Abhijeet Shrivastava* and Rudraksh Lakra**

The concept of ‘data embassies’ is increasingly becoming attractive for states seeking digital continuity, and likewise as a business prospect for host states. However, the underlying legal implications of international diplomatic law over this concept remain understudied. This article attempts to understand what states mean by “data embassies”, asking whether and how they are regulated by diplomatic law. Similarly, it considers how the problems inherent to the field of diplomatic law affect the prospects and risks of data embassy projects.
Introduction
In early 2023, India announced its intention to become a host for “data embassies” for states seeking “digital continuity solutions”. While serious discussion of the topic did not follow afterwards, this declaration was reportedly in pursuit of India’s goal to gain international renown in financial circles for its physical and digital infrastructure.
It is unclear what was meant by this reference to “data embassies”. One possibility is that the term was deployed as only a rhetorical device. Alternatively, India may be willing to assume the legal implications of a building being designated as an embassy. However, the emergence of the novel concept of data embassies features many understudied implications flowing from the long-standing regime of diplomatic law in international law. These ramifications arise from the Vienna Convention on Diplomatic Relations (“VCDR”), as well as its sister treaty on consular relations (“VCCR”). The interaction of this regime with data embassies demands regulatory dialogue “before technology and events outpace lawyers’ ability to do so”.
In this vein, we begin this piece by trying to understand what the few states that have been vocal about the concept have imagined as “data embassies”, reflecting on where the future uses of such establishments lie, thus setting the stage for the legal context at play. Following this, we turn to problematising the concept in international law, asking whether data embassies could be conceived of as creatures of existing diplomatic law or of bilateral agreements between states framing these projects. Finally, we turn to a key contribution of this article, which concerns an overview of the problems faced by the field of diplomatic law as such that might affect the prospects and risks of a data embassy project. This critical evaluation will allow stakeholders, including any states which find the concept to be an attractive business initiative, to understand the weight and breadth of legal obligations they would assume in such an initiative.
Modern Problems Require Modern Solutions?
The idea of data embassies today has precedents; the most prominent and the very first being the Estonian data embassy established in Luxembourg. The story of data embassies is generally narrated as beginning in 2007 when Estonia faced a series of destabilising cyberattacks after deciding to relocate a Soviet-era war memorial. This incident was monumental in shaping Estonian policy on cybersecurity moving forward given its unique position as a society that, even more so today, depends significantly on digital infrastructure for streamlining crucial state services, telecommunication, and the like. Among many other initiatives, Estonia conceived of the concept of data embassies, where it would store “critical” digital information that would allow the continuity of governance even if digital infrastructure within Estonian territory were to collapse after cyberattacks. Possibly, the facility could also support attempts to recover that infrastructure if it were synchronised to that end. The larger aim, then, was to support the resilience of this technology-dependent society when faced with existential threats.
In 2017, Estonia’s search for technologically capable “friendly states” seeking to strengthen their diplomatic ties in this way culminated in a bilateral agreement with Luxembourg on “the hosting of data and information systems”. As per Article 2(1), Luxembourg undertook to provide Estonia with “premises” containing data service facilities for the storage of the latter’s data and information systems. The Preamble of this treaty articulated that it was “in the spirit of the” VCDR, while Article 3 expressed the status of these premises as “inviolable”, exempting them from “search, requisition, attachment or execution”. This arrangement was followed in 2021 by the creation of a similar data embassy for Monaco in Luxembourg. Furthermore, Dr Kaljung argues that Estonia’s data embassies were foreseen as informational safety valves against any future occupation of the state, akin to the historical Soviet occupation of Estonia, thus helping preserve “unoccupied” data. It could allow the functioning of a government-in-exile.
This backdrop reveals the sensitivity and consequential importance of the information envisioned to be stored in data embassies. Such initiatives should not be conflated with similarly worded concepts like “e-embassies” or “digital embassies” when used by actors like the United States, which constitute efforts to make provisions for the usual services offered by embassies without having a physical establishment. Closer to the gravity attached to data embassies is Tuvalu’s recent project towards becoming a “digital state”. Knowing that it is a small island state highly vulnerable to sea-level rise, Tuvalu has begun uploading information about the country, its history, and cultural heritage digitally in a symbolic and pragmatic effort to preserve its existence in some form. It is conceivable that the data embassy concept would be an attractive prospect for Tuvalu in this endeavour.
Although the concept originated in Europe, it could potentially be captivating for states in the Global South that are increasingly reliant on technology for important state affairs. This is particularly so given the threats of interference they face from technologically advanced states in the Global North, including in the conduct of high-stakes events like elections. While India, as a potential host state, used the terminology of “digital continuity”, it is unclear if severe contexts like these formed its impetus. It may be that India wishes to welcome any “foreign entity” willing to invest in Indian infrastructure, including commercial or personal data; much like Bahrain, which enacted a domestic law on the subject. This is where it becomes important to assess the international legal framework accompanying data embassies that are conceived of in terms of diplomatic law, and what its sources are.
The Legal Basis of Data Embassies
What is it about the vocabulary of an embassy that makes it appealing to states seeking foreign data service centres? The legal counterpart of an embassy is the terminology of a “mission” used in the VCDR, a treaty universal in acceptance, and which substantially reflects customary international law. As discussed earlier, the Estonian data embassy is “inviolable” under the bilateral agreement with Luxembourg. This term draws from the VCDR, especially Article 22(1), stating the inviolability of the premises of the mission. The legal effect of this protection is twofold, with a negative and a positive aspect. First, the receiving state (Luxembourg) is obligated not to enter or interfere with the functioning of the mission of the sending state (Estonia). Second, it must take protective steps to ensure the safety and functioning of the mission, for instance, by taking steps to prevent violence against the mission by third parties. In the infamous Tehran Hostages crisis, Iran’s failure to prevent student militias from storming and taking hostages in the United States mission was found to violate this protective duty by the International Court of Justice (“ICJ”). The logic behind inviolability is that the missions and staff of a sending state are vulnerable in the absence of their sending states’ protective infrastructure. To invoke diplomatic law for the data embassy project, then, is to emphasise the seriousness of the protective obligation assumed by the host state.
However, not only the premises but also their contents, such as the “archives and documents of the mission”, are inviolable (Article 24), given their link to the functioning of the mission freely and without fear. Leading experts on the applicability of international law to cyberspace consider that this protection would apply in contemporary times even to computers, hardware, pen drives, and other digital infrastructure within missions (Tallinn Manual 2.0, p. 216). The question naturally arises then as to why Estonia and Luxembourg felt the need to make a separate treaty on data embassies, or in other words, where the VCDR was lacking.
The very first reason is likely a matter of bare fact. While Estonia could simply have chosen to transfer digital infrastructure to its existing missions (indeed, it tried), the data embassy concept imagines an establishment devoted only to containing servers and other technology for data storage purposes. As Dr Robinson and others argue, this is not a task for which traditional missions were technically and spatially equipped, particularly when compared to a high-tiered data centre. Another reason to seek special missions to this end could be an aim to alleviate a receiving state’s anxieties from the fear, suspicion, and distrust that could ensue from discovering missions equipped with extraordinary digital infrastructure, suggesting that their premises were being used for purposes outside the functions of a mission. The harbouring of such distrust would counter one of the foundational goals of the VCDR as stated in its Preamble: “the development of friendly relations”.
This, finally, brings us to the legal problems with conceiving data embassies within the existing diplomatic law regime. The framework of the VCDR is designed to ensure, among other things, “the efficient performance of the functions of diplomatic missions”. These functions are spelt out in Article 3, like representing the sending state in the receiving state, negotiating with its government, and so forth. Article 1(i) defines the “premises of a mission” as locations “used for the purposes of the mission”. The storage of data, while of importance to the sending state’s self-interest, does not discharge any such functionality. In other words, any attempt to use a mission’s premises as defined under the VCDR inherently seems to leave open room for disputes as to whether the mission is being used for its intended purposes and if the digital infrastructure would be protected at all, creating scope for conflict.
Similarly, as highlighted by Dr Sierzputowski, no such mission was contemplated during the negotiations of the VCDR, meaning that it neither contains any arrangements like the provision of data infrastructure by the receiving state to the sending state nor discusses contemporary concerns of cybersecurity. Considering these factors, it was wise for Estonia and Luxembourg to formulate a bilateral agreement on the subject. Thus, its data embassies should be considered as creatures of that agreement rather than the VCDR, even if the former is in “the spirit of” the latter. That is certainly the impression one gets on reading the self-description of this project as an “innovation”. However, the concept of data embassies is nascent, and while it seems to promise much success, the legal drawbacks it risks remain to be appreciated.
The Problems of Diplomatic Law
The regime of diplomatic law is far from seamless; indeed, it is fundamentally trapped in the tensions between the interests of the sending and the receiving state. Consider, for instance, the Equatorial Guinea v. France case before the ICJ, which concerned the unilateral designation by a sending state of a building as part of its mission. The building, in turn, allegedly contained evidence linked with the evasion of taxes, embezzlement, and fraud committed by key political figures of the sending state. Contexts like these may be characterised as “abuse” of privileges, which the Preamble of the VCDR anticipated by cautioning that its norms are not meant to “benefit individuals”, but to support the functions of missions. In the cyber context, the Tallinn Manual experts similarly underscore that using the cyber infrastructure of a mission to “transmit espionage malware into computers in the receiving State…is an abuse of the diplomatic function” (p. 211). Indeed, digital infrastructure may be deployed for a variety of harmful and cybercriminal activities, even against third states. Any data privilege, then, comes with the risks of abuse.
How does the Estonia-Luxembourg agreement tackle this possibility? Article 7 caveats that the premises “must not be used in any manner incompatible with the purpose laid down in this Agreement or by other rules of international law” (emphasis ours). It was foresightful of the drafters to reference not only the objects of the agreement itself but also international law generally. This is particularly because the “purpose” of this agreement in itself does not seem as limiting as the VCDR, the latter of which specifies a list of “purposes” expected of the mission. In fact, the agreement does not textually specify the “purpose” for which data and information systems are anticipated to be used (we can infer this, however, from Estonia’s public statements).
Nevertheless, the consequence of the data embassy being used for promoting cybercrime is not specified. Article 8 of the agreement provides for dispute settlement procedures in case of such conflicts, in which case arbitrators may presumably specify what reparations are appropriate for a supposed violation of the agreement. In the case of Estonia and Luxembourg, given their friendly relations and the apparent unlikelihood of such abuse, this issue may not have been pressing during their negotiations and would probably have been counterproductive to dwell on. If so, this would still not take away from the risks of abuse inherent to the concept of a data embassy but rather show that any such risks may be calculatedly assumed. In any case, Article 10 provides for termination of the agreement, which would take effect 24 months after notification. It is important, however, that the inviolability of the mission’s archives and documents under Article 6 would continue to apply even after the mission ceases to exist (if one accords the same extent of protection to this term as specified in the VCDR).
It is in this respect that another complication arises: the possibility of a government using data embassies to conceal crucial data on government policy from its public, or to deny actors like courts access to it when it could constitute material evidence (like in Equatorial Guinea). As a traditional example, it is well known that diplomatic privileges have been cited to seek the removal of important evidence from the judicial record, as seen in the Bancoult case in the United Kingdom, which concerned documents obtained from WikiLeaks. In a similar vein, Dr Benvenisti and Dr Lustig highlight how governments often use international law as a tool and tactic against their domestic opponents in power contestations. Thus, such uses of data embassy facilities would not be surprising.
Yet another regard in which data embassy management may become complex is in any situation that affects the working of a traditional mission, like debates over who the legitimate representative and government of the sending state is in cases like the coup in Myanmar. The answer would affect, in turn, who eventually gets access to the inviolable data and premises of the data embassy. The likelihood of these heightened tensions through domestic circumstances can, of course, be evaluated and measured when deciding on a bilateral agreement with differently placed states. The point we are trying to make through this overview is that the viability of data embassies will necessarily depend on a variety of contingent factors, legal and political. What does this mean for states like India, which aspire to become hosts of data embassies?
Concluding Thoughts
The focus of this piece has been an evaluation of the data embassy concept when perceived from an interstate legal framework. For any state that already pursues or seeks to establish data embassy collaborations, our analysis shows that it is important to inquire whether the legal and political risks of such an initiative are outweighed by its gains on the facts and circumstances of each potential collaboration. If, however, India means something entirely different in its conception of data embassies, such as welcoming foreign private entities for cross-border data flow, thus using the word “embassy” only for a rhetorical push, then the law applicable would inevitably be distinct.
In the interstate framework too, perhaps one may ask if the reliance on diplomatic law is the best approach for regulating data embassies. For situations like Estonia’s and Tuvalu’s, where the aim is to provide a safety net for states facing existential concerns, this diplomatic law method may be appropriate. Yet, for any state seeking to store data other than critical and sensitive state information, it may be worthwhile to consider qualified versions of inviolability or less demanding protections as such. Perhaps “data consulates” could be envisioned, borrowing from the frameworks of the VCCR, which offer relatively constrained protections compared to those offered to missions under the VCDR. As an example, Article 1(j) of the former defines “consular premises” as being “used exclusively for the purposes of the consular post” (emphasis ours).
Alternatively, perhaps a legal instrument could draw from the best of these regimes while addressing their problems, or imagine something new altogether. It could also be worth contemplating whether data embassy-like arrangements are unfeasible models for most of the world when they are presently imagined in contexts like highly friendly relations between technologically advanced states like Estonia and Luxembourg. There is, evidently, immense room for conversation on the legal basis, practical viability, and accessibility of data embassies, and we hope this piece helps spur debates on this front.
*Abhijeet Shrivastava is an LLM candidate at the University of Cambridge and a B.A., LL.B. (Hons.) graduate of JGLS.
**Rudraksh Lakra is an Associate at Ikigai Law and a B.A., LL.B. (Hons.) graduate of JGLS.
Image Credits- Yes Punjab