The mandatory storage of data within strict geographical boundaries is fast becoming a hurdle to maintaining the security level and the resilience of data and “government as a service”. In a world entangled by algorithms and AI, cyberterrorism is a global security and data threat. In 2007, Estonia was a victim of the first distributed denial of service (DDoS) attack in history. The attack rendered Estonia’s entire public sector data communications network inoperable. Key servers of banks, the office of the president, and government agencies capitulated to the attack.
At the 62nd session of the UN General Assembly (2007-2008), the President of Estonia shared the Estonia experience and exhorted the international community “to cooperate in legal matters in questions concerning cybersecurity”, and “to establish an appropriate legal space” and “to accede to the Convention on Cybercrime of the Council of Europe”. At the General Assembly of the UN on 22 July 2015, the President of Estonia said that, in the future, cyberattacks may, in the hands of criminals or terrorists, become a substantially more pervasive and hazardous weapon than they are today.
On 20 June 2017 in Luxembourg, the government of Estonia signed an agreement with the Grand Duchy of Luxembourg on the hosting of data and information systems. This Agreement was the first bilateral arrangement to establish a new institution — the Data Embassy. The Agreement also reaffirmed the effectiveness of cooperation in combatting the criminal misuse of information technology and in building a global culture of cybersecurity. The establishment of the Data Embassy offers an innovative response to making cyberspace stable and reaffirms the effectiveness of cross-border cooperation in creating a global culture of cybersecurity and in combatting the illegal targeting of data.
The European Patent Organisation and the Grand Duchy of Luxembourg signed the Complementary Agreement on 5 March 2018 in Luxembourg concerning the inviolability of the archives of the European Patent Organisation. The agreement entered into force on 25 July 2018. It is the second arrangement in the world that establishes a site where entire archives, documents, photographs, films, recordings, computer and media data, data carriers and, any other similar content or material belonging to or held by the European Patent Organisation will be hosted.
The Data Embassy of the Republic of Estonia as well as the Data Embassy of the European Patent Organisation are both located in premises provided by the Grand Duchy of Luxembourg. The implicit hope is that such premises should arguably benefit from special protection. This in turn provokes the question as to the legal status of these premises – and also whether they should have the same level of international protection as that given to diplomatic mission premises or consular buildings and grounds.
The Preamble to the Vienna Convention on Diplomatic Relations (VCDR) provides that one of the purposes of the “privileges and immunities is not to benefit individuals but to ensure the effectual delivery of the functions and duties of diplomatic missions as representing States. Article 1(i) of the VCDR defines the premises of a mission as the buildings or parts of buildings and the land ancillary thereto, irrespective of ownership, used for the principal purposes of the mission, including the quarters of the head of the mission.
One of the most potent provisions of the VCDR is Article 22. This article concerns the inviolability of the premises. Article 22(1) of the VCDR mandates that the compound and buildings of the mission shall be inviolable. This inviolability extends to the archives and the documents of the mission. The residence of a diplomatic agent should also be private and inviolable The receiving State does not have any right to enter into the premises of the mission unless the consent of the head of the mission is expressly given.
The Vienna Convention on Consular Relations defines “consular premises” as “the buildings or parts of buildings and the land ancillary thereto, irrespective of ownership, used exclusively for the purposes of the consular post”. It should be noted that the protection provided by the VCCR is more limited than that given to diplomatic premises and does not include a consular residence. As it pertains to the security of consular premises, the provisions are also different from those in the VCDR.
Data embassies offer sovereign and resilient infrastructure. Localizing data storage within a single facility or a set geographical boundary could pose a security risk during civil unrest, armed conflict, tsunamis, earthquakes, volcanic eruptions, and flooding caused by atmospheric rivers. The diplomatic agreement between the home and host countries establishes three pillars of sovereignty on the recovery site: 1) Data Sovereignty; 2) Operational Sovereignty and, 3) Software Sovereignty.
This sovereignty approach through the data embassy model contrasts with the sovereignty requirements blossoming elsewhere that advocate for data residency as a strict requirement. The two implementations do not address the same risks but the goal of preserving digital sovereignty is identical. Since the beginning of the war in Ukraine, the risk dashboard of countries that advocate for data residency have changed focus. On the recovery site, data embassies are built on three pillars of sovereignty: Data Sovereignty, Operational Sovereignty, and Software and Hardware Supply Chain Security.