Data embassies: Protecting nations in the cloud
What is the data embassy?
In the classical sense, embassies have always served as shelters for the people they represent, thereby helping to reduce the risks their citizens may face when living and travelling outside their state. However, in addition to protecting their citizens, in the age of digitalisation, the priority of states is also to protect their data from malicious threats, misuse, and malfunction. A very useful project for increasing cybersecurity and protecting against cyberattacks is the data embassy. The latter includes a group of servers in the receiving state, which stores data belonging to the sending state and under its jurisdiction. This means that the data archives of the sending state, stored in its data embassy in the receiving state, ​​are inviolable by the receiving state, in which case they are exempt from search, requisition, attachment, or execution. The functioning of this project is entirely dependent on trust and transparency built between the sending state and the receiving state.
The data embassy represents an innovative project from an intergovernmental, legal, and technical perspective. It should be emphasised that this project implements the following rules established by international law, respectively the Vienna Convention on Diplomatic Relations (VCDR):
- The premises of a diplomatic mission of the sending state, whether they are buildings, parts of buildings or ancillary land, regardless of the mission’s purposes for use, are inviolable by the receiving state, which must necessarily have the permission of the sending state to enter them.
- Article 24 of the VCDR specifies that the archives and documents of the diplomatic mission of the sending state, including electronic ones, are inviolable by the receiving state.
- The first paragraph of Article 22 of the VCDR stipulates that the receiving state must take all necessary steps to protect the premises of the diplomatic mission of the sending state from any kind of interference or damage. The inviolability of diplomatic premises extends to computers, printers, and other digital objects located on the premises of the mission.
- One of the postulates of diplomatic law states that diplomatic missions enjoy the right to free, unmonitored, unimpeded communication, without surveillance or interference.
What should be considered when implementing the data embassy?
Physically storing one state’s data in another represents a very considerable option. This is especially true for a state that is internationally recognised as an advanced digital society and for small states that may be threatened by cyber risks, but also by natural disasters and armed conflicts. However, the state that receives the data embassy must be maximally trustworthy for the sending state, a trust that can be built through strong collaboration between technologists and lawyers. The project in question is accompanied by several legal challenges, linked to the way of guaranteeing the confidentiality and security of critical data, as well as their adaptation to domestic law. Therefore, a bilateral agreement should be signed between the two governments of the sending state and the receiving state, which would assign immunity to the data embassy. A successful bilateral agreement to overcome the legal challenges of this project must necessarily include two points: guaranteeing access rights by the receiving state to authorised representatives of the sending state; and data management according to the laws of the sending state.
However, there are also technological challenges associated with protecting the integrity and confidentiality of critical data outside the sending state, but also with redesigning information systems to work reliably in a globally distributed environment. Maintaining the physical infrastructure, ensuring strong security measures, and creating a secure and resilient data protection infrastructure are paramount for the country hosting the data embassy. Therefore, for the receiving state, a ‘Tier level 4’ is required, which marks the highest level for data facilities that offer security, speed, and reliability with the aim to protect sensitive data and prevent unauthorised access. They have an uptime of 99.995%, and this means no more than 26.3 minutes/year. Regardless of the situations or emergencies that may hit local data centres, the data embassy is an innovative project worth implementing to ensure the continuity and functionality of states.
Which states have authorised the data embassy project?
Estonia is internationally recognised as the most advanced digital society, with 99% of public services available online 24/7, saving over 1,400 years of work time each year. In 2007, it was faced with cyberattacks, which managed to simultaneously bring down important public and private sector websites. As a country entirely dependent on digital services, Estonia assessed the risk of these cyber threats and authorised the data embassy, thus becoming the first state in the world to authorise such a project. It signed a bilateral data embassy agreement with Luxembourg in 2017. Based on this agreement, the resources of the data embassy are under the control of Estonia, and they are capable of providing data backups along with operating the most critical services.
As a small state, the Principality of Monaco became another example that authorised the data embassy. This project resulted from a bilateral partnership reached with Luxembourg in 2021. For the Principality of Monaco, protecting data from cyberattacks and natural disasters was strategically important. The sustainability of cybersecurity is very difficult to guarantee for a state that covers an area of ​​no more than 2.08 km2. Therefore, following Estonia’s example was considered a highly favourable option for protecting data from any kind of threat.
Which country is considered an example of a data embassy receiving state?
The two mentioned states have reached bilateral agreements with Luxembourg for this project, as the state has become the location of data embassies due to its high technological capacities. Through these partnerships, Luxembourg has become a leader in creating a unique and innovative way of ensuring digital continuity in the world. In the role of the receiving state, in both cases, it has to offer guarantees for immunity and the preservation of delicate data. Luxembourg is favourable for the implementation of these two innovative projects as the receiving state for two reasons: it has extensive and proven experience in cybersecurity and a telecom network connected to major internet access centres in other states.
The cases of Estonia and Monaco have shown that keeping data localised within a single facility or a specific geographic boundary can be at risk from a variety of crises, whether they are cyberattacks, natural disasters, or armed conflicts. Although not an embassy in the traditional diplomatic sense, the data embassy is fully under the control of the sending state and has the same rights as physical embassies in terms of immunity, for the provision of which the receiving state has full responsibility. As a golden opportunity for the protection of the cybersecurity of states, the data embassy project has opened a new page in international law. Such a project enables the testing, but also the implementation of new technological solutions. Luxembourg, as an example of the receiving state of several data embassies, has proven to be a promoter of this new technological concept that also contributes to the deepening of bilateral diplomatic relations. to be a promoter of this new technological concept that also contributes to the deepening of bilateral diplomatic relations.
Subscribe to Diplo's Blog
Leave a Reply
Want to join the discussion?Feel free to contribute!