MIDDLE EAST FOCUS: Diplomatic Immunity for Data and Bahrain’s Data Embassy Law

The practice of cloud computing by using a network of remote servers hosted on the Internet to store, manage and process data, rather than a local server or PC, is increasingly commonplace. However, storing data on the cloud has its potential downsides and countries have tried to implement new laws to protect important information.

As Bahrain has moved towards becoming a cloud computing hub, it extended its innovative scope in 2018 by implementing new legislation that allows foreign parties to store their data in data centres located in Bahrain under what is known as a ‘data embassy’. This blurs the legal lines of national borders and sovereignty. When fully implemented it will allow consumers to store their information in data centres in Bahrain while having the comfort of their data being governed by the domestic data protection law of their residence.

What is a Data Embassy?

A Data Embassy is a relatively new legal concept. It was first introduced in 2017 through a bilateral agreement between the governments of Estonia and Luxembourg.

In 2007, Estonia reportedly fell victim to ‘distributed denial-of-service attacks’ by Russian attackers which took a number of government and bank websites offline and threatened to make Estonia’s entire public sector data communications network inoperable.

The Estonian Government’s response was to strengthen their protection against such attacks, penalisation for cybercrime, and to develop the concept of an out of country ‘data embassy’. Estonian data and related systems are stored in Luxembourg’s government owned data centre. As with physical embassies, the Estonian state owned servers resource outside its borders are considered sovereign embassies in the Luxembourg data centres.

The Cloud Computing Services Law in Bahrain

In 2018, Bahrain implemented the Legislative Decree No. 56 In Respect of Providing Cloud Computing Services to Foreign Parties (‘Cloud Law’). The Cloud Law’s purposes is to ‘provide a legal framework that encourages Foreign Parties use of an investment in Cloud Computing Services within Data Centres.’

Under Article 3 of the Cloud Law, the data stored in data centres by overseas consumers of cloud services in Bahrain will be subject to the domestic law in the ‘Foreign State’ where the relevant consumer resides (or is incorporated in cases of legal persons). They will therefore be subject to the jurisdiction of that Foreign State’s courts, and other competent authorities.

Furthermore, the courts and other competent authorities of the consumer’s Foreign State are empowered to issue binding judgments with respect to any dispute which may arise between the overseas consumer and the domestic service provider. For example, orders for providing access, disclosure, preserving or maintaining the integrity of the consumer’s data.

This means that competent courts and competent public authorities have to issue binding orders in the event of a dispute arising between an overseas consumer and the domestic service provider in Bahrain, “including orders for providing access, disclosure, preserving or maintaining the integrity of the Customer Content.”

A service provider is obliged to inform the Attorney General in writing “as soon as practicable” when they have received an order from a competent court or competent public authority of a Foreign State and must provide a copy of the order.

The competent judge and Attorney General in Bahrain can order the enforcement of any executable order, “which is final and not subject to further appeal” concerning matters relating “to providing access, disclosure, preserving or maintaining the integrity of Customer Content, or any matter in connection with Customer Content (…).”

What does it mean for cloud service customers?

Consumers worry about the safety of their data being held outside of their reach while awareness of the possible vulnerabilities of data increases.

The Cloud Law addresses the risk that a country’s protection is not at the same level as your own. Further, it clarifies who can have access to it.

However, the law is not yet fully effective. The Cloud Law only applies to:

  •     Data Centre:  defined as any data centre designated under Article 4 of the Cloud Law that is physically located in the Kingdom and which provides Cloud Computing Services to Customers; and
  •     Foreign State: defined as any foreign state, including where applicable any of its territorial units which has its own laws, designated under Article 4 of the Cloud Law

Bahrain’s Council of Ministers shall issue a resolution to designate local Data Centres subject to the Cloud Law and Foreign States which have jurisdiction to issue judgments in connection with foreign consumers’ data. To date no such resolutions have been issued.

Accordingly, the data embassy concept is still very new and not yet fully developed. At the same time, there appears to be an increasing number of data localisation laws being introduced.

Data Localisation Law

In contrast to the concept of data embassies, a data localisation or data residency law mandates that data about a country’s citizens or residents be collected, processed, and /or stored inside that country. Businesses operating on the Internet must store and process data within the relevant country.

By way of example, under the UAE’s Federal Law No. 2 of 2019 Concerning the use of Information and Communications Technology in HealthCare, it is not permitted to store, develop or transfer health data outside of the UAE that is related to health services provided within the UAE. An exception is granted where the relevant health authority and the Ministry of Health and Prevention have passed a resolution to allow specific data to be handled outside of the UAE.

The common justification for data localisation laws is that data stored onshore ensures security and privacy.

However, data localisation laws clearly create barriers and pose a threat to the free flow of information across borders on the internet as well as the maintenance of global supply chains, in a world increasingly relying on e-commerce.

Fit for purpose

The Cloud Law’s purpose is to “provide a legal framework that encourages Foreign Parties use of an investment in Cloud Computing Services within Data Centres.” (see Article 2).

In July 2019, Amazon Web Services (AWS) opened three data centres in Bahrain, the company’s first in the region, bringing its global network to 69 centres in 22 locations.

This is indicative of the growing success of Bahrain’s innovative strategies to encourage cloud computing services.

Written by Martin Hayward, Middle East based lawyer, regional Head of Technology and Media & Telecommunications practice at Al Tamimi & Company.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.