{"id":7163,"date":"2023-07-28T12:00:00","date_gmt":"2023-07-28T06:30:00","guid":{"rendered":"https:\/\/ijpiel.com\/?p=7163"},"modified":"2023-08-07T08:57:36","modified_gmt":"2023-08-07T03:27:36","slug":"data-embassies-in-india","status":"publish","type":"post","link":"https:\/\/ijpiel.com\/index.php\/2023\/07\/28\/data-embassies-in-india\/","title":{"rendered":"Data Embassies in India"},"content":{"rendered":"\n

Abstract<\/span><\/strong><\/p>\n\n\n\n

In her last Budget speech, India\u2019s finance minister had announced that the Indian Government\nwould facilitate the establishment of \u2018data embassies\u2019 in the country. Globally, and for vulnerable\ncountries in particular, data embassies have become a viable option to store copies of critical\nstate information extraterritorially \u2013 in case the main servers get wiped out back home.\nMaintaining such essential government databases in a secure location beyond national borders\nincreases the likelihood that the underlying data may be retrieved in case of a national\nemergency.<\/span><\/p>\n\n\n\n

Nevertheless, how might countries looking for such \u2018digital continuity solutions\u2019 evaluate their\nbest option?<\/span><\/p>\n\n\n\n

Firstly, governments can enter into agreements with technology companies for the purpose of\nstoring sensitive sovereign data. For example, various cloud service providers (CSPs) have been\nempanelled with India\u2019s Ministry of Electronics and Information Technology (MEITy),\nincluding in respect of disaster recovery and backup services. Accordingly, Indian state\ndepartments may directly contract with CSPs after procuring a desired cloud package through\nthe Government\u2019s e-marketplace platform.<\/span><\/p>\n\n\n\n

However, such agreements have important shortcomings. For instance, having tested the option\nin 2014, Estonia realized that this arrangement did not provide the kind of control it was looking\nfor. After all, Estonia\u2019s threat model included the possibility of a complete shutdown of local\ndata centers further to attacks from hostile powers.<\/span><\/p>\n\n\n\n

The second option is to host sovereign data in a diplomatic embassy abroad. However, this, too\nposes problems. Among other things, traditional embassies do not typically meet the security\nspecifications necessary to house critical databases, including on account of location-specific\nlimitations in technical infrastructure.<\/span><\/p>\n\n\n\n

A third option is to acquire server space within an existing data center that is located in a\n\u2018friendly\u2019 foreign country. Therefore, unlike a conventional embassy, such a data center may\ncomprise only servers within a demarcated area in the \u2018host\u2019 state (i.e.<\/em>, the country where the data\nembassy is located). In turn, such an area may be deemed to be under the jurisdiction of the\n\u2018home\u2019 state (i.e.<\/em>, the country that \u2018sends\u2019 the data).<\/span><\/p>\n\n\n\n

However, Option 3 involves its own set of challenges. For instance, in order to avail of necessary\nprotections under international law, a regular data center needs to obtain the status of a\ndiplomatic mission. However, even if provisions of the Vienna Conventions \u2013 which provide a\nframework for diplomatic and consular relations \u2013 get interpreted creatively, residual\nuncertainties remain. For example, can protections such as diplomatic immunity be applied to\ndigital databases?<\/span><\/p>\n\n\n\n

Notwithstanding the Vienna Conventions, countries can enter into consensual arrangements\nwith each other to establish a separate bilateral legal framework. Accordingly, pursuant to a\nbilateral agreement signed in 2017, a backup of the Estonian government cloud is stored in a\nLuxembourgish data center. In turn, Luxembourg agreed to protect the inviolability of Estonia\u2019s\n\u2018premises\u2019 (i.e.<\/em>, its data) in the spirit of the Vienna Conventions. A similar agreement established\nMonaco\u2019s e-embassy in 2021, pursuant to which Luxembourg hosts a digital twin of the\nMonegasque sovereign cloud.<\/span><\/p>\n\n\n\n

What makes Luxembourg an attractive host is its state-of-the-art data centers, with robust\nbusiness continuity, communications infrastructure, and disaster recovery functions. Some such\ncenters are operational at GIFT City \u2013 where India intends to start its data embassy rollout. In\naddition, home states may choose a host based on the latter\u2019s (1) political neutrality and (2) focus\non data security and privacy laws.<\/span><\/p>\n\n\n\n

Further, to become a cloud computing hub, India could pass a separate legislation \u2013 like Bahrain\ndid (Cloud Law) \u2013 that encourages foreign entities to invest securely. Under Article 3 of the\nCloud Law, for example, information stored in Bahraini data centres remains subject to the\ndomestic laws of the home state of the foreign entity.<\/span><\/p>\n\n\n\n

Since the current draft of India\u2019s Digital Personal Data Protection Bill, 2022 deals exclusively\nwith digitized personal<\/em> data, a bespoke data embassy policy that envisages the storage of non-personal<\/em> data might need to rely on a different law \u2013 such as the proposed \u2018Digital India Act\u2019.\nMEITy could draw from international precedents in this regard.<\/span><\/p>\n\n\n\n

Introduction<\/span><\/strong><\/p>\n\n\n\n

In her Budget speech<\/a> of February 1, 2023, India\u2019s Finance Minister (\u201cFM<\/strong>\u201d) stated that the\nIndian Government would facilitate the establishment of \u2018data embassies\u2019<\/a> for the benefit of\ncountries looking for digital continuity solutions. Although certain stakeholders appear to think\nthat a corresponding policy ought to aim for a nationwide rollout<\/a>, such data embassies may be\nset up, at least to begin with, exclusively under the auspices of the Gujarat International Finance\nTec-city (\u201cGIFT<\/strong>\u201d) \u2013 in India\u2019s first international financial services center (\u201cIFSC<\/strong>\u201d), located\nbetween Ahmedabad and Gandhinagar.<\/span><\/p>\n\n\n\n

GIFT<\/span><\/strong><\/p>\n\n\n\n

Previously, through a state government undertaking<\/a>, the Government of Gujarat had\nincorporated a company called Gujarat International Finance Tec-City Company Limited\n(\u201cGIFTCL<\/strong>\u201d). Subsequently, GIFTCL developed and at present, manages GIFT. Meanwhile, a\nstatutory body (the “IFSC Authority”<\/a>) established by the Central Government pursuant to a\nparliamentary enactment (the “IFSC Authority Act”<\/a>) bears the mandate of generally governing\nIndian IFSCs. Accordingly, the IFSC Authority discharges all such functions which four separate\nregulatory bodies \u2013 the Reserve Bank of India (RBI), the Securities and Exchange Board of India\n(SEBI), the Insurance Regulatory and Development Authority of India (IRDAI), and the\nPension Fund Regulatory and Development Authority (PFRDA) \u2013 previously performed in this\nregard (i.e.<\/em>, prior to 2020).<\/span><\/p>\n\n\n\n

IFSCs<\/span><\/strong><\/p>\n\n\n\n

The IFSC at GIFT was approved by the Central Government pursuant to Section 18 of the Special Economic Zones Act, 2005<\/a> (the \u201cSEZ Act<\/strong>,\u201d) and each entity approved under such Act. While the GIFT IFSC serves as a central business district, the property related to SEZ is owned by a separate company – GIFT SEZ Limited (\u201cGSL<\/strong>\u201d). GSL was formed by GIFTCL with the express purpose of developing a multi-service SEZ in the region. Last year, GSLsecured permission <\/a> under Rule 11A of the SEZ Rules, 2006<\/a> with respect to the creation of a ‘dual use’ zone within the demarcated non-processingSEZ<\/a> area. Pursuant to such permission, developers will be allowed to offer out premises to entities that are not operating in the SEZ itself. <\/span><\/p>\n\n\n\n

The IFSC at GIFT<\/span><\/strong><\/p>\n\n\n\n

Over time, the IFSC at GIFT has been developed as a global hub for financial and information\ntechnology (\u201cIT<\/strong>\u201d) services. As a regional competitor to places like Singapore and Hong Kong,\nthe IFSC at GIFT is expected to provide a cheaper alternative<\/a> to foreign entities seeking to store\nand\/or process critical data. However, according to a recent edition of the Global Financial\nCentres Index<\/a> (\u201cGFCI<\/strong>\u201d), the IFSC at GIFT ranked 67th<\/sup> among 119 IFSCs surveyed globally,\nslipping four ranks from GFCI\u2019s previous evaluation. Nevertheless, it did place third among 15\ncenters across the world identified as likely to become more significant in the next few years.<\/span><\/p>\n\n\n\n

In addition, over time, successive budgets have promoted the use of GIFT in various but\nsignificant ways. For instance, in order to improve the ease of doing business at GIFT, the FM\nannounced during the Budget this year that powers under the SEZ Act will be delegated to the\nIFSC Authority for the purpose of avoiding dual regulation and spoke about the setting up of a\nsingle-window IT-based clearance system.<\/a> In that regard, the FM also proposed statutory\namendments to the IFSC Authority Act for arbitration and ancillary services.<\/a><\/span><\/p>\n\n\n\n

Until now, in order to establish operations at GIFT, an entity was required to apply for no-\nobjection certificates (NOCs) from several approving authorities. With single-window clearance,\nhowever, the existing system of multiple NOCs can be dispensed with, thus reducing compliance\nburdens and improving e-governance.<\/span><\/p>\n\n\n\n

Setting up Data Embassies in India<\/span><\/strong><\/p>\n\n\n\n

According to post-Budget statements<\/a> issued by representatives from the Ministry of Electronics\nand Information Technology (\u201cMeitY<\/strong>\u201d), in order to allow countries and international companies\nto set up data embassies within Indian territory, the Government may formulate a bespoke\npolicy soon. To that end, MeitY may notify specific norms<\/a>, such as with respect to (i) what a\ndata embassy constitutes, (ii) the size of a data center necessary for such purpose, and (iii)\nwhether data embassies can be virtual. Such norms are purportedly being drafted at present.<\/span><\/p>\n\n\n\n

When passed, such a policy will be expected to offer diplomatic immunity with respect to Indian\nregulations as far as the sovereign and commercial digital data of establishing entities are concerned. While it is likely that the lure of regulatory immunity will promote significant\ninvestment in India\u2019s data industry \u2013 especially from technology infrastructure providers and\ncloud storage companies \u2013 the proposed data embassy policy may even find its way (although it\nseems unlikely) into a revised iteration of the current draft of India\u2019s Digital Personal Data\nProtection Bill, 2022<\/a> (\u201cDPDP<\/strong>\u201d) \u2013 which was released in November last year for public\ncomments. Alternatively, the policy may get drafted separately, over and above DPDP, allowing\nfor the storage of non-personal sovereign\/commercial data only.<\/a><\/span><\/p>\n\n\n\n

As such, the whole initiative with respect to facilitating the establishment of data embassies\nappears to be part of a larger plan to build a trusted data storage ecosystem in India<\/a>. Provoked\nby several underlying concerns<\/a>, certain technology infrastructure companies \u2013 which are\ncurrently engaged in building data centers locally \u2013 were purportedly seeking to petition the\nGovernment (only a few days before the last Budget announcement) for the purpose of\nachieving a mandate towards local storage of Indian user data, along with a request for including\nreciprocity in cross-border data flows<\/a>. In essence, this purported demand suggests that Indian\nuser data may be transferred only to such countries that allow personal (or anonymized) data\nrelating to their own citizens to be sent to and\/or stored in, India.<\/span><\/p>\n\n\n\n

An earlier iteration of DPDP \u2013 the Personal Data Protection Bill, 2019<\/a> (\u201cPDP 19<\/strong>\u201d) \u2013 had sought\nto restrict the transfer, processing, and storage of data overseas, causing significant concern\namong large multinational companies in the technology sector, such as Meta, Google, Twitter,\nand Amazon. However, the current draft of DPDP allows for the possibility of storing and\ntransferring personal data according to specified terms and conditions, albeit in certain notified\ncountries and territories only<\/a> \u2013 perhaps in locations that satisfy the Government in respect of\n\u2018adequacy\u2019 as far as data protection is concerned, and\/or in such regions which the Government\nperceives as \u2018friendly\u2019 and strategically important (or otherwise conducive and aligned with\nIndia\u2019s national interests).<\/span><\/p>\n\n\n\n

In that regard, DPDP, along with the rules framed thereunder, may well include reciprocity as a\ncentral element of legislative and executive policy, especially when it comes to concerns among\nforeign data centers about local law being applied to business operations. In other words, just as\nIndian user data may be stored in a foreign cloud as long as such data remains exclusively subject\nto Indian law, foreign businesses and sovereigns may also be able to use Indian cloud ecosystems\nthrough a data embassy (where their own national laws apply) to store critical information for the purpose of business continuity and data recovery. Such reciprocal measures may be\nconsistent with the Indian Government\u2019s efforts to bolster the national cloud ecosystem,\nincluding via cloud computing initiatives such as \u2018MeghRaj,\u2019<\/a> launched through the National\nInformatics Centre (\u201cNIC<\/strong>\u201d) under MeitY supervision.<\/span><\/p>\n\n\n\n

Indeed, MeitY aims to create the national government cloud to store India\u2019s sensitive sovereign\ndata<\/a> locally, including in respect of matters impinging upon national security. Further, it appears\nthat a network of large-scale data centers may be established to create this cloud. Already,\nofferings from various prominent Cloud Service Providers<\/a> (\u201cCSPs<\/strong>\u201d) have been empanelled<\/a> with\nMeitY for the benefit of government departments, and such cloud services are listed on the\nGovernment\u2019s e-marketplace (GeM)<\/a> platform for the purpose of procurement.<\/span><\/p>\n\n\n\n

In this regard, various cloud deployments (public cloud, a virtual private cloud, as well as a\ngovernment community cloud) and service models like infrastructure-as-a-service (IaaS),\nplatform-as-a-service (PaaS), and software-as-a-service (SaaS) exist. Among several categories of\nservices within such empanelment bouquet<\/a> \u2013 such as basic and advanced cloud services<\/a> \u2013\nadditional managed services comprising disaster recovery and backup are also included.\nAccordingly, a government department may decide to adopt<\/a> such bespoke cloud services,\nundertake procurement on that basis, and subsequently enter into appropriate agreements with\nCSPs.<\/a><\/span><\/p>\n\n\n\n

Furthermore, only a few months ago, MeitY issued a press release announcing its intent to\ntransform the country into a cloud computing and data center hub<\/a>. In addition, the Production\nLinked Incentive (\u201cPLI\u201d) scheme for IT hardware<\/a> is expected to further incentivize some of the\ninfrastructural components used by data centers in connection with developing a cloud\necosystem, the deadline to apply for which has now been extended until July 31, 2023. Such a\nnew PLI scheme offers incentives to those original equipment manufacturers (OEMs) that\nincorporate locally designed intellectual property components into their products. Nonetheless,\nin the absence of a dedicated policy and\/or supporting legal framework for the purpose of\nestablishing a data embassy \u2013 including in respect of modalities and limits to central government-\naided facilitation in this regard, it is unclear how variously aligned benefits may be eventually\ndesigned.<\/span><\/p>\n\n\n\n

To that end, the framework designed for aircraft leasing under the IFSC Authority Act<\/a>, along\nwith its lessons and pitfalls<\/a>, may serve as a template to design bespoke policy solutions in respect\nof data embassies in the future. While the IFSC at GIFT offers a competitive tax regime, certain\nother issues unique to data embassies might need to be resolved.<\/span><\/p>\n\n\n\n

Data Centers in India<\/span><\/strong><\/p>\n\n\n\n

With the aim of boosting investment into data centers in India, several government policies,\nincluding at the state level, seek to provide major incentives.\u00a0Various companies, including\nforeign ones, have already set up data centers in the country.\u00a0In her 2022 budget speech, the\nIndian FM announced that data centers would be provided the status of \u2018infrastructure,\u2019 at par\nwith sectors such as railways, roadways, and power, for the purpose of facilitating long-term\ncredit on improved terms.<\/span><\/p>\n\n\n\n

India generally permits 100% foreign investment in data centres. In 2020, MeitY issued a Draft\nData Centre Policy<\/a> (\u201cDDCP 2020<\/strong>\u201d), necessitated in part by data localization mandates\nincorporated in PDP 19. Although a detailed scheme specifying implementation guidelines in\nrespect of DDCP 2020 is yet to be notified even after stakeholder consultations have been\nconducted in this regard, such a scheme may be issued soon.<\/span><\/p>\n\n\n\n

DDCP 2020 proposes a framework for various structural and regulatory interventions, such as\nexpedited approval timelines and single window clearance, the establishment of data center\neconomic zones and parks, as well as hyperscale data centres, along with special incentives\ninvolving subsidized land and power. Further, DDCP 2020 seeks to encourage joint ventures\nbetween foreign investors and domestic companies.<\/span><\/p>\n\n\n\n

Gujarat<\/span><\/strong><\/p>\n\n\n\n

About a year ago, the Directorate of ICT & e-Governance under the Gujarat government\u2019s\nDepartment of Science and Technology introduced a new IT and IT-enabled services (\u201cITeS<\/strong>\u201d)\npolicy (the \u201cIT\/ITeS Policy<\/a>\u201d), replacing an erstwhile version (2016-2021). This new IT\/ITeS\nPolicy is valid for a 5-year period, i.e.<\/em>, until March 31, 2027, unless a revised policy is declared\nbefore it lapses. Only those eligible entities which (i) apply for assistance on or before such\ndeadline and (ii) commence operations on or before March 31, 2028, will be eligible for policy-\nrelated incentives<\/a>.<\/span><\/p>\n\n\n\n

Among other targets, the policy champions large-scale investments in the IT\/ITeS sector\nthrough special provisions for mega projects, along with world-class IT infrastructure, data\ncenters, and innovations in emerging technology. Specifically, the IT\/ITeS Policy seeks to enable\ncloud computing by encouraging technologically advanced data centers. \u2018Mega projects\u2019 are\ndefined as those where the Gross Fixed Capital Investment<\/a> (\u201cGFCI<\/strong>\u201d) in IT\/ITeS amounts to\nINR 2.5 billion or more, or where the project directly generates 2,000 or more IT-payroll\nemployees.<\/span><\/p>\n\n\n\n

Fiscal incentives in terms of support for capital and operational expenditure, respectively, may be\nprovided under the IT\/ITeS Policy across different investment categories. \u2018Early mover\u2019 projects\nmay be given additional relaxations, where the first three eligible projects with a GFCI of INR 1\nbillion or more will be considered as mega projects for the purpose of benefiting from specified\nincentives under the IT\/ITeS Policy.<\/span><\/p>\n\n\n\n

In addition, there are separate incentive and support regimes<\/a> for developing cloud ecosystems\nand establishing data centers, respectively, including in respect of power tariff subsidies as per\nimplementation guidelines related to the policy. Importantly, while a data center has been\ngenerally defined as a facility that centralizes computing and networking equipment to collect,\nstore, process, and disseminate a large amount of data, incentives will only be provided for\nsetting up greenfield data centers that are \u2018Tier 3\u2019 or above (discussed below<\/em>) with a minimum\nprescribed<\/a> (i) built-up area of 4,000 sq. ft. and (ii) minimum 150 racks.<\/span><\/p>\n\n\n\n

While investing in, and developing, large-scale data centers involve important practical\nconsiderations, including with regard to land, building, power supply, connectivity, and\nsupporting infrastructure, the state government of Gujarat aims to facilitate such access \u2013\nincluding in terms of land allotment \u2013 subject to availability and eligibility. In addition, IT\/ ITeS\nunits are allowed to self-certify without the usual mandatory inspections required under Indian\nlaw.<\/span><\/p>\n\n\n\n

Among others, any IT\/ITeS unit with at least 10 employees on its payroll that sets up operations\nin Gujarat during the operative period of the policy will be eligible to avail of applicable\nincentives. Nevertheless, to qualify as an eligible unit, an entity may need to be formed under\nIndian law and\/or need to:<\/span><\/p>\n\n\n\n

      (i) Set up, or<\/span><\/p>\n\n\n\n

      (ii) conduct commercial operations, or<\/span><\/p>\n\n\n\n

      (iii) invest in the IT\/ITeS industry at a location<\/span><\/p>\n\n\n\n

in the state of Gujarat (as opposed to operating under a foreign jurisdiction, as may be required\nfor the purpose of setting up data embassies).<\/span><\/p>\n\n\n\n

Jurisdiction and Dispute Resolution<\/span><\/strong><\/p>\n\n\n\n

Indian law permits foreign embassies to transfer immovable property in India, including via\npurchase<\/a> or sale. However, necessary approvals need to be obtained from the Government\u2019s\nMinistry of External Affairs in this regard. However, the IFSC at GIFT (i) caters to customers\noutside<\/em> the limits of India\u2019s domestic economy, and (ii) is envisaged to serve as a jurisdiction that\nprovides services to non-residents (along with resident institutions) in foreign currency (i.e.<\/em>, other\nthan INR).<\/span><\/p>\n\n\n\n

Generally, dispute resolution policies and procedures may be specified by the IFSC Authority\nwithin the ambit of the IFSC Authority Act. However, there are no specialized commercial\ncourts in place at GIFT so far, nor does a separate arbitration law exist as of date that provides a\nprocessual framework for enforcing arbitral awards (which process may, at the same time,\nrestrict court interventions). In this situation, there might be lingering uncertainty about the legal\nand\/or territorial status of GIFT, and, relatedly, about how awards stemming from disputes in\nthis territory will be treated by courts \u2013 both Indian and foreign. Nevertheless, among other\nSouth Asia offices of the Singapore International Arbitration Center (\u201cSIAC\u201d)<\/a>, one is located at\nGIFT.<\/span><\/p>\n\n\n\n

In 2016, GIFTCL and GSL had entered into a Memorandum of Agreement (\u201cMoA\u201d)<\/a> with\nSIAC. Under the terms of this MoA, SIAC established a representative office<\/a> at the GIFT IFSC\nin 2017<\/a> (in addition to the one opened in Mumbai in 2013) for the purpose of promoting the use\nof arbitration, mediation, and other alternative dispute resolution mechanisms to resolve\ninternational commercial disputes arising there.<\/span><\/p>\n\n\n\n

The mission of this representative office is to promote SIAC\u2019s international arbitration services\nto Indian users, especially in light of increased participation by international and domestic\nbusinesses at the GIFT IFSC, as well as on account of the growing popularity among Indian\nbusinesses to have their disputes resolved in accordance with the SIAC arbitration rules. It is\nexpected that companies setting up operations at GIFT will incorporate the SIAC model clause into contracts, with arbitration being administered in Singapore. Access to SIAC\u2019s dispute\nresolution services was expected to support GIFT\u2019s ambition to encourage businesses to\nundertake large international financial transactions at its IFSC, thereby allowing GIFT to develop\ninto a global financial hub along the lines of Singapore, Hong Kong, Dubai, London, and New\nYork.<\/span><\/p>\n\n\n\n

Further, about a year ago, during her previous Budget presentation, the Indian FM had\nannounced the establishment of another international arbitration center at GIFT<\/a>, similar to\nSIAC.<\/span><\/p>\n\n\n\n

Tiers of Data Centers<\/span><\/strong><\/p>\n\n\n\n

\u2018Tiers\u2019 with respect to a data center describe specific kinds of infrastructure. Thus, Tier 1\nrepresents the simplest kind of infrastructure, while Tier 4 represents the maximum complexity\nand \u2018fault tolerance\u2019 (i.e.<\/em>, the ability to handle both planned and unplanned disruptions), including\nby having the most \u2018redundant\u2019 components.<\/span><\/p>\n\n\n\n

Data redundancy is a condition created within a database or storage technology in which the\nsame piece of data is separately held in two or more places. Data redundancy can be a deliberate\nfeature for the purpose of backup and\/or recovery. In the event of a cyberattack or data breach,\nfor example, having the same information stored in different locations can be critical to ensure\ncontinuity of operations and to mitigate damage.<\/span><\/p>\n\n\n\n

A Tier 4 data center has an expected \u2018uptime\u2019 \u2013 i.e.<\/em>, guaranteed annual availability \u2013 of as much as\n99.995% (i.e.<\/em>, under 30 minutes of downtime a year to ensure minimal business disruption). New\nYork-headquartered Uptime Institute<\/a> (\u201cUI<\/strong>\u201d) sets performance standards for digital\ninfrastructure \u2013 including for data centers \u2013 and assigns these tiers to various facilities based on a\nnumber of factors, including service availability\/redundancy, fault tolerance, uptime guarantees,\nsecurity, service cost, efficiency, sustainability, etc.<\/span><\/p>\n\n\n\n

However, having a UI rating is optional. Accordingly, not all data centers have an assigned tier.\nNevertheless, most major centers request an evaluation from UI since an official rating helps\nbuild credibility, improves the marketability of a facility\u2019s capabilities, and builds trust \u2013 thus\nattracting clients.<\/span><\/p>\n\n\n\n

Nevertheless, this tiering system does not require the use of any specific technologies or design\nchoices.<\/span><\/p>\n\n\n\n

Data Protection Laws<\/span><\/strong><\/p>\n\n\n\n

Since DPDP deals exclusively with digitized personal<\/em> data, a national data embassy policy that\nenvisages the storage of non-personal<\/em> sovereign data may have to rely on a different statute to\nreach legislative fruition \u2013 such as the Proposed \u2018Digital India Act\u2019 (\u201cDIA\u201d)<\/a>.<\/span><\/p>\n\n\n\n

It appears that, pursuant to a few (additional) rounds of engagement with select stakeholders, a\ndraft bill on DIA will be ready in a few weeks\/months<\/a>, while a revised iteration of DPDP is\nexpected to be tabled before parliament soon. According to media reports, MeitY may frame\nrules<\/a> for sharing non-personal data under DIA<\/a>.<\/span><\/p>\n\n\n\n

Data Embassies<\/span><\/strong><\/p>\n\n\n\n

As a novel device under public international law, data embassies have only recently become a\nviable option, especially among vulnerable states that face multifaceted uncertainties with respect\nto cyberattacks and natural hazards, along with threats to sovereignty and territorial integrity.\nThe idea of storing backups of critical state information within data embassies located abroad \u2013\nespecially for the purpose of operating such databases from a secure center beyond a state\u2019s own\nborders \u2013 implies that such data remains available for retrieval in the event of a disaster or other\nemergency.<\/span><\/p>\n\n\n\n

Diplomatic Immunity<\/span><\/strong><\/p>\n\n\n\n

Vienna Conventions from the early-1960s provide a framework for diplomatic (\u201cVCDR<\/a>\u201d) and\nconsular (\u201cVCCR<\/a>\u201d) relations, respectively, on the basis of consent between sovereign states. In\nthe context of data storage, Article 24 of the VCDR<\/a>, for instance, states that \u201c[t]he archives and\ndocuments of the mission shall be inviolable at any time and wherever they may be\u201d. Article\n1(1)(k) of the VCCR<\/a>, in turn, interprets these archives to include \u201call the papers, documents,\ncorrespondence, books, films, tapes and registers of the consular post, together with the ciphers\nand codes, the card indexes and article or furniture intended for the protection or safekeeping\u201d.\nFurther, in terms of data transmission, Article 27(1) of the VCDR<\/a> states that \u201cthe receiving State\nshall permit and protect free communication on the part of the mission for all official purposes.\nIn communicating with the Government and the other missions and consulates of the sending State, wherever situated, the mission may employ all appropriate means, including diplomatic\ncouriers and messages in code or cipher\u2026\u201d<\/span><\/p>\n\n\n\n

Thus, taken as a whole, the Vienna Conventions appear to establish that any relevant\ninformation, including modern forms of information storage, may be subject to its protection\nregime.<\/span><\/p>\n\n\n\n

While the Vienna Conventions entered into force in the 1960s, international modes of\ncommunicating and transmitting data have dramatically changed. Accordingly, the terms\n\u2018diplomatic correspondence\u2019 and \u2018consular archives\u2019 encompass an entirely different range of\nactivities today. Traditionally, the Vienna Conventions have dealt with analogue forms of\ncommunication, with the diplomatic \u2018bag\u2019 often being an integral component. Even today, the\nVCDR and VCCR, respectively, are deemed to apply within the context of a \u2018traditional\u2019\ndiplomatic mission only. Nevertheless, with the rise of alternative methods of diplomacy,\nespecially within the context of a digital era, things such as \u2018virtual embassies\u2019 \u2013 which function\nas digital representations of the main diplomatic mission \u2013 have had occasion to evolve. The\nquestion, however, is: Can the Vienna Conventions be applied outside the context of a\ntraditional diplomatic mission, such as in the context of a data center? Further, can protections\nsuch as diplomatic immunity be applied to data and information systems?<\/span><\/p>\n\n\n\n

What Features Does a Data Embassy Involve?<\/span><\/strong><\/p>\n\n\n\n

Unlike a conventional embassy, a data embassy might consist of nothing more than a room full\nof servers, storing data essential to keep a government and its core public services running\nshould the country\u2019s main servers get wiped out back home.<\/span><\/p>\n\n\n\n

Data embassies are typically hosted in a different country, with the \u2018host\u2019 country providing the\nnecessary infrastructure to ensure the safekeeping of data. Thus, such a host country must\nprovide a secure and reliable data center, as well as resilient infrastructure to store critical data\nsuch that cyber and physical threats can be appropriately addressed. This includes power\nsupplies, internet access, as well as secure data transfer and processing capabilities, along with a\nrobust mechanism to ensure data back-ups. In addition, the host country must provide data\nprivacy laws that meet international standards.<\/span><\/p>\n\n\n\n

Data embassies must also have an agreement with a trusted partner that covers technical and\ncontractual measures to ensure the confidentiality, integrity, and availability of the data stored in\nthat facility. Importantly, the agreement must also delegate a certain level of control over the\ndata.<\/span><\/p>\n\n\n\n

Once the infrastructure is in place, the data embassy may be ready to accept data from its\nprimary site. Such data is encrypted and securely transferred to the embassy, where it is stored in\na secure environment. The embassy then provides a secure access portal, allowing users to access\nthe data remotely. Indeed, data embassies can be used for a variety of purposes, including\ndisaster recovery, archiving, and data storage.<\/span><\/p>\n\n\n\n

Precedents<\/span><\/strong><\/p>\n\n\n\n

While India contemplates the framing of a data embassy policy, it could look at certain\ninternational precedents.<\/span><\/p>\n\n\n\n

Estonia<\/em><\/span><\/strong><\/p>\n\n\n\n

Governments can enter into contracts with technology companies for cloud services to store\nsovereign data. However, such agreements can have important shortcomings. For instance,\nEstonia had considered putting its government data in a privately-owned public cloud. The\noption was tested in 2014 when the country embarked on a trial with a technology company, but\nthe latter could not provide the level of control that Estonia was looking for.<\/span><\/p>\n\n\n\n

In 2015, the Estonian Government evaluated the risks it faced as a small country that was highly\nreliant on digital services. Accordingly, it determined that its unique threat model should include\nthe shutdown of local data centers because of extensive denial-of-service attacks. To be able to\nrecover from these scenarios, Estonia decided to host a backup of its most critical data in data\ncenters abroad.<\/span><\/p>\n\n\n\n

Thus, in 2017, the Republic of Estonia and the Grand Duchy of Luxembourg signed an\nagreement<\/a>, establishing the world\u2019s first data embassy in Luxembourg. In effect, this bilateral\nagreement laid the foundational structure from which the Estonian Government could begin to\nsystematically backup its critical databases. Located within a dedicated government-operated data\ncenter in Luxembourg, the Estonian data embassy protects its information systems and data,\nsimilar to a traditional diplomatic mission.<\/span><\/p>\n\n\n\n

Through the bilateral agreement, Luxembourg agreed to protect the inviolability of Estonian\npremises (and thus, its information systems and data) in the spirit of the Vienna Conventions.\nAccordingly, the premises of Estonia\u2019s data embassy inside Luxembourg are inviolable, just like\nthe premises of a regular embassy are \u2013 such that no official representative from the\nGovernment of Luxembourg will be able to enter the embassy or access its underlying data\nwithout Estonia\u2019s approval.<\/span><\/p>\n\n\n\n

      \u25cf Why Luxembourg?<\/strong><\/em><\/span><\/p>\n\n\n\n

A number of reasons justified the choice of Luxembourg as a partner for Estonia\u2019s data embassy\nproject. The number and efficacy of state-owned, high security \u2018Tier 4\u2019 data centers within the\ncountry were crucial, along with an efficient communications infrastructure that offers low\nlatency and high resiliency across its colocation network. Conversely, for Luxembourg, this\npartnership helped it to position itself as a \u2018hub\u2019 for other data embassies in the future, while\nother governments could potentially follow Estonia\u2019s lead. Sure enough, in late 2018,\nLuxembourg and Monaco announced a partnership<\/a> to boost digital cooperation.<\/span><\/p>\n\n\n\n

      \u25cf The Bilateral Agreement Approach<\/strong><\/em><\/span><\/p>\n\n\n\n

The Estonian data embassy project initially encountered legal challenges, which primarily\nrevolved around guaranteeing the confidentiality and security of critical data lying within the\njurisdiction of another state. To overcome these challenges, the governments of Estonia and\nLuxembourg signed a unique bilateral agreement that established immunity for the data embassy.\nPursuant to such agreement, Estonian data and related systems are stored in Luxembourg\u2019s\ngovernment-owned data center. Thus, the data embassy is an extension of the Estonian\ngovernment cloud<\/a>, meaning that the Estonian state owns server resources outside its borders. As\nwith physical Estonian embassies, the servers are considered sovereign embassies in foreign data\ncenters. Luxembourg, in turn, guarantees that the data and servers are protected by the same\nlegal guarantees as the data and servers in Estonia. The data saved in such embassies are copies\nof a country\u2019s most sensitive and confidential data or even digital twins of a country\u2019s sovereign\ncloud.<\/span><\/p>\n\n\n\n

Monaco<\/em><\/span><\/strong><\/p>\n\n\n\n

Similarly, a bilateral agreement signed in July 2021 established Monaco\u2019s e-embassy in\nLuxembourg. Thus, Monaco and Luxembourg have finalized the storage of the former\u2019s sensitive sovereign data. Pursuant to their bilateral agreement, Luxembourg now hosts a digital\ntwin of the Monegasque sovereign cloud.<\/span><\/p>\n\n\n\n

Bahrain<\/em><\/span><\/strong><\/p>\n\n\n\n

The idea of data embassies has found appeal among certain ambitious countries (and not just\nvulnerable ones) that seek to host others\u2019<\/em> critical data. In addition, the use of cloud computing\nthrough a network of remote servers hosted on the internet to store, manage, and process data\n(rather than on a local server) is now common.<\/span><\/p>\n\n\n\n

For example, like India, the Kingdom of Bahrain aspires to become a regional cloud computing\nhub. To that end, Bahrain passed a law in 2018<\/a> (the \u201cCloud Law<\/strong>\u201d) to encourage foreign parties\n\u2013 including public or private juridical persons in, and government or non-government entities of,\na foreign state \u2013 to use, as well as to invest in, cloud computing services within Bahraini data\ncenters.<\/span><\/p>\n\n\n\n

However, in order to attract investments, such data is subject to the exclusive jurisdiction of a\ncustomer\u2019s own municipal legal system (as opposed to Bahrain\u2019s own). Thus, under Article 3 of\nthe Cloud Law<\/a>, the data stored in local Bahraini data centers will be subject to the domestic law\nof the foreign state where the relevant consumer resides (or is incorporated).<\/span><\/p>\n\n\n\n

This also means that the foreign data will be subject to the jurisdiction of the foreign state\u2019s\ncourts. Therefore, such foreign courts are empowered to issue binding judgments with respect to\nany dispute that may arise between the overseas consumer and the domestic service provider.\nSuch foreign court interventions may include orders for providing access, disclosure, as well as\npreserving or maintaining the integrity of the consumer\u2019s data.<\/span><\/p>\n\n\n\n

Conclusion<\/span><\/strong><\/p>\n\n\n\n

Certain Tier 3 and Tier 4 data centers are already operational at GIFT<\/a> with business continuity\nand disaster recovery functions, among other features. Data embassies, however, may require a\nnew approach to securing data by leveraging diplomatic agreements bolstered by cloud\ntechnology solutions. Thus, India may need to develop a separate and specially tailored\nregulatory framework with respect to data embassies, including for the purpose of becoming a\nreliable host for foreign sovereign and commercial data.<\/span><\/p>\n\n\n\n

Disclaimer<\/span><\/strong><\/p>\n\n\n\n

This post is intended only as a general discussion of issues and is not intended for any\nsolicitation of work. It should not be regarded as legal advice and no legal or business decision\nshould be based on its content.<\/strong><\/em><\/span><\/p>\n\n\n\n

About the Author<\/span><\/strong><\/p>\n\n\n\n

Dr. Deborshi Barat, Counsel, S&R Associates. He was formerly a faculty member at Jindal Global Law School and is an alumnus of the Fletcher School of Law and Diplomacy. <\/span><\/p>\n\n\n\n

Editorial Team<\/span><\/strong><\/p>\n\n\n\n

Managing Editor: Naman Anand<\/em>
Editors-in-Chief: Muskaan Singh & Jhalak Srivastava<\/em>
Senior Editor: Abeer Tiwari<\/em>
Associate Editor: Kaushiki Singh<\/em>
Junior Editor: Ishita Chandra<\/em><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Abstract In her last Budget speech, India\u2019s finance minister had announced that the Indian Government would facilitate the establishment of \u2018data embassies\u2019 in the country. Globally, and for vulnerable countries in particular, data embassies have become a viable option to store copies of critical state information extraterritorially \u2013 in case the main servers get wiped […]<\/p>\n","protected":false},"author":253,"featured_media":7271,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":"","wp_social_preview_title":"","wp_social_preview_description":"","wp_social_preview_image":0},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/ijpiel.com\/index.php\/wp-json\/wp\/v2\/posts\/7163"}],"collection":[{"href":"https:\/\/ijpiel.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ijpiel.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ijpiel.com\/index.php\/wp-json\/wp\/v2\/users\/253"}],"replies":[{"embeddable":true,"href":"https:\/\/ijpiel.com\/index.php\/wp-json\/wp\/v2\/comments?post=7163"}],"version-history":[{"count":51,"href":"https:\/\/ijpiel.com\/index.php\/wp-json\/wp\/v2\/posts\/7163\/revisions"}],"predecessor-version":[{"id":7546,"href":"https:\/\/ijpiel.com\/index.php\/wp-json\/wp\/v2\/posts\/7163\/revisions\/7546"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ijpiel.com\/index.php\/wp-json\/wp\/v2\/media\/7271"}],"wp:attachment":[{"href":"https:\/\/ijpiel.com\/index.php\/wp-json\/wp\/v2\/media?parent=7163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ijpiel.com\/index.php\/wp-json\/wp\/v2\/categories?post=7163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ijpiel.com\/index.php\/wp-json\/wp\/v2\/tags?post=7163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}