Restrictions on Chinese SOE Investments for Data Security Reasons: The Case of Australia

A. Overview of Australia's FIS Framework

The general rule of Australia's FIS regime is that foreign investment is permitted (and indeed encouraged) unless it is considered to be contrary to Australia's national interests. The 2021 reforms enhance the regime through three means: introducing a new national security test in addition to the existing national interest test to capture investments associated with national security risks; enhancing the compliance and retrospective review powers to ensure continuous risk management after the establishment of investments and streamlining review processes for foreign investment in non-sensitive businesses.

Under the amended FATA, foreign acquisitions are subject to mandatory pre-notification for a national interest test by the FIRB only when the transaction value exceeds specified monetary thresholds (referred to as a ‘notifiable action’ in the framework). ¹⁹ Lower monetary thresholds generally apply to investments in sensitive businesses, ²⁰ agribusinesses and mining and production tenements and land. However, a zero-dollar threshold applies to investments made by foreign government investors (FGIs). ²¹ A foreign investment that would result in substantial foreign influence over Australian businesses and their assets (referred to as a ‘significant action’) does not require mandatory pre-notification unless it is a notifiable action. But unless otherwise notified, the Treasurer can prohibit or retrospectively prohibit the investment if it is determined to be against the national interest. In addition, the 2021 FIS reforms allow the Treasurer to ‘call in’ an FDI transaction for retrospective screening under a national security test within 10 years after the action has been completed if national security risks emerge. ²² Foreign investment in a ‘national security business’ and ‘national security land’ (referred to as a ‘notifiable national security action’) is subject to pre-notification for a national security test. ²³ Foreign investment which is not captured by the rules mentioned above but which may nonetheless raise national security concerns (referred to as a ‘reviewable national security action’), is also subject to the Treasurer's ‘call-in’ power. ²⁴ In addition, Australia's amended framework also includes a ‘last-resort’ allowing the Treasurer, in exceptional circumstances, to unilaterally review investments that were lawfully admitted on the grounds that national security risks have since emerged. ²⁵

The Treasurer has the sole discretion to determine whether an investment is contrary to Australia's national interest or security, and he or she is not obliged to publicize the decisions nor to explain the reasons. ²⁶ Notably, neither the FATA nor FATR defines ‘national interest’ or ‘national security’. Although the concepts are defined in some other Australian laws, they are tailored to the specific legislative purposes. One example is the Broadcasting Service Act 1993, which defines ‘national interest’ centring on the potential impact on Australia's international relations. ²⁷

Despite the lack of a definition of national security, the FATR defines ‘national security business’ as assets and entities covered by the Security of Critical Infrastructure Act 2018 (SOCI Act) and the Telecommunications Act 1997, ²⁸ and ‘national security land’ as defence premises governed by the Defence Act 1903. ²⁹ Only the SOCI Act provides a definition of ‘national security’, which broadly encompasses ‘Australia's defence, security or international relations’. ³⁰ The Treasury's Policy provides an indicative list of general factors to be considered in the FIRB national interest review, which serves as a guide to the fundamental concepts. ³¹ The factors include national security implications, competition implications, impacts on other Australian government policies (including tax), consequences on the Australian economy and community and the character of the investor and the target business, ³² reflecting the broad meaning of ‘national interest’ under the foreign investment framework. In addition to the general factors, the Policy also outlines special factors for investment in certain businesses (including agriculture, media, land) or investments made by FGIs. ³³

Suppose the Treasurer determines that a transaction is contrary to Australia's national security or interest. Such a determination could result in an outright rejection of the investments, approval subject to investment-specific conditions, or, if the investment has already been made, a request for condition changes, divestment or undoing. In general, the Treasurer's decisions are final. The decisions are statutorily exempt from administrative review, ³⁴ and Australian case law indicates that courts tend to uphold the Treasurer's broad discretion to decide on the admission of foreign investment under the FATA. ³⁵

B. Regulatory Hurdles for Chinese SOEs under the FIS Regime

Australia's foreign investment framework requires that all proposals from FGIs to acquire a direct interest (which is an interest of no less than 10 per cent, or 15 per cent subject to specific conditions) in an existing business, ³⁶ obtain an interest in Australian land or establish a new business in Australia must undergo FIRB review prior to establishment, irrespective of the deal value or industry. ³⁷ The term FGI is defined in Section 17 of the FATR as:

a foreign government;

Upon reviewing FGI investments, the FIRB will look beyond the general considerations as outlined earlier to determine whether the transactions are purely commercially motivated or driven by broader political or strategic objectives. This includes determining whether the FGI is subject to actual or potential political control through governance or funding arrangements. ⁴⁰ In addition, the Policy specifies that, for FGIs not wholly owned by a foreign government, the FIRB will ‘consider the size, nature and composition of any non-government interests, as well as any restrictions on the exercise of their rights as interest holders’. ⁴¹

This catch-all approach does not necessarily reflect an antipathy towards FGI investments. The development of the FIS policy signifies that Australia has embraced a realistic approach to foreign SOE investors regarding the requirements for their political independence and commercial motivations. In 2008, the then-Treasurer Wayne Swan issued guidelines for evaluating proposals from foreign SOEs, with the first criterion emphasizing SOE investor's operational independence from its government owner. ⁴² In 2009, Patrick Colmer, then-Executive Member of the FIRB, described this criterion as follows:

The reality is that any government-owned entity will not be independent from the government. The questions that we look at are: What is the government of the entity, how does it operate and can we see that it is operating independently and without direct and continuing government control because any government entity will have a relationship with its government? ⁴³

In the 2010 Policy, the Treasury further clarified this operational independence criterion for foreign SOEs by stating that the Australian government does not have a policy prohibiting investments proposed by FGIs that ‘are not operating on a fully arm's length and commercial basis’; instead, the transactions can be approved if the Treasurer determines they are not contrary to Australia's national interest. ⁴⁴ This statement is maintained in the 2023 Policy section of special considerations for FGI investments. ⁴⁵ In addition, the Policy states that ‘the Australian Government also considers … if the [foreign government] investor may be pursuing political or strategic objectives that may be contrary to Australia's national interest’. ⁴⁶ The particular choice of words could be interpreted as allowing the admission of FGI investments that serve non-commercial objectives, so long as those objectives do not conflict with Australia's national interests.

Concerns expressed in the Policy regarding the potential conflict between the foreign policy of FGIs’ home states and Australia's national interests are pertinent to what appears to be a more cautious approach adopted by the Australian government in applying its FIS regime to Chinese SOE investments over the past decade, a period during which the relationship between Canberra and Beijing shifted significantly, which are discussed in detail in Section III.

C. The Role of Data Security in Australia's FIS Regime

Australia's 2021 FIS reforms give a particular weight to data security in the newly introduced national security test and the retrospective review mechanism. In contrast to the national interest test, the Policy does not guide the factors to be considered in the national security test. Instead, it vaguely describes national security as ‘Australia's ability to protect its strategic and security interest’. ⁴⁷ Despite the absence of a specific definition in the FATA or FATR, the Policy implies that the notion of ‘national security’ is within the implication of ‘national interest’ under the FIS regime, as national security is listed as one of the general factors to be considered in national interest test. ⁴⁸ Accordingly, the national security test is narrower than the national interest test.

According to the Policy, data security is a substantial element in the domain of ‘national security’. As noted earlier, FDI in ‘national security business’ and ‘national security land’ would trigger a national security test by the FIRB. The Policy provides an exhaustive enumeration of ‘national security businesses’, which can be summarized as follows:

a responsible entity for or an entity that has a direct interest in a ‘critical infrastructure’ governed by the SOCI Act;

In addition, as noted earlier, the amended FATA confers ‘call-in’ and ‘last-resort’ powers to the Treasurer to initiate a retrospective review of a lawfully admitted FDI on the grounds that the transaction raises national security concerns. Given that the generality of ‘national security’, which leaves the Treasurer with broad discretion in exercising the powers, the FIRB provides an extensive list of assets across a wide range of industries where FDI may raise national security concerns. ⁵² The list includes not only widely recognized national security-related assets such as critical minerals, defence providers and infrastructure, but also a variety of data-related assets, including informational technology (IT) and data services, data centres and cloud providers. ⁵³ The FIRB justifies the inclusion of the assets on the grounds that ‘the access and control afforded by foreign investment [in the assets] may create opportunities for foreign actors to harm national security’. ⁵⁴

Aside from the FATA, Chinese SOEs operating in Australia are also subject to data security laws with FIS implications. Australia does not have an umbrella data security law like Europe's General Data Protection Regulation. It does, however, have a set of sector-specific data protection laws that apply to all businesses operating in those sectors, such as the SOCI Act, the Healthcare Identifiers Act 2010, the Telecommunications Act 1997 and the Freedom of Information Act 1982. ⁵⁵ Notably, the 2021 amendment to the SOCI Act allows the Federal Government to intervene in any transactions involving critical infrastructure that pose a threat to national security, with a particular reference to data security. ⁵⁶

As of June 2024, the Australian government has not initiated a retrospective review of Chinese SOE FDI based on data security concerns. However, in 2021, the National Security Committee of the Cabinet commissioned a Department of Defence review under the FATA to reassess the potential national security risks of the Chinese investor Landbridge's lease of the Port of Darwin. ⁵⁷ In 2022, Prime Minister Anthony Albanese launched the second security review of the 99-year lease of the Port of Darwin under the SOCI Act. ⁵⁸ Though Landbridge is not an SOE, and both the retrospective reviews concluded that there was no national security justification for unravelling the deal, the reviews highlight the possibility that the Australian government can impose restrictions on Chinese SOE investment based on national security (data security) during both the pre-entry and post-establishment phases. This therefore necessitates a thorough investigation into how Australia's growing data security concerns may influence its application of the FIS regime to Chinese SOE FDI in data-intensive industries, which is presented in the following section.

A. Chinese SOE FDI under Australia's FIS Regime in Practice

According to the FIRB, the Treasurer makes decisions on over 10,000 investments every year, ⁶⁰ though only a small portion of the decisions are made public. Most of the published decisions are conditional approvals or rejections, while unconditional approvals are typically not published. Therefore, the Treasury's specially published decisions can be interpreted as an indication of the government's stance on particular types of investment.

Table 1 compiles all the decisions on Chinese FDI published by the Treasury on its website since 2008. The list contains basic information about the transactions, including targets, investors, types of investors, sectors, published explanations or conditions attached to the approvals (if any). Table 1 uses the year 2013, the first year the Xi Jinping administration took office, as a dividing line to facilitate the analysis of Australia's shifting attitude towards Chinese SOE FDI. Chinese FDI transactions that were rejected or restricted based on data security concerns are highlighted in grey.

OPEN IN VIEWER

Table 1.

Treasury-Published Decisions for Chinese Investments since 2008.

No.	Time	Target	Investor(s)	Investor Type	Decision	Published Grounds/Conditions
1	July 2008	Midwest Co.	Sinosteel Corporation	Central SOE	Approval	Undisclosed
2	August 2008	Rio Tinto Plc	Aluminium Corporation of China	Subsidiary of central SOE	Approval	Conditions: foreign ownership restriction; restrictions on board seats
3	September 2008	Murchison Metals	Sinosteel Corporation	Central SOE	Approval	Condition: foreign ownership restriction (up to 49.9%)
4	March 2009	Album Resources Private/OZ Minerals	China Minmetals Non-ferrous Metals	Subsidiary of central SOE	Rejection	Ground: involving prominent hill operations located in the WPA
5	March 2009	Fortescue Metals Group	Hunan Valin Iron and Steel Group	Local SOE	Approval	Ground: partially due to data security concerns. Conditions: code of conduct for Hunan Valin-appointed directors; conflicts of interest notification; information segregation arrangements
6	April 2009	Album Resources Private/OZ Minerals	China Minmetals Non-ferrous Metals	Subsidiary of central SOE	Approval	Conditions: commercial objective requirement; Australian-dominated management team; maintaining production and indigenous employment
7	May 2009	Gindalbie Metals	Anshan Iron and Steel Group Corporation	Central SOE	Approval	Condition: development undertakings; foreign ownership restriction
8	October 2009	Felix Resources	Yanzhou Coal Mining	Local SOE	Approval	Conditions: operating through an Australian subsidiary; Australian-dominated management and sales team; director/executive nationality requirements; market-based pricing requirement, etc.
9	July 2010	IMX Resources and Outback Iron	Taifeng Yuanchuang International Development	Privately owned	Approval	Condition: department of defence’ written confirmation that it has no security concerns over access to the WPA
10	December 2010	Album Resources Private/OZ Minerals	Minmetals Resources	Subsidiary of central SOE	Approval	Conditions: same as the Minmetals-Album/OZ Minerals acquisition above
11	March 2012	Gloucester Coal/Felix Resources	Yancoal Australia	Local SOE	Approval	Conditions: listing requirement; shareholding reduction commitment; market-based pricing requirement; Australian-dominated management and sales team; director/executive nationality requirements, etc.
12	August 2012	Asset of Cubbie Station	Shandong RuYi Scientific & Technological Group and Lempriere	Privately owned	Approval	Conditions: shareholding reduction commitment; operating through an Australian subsidiary; board composition requirements; maintaining employment, etc.
2013
1	December 2013	Gloucester Coal/Felix Resources	Yanzhou Coal Mining	Local SOE	Decision change	Remove foreign ownership restriction
2	December 2013	SP AusNet	China State Grid	Central SOE	Approval	Condition: director nationality requirements
3	April 2015	John Holland Group	China Communications Construction	Central SOE	Approval	Unconditional
4	November 2015	S. Kidman and Co.	Genius Link Group and Shanghai Pengxin	Privately owned	Rejection	Grounds: the significance of the portfolio of Kidman along with the security issues around access to the WPA
5	November 2015	TransGrid	China State Grid and China Southern Grid	Central SOE	Rejection	Grounds: data security concerns over foreign ownership of TransGrid
6	February 2016	Assets of the Tasmanian Land Co.	Moon Lake Investments	Privately owned	Approval	Conditions: taxation conditions; maintaining employment; future investment undertakings; maintaining supplies in Australia
7	August 2016	Ausgrid	China State Grid and Cheung Kong Infrastructure Holdings	Central SOE	Rejection	Ground: data security concerns similar to that about China State Grid’ bid for TransGrid above
8	April 2016	S. Kidman and Co	Dakang Australia Holdings Pty Ltd and Australian Rural Capital	Privately owned	rejection	Ground: same as the Genius Link/Pengxin-S. Kidman rejection above
9	December 2016	S. Kidman and Co.	Outback Beef Pty (partially owned by Shanghai CRED Real Estate)	Privately owned	Approval	Conditions: operating through Australian-owned Hancock; remaining headquartered and managed in Australia
10	November 2019	Bellamy's Australia	China Mengniu Dairy	Subsidiary of central SOE	Approval	Conditions: Australian-dominated management team; remaining headquartered in Australia; future investment undertaking
11	August 2020	Northern Minerals	Baogang Group Investment	Subsidiary of central SOE	Rejection	Undisclosed
12	August 2020	AVZ Minerals	Yibin Tianyi Lithium Industry	Privately owned	Rejection	Undisclosed
13	August 2020	Lion-Dairy and Drinks	China Mengniu Dairy	Subsidiary of central SOE	Rejection	Undisclosed
14	January 2021	ProBuild	China State Construction Engineering Corp.	Central SOE	Rejection	Ground: data security concerns related to potential foreign access to sensitive information

A quick count of decisions listed in Table 1 suggests that in terms of the type of investors, 19 out of 26 decisions responded to applications from Chinese SOEs. The 19 SOE decisions included 12 conditional approvals, six rejections and one decision on condition changes. Given that Australia has only rarely rejected investment proposals, ⁶¹ it can be safely assumed that the rejection of a proposal is a sign of high-level concerns from the government. As shown in Table 1, before 2013, Australia published only one rejection decision on Chinese FDI, which pertained to the takeover bid of Australian mining firm Album Resources Private Ltd/OZ Minerals by Chinese state-owned miner China Minmetals Non-ferrous Metals. ⁶² According to the FIRB, from 2013 to 2021, only 15 investment proposals were rejected. ⁶³ Table 1 shows that eight of the 15 rejection decisions were made against Chinese investments, with five were against SOE investments, among which three were issued in the last 4 years. This indicates that the Australian government's concerns about Chinese SOE investments have grown significantly in recent years.

Australia's successive Treasurers have consistently refrained from disclosing specific grounds in their published decisions, unless the grounds are obvious (such as being directly related to defence issues) or have guiding significance for prospective investors and relevant stakeholders. Given this, Table 1 provides further evidence supporting the growing importance of data security as a justification for Australia's restrictions on Chinese SOE FDI. As shown in the table, only seven published decisions (one before 2013 and six after 2013) explicitly cited explanations. Four of the decisions concerned Chinese investments involving access to Australia's massive weapons range, the Woomera Prohibited Area (WPA). The remaining three – all made after 2013 – were rejections of Chinese SOE investments, all explicitly citing data security concerns. Notably, the FIRB has only blocked five Chinese SOE investments since 2013, three of which were based on data security concerns. The rejected investments include the bids from Chinese state-owned energy giants State Grid Corporation of China (China State Grid) and China Southern Power Grid for a 99-year lease of TransGrid, the New South Wales (NSW) electricity transmission network, in 2015, ⁶⁴ China State Grid's bid for a 99-year lease of 50.4 per cent of Ausgrid, the NSW electricity distribution network, in 2016 ⁶⁵ and CSCEC's bid to acquire ProBuild, one of the largest construction service providers in Australia, in 2021. ⁶⁶

Given the growing importance of data security as a legal basis for Australia's restrictions on Chinese SOE FDI in the practical application of the FIS regime, the following sub-sections provide in-depth analyses of how the basis has been applied to justify Australia's restrictions on Chinese SOE investments in different sectors in practice.

B. Data Security-Based Restrictions in the Infrastructure Sector

In the digital era, IT, data and cloud services essentially underpin the effective operation of a country's infrastructure, such as power grids, nuclear plants, telecommunications and transportation networks. ⁶⁷ Infrastructure operations typically involve collecting, storing and processing sensitive data, such as operational data and personal information about their clients, which may be of interest to foreign intelligence services or used to support foreign interference activities. ⁶⁸

As noted earlier, Australia has rejected two infrastructure investments proposed by Chinese SOEs explicitly based on data security concerns, which are China State Grid/China Southern Power Grid–TransGrid transaction in 2015 and China State Grid–Ausgrid transaction in 2016. The then-Treasurer Scott Morrison justified his rejection of the TransGrid transaction by stating that due to the critical nature of TransGrid as a national infrastructure, the control of its telecommunications and transmission businesses, as well as the electricity supply data and personal information it held, must be retained solely within Australia. ⁶⁹ He similarly justified his rejection of the Ausgrid transaction by stating that national security risks had been identified in Ausgrid's electricity and communication services businesses, and there were no suitable mitigations that would adequately address the risks. ⁷⁰

TransGrid and Ausgrid are both Australia's major electricity distribution companies, owning, maintaining and operating the electrical networks that serve millions of people across the country. Given this level of criticality of the targets, even though Morrison did not express any concerns about China State Grid and China Southern Grid, their status as being directly owned and supervised by the Chinese central government clearly added to the sensitivity of the investments.

However, the TransGrid and Ausgrid rejections sharply contrast with Australia's previous permissive attitude towards Chinese SOE infrastructure investments. Before 2015, China State Grid had acquired controlling stakes in critical infrastructure assets across Australia, including 60 per cent of Jemena, an energy company that owns and operates vast electricity, gas and water transportation assets across the east coast, 50 per cent of ACTEW AGL, the electricity and gas provider for Canberra and 46.56 per cent of ElectraNet, an electricity transmission company in South Australia. ⁷¹ Notably, the then-Treasurer Wayne Swan announced to approve China State Grid's acquisition of a 19.9 per cent stake in Victoria's largest energy delivery services company, SP AusNet (now AusNet Services) in 2013. ⁷² AusNet is comparable to Ausgrid and TransGrid in terms of business scope, size and significance. The Treasurer did not, however, express concerns regarding unauthorized access by foreign government to the sensitive data held by AusNet or the infrastructure mentioned above.

It should be noted that the Treasurer did not condition the above investments on China State Grid's commitment to sell its ownership in the future, as was the case with Yanzhou Coal Mining's investments in Felix Resources and Gloucester Coal (through Yancoal Australia) in 2009 and 2012, as well as Shandong RuYi Group's acquisition of the Cubbie Station asset in 2012, as shown in Table 1. However, given the growing importance of data security as a justification for Australia's restrictions on Chinese SOE FDI, it is reasonable to expect the Australian government to exercise its last-resort power under the enhanced FIS regime to require China State Grid to sell its stake in the Australian infrastructure assets on the grounds that the investments raise national security concerns.

Changes in geopolitical circumstances may have contributed to Australia's shift in stance on Chinese SOE infrastructure investments. As explained in Section II, when reviewing an FGI investment, the FIRB will consider whether the FGI's potential policy objective is compatible with Australia's national interests. Chinese SOE investors’ previously unfettered access to Australian infrastructure may be attributed in large part to the relative optimism in Australia–China relations at the time, which arguably peaked in 2015 with the conclusion of ChAFTA and has since cooled. ⁷³ However, the subsequent rise in Sino–Western geopolitical tensions seems to have prompted the Australian government to be concerned about the data security implications of Chinese SOEs’ involvement in Australian infrastructure.

The Australian Security Intelligence Organisation’s (ASIO) 2016–17 annual report confirmed the government's growing concerns on data security. The report highlighted that Australia's overall security was at risk from foreign intelligence services seeking to ‘access privileged an or classified information on Australia's international diplomatic relationships, economic and military issues, energy and mineral resources and technological innovations’. ⁷⁴ Although the ASIO did not explicitly name China, the risk was highlighted during a media blitz in Australia that extensively reported cyber infiltrations by Chinese hackers of sensitive government agencies such as the Bureau of Meteorology. ⁷⁵ In addition, the US Donald Trump administration's 2014 executive order prohibiting US companies from using information and communications technology from Chinese telecommunications giant Huawei on the grounds of espionage concerns may have contributed to Australia's sudden escalation of data security concerns regarding Chinese SOE infrastructure investments. ⁷⁶ Huawei, despite not being an SOE, is widely suspected of having ties to the Chinese military or government (although no conclusive evidence has been disclosed). ⁷⁷

In recent years, Australia has increased its emphasis on cyber and data security in its infrastructure regulatory framework. In 2021, as noted earlier, Australia amended the SOCI Act to expand the coverage of critical infrastructure governed by the law to specially include communications, data storage and processing. ⁷⁸ In the same year, the Australian government established the Cyber and Infrastructure Security Centre (CISC) to assist in managing the evolving security risks to Australia's critical infrastructure. ⁷⁹

The CISC's latest Critical Infrastructure Resilience Strategy highlights the increasing susceptibility of Australia's critical infrastructure to attacks by foreign state-sponsored actors in the current volatile geopolitical environment as a result of the expanding interconnectivity among services and systems. ⁸⁰ Therefore, it is reasonable to expect that data security will become an impassable obstacle for Chinese SOEs seeking to invest in Australia's critical infrastructure in the future, particularly if current Sino–Western geopolitical tensions persist.

C. Red Flags on the Rise: Commercial Construction, Resources and Beyond?

Aside from the infrastructure sector, the FIRB has determined other sectors that were not previously considered data-intensive as involving sensitive data, and thus imposed restrictions on Chinese SOE FDI in these sectors – commercial construction and resources sectors are notable examples.

In January 2021, Australia blocked the bid from CSCEC's to acquire an 88 per cent of stake in ProBuild. ⁸¹ CSCEC is the largest construction company in the world by revenue owned by the Chinese central government. The then-Treasurer Josh Frydenberg justified his decision by citing concerns that the deal would give foreign intelligence services access to information about ProBuild's sensitive projects, such as the designs of Victoria's police headquarters and vaccine laboratories. ⁸² The ProBuild rejection, which is the first decision published by the Treasury immediately after the enactment of the 2021 FIS regime, strongly communicated to the public the Australian government's vigilance towards foreign erosion of data security.

Notably, ProBuild was a commercial construction company with over 90 per cent of its businesses has been for private sector clients. ⁸³ The fact that it held contracts with Australian government agencies and critical infrastructure providers, however, has raised a red flag regarding CSCEC's takeover bid during the FIRB review. The FIRB's Guidance 8 confirms the commonality of this red flag in the commercial construction sector, stating that:

Commercial construction firms which develop assets for sensitive clients may have access to sensitive information, through building blueprints or building information management systems. Such information may be of value for foreign intelligence services. Foreign intelligence services may also pre-position for future intelligence activities – such as by building surveillance equipment into the premises during construction to gather information on intended sensitive tenants. ⁸⁴

Notably, in 2015, the FIRB granted another Chinese state-owned construction conglomerate, China Communications Construction Company (CCCC), unconditional approval to acquire Australia's leading construction company, John Holland. ⁸⁵ From a national security perspective, John Holland is far more sensitive than ProBuild, as it had been engaged in a wide variety of projects for the Australian government, such as Federal Parliament House, Victorian Heart Hospital and critical infrastructure like Metro Trains Melbourne and Sydney Bus Network. ⁸⁶ Nevertheless, the FIRB raised no data security concerns about the transaction at all. The contrasting outcomes of the CSCEC–ProBuild and CCCC–John Holland transactions should be attributed to Australia's increasing concerns about data security in recent years, which have been exacerbated by the evolving geopolitical environment, as discussed above. The statement in the FIRB's Guidance 8 and the ProBuild rejection, however, suggest that Chinese SOE investors targeting Australian commercial construction firms holding contracts with public sector clients will have a diminished chance of gaining admission approval.

Before Sino–Western tensions rose, the Australian government had expressed information-related concerns about Chinese SOE FDI in the resources sector. In 2009, the then-Treasurer approved Chinese state-owned mining company Hunan Valin's (Valin) acquisition of a 16.5 per cent stake in Australian iron ore miner Fortescue Metals (Fortescue). ⁸⁷ According to the published decision, Valin's status as a significant Fortescue customer raised concerns from the FIRB that, should it secure board seats at Fortescue, it would be able to access and exploit Fortescue's confidential information for its own gain or sharing the information with affiliated Chinese companies seeking iron ore from Fortescue. ⁸⁸ The transaction was approved with a condition of an information segregation arrangement between the parties that barred the Valin-appointed directors from participating in board discussions regarding marketing, sales, customer profiles, price setting and cost structures, as well as circulating any relevant information. ⁸⁹ In substance, this concern is primarily about the economic effects of the investment, rather than data security alone. However, this raises the possibility that future Chinese SOE investments in Australia's resources sector will encounter comparable obstacles regarding the protection of sensitive commercial information.

Australia's data security concerns about Chinese SOE investments have extended beyond traditional data-intensive sectors. In addition to sectors discussed above, the FIRB has identified other sectors that may pose data security risks, such as domain name systems, commercial real estate, healthcare and any other sector that relies heavily on IT, data centres and cloud services. ⁹⁰ This suggests that there is a likelihood that Chinese SOE FDI in these sectors will encounter more restrictions in the future based on data security concerns.

A. The Strengthened Political Ties of Chinese SOEs

In the Chinese socialist economy, SOEs are inextricably linked to the political system. China has been reforming its SOEs since 1978, with the latest round of the reforms beginning in 2012. ⁹¹ Over the past four decades of the reforms, China has made significant strides in aligning its SOE governance practices with the OECD Guidelines on Corporate Governance of State-Owned Enterprises. ⁹² In 2009, the Australia China Business Council asserted in its submission to the Australian Senate Economics References Committee for the report on investments by foreign state-owned entities that:

[There is] growing evidence that corporate China is behaving commercially, or, as the Chinese would say, they are following a policy of ‘Zhengqi Fenkai’ – proper separation of government functions from business operations. ⁹³

The major policies of China's ongoing SOE reforms, on the other hand, appear to contradict this proposition. A comprehensive examination of the policies suggests that the latest round of SOE reforms in China has substantially enhanced political control over SOEs, primarily through the three mechanisms outlined below.

First, China's latest round of SOE reforms has integrated the Chinese Communist Party's (CCP) control into SOEs’ internal governance structure. Since the 1990s, the Chinese government has mandated that SOEs implement a global-standard corporate governance system (primarily consisting of a board of directors, a board of supervisors and a senior management team). ⁹⁴ In 2016, President Xi introduced a modern SOE governance system with ‘Chinese Characteristics’, which he has explained as a reference to the mandate that the CCP lead SOEs and integrate CCP leadership into the SOE corporate governance system. ⁹⁵

The distinctive system requires the establishment of a CCP cell known as the ‘Party Committee’ within SOEs as an additional decision-making organ with ultimate authority in discussing and deciding on major corporate issues, which particularly include ‘large investment of corporate assets’. ⁹⁶ This means that a Chinese SOE's board of directors cannot pass a resolution to make a particular FDI until it has received approval from the Party Committee. In addition, the system requires that the Party Committee secretary and the chair of the board of directors be the same person, as well as the general manager and deputy secretary. ⁹⁷ This mandatory cross-office holding between the Party Committee and regular governance organs reinforces the CCP's control over SOE governance.

This newly introduced SOE governance system has been codified in China's 2023 amended Company Law, which will come into effect on 1 July 2024. ⁹⁸ Major Chinese SOEs – including those investors subject to restrictions under Australia's FIS regime – have revised their Articles of Association to reflect their adoption of the governance system with ‘Chinese Characteristics’, indicating their commitments to the CCP leadership in operations. ⁹⁹

Second, China's latest round of SOE reforms establishes a tightened external government supervision system for SOEs. In China, SOEs are organized in the formation of a business group, which is a multi-layered ownership-based structure with a core companies (i.e. the parent companies of the group) at the apex. ¹⁰⁰ These business groups are overseen by the State-owned Assets Supervision and Administration Commissions (SASACs) at various levels, which are government agencies that specialize in supervising SOEs in their respective regions as both shareholders and regulators. ¹⁰¹ China's latest round of SOE reforms, however, is prompting the decentralization of (some of) SASACs’ shareholder functions to the core companies of state-owned groups for their subsidiaries. ¹⁰² This raises expectations that the government is loosening its grip on SOEs. Nonetheless, the decentralized supervision system aims to strengthen the government's ability to supervise SOEs.

Specifically, under the system, core companies are directly accountable to the supervising SASACs for ensuring that their subsidiaries’ business activities comply with state policy. In particular, they are required to maintain effective control over their group members’ outbound FDI activities by establishing an intra-group pre-investment approval system and exercising comprehensive control over the post-establishment process of their overseas operations via methods such as random inspections and expatriate executives. ¹⁰³ The core companies are then obligated to report to the supervising SASACs of major affairs pertaining to the groups’ overseas operations, including the use of large funds, executive management and changes in the shareholding structure. ¹⁰⁴ This SASAC–core company–SOE supervision system established in the latest round of SOE reforms allows the Chinese government to rely on a handful of core companies to more closely oversee the vast number of SOEs and their overseas operations.

In the latest round of SOE reforms, as the third mechanism, the Chinese government has explicitly entrusted specific types of SOEs with policy tasks. Since 2014, the Chinese government has designated some major SOEs that dominate critical industries, such as energy, transportation and infrastructure, as ‘State-owned Capital Investment Companies’ (SCICs) to serve as professional platforms for the operation of state-owned capital. ¹⁰⁵ The Chinese central government has publicly tasked SCICs with making investments in accordance with major national strategies and government directives. ¹⁰⁶ In addition, in the ongoing SOE reforms, the government has classified SOEs based on their social and economic contributions to the country so as to implement differentiated supervision approaches and reform policies. ¹⁰⁷ To the extent that it is relevant to this article, SOEs operating in critical industries are generally classified as ‘Special Commercial’. ¹⁰⁸ These SOEs have also been tasked with primarily serving a variety of policy tasks in their operations, such as implementing national strategies, protecting national security and supporting national economy. ¹⁰⁹

These special types of SOEs with direct political ties warrant special attention because they are predominantly active global investors – including those that have raised data security concerns in the FIRB review. For example, China State Grid and China Southern Grid were both classified as ‘Special Commercial’. The Chinese government designated CCCC as an SCIC in 2014. ¹¹⁰ Despite being among the world's leading multinational corporations, their special identities suggest that their FDI may be primarily aimed at advancing policy objectives rather than pursuing financial gain.

The analyses above demonstrate that, in the latest round of SOE reforms, Chinese SOEs are subject to political ties that have been significantly strengthened as a result of the CCP leadership being embedded in their governance practices, the pseudo-decentralized government supervision system and the government-assigned policy tasks (if they are classified ‘Special Commercial’ or designated as SCICs). As a result, it is increasingly likely that Chinese SOE FDI is motivated, at least in part, by policy objectives. This highlights the importance of investigating China's data-related laws and policies, which may have an impact on Chinese SOE investments in Australia and, potentially, raises data security concerns in the FIRB review.

A case of data leakage by a Chinese SOE that is suspected to have been directed by the Chinese government lends credence to this suspicion. In 2020, Australian cybersecurity consultancy Internet 2.0 revealed that ShenZhen Zhenhua Data Information Technology Company (Zhenhua Data), a Chinese company ultimately owned by the Chinese central SOE China Electronics Corporation (CEC), had secretly established a vast database profiling 2.4 million people worldwide that was believed to be used by China's intelligence service. ¹¹¹ The database contains information on over 35,000 Australians, as well as classified operations of the Commonwealth Scientific and Industrial Research Organisation, the Australian government's scientific research agency. ¹¹² Despite Zhenhua Data's denial of any operational ties with the Chinese government, CEC has been classified as ‘Special Commercial’ and designated as an SCIC in the latest round of SOE reforms. ¹¹³ In addition, Zhenhua Data's primary client is the People's Liberation Army.

Zhenhua Data and CEC have not made any known investments in Australia – even if they do, the FIRB is unlikely to approve them due to their political alliances, sensitive business sectors and Australia's prominent data security concerns regarding FDI. Nonetheless, it is important to note that as part of China's ongoing SOE reforms, the central SASAC is reportedly planning to merge CEC with another central SOE, the China Electronic Technology Group Corporation. This central SOE has made significant FDI in Australia, including a jointly established research innovation centre with the University of Technology Sydney. ¹¹⁴ The Zhenhua Data case highlights the significant risk that the Chinese government could utilize SOEs to gain access to sensitive data in foreign countries – the strengthened political ties of Chinese SOEs as a result of the ongoing SOE reforms have made this risk more pressing than ever.

B. China's Enhanced Data Security Regime

China's data protection regime has undergone significant improvements over the last 5 years. The improvements are aimed at two directions: first, to protect sensitive data from unauthorized foreign access, which is comparable to Australia's concerns under the FIS regime; and second, to promote outbound FDI in foreign data-intensive sectors. Given the strengthened political ties of Chinese SOEs in the context of China's SOE reforms, this may exacerbate the Australian government's data security concerns regarding Chinese SOE FDI.

China has embarked on a succession of legislative efforts in establishing a comprehensive data protection framework which primarily consists of the 2016 Cybersecurity Law, the 2021 Data Security Law and the 2021 Personal Informational Protection Law. The framework prioritizes the prevention of sensitive data leaks abroad, requiring data processors operating in China to localize personal information and critical data. ¹¹⁵ In addition, it requires that operators of critical information infrastructure and data processors holding personal information of specified numbers of users submit any requests for cross-border data transfer to the Cybersecurity Review Office for a cybersecurity review jointly administered by 13 government departments and/or to the Ministry of Internet Information Technology for a security assessment on data outbound transfer. ¹¹⁶ China's security review regime for data outbound transfer may be viewed as a response to the high-profile cases such as DiDi, China's largest ride-hailing company, providing the US authorities with over 1 billion users’ personal information and high-precision map information for its listing on the New York Stock Exchange in 2021, ¹¹⁷ and Bytedance, the Chinese owner of TikTok, seeking to sell TikTok's US operations and critical data involved to Microsoft or Walmart before the Chinese government halted the sale in 2020. ¹¹⁸ In addition, like Australia's FIS regime, China's recently reformed FIS regime also reflects a growing concern about the data security risks associated with FDI. The draft Foreign Investment Law, published in January 2015 for public comment, specifically identified information and cyber security as a factor to be considered in the national security review for FDI (Article 57). ¹¹⁹ China's 2020 FIS reform expanded the list of sectors in which foreign acquisitions of actual controlling power of Chinese businesses are subject to mandatory pre-notification for a national security review to include IT and internet products and services. ¹²⁰

In conjunction with the efforts to prevent unauthorized foreign access to sensitive data, the Chinese government is encouraging companies to invest in foreign data-intensive sectors. Specifically, China's 13th and 14th Five-Year Plans, the country's supreme national strategic development plans for the period from 2016 to 2020 and 2021 to 2025, encourage outbound FDI in ‘strategic emerging industries’ as a way to promote domestic growth of these industries. ¹²¹ In 2018, the Chinese government updated its 2012 list of ‘strategic emerging industries’, notably adding 12 IT-related industries, including, but are not limited to, information security equipment manufacturing, cloud computing and big data services and network and information security software development. ¹²²

This policy stance should have a significant impact on Chinese SOEs’ FDI activities. As noted earlier, Chinese SOEs classified as ‘Special Commercial’ or designated as SCICs have taken on policy tasks. One of the tasks that has been assigned to them is to support the growth of China's strategic emerging industries. ¹²³ In addition, the CCP leadership embedded in SOE governance system and the tightened SOE supervision regime could ensure that the enterprises make FDI in accordance with national policy. Therefore, it is to be expected that Chinese SOEs will increase their FDI in the designated industries.

It is worth noting that China's 2015 National Security Law Article 77 and 2017 National Intelligence Law Article 14 oblige all Chinese citizens and organizations to support, assist and cooperate with China's national intelligence institutions upon request. These obligations boost the prospect that Chinese SOEs operating in Australia may be required to share sensitive data with Chinese intelligence services, confirming Australia's data security concerns about Chinese SOE FDI discussed above.

China's increased emphasis on data security, as evidenced by its strengthened data protection framework, suggests a rising data security confrontation between China and Australia in the context of foreign investment policy. Given the strengthened political ties of Chinese SOEs the latest round of SOE reforms, this confrontation could possibly influence Australia's application of its FIS regime, leading to more restrictions on Chinese SOE investments across a broader range of industries based on data security concerns. This, however, may impede the recovery of the investment relations between Australia and China after years of diplomatic freeze.

A. Recommendations for Prospective Chinese SOE Investors

Chinese SOEs seeking to invest in Australia should consider several factors when determining FDI strategies and transaction structures. These factors may help to prevent and mitigate the impact of the Australian government's data security concerns in the FIRB review.

First, before proceeding with an FDI transaction, a Chinese SOE should assess the target Australian company's potential involvement with sensitive data. As pointed out in Section III, businesses that may raise data security concerns in the FIRB review are not limited to ‘national security businesses’, but also include critical infrastructure, commercial construction, healthcare and others.

Second, if the preliminary assessment indicates that the investment may involve sensitive data, the SOE investor should consider incorporating proactive measures into the investment structure to mitigate any data security concerns that the FIRB may raise in the review. Chinese SOE investors should first consider the mitigation arrangements outlined in the Treasurer's Policy, such as limiting the size of the acquisition to a minority or non-controlling level, investing with external (local) partners and maintaining the target's publicly listed status on a recognized exchange. ¹²⁴ In addition, the investor should include further arrangements that specifically designed to address the FIRB's potential concerns about the investment affording the Chinese intelligence services access to sensitive data held by the target. Such arrangements may include, for example, a commitment to keep and process relevant data solely within Australia, a commitment to have the target business operated by Australian partners after the acquisition and an information segregation agreement that prohibits the Chinese SOE investor from accessing certain types of information.

In addition, as noted in Section II, Australia's amended FATA has enhanced the retrospective review mechanism, allowing the Treasurer to review admitted FDI if the transaction raises national security concerns. Therefore, it is recommended that Chinese SOE investors maintain the mitigation arrangements in place throughout their operations in Australia. Their political ties may result in their investments more susceptible to retroactive scrutiny in the digital era.

B. Recommendations for Australia's FIS Administrators

Australia's FIS system has received criticism for failing to follow best practices for foreign investment policy, owing to a perceived lack of transparency, accountability and predictability in operations. ¹²⁵ The increasing significance of data security as a legal justification for Australia's restrictions on Chinese SOE investments may exacerbate the unpredictability for future Chinese SOE investors and, potentially, FGIs from other countries. This could result in Australia losing Chinese SOEs as significant sources of capital to competitor countries. To avert the accusations of abusing the concept of data security as a means to pursue protectionist goals or to politicize the FIS decisions, it is recommended that the Treasurer, when deciding to restrict a Chinese SOE investment based on data security concerns, to consider the following improvements.

First, the Treasurer, as well as the FIRB, should consider identifying the specific data security concerns that prompted them to restrict the investment in their published decisions. Although it is a standard practice in the world to keep national security-related information confidential, ¹²⁶ however, given the pervasiveness of sensitive data across industries in the digital era, the identified data security concerns can serve as a guide for future foreign investors to ensure that their FDI proposals do not trigger similar concerns in the FIRB review.

Second, as demonstrated in Section IV, China's latest round of SOE reforms has evidently resulted in strengthened political control over SOEs. This hence poses a significant national security risk to Australia, as Chinese SOE investors may gain access to sensitive data in Australia at the government's direction as part of the country's enhanced data security regime. Given this context, it is recommended that the FIRB implement stringent pre-investment screening and post-investment monitoring for Chinese SOE FDI involving sensitive data to prevent data leakage. Significantly, upon reviewing a Chinese SOE investment, the FIRB should thoroughly evaluate the extent of political control exerted over the investor, as opposed to simply assuming that all Chinese SOEs have comparable levels of government control, which could aid in the precise detection of potential sources of risk while maintaining a generally favourable stance towards Chinese SOE investors. This could be accomplished through, for example, investigating whether the SOE was classified as ‘Special Commercial’ or designated as an SCIC in the latest round of SOE reforms and how its Articles of Association describe the role of the CCP in the governance system. Based on these findings, the FIRB will have a better ground to assess the risks of the investment as allowing Chinese intelligence services access to Australia's sensitive data.