug and medical devices manufacturers. While there is likely to a grace period at the early stages of implementation, non-compliance with this new law can carry hefty fines and criminal sanctions. It is part of a growing trend in the region where we see governments increasingly taking control of sensitive data.
How does this affect cross-border investors?
While there has been an increasing trend in the past few years of deals being blocked over data concerns, there has also been an increasing willingness (at least in some instances) by governments and regulators to address data concerns through the use of specific data control conditions.
In Australia, these conditions have included obligations on foreign investors to ensure that data is stored locally or, where cloud based, held by providers who are certified by the Australian Signals Directorate (an Australian government intelligence agency). Conditions can also be more specific, for example, restricting the access of directors or other officers of the foreign parent to sensitive data held by a local target.
As healthcare data continues to assume more importance, regulators around the world will impose additional restrictions on access to healthcare data. Potential acquirers should look to engage with Government regulators in the early stages of acquisition planning, to understand any likely restrictions.
For further information, please contact:
Ben McLaughlin, Partner, Baker & McKenzie
 Foreign Investment Review Board, Annual Report 2016-17 (8 May 2018) <https://cdn.tspace.gov.au/uploads/sites/79/2018/05/FIRB-16-17-Annual-Report.pdf>.
 David Irvine, 'Address by David Irvine AO, Chair of the Foreign Investment Review Board' (Delivered at the International CEO Forum, Sydney, Australia, 16 May 2018) <https://firb.gov.au/2018/05/international-ceo-forum/>.