Understanding Data Embassies and Corridors
The following is a guest post to the FPF blog authored by Yeong Zee Kin, Chief Executive of the Singapore Academy of Law and FPF Senior Fellow. The guest post reflects the opinion of the author only and does not necessarily reflect the position or views of FPF and our stakeholder communities. FPF provides this platform to foster diverse perspectives and informed discussion.
Over the past few years, geopolitical contestations have increased the rhetoric over data sovereignty. Data sovereignty views data as another dimension of the state’s sovereignty that needs to be safeguarded from exploitation against the interests of the state. One natural response is to mandate the localization of data.
The intensification of geopolitical tensions has also changed the tone of trade discussions. Countries that were once strident advocates of free trade have, to varying degrees, introduced some form of data localization policies. One example of recent regulatory developments that limit transfers of personal data to specific countries is from the US. The White House Executive Order 14117 has now been implemented into final rules by the Department of Justice[1]; and the US Congress has also passed the Protecting Americans’ Data from Foreign Adversaries Act of 2024[2]. These laws prohibit the transfer of personal data to certain countries that are deemed to be adversaries of the US in the interest of safeguarding US national security. At the same time, the US remains a strong advocate for cross-border transfer mechanisms such as the Global Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP).
With the increase in the number of data localization measures globally[3], the concept of data embassy has been put forward as a solution by both governments and businesses. But are data embassies an appropriate solution? This paper examines the origin and varieties of data embassies, discusses the concept’s limitations to address data localization challenges, and proffers an alternative modelled after special economic zones.
Data localization
Data localization is no longer associated only with trade protectionism but has taken on a security complexion. Data localization policies can be mapped on two dimensions — they may either prohibit the export of data, mandate local storage and processing of data, or both. It is possible to construct a two-dimensional matrix.
The earliest implementations of data localization regulations were largely motivated by economic policies, for example the belief that requirements for local storage and processing of data will spur investments in data centres and digital communications infrastructure, or create data analytics and processing jobs that allow the domestic workforce to upskill and help develop the digital economy. However, research shows that data localization may have the countervailing effect of increasing data management costs by 15 – 55%[4], thereby subtracting from the perceived industry development benefits by decreasing trade output, increasing costs for downstream industries, and decreasing productivity[5].
Another reason that has been given for requiring local storage of data is to enable (easier) access by law enforcement and judicial authorities. In more recent years, security concerns have also given rise to localization policies that prohibit the export of data that can be potentially exploited to effect socio-economic harm or enable attacks on critical information infrastructure or foundational digital infrastructure.
Efforts to preserve the free flow of data may be found in trade agreements, particularly digital trade agreements, and global norm-setting initiatives such as the G7’s efforts to ensure data free flow with trust. In gist, these policies seek to reduce hurdles to cross-border data transfers as indirect trade barriers by prohibiting signatories from imposing requirements of local processing or storage of data as a condition of doing business. Within these frameworks, restrictions to data transfers may only be imposed if they are necessary for achieving legitimate public policy objectives and even then, their scope must be proportionate to the identified harm.
Data embassy as a potential solution to data localization
Private international law supports the choice of law that governs private rights between commercial entities, the form of dispute resolution (e.g. litigation or arbitration), and choice of forum (and hence, the governing procedural rules). However, data localization requirements are in the realm of public law that cannot be contracted out of. The data embassy was initially developed as a government-to-government (G2G) arrangement. It has since seized the attention of businesses as a solution to circumvent data localization requirements. The primary motivation is to extend domestic laws and standards of protection to data that has been exported. What if data that has been exported is somehow still subject to the laws of the jurisdiction it originated from? If domestic laws and standards of protection follow the exported data, these overseas repositories of data will be like embassies in foreign countries that, despite their location overseas, are still treated as part of the home jurisdiction.
This is attractive to businesses for a number of reasons. In one scenario, data centres or data processors hoping to win contracts may wish to assure their overseas customers that their data will be managed according to their laws. This typically plays out in scenarios where the data centre or processor is located in a lower cost jurisdiction that is perceived to have lower standards of data protection. From the perspective of the host state (i.e., where the data centre is built), data embassies have industry development potential by attracting foreign direct investments for the development of communications and digital infrastructure. In another scenario, corporations in a country with data localization requirements seeking to conduct business overseas may proffer the data embassy as a way of assuring domestic regulators that exported data will remain subject to their regulatory requirements and within their reach, while concomitantly inaccessible by the government of the host state. From the exporting state’s perspective, this solution could work if it is assured of cooperation from the host state when access is required; while from the host state’s perspective, it must be prepared to permit intrusion into its sovereignty.
The origins of the concept and limitations of data embassies[6]
The concept of “data embassy”, while intellectually appealing, is based on a flawed understanding of how embassies function, a misapprehension that underlies the issues associated with data embassies as a solution to data localization policies. Contrary to common misconception, embassies are not pockets of foreign sovereignty. While the sending state may own the land upon which the embassy stands, it is nevertheless subject to the laws of the receiving state.
By international law and custom documented in the Vienna Convention on Diplomatic Relations (1961), the receiving state extends certain privileges to the embassy. First, diplomatic premises are inviolable in that the receiving state will refrain from exercising powers of search unless there is consent. Concomitantly, the receiving state has positive duties to protect the mission[7]. Second, the receiving state likewise refrains from exercising criminal jurisdiction or powers of arrest and detention over diplomatic agents[8]. Third, official communications from the mission are also protected[9]. Subject to these privileges, the law of the land applies. The mission is liable for injuries and harms that befall guests; and administrative, technical and service staff of the mission may not undertake unlawful activities within the embassy with impunity. Diplomatic agents who commit crimes will face prosecution in their home country even while they are not subject to criminal jurisdiction in the receiving country.
Hence, the assumption that data stored in a data embassy is governed by the laws of the sending state (i.e., the state where the data originates) is deeply flawed. If we are to faithfully apply what we may legitimately glean from the way real-world embassies operate to data hosted in a data embassy, we may only arrive at the position that the receiving state (i.e., the state where the data has been exported to) accepts that it cannot access the data, must protect data-at-rest and ensure the security of data-in-transit. The quid pro quo is that the sending state must investigate data incidents and take appropriate enforcement action – not something that can be easily accomplished remotely. To be clear, these are public law obligations and not obligations that can be negotiated in the realm of private law.
Presently, there are two primary data embassy models: the security model and the developmental model. While they share a common name, they are very different creatures.
Data embassy as a concept started with the Estonian implementation of the security model, which is perhaps the closest implementation to a real-world embassy. As a neighbor to a much larger and aggressive country, Estonia had its fair share of experiences with cyberattacks that have been linked to state-sponsored groups. After a particularly invidious incident[10], it struck an arrangement with Luxembourg to host a copy of its public sector data in the latter. As part of the arrangement, Luxembourg undertook to preserve the inviolability of this data center from searches and entry, its protection from intrusion and the confidentiality of communications[11]. In addition to Estonia, Luxembourg has also entered into a similar arrangement with Monaco[12]. These are, in essence, G2G arrangements for off-site backup of government data. They are not particularly helpful for solving the commercial and regulatory compliance concerns of businesses.
The developmental model of data embassies attempts to extend the data embassy concept to attract foreign direct investments. Bahrain’s implementation exemplifies this model. It aims to attract investments in cloud infrastructure and support the development of cloud services. Bahrain passed Decree 56 of 2018 that allows the disapplication of domestic law to content hosted in designated data centers while concomitantly designating the foreign law, competent courts and public authorities that will have exclusive jurisdiction instead[13]. Such a designated data center (i.e., the data embassy) is designed to allow cloud service providers operating there to choose the law that will be applied to customer data stored on their cloud platforms. However, there are a number of challenges with this approach.
While private international law allows contracting parties freedom of choice over governing law, dispute resolution mechanism and forum, data incidents have both private and public law consequences. Thus, the aftermath of a cybersecurity incident or data breach follows two tracks. First, breaches of contractual data protection and cybersecurity obligations between data center and customer can be enforced through private law. Second, the cybersecurity incident or data breach will also be investigated and enforced by the relevant data protection authority, and cybersecurity and law enforcement agencies of the jurisdiction where this incident occurred.
It is troubling to conceive of a situation where the receiving state has disapplied its public laws and declines to investigate and take enforcement action, while at the same time the foreign state whose cybersecurity and data protection laws were chosen to apply does not enforce them because it is ignorant of this choice, has not agreed to take on this role, or cannot practically do so. Offshore enforcement requires the foreign state to extend its investigatory and enforcement powers into the receiving state, which raises additional issues of sovereignty. It also requires the relevant data protection authorities, and cybersecurity and law enforcement agencies of the foreign state to have the capability of conducting investigations and collecting evidence remotely since the data repository is situated in another country.
This data embassy design also fails to solve data localization issues. The localization requirements operate on the customers of the data center in the country where they are situated. Until and unless the state exempts these customers from localization requirements, they are not able to circumvent such requirements by selecting an overseas data centre that allows them to select their choice of law, even if they choose their own laws, both private and public. Unilateral action by the destination state for exported data does not provide a complete solution.
In an April 2025 public consultation, Saudi Arabia put forward another variation of the developmental model for data embassies under its draft Global AI Hub Law that seeks to support the Kingdom’s ambitions to develop into a global AI hub[14]. The building block appears to be a security-styled data embassy for public sector data (referred to as a private hub in the draft law). This may be extended to allow a foreign third-party operator to offer its services to other commercial customers (referred to as an extended hub in the draft law). The third variation allows service providers based in Saudi Arabia to offer hosting services to commercial customers in foreign states under the laws of those foreign states (referred to as a virtual hub in the draft law). G2G agreements are contemplated for both private and extended hubs. It appears that service providers are also required to enter into agreements with the competent authority (for extended hubs) or obtain ex ante ministerial approval (for virtual hubs). It remains to be seen whether the regulatory lacunae that had been discussed in relation to the Bahraini implementation are addressed when the Global AI Hub Law is finalized.
Corridors of trust to facilitate bidirectional data flows[15]
If data embassies are intended to provide a solution to data localization requirements, the solution must be bidirectional. It must be emphasized that private international law already permits data centers and customers to select their choice of law and jurisdiction to govern their contractual relationship. But data localization requirements are a matter of public law. Hence, a public law solution is required. The public law solution can take a leaf from arrangements that exist for special economic zones.
For expediency, let us discard analogies with embassies. This public law solution must recognize that bidirectional data flow is a key design consideration and business requirement. (If all that is required is a secondary site for storing data with occasional repatriation, then perhaps the security model for data embassies is well-suited.) For data centers and their customers, data not only needs to flow between them inter se; data also needs to be transmitted to the end customers of the data center’s customers. For example, an e-commerce marketplace hosts its platform with a cloud service provider, but data also must flow from the marketplace to its end users.
The public law solution needs to check a number of boxes. First, it needs to support a choice of law. Next, it needs to enable access by data protection authorities, cybersecurity and law enforcement agencies to support investigations and enforcement. Additionally, it should also clarify the rights of access by data subjects and data owners. The solution should be capable of functioning as a free-standing data transfer mechanism that can be deployed to support cross-border trade, such as between special economic zones. In such cases, it lowers compliance costs and promotes trade. Additionally, it can also support limited exemptions to data localization requirements in one or both of the participating states. In this case, it also supports trade by removing non-tariff barriers in the form of data localization requirements.
The first point to be clear about is that although the solution is a public law one, it can operate hand-in-glove with private law solutions. The participating states – figuratively, the two terminal points of this data corridor – must first calibrate their applicable laws and regulations. For example, the corridor can operate between two special economic zones. A feature of the special economic zones is that some laws, particularly those relating to customs and tariffs, are specially designed to promote trade. In like manner, the relevant laws for calibration to facilitate bidirectional data flows in a data corridor are likely to be cybersecurity and data protection laws (including any data localization requirements). One way of achieving this is to reference a neutral international data protection standard for both participating states to calibrate their data protection laws to conform with this standard. This is preferable to bilateral mapping as referencing an independent standard makes it easier to scale, such as when other states seek to join this corridor. It also avoids any uncomfortable qualitative assessments when differences are identified when two laws are compared directly.
If special rules are required after benchmarking against that international standard, they may be especially enacted and limited in application to the participating special economic zones. For example, special rules may recognize industry certifications for data protection or cybersecurity (e.g., ISO 27000 series) or cross-border transfers (e.g., Global CBPR and/or PRP) as meeting the requisite regulatory standards and requirements. In this context, special rules that soften data localization requirements may also be possible (e.g., permitting data export if the designated technical standards are met). Once this is achieved, the data center and its customers may then choose which of the participating state’s laws to apply.
Take the Johore-Singapore special economic zone as an example. Both Malaysia and Singapore are part of ASEAN. ASEAN member states have adopted a set of data protection principles – the ASEAN data protection framework – that can serve as the neutral mapping standard. In addition to the principles, ASEAN has also adopted a digital data governance framework and an AI governance framework. These provide a rich source of standards and practices that support implementation. For cybersecurity standards, there are ample technical industry standards that can be referenced. For cross-border transfers, ASEAN has also endorsed the Global CBPR and PRP certification standard.
The choice of law will govern both the private and public dimensions of the commercial relationship between a data center and a customer. In the event of a private dispute, private international law principles will be applied to respect the choice of law and jurisdiction in the resolution of the dispute by the court of the chosen jurisdiction. Should there be a cybersecurity incident or data breach, there needs to be an effective enforcement cooperation agreement between the two participating states. An enforcement cooperation agreement will deal with issues such as a protocol for mutual assistance in acquiring evidence and witness statements. Truth be told, the choice of law is limited to the participating states.
Picking a law of a different state will not work for the public law dimension of this solution for obvious reasons. (To be clear, the data centre’s customers and their end users are not thus restricted.)
Access to data by regulatory, law enforcement and judicial authorities is another area of concern. There are multiple stakeholders with different interests. The state wants access when it needs to, in order to enforce its laws effectively. Data subjects and data owners want the assurance that access by the government is lawful and subject to independent oversight. Data center operators and cloud service providers want clarity of their roles and responsibilities so that they are not laden with unreasonable or numerous requests. In this space, there are also international and industry standards that can provide an independent and neutral standard that participating states in the data corridor may use as a mapping standard[16]. The OECD declaration on government access to data is an example of an international standard, whilst the Trusted Cloud Principles by the Trusted Cloud Initiative is an example of an industry standard[17].
Conclusion
As data emerges as a pivotal factor of production in the 4th industrial revolution—mirroring the regulatory trajectories once charted for land, labor, and capital—it is inevitable that regulatory frameworks around data will intensify. This paper has explored how increasing data localization requirements, fuelled by shifting geopolitical landscapes and heightened security concerns, present significant challenges to the seamless flow of information essential for the digital economy. In response, policy innovations such as data embassies and data corridors offer promising, albeit nascent, pathways to reconcile the imperatives of cross-border data transfers with legitimate governmental interests. These concepts demand rigorous debate, targeted pilot initiatives, and continual refinement to ensure they effectively address both commercial needs and regulatory oversight. Ultimately, striking a careful balance between enabling global data flows and safeguarding national interests will be crucial to harnessing the full potential of the digital economy in this new era.
Yeong Zee Kin[18]
1. 28 C.F.R. Part 202.
2. 15 U.S. Code Chapter 123.
3. The nature, evolution and potential implications of data localisation measures (10 November 2023) OECD, pp 12 – 15.
4. The nature, evolution and potential implications of data localisation measures (10 November 2023) OECD, p 3.
5. Nigel Cory & Luke Dascoli, “How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them” (19 July 2021) Information Technology & Innovation Foundation, available at https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what-they-cost.
6. For further reading, see Data Embassies Issues Paper (January 2024) and Data Embassies: Purposes, Features and Limitations (February 2024), Asian Business Law Institute, available at https://abli.asia/abli-publications/abli-data-embassy-issues-paper/ and https://abli.asia/abli-publications/data-embassies-purposes-features-limitations.
7. Vienna Convention on Diplomatic Relations (1961), Art 22.
8. Vienna Convention on Diplomatic Relations (1961), Arts 29 & 31.
9. Vienna Convention on Diplomatic Relations (1961), Art 27.
10. Emma Savouroux, “A World First: Estonia Opens a ‘Data Embassy’ in Luxembourg” (25 July 2025), available at https://www.blue-europe.eu/analysis-en/short-analysis/a-world-first-estonia-opens-a-data-embassy-in-luxembourg/.
11. Agreement between the Republic of Estonia and the Grand Duchy of Luxembourg on the hosting of data and information systems, available at https://www.riigiteataja.ee/aktilisa/2280/3201/8002/Lux_Info_Agreement.pdf.
12. E-embassies in Luxembourg, available at https://luxembourg.public.lu/en/invest/innovation/e-embassies-in-luxembourg.html.
13. Legislative Decree No. 56 of 2018 in respect of Providing Cloud Computing Services to Foreign Parties, available at https://www.lloc.gov.bh/FullEn/L5618.docx.
14. Brian Meenagh, Ksenia Koroleva, and Faisal Imam, Saudi Arabia Pioneers Data Embassies With Publication of Draft Global AI Hub Law, Global Privacy & Security Compliance Blog (18 April 2025), available at https://www.globalprivacyblog.com/2025/04/saudi-arabia-pioneers-data-embassies-with-publication-of-draft-global-ai-hub-law/.
15. For a specific design of such a corridor of trust, see https://abli.asia/abli-publications/principles-of-asean-framework-on-crossb-border-cloud-computing/; see also, “ASEAN endorses Malaysia-led Regional Framework on Cross-Border Cloud Computing” (26 February 2026) MDEC https://www.mdec.my/media-release/news-press-release/415/asean-endorses-malaysia-led-regional-framework-on-cross%02border-cloud-computing.
16. Declaration on Government Access to Personal Data held by Private Sector Entities (14 December 2022) OECD/Legal/0487.
17. https://trustedcloudprinciples.com/.
18. I wish to thank Ms. Catherine Shen for her assistance in reviewing an earlier draft of this paper.