Arindrajit Basu, Fellow, Datasphere Initiative
In February 2023, the Government of India indicated that it would soon publish a new policy that would allow both countries and corporations to set up “data embassies in India.” To enable this proposal and to attract investment in digital infrastructure, countries and companies will be allowed to build data centers in specific Special Economic Zones. Officials indicated that data embassies would enjoy ‘diplomatic immunity’ from local laws much like physical embassies and create “bubbles of trust” amidst complex geopolitical equations.
While the concept of a ‘data embassy’ is relatively new and little has been written about it, several other countries have started experimenting with it.
For instance, Estonia has set up data embassies in other countries. Luxembourg and Bahrain have policies in place to host data embassies within their territory. These countries have mostly considered data embassies as a security enabler, providing ‘digital continuity’ in the face of the increasing cyber and physical risks – including armed conflicts – to data infrastructure.
In this two-part blog post, I advance my Datasphere fellowship research on challenges and solutions concerning cross-border data flows and data security, thus unlocking the value of data for all. In the first part of this blog post, I explain the concept of data embassies and their present conceptions, benefits, and uses. In the second part of the blog post, I will argue for the expansion of data embassies to solve the challenges posed by the critics of cross-border flows and proponents of restrictions through data localization.
What are data embassies?
A data embassy entails a set of servers in a host country that stores data directly belonging to and under the jurisdiction of another country. The data archives of one country stored in its data embassy in another country are inviolable and thus exempt from search, requisition, attachment, or execution.
In a detailed law review article analyzing the Luxembourg-Estonia data embassy agreement, Sierzputowski (2019) applies guidance from existing international law – specifically the Vienna Convention on Diplomatic Relations¹ – to evaluate its legal characteristics. These include:
- Inviolability of premises: The premises of a mission, defined as buildings or parts of buildings and the land ancillary thereto, irrespective of ownership, used for the purposes of the mission, are inviolable. This means that the host country cannot enter the physical data embassy without the permission of the country setting up the data embassy.
- Inviolability of contents: The archives and documents of the mission are also inviolable. The host state does not have the right to enter the mission or to seize the papers. All data and information systems therefore form part of the archives of the mission and cannot be searched, requisitioned, attached, or executed. Any equipment deployed by the host state also should be regarded as assets of the host state.
- Protection of premises: The host state is obliged to take all appropriate steps to protect the premises of the mission against any intrusion or damage.
So far, the few existing examples of data embassies are of government systems and data. No example of data embassies for storing other private personal or non-personal data is in place.
Why are countries considering adopting ‘data embassies?’
Countries around the world are starting to consider adopting data embassies to better their data infrastructure resilience and improve the security of crucial government systems. An example is Estonia.
Estonia, one of the most advanced countries in the use of digital infrastructure, signed an agreement with Luxembourg to set up a data embassy back in 2016. This is a response to the increase in distributed denial-of-service (DDoS) attacks against Estonia that have allegedly come from Russia (Ottis, 2018).
The Estonian data embassy in Luxembourg hosts a range of critical government data including the e-file court system, e-land registry, treasury information system, business registry, population registry, and the land cadastral registry.
The Estonian data embassy in Luxembourg presents the first example of a country expatriating government-critical servers and data to a diplomatically-secure location. Following the Estonian example, Monaco also decided to set up a data embassy in Luxembourg to protect critical government data in case of a natural disaster.
While what prompts governments to set up data embassies may differ, the Estonia and Monaco examples show that three considerations were core in setting them up:
- High-level security: Data embassies should have a very high level of security (e.g. the Estonian data embassy in Luxembourg is Tier 4², which is the highest level in the case of the Luxembourg data embassies).
- Back-up infrastructure: Countries consider them as vital back-ups for critical government-collected data, copies of which already exist in the territory of the host country.
- Jurisdiction: Data embassies – like traditional embassies – operate as per the law of the country whose data is being stored in the data centre, not that of the host country. Data stored in these centres is also off-limits to host state access, much like physical embassies.
Existing legal frameworks
The existing legal frameworks to host data embassies are varied and take the form of bilateral legal agreements in some cases as well as existing or proposed domestic law in others. Examples of existing legal arrangements are as follows:
Luxembourg (bilateral treaty with Estonia)
In June 2017, Estonia and Luxembourg signed a legal agreement on the Hosting of Data and Information Systems. The agreement codified the establishment of the data embassy along with immunity and inviolability of the data centre premises by any officials from Luxembourg while granting a right of access to authorized representatives of the Republic of Estonia.
In 2018, Bahrain passed a legislative decree in respect of Providing Cloud Computing Services to Foreign Parties to “provide a legal framework that encourages foreign parties use and investment in Cloud Computing Services within Data Centres”.
“It encourages ‘foreign parties’ which includes any private or public actor to enter into an agreement with Bahrain to set up data centres there.” On jurisdiction, Section 3 of the legislation clearly stipulates that the data (‘customer content’ as the provision words it) will be governed by the laws of the foreign state in which the customer is based.
India does not yet have a law for the hosting of data embassies. It has thus far been mentioned in the annual budget speech presented by the Finance Minister Nirmala Sitharaman “for countries looking for digital continuity solutions.” The Indian Minister of State for Information Technology Rajeev Chandrasekhar has provided some more details since. He suggested that “we have foreseen the future built around ‘corridors of trust’ and reciprocity implying that (Indian users’) data can be stored in foreign clouds as long as they are subject to Indian laws.” Interestingly, Chandrasekhar referred not just to critical government data but also to private personal and non-personal data in this statement. While it is too early to predict what form the law would take, Chandrasekhar has indicated that it may form a part of India’s forthcoming data protection legislation.
While these legal mechanisms are works in progress and will undoubtedly evolve and adapt to changing political and economic circumstances, they are innovative and grounded in pragmatic thinking and a sound application of legal concepts.
Conclusion: Innovative collaboration to unlock the value of data for all
Data security is paramount for ensuring that governments, private sector actors, and individuals are able to use and benefit from digital public and private infrastructure without fear. Yet, in today’s contested geopolitical climate, state-backed actors and cyber criminals alike frequently target digital infrastructure, undermining the trust reposed in digital systems.
The concept of a data embassy shows how nation-states and other stakeholders can collaborate and innovate to creatively interpret the law and technology to ensure that data is adequately protected, safeguarded, and backed up. This pragmatic reconfiguration of information and ideas is the ecosystem within the datasphere working at its best.
In this vein, the Bahrain and Indian proposals compel other imaginations of ‘data embassies’ which are not only set up for the purpose of protecting critical government data but also used to enable trusted regulatory convergence. These will form the basis of the second part of this blog post and their applicability to solving the conundrum around cross-border flows will be pivotal in my forthcoming work with this fellowship.
¹ While data embassies are already in operation, they were certainly not conceptualized when the Vienna Convention on Diplomatic Relations (VCDR) was signed back in 1961. Thus, the question remains open on how the VCDR, which governs the rights and obligations of diplomats and diplomatic missions in other countries, will apply to data embassies.
² Tier 4: A Tier 4 data center is built to be completely fault tolerant and has redundancy for every component. It has an expected uptime of 99.995% (26.3 minutes of downtime annually). https://www.hpe.com/us/en/what-is/data-center-tiers.html