Data embassy

A data embassy is a solution traditionally implemented by nation states to ensure a country's digital continuity with particular respect to critical databases. It consists of a set of servers that store one country's data and are under that country's jurisdiction while being located in another country.

Purpose

Data embassies are regarded as a tool to ensure a government's digital continuity, meaning the survival of critical databases to allow the continuation of government even in a situation where governing from within the country's borders is no longer an option. Among threats that might lead to such situation are natural disasters, large-scale cyberattacks, and military invasion. In the worst-case scenario, a data embassy could enable government to provide its digital services without the national territory under its control.^[1] This makes data embassies particularly attractive to countries that have already digitalized their most crucial databases and are situated in the vicinity of the aforementioned threat vectors. Additionally, data embassies can offer additional computing power for heightened server traffic, for example during election season or the period of electronic tax return filing.^[2]

History

The 2007 cyberattacks on Estonia disrupted websites of Estonian organizations including the Estonian parliament as well as newspapers and banks. Furthermore, Estonia has implemented a stringent paperless policy, meaning that many crucial databases only exist in a digital format. Tasked with ensuring the security and immutability of these databases, the ministries looked towards data embassies as a possible solution for digital continuity. This was crucial not just for Estonia's own citizens but also for e-Residents who rely on these services around the world. These efforts were also written down in the Estonian Cyber Security Strategy 2014-2017 which created an outline for ensuring the digital continuity of the state.^[3]

In 2013, then-CIO of the Estonian government Taavi Kotka made active efforts to determine, in which constellation a data embassy would be the most useful and effective. The Estonian government also collaborated with Microsoft on two studies to determine the feasibility of virtual data embassies.^[4][5] The government decided against the option of converting selected Estonian embassies into data embassies because embassies did not possess the necessary technical and crisis response competence, were reliant on whatever telecommunications services they would be offered by virtue of their environment, and were not physically constructed according to safety criteria that datacenters could fulfil.

On 14 November 2016, the Estonian Ministry of Economic Affairs and Communications and Luxembourgish Ministry of Media and Communications signed a Memorandum of Understanding about the hosting of data and information systems. On 20 June 2017, Prime Minister of Estonia Jüri Ratas and Prime Minister of Luxembourg Xavier Bettel signed the agreement to establish an Estonian data embassy in Luxembourg.^[6][7] This agreement was ratified by the parliaments of Luxembourg and Estonia in 2018. In its first iteration, the Estonian data embassy in Luxembourg currently acts as a backup and source of additional computing power for the following datasets that are considered critical for the functioning of the state: e-file court system, treasury information system, e-land register, taxable persons’ register, business register, population register, state gazette, identity documents register, land cadastral register, and national pension insurance register.^[8]

In 2018, Bahrain implemented the so-called Cloud Law which allows data stored in Bahraini datacenters to be subject to the domestic law in a third country.^[9]

Legal basis

Initially, academic research also considered the application of the 1963 Vienna Convention on Consular Relations or the 1961 Vienna Convention on Diplomatic Relations to ensure the protection and inviolability of data but found that these conventions would require significant changes.^[1] As a result of the lack of international legal precedent, data embassies have thus far only been created on the basis of bilateral agreements that are inspired by the wording used in the Vienna Conventions. These bilateral agreements also usually require ratification from the parliaments of the partnering countries.

Sources

1. Kask, Laura; Robinson, Nick (January 2018). "The Estonian Data Embassy and the Applicability of the Vienna Convention: An Exploratory Analysis". Icegov'19 – via www.academia.edu.
2. Kotka, Taavi; Liiv, Innar (September 15, 2015). "Concept of Estonian Government Cloud and Data Embassies". In Kő, Andrea; Francesconi, Enrico (eds.). Electronic Government and the Information Systems Perspective. Lecture Notes in Computer Science. Vol. 9265. Springer International Publishing. pp. 149–162. doi:10.1007/978-3-319-22389-6_11. ISBN 978-3-319-22388-9.
3. https://www.mkm.ee/sites/default/files/cyber_security_strategy_2014-2017_public_version.pdf Archived 2021-02-12 at the Wayback Machine ^{[bare URL PDF]}
4. https://www.mkm.ee/sites/default/files/implementation_of_the_virtual_data_embassy_solution_summary_report.pdf Archived 2021-03-08 at the Wayback Machine ^{[bare URL PDF]}
5. https://www.mkm.ee/sites/default/files/transforming_digital_continuity_-_joint_research_report_finaly_may_20.pdf Archived 2021-03-08 at the Wayback Machine ^{[bare URL PDF]}
6. https://www.riigiteataja.ee/aktilisa/2280/3201/8002/Lux_Info_Agreement.pdf ^{[bare URL PDF]}
7. "Loi du 1er décembre 2017 portant approbation du " Agreement between the Grand Duchy of Luxembourg and the Republic of Estonia on the hosting of data and information systems ", signé à Luxembourg, le 20 juin 2017. - Legilux". legilux.public.lu.
8. "Data Embassy – the digital continuity of a state". e-Estonia. December 9, 2019.
9. "Diplomatic immunity for data: Bahrain's Data Embassy Law | Lexology". www.lexology.com. March 2020.