At the beginning of January 2024, a data services company commissioned a ₹500 crore data centre in GIFT City, which can function as a potential data embassy. The International Financial Services Centres Authority (IFSCA), a regulatory body for the GIFT City, is readying a framework for setting up a single window clearance system for data embassies. As per the Interim Budget announcements, the establishment of data embassies in GIFT IFSC will be facilitated through bilateral agreements between India and interested countries. Their promotion in the GIFT City was first announced during the 2023-24 Budget.
This revolutionary concept, still in its early stages globally, has the potential to redefine how nations safeguard their essential digital assets. This piece delves into the origins, advantages, challenges, and legislative framework required to establish data embassies, focusing on pioneering countries such as Estonia and Bahrain.
A data embassy is a novel approach to securing a country’s critical digital data amid evolving cyber threats and geopolitical complexities. It involves distributing a nation’s critical data and information systems across secure locations in collaboration with other countries.
The primary advantage lies in creating an additional layer of protection against cyber threats. By distributing critical data to remote locations, a country can ensure the continuity and security of its essential information systems, even in the face of large-scale cyberattacks or geopolitical conflicts. This remote backup, situated beyond a country’s physical borders, protects against data integrity, availability, or confidentiality threats. The operational advantages extend to providing additional support during times of high demand, such as election seasons or tax return filing periods.
The pioneers
Estonia, a pioneer in data embassies, experienced a transformative event in 2007 when a cyber attack targeted its governance and banking systems. In response, Estonia signed an agreement with Luxembourg in 2017 to establish a data embassy, setting a precedent for other nations. This embassy, located within a dedicated government-operated data centre in Betzdorf, Luxembourg, is a secure backup for critical datasets, including the e-file court system, treasury information system, and population register.
Similarly, Bahrain enacted a “Cloud Law” in 2018 to encourage data embassies, aiming to position itself as a cloud computing hub. This legal framework provides a basis for hosting foreign data within the country’s territorial limits, promoting cross-border data storage and management.
The challenges
While promising, the implementation of data embassies presents multiple challenges. Legal challenges involve adapting international systems to govern conflicts, data sovereignty, jurisdiction, privacy laws, and cross-border data transfer regulations. Questions arise regarding the applicability of existing international conventions, such as the Vienna Convention on Diplomatic Relations to data embassies. Moreover, the absence of specific domestic legislation tailored for data embassies may lead to contradictions and challenges. For example, the existing domestic laws in many countries must cover scenarios involving storing and processing sensitive information in foreign countries, resulting in data sovereignty and privacy ambiguity.
Operational challenges include setting up and maintaining physical infrastructure, ensuring robust security measures and addressing complex issues related to communication and coordination between countries. On the other hand, the geopolitical risks introduce another layer of challenges. It necessitates identifying trustworthy host countries, requiring meticulous diplomatic considerations.
Overcoming the challenges requires appropriate legislation to address legal aspects associated with data embassies. A comprehensive legal framework is essential to define rights and responsibilities and clarify jurisdictional boundaries and mechanisms for dispute resolution. This involves clearly defining the ownership and control of the data stored in embassies and establishing principles of data sovereignty. The framework is also critical to establish the legal basis for data protection, privacy, and cybersecurity within data embassies.
Operational guidelines: Legislation can provide operational guidelines, including criteria for selecting host countries, technical specifications for data centres, cybersecurity standards, disaster recovery plans, and ongoing maintenance guidelines.
Compliance and accountability: Legislation should outline the responsibilities and liabilities of all parties, monitor compliance, conduct audits, and enforce accountability.
International governance and standardisation: Legislation can contribute to international governance structures and standardisation efforts for data embassies, promoting best practices, guidelines and consistency across countries. Standardisation efforts can ensure interoperability and enhance cybersecurity practices. It requires collaboration between governments, international organisations, and industry stakeholders.
Data embassies represent a groundbreaking approach to securing critical digital data in an interconnected world. As nations navigate the complexities of the digital age, data embassies offer a glimpse into the future of secure and collaborative data management, reshaping the global landscape of digital security.
Aspiring to become a global hub for data embassies, India faces the challenge of formulating comprehensive policies and legal frameworks. However, with a growing economy, international standing, and a focus on digitisation and data privacy, India can position itself as a leader in secure data storage by actively addressing challenges and allocating resources.
By establishing data embassies, India can attract foreign and private sector investments, boost its digital economy, and highlight the quality of its IT sector. Additionally, the initiative can create employment opportunities, contributing to India’s efforts to become a global hub for data storage.
Mittal is District Collector, Jashpur, and Singhal has over 15 years of experience in large-scale digital transformation projects. Views are personal