In her last Budget, Finance Minister Nirmala Sitharaman announced that India would facilitate the establishment of ‘data embassies’. Globally, data embassies have become a viable option to store copies of critical state information extra-territorially – in case the main servers back home get compromised.
Maintaining such databases, which are essential to keep government services running, in a secure overseas location may help in retrieving them in the event of a national emergency.
How do countries evaluate their best option for ‘digital continuity solutions’?
First, governments can enter into agreements with technology companies for the storage of sensitive sovereign data. For instance, cloud service providers (“CSPs”) have been empanelled with India’s Ministry of Electronics and Information Technology (“MEITy”) for disaster recovery and backup services, among other uses. State departments may contract with CSPs directly after procuring a suitable cloud package through the government’s e-marketplace platform.
However, such agreements have shortcomings. For instance, after testing this option in 2014 with Microsoft, Estonia realised that it did not have the kind of control it was looking for. After all, Estonia’s threat model included a complete shutdown of local data centres due to, for example, attacks from Russia.
The second option is to host sovereign data in a diplomatic embassy abroad. However, embassies may not have the required security specifications.
The third option is to acquire server space in an existing data centre in a ‘friendly’ country. The challenge here is the need for a ‘diplomatic mission’ status to make the data centre eligible for protection under international law. Even if the provisions of the Vienna Convention – which outline a framework for diplomatic and consular relations – are interpreted creatively, uncertainties remain. For example, can diplomatic immunity be applied to digital databases?
Irrespective of the Vienna Convention, countries can enter into consensual arrangements to establish a separate legal framework among themselves. Following a bilateral agreement in 2017, a backup of the Estonian government cloud is stored in a Luxembourg data centre. In return, Luxembourg agrees to protect the inviolability of Estonia’s ‘premises’ (namely data) in the spirit of the Vienna Convention. A similar agreement in 2021 established Monaco’s e-embassy in Luxembourg, hosting a digital twin of the Monegasque sovereign cloud.
LESSONS FOR INDIA
What makes Luxembourg attractive is its modern data centres with robust business continuity, communications infrastructure, and disaster recovery functions. A few such centres are operational at GIFT City in Gandhinagar, Gujarat, where India intends to roll out its data embassies. To become a cloud computing hub, India could pass separate legislation – like Bahrain did (Cloud Law) – that encourages foreign entities to invest securely. Information stored in Bahraini data centres is subject to the domestic laws of the foreign entity.
Since the draft of India’s Digital Personal Data Protection Bill, 2022, deals exclusively with digitised personal data, a bespoke data embassy policy that envisages the storage of non-personal data would require a different law – such as the proposed ‘Digital India Act’. MEITy could draw from international precedents in this regard.
This insight has been authored by Deborshi Barat (Counsel); he can be reached at email@example.com for any questions. It was first published by The Hindu Businessline on May 7, 2023. This insight is intended only as a general discussion of issues and is not intended for any solicitation of work. It should not be regarded as legal advice and no legal or business decision should be based on its content.
© 2023 S&R Associates