To facilitate seamless data transfers and ensure business continuity for other nations, Ms. Nirmala Sitharaman in her budget speech this year announced establishment of ‘Data Embassy’ in the country. Data embassy is an innovative solution to cater to digital continuity needs of nation-states by offering extensions of a nation-state’s cloud through state-owned server resources outside of the nation-state’s physical territorial boundaries.
Data embassies serve the dual purpose of data protection from external cyber and physical threats and grant immunity from the application of local laws of the host country. Considering current geo-political developments, it may be stated that in times to come data embassies are going to play a pivotal role in diplomatic relations between countries.
This is an encouraging move whereby establishment of data embassies in India may facilitate data center business. However, to accelerate the pace, there is a need to bring in investments, and one of the ways to attract foreign investments is to leverage Indian start-up ecosystems to inter-governmental cloud architecture environment offered by data embassies. Further, national monetary and financial policies also aid to huge growth potentials of Indian start-ups.
Needless to say, the data embassies are built around ‘corridors of trust’ and India needs to strongly build environment of trust by ensuring strong cyber security paradigm and enhanced privacy assurance to data stored within these data embassies.
To secure trust and promise privacy assurance, it is imperative that India have a transparent and robust mechanism ensuring efficient data back-up and fail-over in case of any mishap.
[1] At a micro level, data embassies also need to have an agreement with a trusted partner that covers technical and contractual measures to impose confidentiality, integrity, and availability of the data stored in that facility. Importantly, the agreement governing data-embassy relationship may also need to delegate a certain level of control over the data to the host country to expedite recovery and back up process.
Potential data security threats may be both physical and virtual, therefore India may need to uniformly distribute the physical location of data embassies across the country and thus, establishing it solely in Gujarat GIFT City may not be a good idea. Establishment of data embassies across India would facilitate nation-wide technological development, and will allow data centers to take advantage of global infrastructure that provides maximum reliability and resiliency through a distributed data storage architecture.
This will in turn help ensure trust, privacy, security and assurance required for establishment of data embassies in the country.
Legal protection to data stored within data embassies may also form a basis of trust, in establishing international relations for data embassies, so India needs to build in robust data protection framework within its legal systems. As far as international relations are concerned, conventionally it is governed by Vienna Convention on Diplomatic Relations, 1961 (VCDR) that ensures diplomatic immunity to premises and staff of embassies, etc. However, unlike physical embassies data embassies are not going to be within physical notional extensions of user states, and hence VCDR may not cater to the requirement. [2]
Perhaps, this was the reason that Estonia and Luxemburg entered into a bilateral agreement to manage their relations for Estonian data embassy established in Luxemburg for the very first time in 2017. [3]
As India pioneers to be a global hub for data embassies, it is imperative to build ‘global trust’ that India devise a legal framework to overcome the uncertainties surrounding data and information system hosting beyond national borders under Vienna Convention. The framework may specify the means for effective cooperation, support and operations regarding the premises in the dedicated government-operated data center whilst also governing the legal status of the premises, guaranteeing the necessary immunities and privileges based on existing national and international law.
Some of the other trust building measures may be ensuring non violability of applicable data protection/ privacy/cyber laws, enhanced cyber security measures, physical location of data centers and their security and effective BCP and DR process. Further, to strengthen the diplomatic relations between India and user states, it is also warranted that Indian policies regarding data embassies also establishes three pillars of data/digital sovereignty on the recovery site, viz.
- Data Sovereignty: The home country retains access and control over its data, which is protected and not subject to the host country’s jurisdiction. This can be accomplished through the nation’s control of the encryption keys used to unlock the data.
- Operational Sovereignty: The home country has continuous visibility and control over the provider operations and can maintain its services even during extreme scenarios.
- Software Sovereignty: The home country can choose the technical stack on which it operates, without depending on the provider’s software. [4]
It is expected that such a cohesive policy may help Indian vision of data embassies and data storage business potentials operationalize to fullest extent in near future.
References:
[1] https://www.deccanherald.com/business/union-budget/india-to-set-up-data-embassies-for-digital-continuity-with-world-fm-1186719.html
[2] https://complexdiscovery.com/data-embassies-sovereignty-security-and-continuity-for-nation-states/
[3] https://e-estonia.com/solutions/e-governance/data-embassy/
[4] https://cloud.google.com/blog/products/identity-security/data-embassies-strengthening-resiliency-with-sovereignty