In her Budget speech of February 1, 2023, India’s Finance Minister (“FM”) stated that the Indian government would facilitate the establishment of ‘data embassies’ for the benefit of countries looking for digital continuity solutions. Although certain stakeholders appear to think that a corresponding policy ought to aim for a nationwide rollout, such data embassies may be set up, at least to begin with, exclusively under the auspices of the Gujarat International Finance Tec-city (“GIFT”) – in India’s first international financial services center (“IFSC”), located between Ahmedabad and Gandhinagar.
Previously, through a state government undertaking, the Government of Gujarat had incorporated a company called Gujarat International Finance Tec-City Company Limited (“GIFTCL”). Subsequently, GIFTCL developed and at present, manages GIFT. Meanwhile, a statutory body (the “IFSC Authority”) established by the Central Government pursuant to a parliamentary enactment (the “IFSC Authority Act”) bears the mandate of generally governing Indian IFSCs. Accordingly, the IFSC Authority discharges all such functions which four separate regulatory bodies – the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), the Insurance Regulatory and Development Authority of India (IRDAI), and the Pension Fund Regulatory and Development Authority (PFRDA) – previously performed in this regard (i.e., prior to 2020).
The IFSC at GIFT was approved by the Central Government pursuant to Section 18 of the Special Economic Zones Act, 2005 (the “SEZ Act,”) and each entity approved under such Act. While the GIFT IFSC serves as a central business district, the property related to SEZ is owned by a separate company – GIFT SEZ Limited (“GSL”). GSL was formed by GIFTCL with the express purpose of developing a multi-service SEZ in the region. Last year, GSL secured permission under Rule 11A of the SEZ Rules, 2006 with respect to the creation of a ‘dual use’ zone within the demarcated non-processing SEZ area. Pursuant to such permission, developers will be allowed to offer out premises to entities that are not operating in the SEZ itself.
THE IFSC AT GIFT
Over time, the IFSC at GIFT has been developed as a global hub for financial and information technology (“IT”) services. As a regional competitor to places like Singapore and Hong Kong, the IFSC at GIFT is expected to provide a cheaper alternative to foreign entities seeking to store and/or process critical data. However, according to a recent edition of the Global Financial Centres Index (“GFCI”), the IFSC at GIFT ranked 67th among 119 IFSCs surveyed globally, slipping four ranks from GFCI’s previous evaluation. Nevertheless, it did place third among 15 centers across the world identified as likely to become more significant in the next few years.
In addition, over time, successive budgets have promoted the use of GIFT in various but significant ways. For instance, in order to improve the ease of doing business at GIFT, the FM announced during the Budget this year that powers under the SEZ Act will be delegated to the IFSC Authority for the purpose of avoiding dual regulation, and spoke about the setting up of a single-window IT-based clearance system. In that regard, the FM also proposed statutory amendments to the IFSC Authority Act for arbitration and ancillary services.
Until now, in order to establish operations at GIFT, an entity was required to apply for no-objection certificates (NOCs) from several approving authorities. With single-window clearance, however, the existing system of multiple NOCs can be dispensed with, thus reducing compliance burdens and improving e-governance.
SETTING UP DATA EMBASSIES IN INDIA
According to post-Budget statements issued by representatives from the Ministry of Electronics and Information Technology (“MeitY”), in order to allow countries and international companies to set up data embassies within Indian territory, the Government may formulate a bespoke policy soon. To that end, MeitY may notify specific norms, such as with respect to (i) what a data embassy constitutes, (ii) the size of a data center necessary for such purpose, and (iii) whether data embassies can be virtual. Such norms are purportedly being drafted at present.
When passed, such a policy will be expected to offer diplomatic immunity with respect to Indian regulations as far as the sovereign and commercial digital data of establishing entities are concerned. While it is likely that the lure of regulatory immunity will promote significant investment in India’s data industry – especially from technology infrastructure providers and cloud storage companies – the proposed data embassy policy may even find its way (although it seems unlikely) into a revised iteration of the current draft of India’s Digital Personal Data Protection Bill, 2022 (“DPDP”) – which was released in November last year for public comments. Alternatively, the policy may get drafted separately, over and above DPDP, allowing for the storage of non-personal sovereign/commercial data only.
As such, the whole initiative with respect to facilitating the establishment of data embassies appears to be part of a larger plan to build a trusted data storage ecosystem in India. Provoked by several underlying concerns, certain technology infrastructure companies – which are currently engaged in building data centers locally – were purportedly seeking to petition the Government (only a few days before the last Budget announcement) for the purpose of achieving a mandate towards local storage of Indian user data, along with a request for including reciprocity in cross-border data flows. In essence, this purported demand suggests that Indian user data may be transferred only to such countries that allow personal (or anonymized) data relating to their own citizens to be sent to and/or stored in, India.
An earlier iteration of DPDP – the Personal Data Protection Bill, 2019 (“PDP 19”) – had sought to restrict the transfer, processing, and storage of data overseas, causing significant concern among large multinational companies in the technology sector, such as Meta, Google, Twitter, and Amazon. However, the current draft of DPDP allows for the possibility of storing and transferring personal data according to specified terms and conditions, albeit in certain notified countries and territories only – perhaps in locations that satisfy the Government in respect of ‘adequacy’ as far as data protection is concerned, and/or in such regions which the Government perceives as ‘friendly’ and strategically important (or otherwise conducive and aligned with India’s national interests).
In that regard, DPDP, along with the rules framed thereunder, may well include reciprocity as a central element of legislative and executive policy, especially when it comes to concerns among foreign data centers about local law being applied to business operations. In other words, just as Indian user data may be stored in a foreign cloud as long as such data remains exclusively subject to Indian law, foreign businesses and sovereigns may also be able to use Indian cloud ecosystems through a data embassy (where their own national laws apply) to store critical information for the purpose of business continuity and data recovery. Such reciprocal measures may be consistent with the Indian Government’s efforts to bolster the national cloud ecosystem, including via cloud computing initiatives such as ‘MeghRaj,’ launched through the National Informatics Centre (“NIC”) under MeitY supervision.
Indeed, MeitY aims to create the national government cloud to store India’s sensitive sovereign data locally, including in respect of matters impinging upon national security. Further, it appears that a network of large-scale data centers may be established to create this cloud. Already, offerings from various prominent Cloud Service Providers (“CSPs”) have been empanelled with MeitY for the benefit of government departments, and such cloud services are listed on the Government’s e-marketplace (GeM) platform for the purpose of procurement.
In this regard, various cloud deployment (public cloud, a virtual private cloud, as well as a government community cloud) and service models like infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) exist. Among several categories of services within such empanelment bouquet – such as basic and advanced cloud services – additional managed services comprising disaster recovery and backup are also included. Accordingly, a government department may decide to adopt such bespoke cloud services, undertake procurement on that basis, and subsequently enter into appropriate agreements with CSPs.
Furthermore, only a few months ago, MeitY issued a press release announcing its intent to transform the country into a cloud computing and data center hub. In addition, the Production Linked Incentive (“PLI”) scheme for IT hardware is expected to further incentivize some of the infrastructural components used by data centers in connection with developing a cloud ecosystem, the deadline to apply for which has now been extended until July 31, 2023. Such a new PLI scheme offers incentives to those original equipment manufacturers (OEMs) that incorporate locally designed intellectual property components into their products. Nonetheless, in the absence of a dedicated policy and/or supporting legal framework for the purpose of establishing a data embassy – including in respect of modalities and limits to central government-aided facilitation in this regard, it is unclear how variously aligned benefits may be eventually designed.
To that end, the framework designed for aircraft leasing under the IFSC Authority Act, along with its lessons and pitfalls, may serve as a template to design bespoke policy solutions in respect of data embassies in the future. While the IFSC at GIFT offers a competitive tax regime, certain other issues unique to data embassies might need to be resolved.
DATA CENTERS IN INDIA
With the aim of boosting investment into data centers in India, several government policies, including at the state level, seek to provide major incentives. Various companies, including foreign ones, have already set up data centers in the country. In her 2022 budget speech, the Indian FM announced that data centers would be provided the status of ‘infrastructure,’ at par with sectors such as railways, roadways, and power, for the purpose of facilitating long-term credit on improved terms.
India generally permits 100% foreign investment in data centres. In 2020, MeitY issued a Draft Data Centre Policy (“DDCP 2020”), necessitated in part by data localization mandates incorporated in PDP 19. Although a detailed scheme specifying implementation guidelines in respect of DDCP 2020 is yet to be notified even after stakeholder consultations have been conducted in this regard, such a scheme may be issued soon.
DDCP 2020 proposes a framework for various structural and regulatory interventions, such as expedited approval timelines and single window clearance, the establishment of data center economic zones and parks, as well as hyperscale data centres, along with special incentives involving subsidized land and power. Further, DDCP 2020 seeks to encourage joint ventures between foreign investors and domestic companies.
About a year ago, the Directorate of ICT & e-Governance under the Gujarat government’s Department of Science and Technology introduced a new IT and IT-enabled services (“ITeS”) policy (the “IT/ITeS Policy”), replacing an erstwhile version (2016-2021). This new IT/ITeS Policy is valid for a 5-year period, i.e., until March 31, 2027, unless a revised policy is declared before it lapses. Only those eligible entities which (i) apply for assistance on or before such deadline and (ii) commence operations on or before March 31, 2028, will be eligible for policy-related incentives.
Among other targets, the policy champions large-scale investments in the IT/ITeS sector through special provisions for mega projects, along with world-class IT infrastructure, data centers, and innovations in emerging technology. Specifically, the IT/ITeS Policy seeks to enable cloud computing by encouraging technologically advanced data centers. ‘Mega projects’ are defined as those where the Gross Fixed Capital Investment (“GFCI”) in IT/ITeS amounts to INR 2.5 billion or more, or where the project directly generates 2,000 or more IT-payroll employees.
Fiscal incentives in terms of support for capital and operational expenditure, respectively, may be provided under the IT/ITeS Policy across different investment categories. ‘Early mover’ projects may be given additional relaxations, where the first three eligible projects with a GFCI of INR 1 billion or more will be considered as mega projects for the purpose of benefiting from specified incentives under the IT/ITeS Policy.
In addition, there are separate incentive and support regimes for developing cloud ecosystems and establishing data centers, respectively, including in respect of power tariff subsidies as per implementation guidelines related to the policy. Importantly, while a data center has been generally defined as a facility that centralizes computing and networking equipment to collect, store, process, and disseminate a large amount of data, incentives will only be provided for setting up greenfield data centers that are ‘Tier 3’ or above (discussed below) with a minimum prescribed (i) built-up area of 4,000 sq. ft. and (ii) minimum 150 racks.
While investing in, and developing, large-scale data centers involve important practical considerations, including with regard to land, building, power supply, connectivity, and supporting infrastructure, the state government of Gujarat aims to facilitate such access – including in terms of land allotment – subject to availability and eligibility. In addition, IT/ ITeS units are allowed to self-certify without the usual mandatory inspections required under Indian law.
Among others, any IT/ITeS unit with at least 10 employees on its payroll that sets up operations in Gujarat during the operative period of the policy will be eligible to avail of applicable incentives. Nevertheless, to qualify as an eligible unit, an entity may need to be formed under Indian law and/or need to:
- set up, or
- conduct commercial operations, or
- invest in the IT/ITeS industry at a location
in the state of Gujarat (as opposed to operating under a foreign jurisdiction, as may be required for the purpose of setting up data embassies).
JURISDICTION AND DISPUTE RESOLUTION
Indian law permits foreign embassies to transfer immovable property in India, including via purchase or sale. However, necessary approvals need to be obtained from the Government’s Ministry of External Affairs in this regard. However, the IFSC at GIFT (i) caters to customers outside the limits of India’s domestic economy, and (ii) is envisaged to serve as a jurisdiction that provides services to non-residents (along with resident institutions) in foreign currency (i.e., other than INR).
Generally, dispute resolution policies and procedures may be specified by the IFSC Authority within the ambit of the IFSC Authority Act. However, there are no specialized commercial courts in place at GIFT so far, nor does a separate arbitration law exist as of date that provides a processual framework for enforcing arbitral awards (which process may, at the same time, restrict court interventions). In this situation, there might be lingering uncertainty about the legal and/or territorial status of GIFT, and, relatedly, about how awards stemming from disputes in this territory will be treated by courts – both Indian and foreign. Nevertheless, among other South Asia offices of the Singapore International Arbitration Center (“SIAC”), one is located at GIFT.
In 2016, GIFTCL and GSL had entered into a Memorandum of Agreement (“MoA”) with SIAC. Under the terms of this MoA, SIAC established a representative office at the GIFT IFSC in 2017 (in addition to the one opened in Mumbai in 2013) for the purpose of promoting the use of arbitration, mediation, and other alternative dispute resolution mechanisms to resolve international commercial disputes arising there.
The mission of this representative office is to promote SIAC’s international arbitration services to Indian users, especially in light of increased participation by international and domestic businesses at the GIFT IFSC, as well as on account of the growing popularity among Indian businesses to have their disputes resolved in accordance with the SIAC arbitration rules. It is expected that companies setting up operations at GIFT will incorporate the SIAC model clause into contracts, with arbitration being administered in Singapore. Access to SIAC’s dispute resolution services was expected to support GIFT’s ambition to encourage businesses to undertake large international financial transactions at its IFSC, thereby allowing GIFT to develop into a global financial hub along the lines of Singapore, Hong Kong, Dubai, London, and New York.
Further, about a year ago, during her previous Budget presentation, the Indian FM had announced the establishment of another international arbitration center at GIFT, similar to SIAC.
TIERS OF DATA CENTERS
‘Tiers’ with respect to a data center describe specific kinds of infrastructure. Thus, Tier 1 represents the simplest kind of infrastructure, while Tier 4 represents the maximum complexity and ‘fault tolerance’ (i.e., the ability to handle both planned and unplanned disruptions), including by having the most ‘redundant’ components.
Data redundancy is a condition created within a database or storage technology in which the same piece of data is separately held in two or more places. Data redundancy can be a deliberate feature for the purpose of backup and/or recovery. In the event of a cyberattack or data breach, for example, having the same information stored in different locations can be critical to ensure continuity of operations and to mitigate damage.
A Tier 4 data center has an expected ‘uptime’ – i.e., guaranteed annual availability – of as much as 99.995% (i.e., under 30 minutes of downtime a year to ensure minimal business disruption). New York-headquartered Uptime Institute (“UI”) sets performance standards for digital infrastructure – including for data centers – and assigns these tiers to various facilities based on a number of factors, including service availability/redundancy, fault tolerance, uptime guarantees, security, service cost, efficiency, sustainability, etc.
However, having a UI rating is optional. Accordingly, not all data centers have an assigned tier. Nevertheless, most major centers request an evaluation from UI since an official rating helps build credibility, improves the marketability of a facility’s capabilities, and builds trust – thus attracting clients.
Nevertheless, this tiering system does not require the use of any specific technologies or design choices.
DATA PROTECTION LAWS
Since DPDP deals exclusively with digitized personal data, a national data embassy policy that envisages the storage of non-personal sovereign data may have to rely on a different statute to reach legislative fruition – such as the Proposed ‘Digital India Act’ (“DIA”).
It appears that, pursuant to a few (additional) rounds of engagement with select stakeholders, a draft bill on DIA will be ready in a few weeks/months, while a revised iteration of DPDP is expected to be tabled before parliament soon. According to media reports, MeitY may frame rules for sharing non-personal data under DIA.
As a novel device under public international law, data embassies have only recently become a viable option, especially among vulnerable states that face multifaceted uncertainties with respect to cyberattacks and natural hazards, along with threats to sovereignty and territorial integrity. The idea of storing backups of critical state information within data embassies located abroad – especially for the purpose of operating such databases from a secure center beyond a state’s own borders – implies that such data remains available for retrieval in the event of a disaster or other emergency.
Vienna Conventions from the early-1960s provide a framework for diplomatic (“VCDR”) and consular (“VCCR”) relations, respectively, on the basis of consent between sovereign states. In the context of data storage, Article 24 of the VCDR, for instance, states that “[t]he archives and documents of the mission shall be inviolable at any time and wherever they may be”. Article 1(1)(k) of the VCCR, in turn, interprets these archives to include “all the papers, documents, correspondence, books, films, tapes and registers of the consular post, together with the ciphers and codes, the card indexes and article or furniture intended for the protection or safekeeping”. Further, in terms of data transmission, Article 27(1) of the VCDR states that “the receiving State shall permit and protect free communication on the part of the mission for all official purposes. In communicating with the Government and the other missions and consulates of the sending State, wherever situated, the mission may employ all appropriate means, including diplomatic couriers and messages in code or cipher…”
Thus, taken as a whole, the Vienna Conventions appear to establish that any relevant information, including modern forms of information storage, may be subject to its protection regime.
While the Vienna Conventions entered into force in the 1960s, international modes of communicating and transmitting data have dramatically changed. Accordingly, the terms ‘diplomatic correspondence’ and ‘consular archives’ encompass an entirely different range of activities today. Traditionally, the Vienna Conventions have dealt with analogue forms of communication, with the diplomatic ‘bag’ often being an integral component. Even today, the VCDR and VCCR, respectively, are deemed to apply within the context of a ‘traditional’ diplomatic mission only. Nevertheless, with the rise of alternative methods of diplomacy, especially within the context of a digital era, things such as ‘virtual embassies’ – which function as digital representations of the main diplomatic mission – have had occasion to evolve. The question, however, is: Can the Vienna Conventions be applied outside the context of a traditional diplomatic mission, such as in the context of a data center? Further, can protections such as diplomatic immunity be applied to data and information systems?
WHAT FEATURES DOES A DATA EMBASSY INVOLVE?
Unlike a conventional embassy, a data embassy might consist of nothing more than a room full of servers, storing data essential to keep a government and its core public services running should the country’s main servers get wiped out back home.
Data embassies are typically hosted in a different country, with the ‘host’ country providing the necessary infrastructure to ensure the safekeeping of data. Thus, such a host country must provide a secure and reliable data center, as well as resilient infrastructure to store critical data such that cyber and physical threats can be appropriately addressed. This includes power supplies, internet access, as well as secure data transfer and processing capabilities, along with a robust mechanism to ensure data back-ups. In addition, the host country must provide data privacy laws that meet international standards.
Data embassies must also have an agreement with a trusted partner that covers technical and contractual measures to ensure the confidentiality, integrity, and availability of the data stored in that facility. Importantly, the agreement must also delegate a certain level of control over the data.
Once the infrastructure is in place, the data embassy may be ready to accept data from its primary site. Such data is encrypted and securely transferred to the embassy, where it is stored in a secure environment. The embassy then provides a secure access portal, allowing users to access the data remotely. Indeed, data embassies can be used for a variety of purposes, including disaster recovery, archiving, and data storage.
While India contemplates the framing of a data embassy policy, it could look at certain international precedents.
Governments can enter into contracts with technology companies for cloud services to store sovereign data. However, such agreements can have important shortcomings. For instance, Estonia had considered putting its government data in a privately-owned public cloud. The option was tested in 2014 when the country embarked on a trial with a technology company, but the latter could not provide the level of control that Estonia was looking for.
In 2015, the Estonian government evaluated the risks it faced as a small country that was highly reliant on digital services. Accordingly, it determined that its unique threat model should include the shutdown of local data centers because of extensive denial-of-service attacks. To be able to recover from these scenarios, Estonia decided to host a backup of its most critical data in data centers abroad.
Thus, in 2017, the Republic of Estonia and the Grand Duchy of Luxembourg signed an agreement, establishing the world’s first data embassy in Luxembourg. In effect, this bilateral agreement laid the foundational structure from which the Estonian Government could begin to systematically backup its critical databases. Located within a dedicated government-operated data center in Luxembourg, the Estonian data embassy protects its information systems and data, similar to a traditional diplomatic mission.
Through the bilateral agreement, Luxembourg agreed to protect the inviolability of Estonian premises (and thus, its information systems and data) in the spirit of the Vienna Conventions. Accordingly, the premises of Estonia’s data embassy inside Luxembourg are inviolable, just like the premises of a regular embassy are – such that no official representative from the Government of Luxembourg will be able to enter the embassy or access its underlying data without Estonia’s approval.
A number of reasons justified the choice of Luxembourg as a partner for Estonia’s data embassy project. The number and efficacy of state-owned, high security ‘Tier 4’ data centers within the country were crucial, along with an efficient communications infrastructure that offers low latency and high resiliency across its colocation network. Conversely, for Luxembourg, this partnership helped it to position itself as a ‘hub’ for other data embassies in the future, while other governments could potentially follow Estonia’s lead. Sure enough, in late 2018, Luxembourg and Monaco announced a partnership to boost digital cooperation.
The Bilateral Agreement Approach
The Estonian data embassy project initially encountered legal challenges, which primarily revolved around guaranteeing the confidentiality and security of critical data lying within the jurisdiction of another state. To overcome these challenges, the governments of Estonia and Luxembourg signed a unique bilateral agreement that established immunity for the data embassy. Pursuant to such agreement, Estonian data and related systems are stored in Luxembourg’s government-owned data center. Thus, the data embassy is an extension of the Estonian government cloud, meaning that the Estonian state owns server resources outside its borders. As with physical Estonian embassies, the servers are considered sovereign embassies in foreign data centers. Luxembourg, in turn, guarantees that the data and servers are protected by the same legal guarantees as the data and servers in Estonia. The data saved in such embassies are copies of a country’s most sensitive and confidential data or even digital twins of a country’s sovereign cloud.
Similarly, a bilateral agreement signed in July 2021 established Monaco’s e-embassy in Luxembourg. Thus, Monaco and Luxembourg have finalized the storage of the former’s sensitive sovereign data. Pursuant to their bilateral agreement, Luxembourg now hosts a digital twin of the Monegasque sovereign cloud.
The idea of data embassies has found appeal among certain ambitious countries (and not just vulnerable ones) that seek to host others’ critical data. In addition, the use of cloud computing through a network of remote servers hosted on the internet to store, manage, and process data (rather than on a local server) is now common.
For example, like India, the Kingdom of Bahrain aspires to become a regional cloud computing hub. To that end, Bahrain passed a law in 2018 (the “Cloud Law”) to encourage foreign parties – including public or private juridical persons in, and government or non-government entities of, a foreign state – to use, as well as to invest in, cloud computing services within Bahraini data centers.
However, in order to attract investments, such data is subject to the exclusive jurisdiction of a customer’s own municipal legal system (as opposed to Bahrain’s own). Thus, under Article 3 of the Cloud Law, the data stored in local Bahraini data centers will be subject to the domestic law of the foreign state where the relevant consumer resides (or is incorporated).
This also means that the foreign data will be subject to the jurisdiction of the foreign state’s courts. Therefore, such foreign courts are empowered to issue binding judgments with respect to any dispute that may arise between the overseas consumer and the domestic service provider. Such foreign court interventions may include orders for providing access, disclosure, as well as preserving or maintaining the integrity of the consumer’s data.
Certain Tier 3 and Tier 4 data centers are already operational at GIFT with business continuity and disaster recovery functions, among other features. Data embassies, however, may require a new approach to securing data by leveraging diplomatic agreements bolstered by cloud technology solutions. Thus, India may need to develop a separate and specially tailored regulatory framework with respect to data embassies, including for the purpose of becoming a reliable host for foreign sovereign and commercial data.
This insight has been authored by Deborshi Barat (Counsel); he can be reached at email@example.com for any questions.A version of this insight was first published by Indian Journal of Projects, Infrastructure and Energy Law on July 28, 2023. This insight is intended only as a general discussion of issues and is not intended for any solicitation of work. It should not be regarded as legal advice and no legal or business decision should be based on its content.
© 2023 S&R Associates