
Digital Embassies Aid Cross-Border Data Storage but Carry Risks


Data centers are now central to the digital economy, and as countries develop new forms of cooperation to accommodate infrastructure, new legal issues will arise.

Data centers' infrastructure and connectivity features pose logistical challenges such as physical space, power supply, and cybersecurity matters. In their provision of digital services, certain countries might still be vulnerable to these logistical issues and therefore unable to develop their own data center infrastructure.

Those countries are turning to international cooperation to address these challenges -- locating their data centers abroad. One example is the potential use of data centers in Australia by Pacific Island countries, made possible by the deployment of new South Pacific subsea cable connections.

Data can be as important as central bank reserves or a naval representation, so the need for legal protection through jurisdictional immunity is similar. But data is unique. The arrangements under which one sovereign state places critical data and data infrastructure within another country must be crafted to meet its unique features.

The advantages of locating data abroad shouldn't be undone by the risks of exposing the data to another country's legal system. Governments therefore look to have their data centers abroad enjoy "embassy" status -- that is, foreign sovereign immunity. How is this achievable? And what is the impact on international trade?

Data embassies aren't embassies or consulates in the traditional sense. Multilateral treaties on diplomatic and consular premises aren't designed to apply to data embassies or the data they hold. They only apply to traditional diplomatic missions, providing privileges and immunities for the mission itself, diplomatic staff, and communications. Relying only on these treaties for protection would be risky.

Realizing this, governments have begun to sign bilateral agreements to protect the hosting of data and information systems. An example is the 2017 Estonia-Luxembourg data and information system hosting treaty. This type of agreement can be vital for data center business ventures. What are the required steps and features to achieve appropriate legal protection?

First, the agreements must be legally binding. Government-to-government agreements should be concluded as international treaties. The formalities for entering into treaties may vary by state, with some nations allowing less rigorous formalities for "executive agreements." Not all national constitutions allow the direct application of treaties, so it is essential that the agreement is applicable within the host jurisdiction before the transfer of data to the data embassy.

Second, what terms would stakeholders expect to see in a digital center treaty? Those terms would align with the objective of granting the highest achievable level of jurisdictional immunity consistent with the operation of a data center.

The treaty would define the type of facility to which it applies. The overriding feature would be its purpose of hosting data and information systems, including equipment, licenses, and associated components such as telecommunications and storage systems. The host state would want to ensure that the facility isn't used in any manner incompatible with this purpose or other rules of international law.

The agreement would then provide how to establish the physical area of the dedicated data center where data, information systems, and equipment would be located. This would be the basis for stipulating jurisdictional immunities better known in diplomatic and consular relations.

The agreement would thus provide for the physical premises of the data center to be "inviolable," including being "exempt from search, requisition, attachment or execution." The data stored in the data center would be equated to the "archives" of the other state and therefore also inviolable and enjoying the same exemptions.

The host state would be obliged to protect the data center's premises, taking all appropriate measures to protect the premises against intrusion or damage within its territory. The storage and use of data depends on hardware and software, so the data center agreement would provide for immunity from legal process of the data center's equipment and licenses.

Third, as in the case of diplomats, there must be an off ramp. If the data center agreement is terminated, there needs to be provision for protecting data and associated assets while they are transferred to a new location.

Finally, there needs to be an appropriate way to settle disputes. Arbitration is a binding, time-tested method. Investment protection treaties could apply in parallel.

Data embassies could also have significant international trade considerations depending on the nature of the agreement. For example, if the home jurisdiction of a data embassy is subject to a comprehensive US trade embargo, but the data embassy itself is located in a country not subject to such comprehensive sanctions restrictions, the transmission of data or provision of services or funds related to the data embassy, among other things, could create significant trade compliance difficulties. This is especially true if the data embassy's home jurisdiction isn't immediately apparent to third parties.

Economic sanctions and export controls can significantly restrict the flow of data and technology. Persons subject to US jurisdiction or those potentially at risk for the imposition of secondary sanctions will need to be keenly aware of the transactions they undertake and data they receive to ensure their activities comply with US trade restrictions.

Housing governmental data or bulk sensitive personal data of a country's citizens can have trade control considerations as well. The US government has become increasingly focused on the storage of American governmental and bulk sensitive personal data.

As this area continues to evolve, the US government could implement future controls designed to regulate the storage of such data within data embassies. One can almost guarantee that trade restrictions will follow as these arrangements develop.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Alejandro A. Escobar is partner at Baker Botts, practicing in public international law and arbitration.

Joyce Adetutu is partner in Baker Botts' global projects department, assisting clients with understanding complex legal regimes.

Stuart Blythe is partner in Baker Botts' corporate practice, focusing on high-value commercial agreements, M&A, joint ventures, and restructurings.
