ZDNet | Security

Can data embassies make cross-border AI safer?

gettyimages-1309251202

Richard Drury/Getty Images

Organizations are facing challenges navigating legislation as they look across borders for their artificial intelligence (AI) deployments. So-called “data embassies” could be a solution. 

Also: 25% of enterprises using AI will deploy AI agents by 2025

According to a January 2024 report co-authored by Asian Business Law Institute (ABLI) and Singapore Academy of Law, data embassies can support an organization’s desire to “insulate” its data from being accessed by the authorities of the embassy’s host country. 

Citing its interactions with public and private organizations, ABLI noted that a recurring challenge involving the transfer of data across borders comes from the reluctance of customers to grant access to their data. 

Once data is transferred to the host country, where the data center is located, it falls under the possession of the recipient — which leaves the customer transferring that data with limited ability to act if public authorities of the host country’s jurisdiction want access to it. 

Also: Mind the trust gap: Data concerns prompt customer caution over generative AI

One solution to this is to establish risk assessment and mitigation measures, ABLI said, while another is to establish data embassies. The latter allows for a balance between the customer’s need to protect their data and the host country’s need to exercise sovereignty over the territory on which the data embassy is located. 

“[It is] all happening against the backdrop where countries globally are racing to establish themselves as technology or digital economy hubs by playing host to data centers,” ABLI wrote. 

According to the law institute’s report, a data embassy can allow the host country to remove concerns that its enforcement bodies will enter a data center, search it, and seize storage devices. 

Also: Gen AI could speed up coding, but businesses should still consider risks

“The host state wishes to allow the laws of another state (the guest state) to govern the activities of the parties and/or the data of the data center, so that a customer, such as a tech conglomerate, is more willing to transfer data to a data center located in its territory,” the report noted. “The host state wants to allow the laws of a state with which the customer is more familiar to govern the data center. In this way, the customer would only need to comply with the laws of the guest state and not the laws of the host state.”

The cloud service provider and the customer of a data embassy may also be free to agree on the state which laws apply to their cloud services contract, ABLI wrote. 

Data embassies build on a legal framework that mirrors some aspects of a traditional diplomatic mission, just applied to data centers, the law institute said. It added that countries such as Estonia and Bahrain have already adopted the model, while others, such as India and Malaysia, are mulling its adoption. 

Need for standard legislation to ease cross-border AI

A data embassy can also ease friction in a global environment where AI laws differ and are difficult to navigate across borders.

Also: Anthropic warns of AI catastrophe if governments don’t regulate in 18 months

There is currently no consistent position on who owns the output of AI, said Bryan Tan, a partner at law firm Reed Smith who works in the entertainment and media group. Does the person who ran the AI algorithm own it? Or does the one who created the LLMs (large language models), or the user who puts in the prompt? 

Even when legislation has been established to address that question, laws vary across borders, Tan told ZDNET. Businesses still want to tap AI, so there are concerns around how they should handle these challenges.

Ideally, their AI processes remain in the same jurisdiction so the problem can be addressed. Alternatively, there can be international collaboration to harmonize the rules, much like copyright laws, so it is easier for organizations to manage, Tan said. 

Also: Your AI transformation depends on these 5 business tactics

However, he added that whether there is potential for this to take place remains to be seen, since the European Union already established its own AI Act while the US federal legislative route is uncertain under the incoming Trump administration. 

Meanwhile, Tan suggested that other global markets like Asia could align their laws with those of the EU or the US to establish more consistency and ease cross-border concerns.

The optimal goal is to have one set of laws, which sets the path toward the data embassy concept, he said. It reduces friction and enables scalability, since organizations can choose to host their AI data in different locations under one set of legislations.

Also: DeepSeek challenges OpenAI’s o1 in chain of thought – but it’s missing a few links

For example, Tan highlighted the potential for regional blocs like the Association of Southeast Asian Nations (ASEAN) to come together and ink multilateral agreements to create data embassies for the region. 

Assuming the aim of a data embassy is to ensure data is only subject to the laws of its state of origin, its advantages would include reducing friction of the data owners in moving the data into the host state, he said. While hybrid cloud can address some of the issues, the bulk of LLMs run on public cloud platforms, Tan noted — making it inefficient for organizations to replicate the models and run their AI algorithms in private clouds, in every local market they operate.

Also: FTC says AI company Evolv ‘falsely hyped’ its security scanners

An April 2024 report from IDC highlighted growing interest among Asia-Pacific governments for sovereign cloud solutions due to geopolitical disruptions, changing data protection regulations, growing cyber threats, and shifts in digital trade policies. 

“Governments also see sovereign cloud as an economic advantage, encouraging investments from hyperscalers in local data centers to enhance the digital economy and industry prospects,” IDC said. The research firm estimated that 17% of government organizations in Asia-Pacific already use sovereign cloud services, while a third plan to do the same within two years. 

However, while these organizations see benefits from doing so — such as compliance with data residency regulations — they face significant challenges, including high implementation costs, complexity, and potential constraints on innovation, IDC said.

Risk assessment is still the key

Ilias Chantzos, Broadcom’s global privacy officer and head of EMEA government affairs, acknowledged that there are added concerns over putting data on the cloud or outside an organization’s local jurisdiction. Companies worry whether their data is used to train other AI tools or retrained for other purposes, how secure it is, and what happens to it.  

Among other issues, they also have concerns about who possesses the AI model and what data is extracted from it, Chantzos said in a video interview.

Also: Businesses still ready to invest in Gen AI, with risk management a top priority

It is pushing organizations to opt for hybrid or private cloud models, so they can implement controls around the data and how it is utilized, he said. 

Ultimately, companies need to discuss their data and the risks they are prepared to take before deciding on the right AI framework. 

This is critical for whether or not they decide to run their applications on data centers across borders, he noted. Their assessments should include an understanding of the legislation governing the markets in which the data centers are located as well as the limitations in their local jurisdictions that may prevent cross-border data transfers.

Also: AWS says its AI data centers just got even more efficient – here’s how

“Choose the jurisdiction you trust,” Chantzos said. 

When asked about the potential of data embassies, he said this could provide a strong legal construct, but there are questions that will need to be addressed. For instance, can the concept scale, and what will it cost? What are its limitations, and how will it be enforced? 

Also: IT leaders worry the rush to adopt Gen AI may have tech infrastructure repercussions

The data embassy model also cannot be adopted if the organization must comply with data sovereignty laws issued by its government, in which it is required to store certain data locally, Tan said. Data sovereignty rules are typically enforced for certain verticals, such as financial services.

It also remains unclear how data embassies will be enforced, though the tech lawyer suggested this could be done through bilateral agreements or treaties, similar to an extradition treaty. 

Govind Choudhary, Digital Realty’s Asia-Pacific vice president of strategy and business development, added that different guidelines can be established for regulated sectors, such as financial services, to manage more sensitive data. 

For now, at least, the data embassy approach is a little far ahead for businesses that still are more concerned about how to stop their employees from uploading corporate data into ChatGPT, said Daniel Ong, Digital Realty’s Asia-Pacific director of solutions architecture. 

Robust data management is just as important

Data and the ability to leverage good data, including new datasets, are central to an organization’s generative AI (gen AI) strategy, Choudhary said in a video interview. He added that companies are trying to figure out the best ways and environments to manage this, whether it is in a private, public, or hybrid cloud infrastructure. 

Hybrid cloud, in particular, is emerging as the business choice, he said. “[Organizations] don’t necessarily want compute in one location…because data is generated all over the world, they need to have compute in different locations [to process the data],” he said. 

Also: Time for businesses to move past generative AI hype and find real value

A hybrid cloud environment will enable organizations to run their AI applications across multiple locations, with the ability to move data seamlessly and securely via private connections, where necessary, he said. 

Organizations typically have data spread across 10 to 12 locations, Ong added. He noted that unlike hyperscalers and AI service providers, which need to crawl the web for data and run heavy AI training loads, enterprises typically need to do more AI inferencing. So they need to align their data needs with compute infrastructure requirements and, from there, decide whether a private or public cloud infrastructure is more suitable, Ong said. 

He noted that few are willing to push data that contains their IP into a cloud that does not operate within a domain of their control. These concerns drive their decision on whether to push such AI workloads into a cross-border data center, with most choosing a hybrid cloud approach so they can retain certain data in their local domain, he explained. 

Also: 4 ways the tech we buy is designed to fail, and why you should be furious

Such decisions also are pushing hyperscalers and cloud vendors, such as Google and Amazon Web Services, to launch regions and zones in more locations to meet the growing demand, Choudhary said. This also addresses any latency concerns in the customer’s local markets, he added. 

Also: Fight for global AI lead may boil down to governance

In Asia-Pacific, 72% of organizations are incorporating data location strategies into their AI plans, according to a global survey released by Digital Realty. The study polled 2,254 IT leaders across 21 countries in Europe, the Americas, and Asia-Pacific, including India, Japan, Singapore, and South Korea. 

The distributed data approach allows enterprises to tap high-density storage and processing capacity in key locations to optimize AI performance, the report noted. 

Some 56% of Asia-Pacific respondents plan to expand their infrastructure to one to five more locations within the next two years. This would enable them to adhere to data sovereignty regulations and scale AI workloads, according to the Digital Realty report. 

As it is, 56% believe they lack the digital infrastructure needed for data and AI success, with 64% citing insufficient data storage for large AI datasets as a key infrastructure challenge.

Also: Safety guidelines provide necessary first layer of data protection in AI gold rush

Another 55% point to inadequate computational power for AI processing, while 49% highlight reliable connections to distribution data sources as a key infrastructure challenge. 

Broadcom’s Chantzos noted that the global landscape will continue to evolve and become more complex as more countries, such as Japan, Australia, and South Korea, release their own AI laws. He advised organizations to build a robust governance framework and understand their AI use cases, including the technology and data used to support their AI applications. 

He advocates again for the importance of risk management, including data risk management, and assessing the organization’s risk profile as well as understanding local jurisdictions of the global markets in which its data centers operate. 

“[Organizations] have to put in the right risk assessment and, as laws evolve, go back in and reassess and identify what needs updating,” he said. 

READ MORE HERE