
Data embassies may only be allowed to store non-personal information

A senior govt official says MeitY plans to draft a separate Policy for Data Embassies, instead of including it in Digital Personal Data Protection Bill, 2022

Sourabh Lele New Delhi
Last Updated: Feb 12 2023 | 11:55 PM IST
The government is likely to allow only non-personal datasets to be stored in data embassies — the physical data centres of trusted nations which enjoy diplomatic immunity from local laws — as part of an upcoming policy, sources said.
 
 A senior government official said the Ministry of Electronics and Information Technology (MeitY) plans to draft a separate policy for data embassies, instead of including it in the Digital Personal Data Protection Bill, 2022.
 
Non-personal data refers to any dataset that does not contain information that can be used to identify an individual. These datasets could be consumer shopping trends, vehicle registration figures, tax collection information, etc.
 
The development comes days after Finance Minister Nirmala Sitharaman, while presenting the Budget for 2023-24, said the government would facilitate the setting up of data embassies at Gujarat International Finance Tec-City International Financial Services Centre. They will be for nations looking for digital continuity solutions.
 
A data embassy refers to server resources owned and maintained by a nation-state outside its territorial boundaries, according to its own laws. The idea is to ensure the normal functioning of a state and its digital services in case of situations like a cyberattack or a natural disaster.
 
“Data embassies will be safe zones to store data for friendly nations without any interference from local laws. This will be beneficial for countries wanting to diversify locations of their data storage without losing jurisdictional control over it. But we believe it should only include non-personal data,” the official said on the condition of anonymity. He added the policy will bring new opportunities for Indian companies and investments in setting up data centres and digital infrastructure management.
 
 However, experts say the nature of data stored in a data embassy generally remains in the control of the source country. “According to the concept of a data embassy, countries that want to offshore their critical national infrastructure will decide what data or their national asset they want to protect outside their territory,” a data security expert said.
 
The Vienna Convention on Diplomatic Relations, 1961, grants diplomatic agents safe passage and freedom of travel in a foreign land and protection from local lawsuits and prosecution. Such benefits largely depend on the principle of reciprocity of the privileges. Similarly, the data stored in data embassies is governed based on trust in reciprocity with the laws of the foreign country.


 
Estonia was the first country to set up a data embassy outside its territory — in Luxembourg in 2017 — because of its “high-quality technical capacity”, as well as its openness to work with this new concept.
 
According to official records, the embassy keeps a backup of Estonia’s 10 strategic data sets. This includes the country’s population registry, state gazette, identity documents registry, treasury information system, national pension insurance registry, and even the e-file court system. The contents of the data embassy are regularly updated based on need.
 
Bahrain introduced a similar law in 2018 that says the data on the cloud should be subject to the exclusive jurisdiction of the data principal’s domicile country. Experts believe many other such countries could be storing their critical national data outside their territories, which is not known in the public domain due to security reasons.
 
Sunil Gupta, CEO & co-founder, Yotta Data Services, said: “Successful implementation of this policy in India could mean a paradigm shift in the country’s positioning on the global data infrastructure map. Similar to the immunity from local laws for foreign missions in India, the framework will extend immunity from local data laws to foreign data stored in Indian data centres – thus encouraging countries to look at India as a safe haven for data storage and processing.”
