Navigating The Challenges Of Data Center Growth – Focus Issue: Off World Compute, Earthly Laws: Comments On Service Interruptions, Collision Risk, And Data Processing For Extraterrestrial Data Centers

Foley Hoag is publishing a series of articles on the legal issues confronting the data center industry. Part 1 examined energy usage challenges. Part 2 examined water, community, land use, and e-waste challenges. As part of the series, we're focusing on specific, emerging aspects of the industry. This is the first such focused article. Stay tuned for additional posts as we continue our deep dive into these critical topics.

Key Takeaways:

• Advantages of data centers in space include easy access to plentiful solar energy, efficient cooling, and no land-use constraints.
• While the legal infrastructure applying to satellites is relatively mature, aspects of it have not been tested: it may be extraterrestrial data centers that test them.
• The use of extraterrestrial data centers is likely to give rise to new, and potentially larger, liabilities than present satellite use.
• Data centers will further contribute to the accelerating growth in the volume of satellites in orbit, risking more collisions.
• Cross-border interplay between national data protection laws - the CLOUD Act, GDPR, PIPL etc. - is complex on Earth: introducing data centers in space will further complicate it.

Off-World Data Processing Is Having A Moment.

The exponential demand for data center capacity—along with competition for terrestrial electricity capacity, constraints on land use, and cooling requirements—are generating increasing interest in placing data centers in outer space. Last month, Starcloud, a NVIDIA-backed startup, launched the first satellite data center, and SpaceX intends to offer this service in the future.

As Google recently explained, "in the right orbit, a solar panel can be up to 8 times more productive than on Earth, and produce power nearly continuously, reducing the need for batteries." Data centers in space may produce fewer carbon emissions than their terrestrial siblings and eliminate the need for water cooling, as IBM has observed. Starcloud has "project[ed] the energy costs in space to be 10x cheaper than land-based options." Jeff Bezos believes "[w]e will be able to beat the cost of terrestrial data centers in space in the next couple of decades."

The Established Legal Infrastructure Governing Satellites.

The legal landscape in which satellites are manufactured, launched, and employed is, after 60-plus years, relatively well established. Under the Outer Space Treaty and related UN instruments, activities in outer space are "national activities," requiring authorization and supervision by a state, and attaching international responsibility and liability to that state. To date, this liability infrastructure has been little used, but with the number of objects in orbit increasing rapidly, this may not remain the case for much longer. Under Article VI, national law then fills in how private operators are licensed and supervised. At the commercial level, the industry is marked, to an extent, by dispute avoidance, with a great many satellite agreements containing cross-waiver clauses, further to which each party assumes its own risks. When disputes do occur, given the international and cross-jurisdictional nature of the business, arbitration is often chosen over domestic courts.

How Will Extraterrestrial Data Centers Fit With The Existing Legal Regime?

In many respects, extraterrestrial data centers will be like other satellites, and the treaties, national laws and types of contracts that govern existing satellites will continue to function well. That said, launching data centers into space will likely test certain aspects of the existing legal architecture in novel ways. This article describes some of the legal challenges extraterrestrial data centers present:

I. Interruptions to Satellite Services Are Likely to Trigger Greater Liabilities.
Satellite services can be interrupted and degraded by various risks: debris strikes, solar storms, spectrum interference from third parties, and hardware and software malfunctions. At present, for the most part, as satellites focus on transmission of data, the impact of these issues is normally temporary.

Data centers store data on a permanent basis: a debris strike could permanently compromise a customer's data (especially if the data is generated in space and has not been backed-up elsewhere), with potentially catastrophic implications for its business.

This will place greater strain on the mechanisms managing such risks. Careful attention should be paid to the following risk-management mechanisms, among others:

• Data preservation warranties: Are they realistic in, and adapted to, the outer space environment and its additional risks for data integrity, such as higher radiation exposure and risks of solar storms?
• Force majeure clauses in contracts between data center operators and their customers: Are they duly adapted to cover the events that can affect data centers in space? How do they define "reasonable efforts" to overcome impediments in view of the prohibitive costs and difficulties of carrying out repairs in space?
• Mechanisms to address long-duration outages or permanent degradations in operability: Is there a point at which rights to termination arise, or at which other doctrines such as frustration may be invoked to end the relationship? In such circumstances a structured escalation regime can be effective to reduce litigation risk. For instance, temporary relief; redesign and repurposing obligations; price reopening; and, termination rights are potential options.
• Insurance: Specialized insurance can be obtained to cover, inter alia, the cost of damage itself, business interruption losses, and the losses caused to third parties. Conditions of coverage will need to be carefully considered.

II. A Further Significant Growth In The Volume Of Material In Orbit Risks More Collisions.

According to the European Space Agency ("ESA"), over 23,770 satellites have been launched, of which around 15,860 are still in orbit around the Earth, and of which around 12,900 are still functioning. The majority of these were launched in the last five years. There are more than another hundred slated for launch in December 2025 alone. Over time there have been more than 650 "break-ups, explosions, collisions, or anomalous events resulting in fragmentation," with the result that there are over 40,000 tracked objects orbiting the Earth.

The addition of data center satellites will further increase the traffic orbiting the Earth. Notably, some of these satellites will be much larger than existing satellites. "Starcloud plans to build a 5-gigawatt orbital data center with super-large solar and cooling panels approximately 4 kilometers in width and length"; by comparison, the International Space Station's solar array is 109 meters. As satellite size, and satellite traffic, particularly in the desirable dawn–dusk sun-synchronous low Earth orbit, increases, the potential for collisions increases. To date, the limited number of collisions have not tested the legal architecture designed to handle them. According to Lloyds of London, there has never even been an insurance claim based on a satellite collision.

Were an extraterrestrial data center to be involved in a collision, the 1972 Convention on International Liability for Damage Caused by Space Objects provides that the "launching State" would be liable for damage caused to the space objects of another launching State "if the damage is due to its fault or the fault of persons for whom it is responsible." The "launching State" can include the State that launches or procures the launch or from whose territory or facility an object is launched. As such, more than one launching State may exist.

Because this is a State-State liability mechanism, a data center operator would have to persuade (one of) its launching State(s) to pursue its claims. States may be reluctant to go to bat for the companies they host, in what would be a somewhat unusual step. On the other hand, there is precedent in the law of the sea, where flag States pursue claims for actions taken against vessels flying their flags. Taking a page out of that book, a State demonstrating a willingness to bring cases on behalf of data center operators for whom it serves as a launching State could attract investors in the space industry.

Establishing fault for collisions is likely to be a complex endeavor. The recent exchange between the ESA and Starlink about a potential collision between Aeolus Earth and Starlink44 demonstrates this. It showed that (i) there was no established protocol to determine which satellite on a collision course should move, (ii) no consensus on what likelihood of collision (1/10000? 1/1000?) justified an evasive maneuver, (iii) that calculations of the likelihood of collision depend heavily on the source(s) of data used, and (iv) there is a meaningful chance for miscommunication. Holger Krag, the ESA's Head of Space Safety described how this potential incident was averted through "exchanging emails — an archaic process that is no longer viable as increasing numbers of satellites in space mean more space traffic," though not before "a 'bug' in [Starlink's] on-call paging system prevented its Starlink operator from realizing the risk of collision had increased." Mr. Krag ultimately concluded "[n]o one was at fault here," though one imagines that, if a collision had occurred, picking over these facts to determine fault, if any, would have been a challenging task.

III. What Data Protection Laws Apply In Outer Space?

Extraterrestrial data center operators will also need to confront and manage the extent to which various data protection, data localization, and data sovereignty regimes apply to them, and interact with each other. While extraterrestrial data centers will physically exist in outer space, an area beyond national jurisdiction, they will still be subject to the regulatory authority of their launching State(s), at a bare minimum. Given the possible diversity of launching States, as well as the diversity of customers, data may be subject to multiple overlapping jurisdictions. We provide three examples below, but laws of this type have been passed in Australia, Brazil, Canada, India, the UK and elsewhere:

• The US Stored Communications Act and CLOUD Act: The US Stored Communications Act allows US law enforcement agencies to compel, via warrant or subpoena, providers of certain electronic services to provide data stored on their servers. As noted above, Article VI of the Outer Space Treaty means that a U.S.-launched data center would remain under U.S regulatory authority. In 2018, the Clarifying Lawful Overseas Use of Data (CLOUD) Act explained that the procedures under the US Stored Communications Act applied regardless of whether the "communication, record, or other information is located within or outside of the United States" (as well as creating architecture for closer cooperation with foreign law enforcement agencies). Outer space likely would fall under the description "outside of the United States." As such, any party launching a data center from US territory must be aware that the information it stores will remain subject to these laws.
• The EU's GDPR: The General Data Protection Regulation (GDPR) is the European Union's comprehensive data privacy law, effective since 2018. It applies to the processing of personal data of individuals located in the EU, and by an establishment of a data controller or data processor in the Union. The GDPR's application to outer space raises some issues. While Article 3 is explicit that processing by an establishment of a data controller or data processor in the EU is covered by the GDPR "regardless of where the processing occurs," no equivalent language is included in respect of the "processing of personal data of individuals located in the EU." Moreover, Chapter 5 of the GDPR, which governs "[t]ransfers of personal data to third countries or international organizations," is silent with respect to transfers of data to outer space. It too is framed in terms of transfers "to a third country," and so would not obviously apply to transfers to, or within, outer space. It is also unclear how the current EU-US Data Privacy Framework would apply to extraterrestrial transfers. An operator seeking to circumvent GDPR by using an outer space data center would be taking a meaningful regulatory risk.
• People's Republic of China's PIPL: The Personal Information Protection Law (PIPL), which came into force on November 1, 2021, is the nation's comprehensive data protection regime, somewhat comparable to the GDPR. The PIPL applies broadly to any business or organization that collects, stores, uses, shares, or sells personal data from individuals in the People's Republic of China, regardless of whether the organization has a physical presence in China. Unlike the EU and US equivalents, Article 38 of the PIPL implements strict data localization requirements. Personal data collected and generated in China must be stored locally and cannot be transferred outside Chinese borders unless strict conditions are met (for instance, specific authorizations from the authorities, or a standard form contract issued by the Cyberspace Administration of China being signed with the foreign recipient). For space-based data centers, China's localization requirements create a distinct compliance challenge. The PIPL's requirement that critical data remain within Chinese territorial borders—when combined with the fundamental principle that space objects fall under the jurisdiction of their launching State—suggests that a Chinese-launched space data center could theoretically comply with localization requirements, despite physical data storage in orbit, though the involvement of other launching states would likely be impermissible.

The coexistence of multiple, overlapping data protection regimes creates significant legal complexity, especially for cross-border data flows. Existing jurisdictional conflicts demonstrate the complexity that space-based infrastructure will only amplify. For instance, US law enforcement can serve legal orders on US-based providers for data under their control, even if physically hosted in the EU. This directly conflicts with GDPR Article 48, which requires that court orders requesting data transfer outside the EU be grounded on an international agreement (such as a Mutual Legal Assistance Treaty). When the US Department of Justice attempted to compel Microsoft to produce emails stored in Ireland, the Irish government backed Microsoft, creating a legal standoff between allied nations that ultimately prompted refinement of the CLOUD Act to include a "comity" process allowing providers to challenge disclosure orders that conflict with foreign law. Similarly, China's data localization mandates and the CLOUD Act are fundamentally incompatible. China requires personal data of Chinese citizens to remain within China; the US requires US-based providers to disclose data under their control regardless of location. Thus, a US-based provider with Chinese customer data could face an unresolvable conflict.

IV. Issues On The Horizon.

The risks we identify above are likely to manifest in the near to medium term.

As extraterrestrial data centers reach the end of their lives, attention will need to be given to decommissioning and deorbiting satellites too; for example, the US Federal Communications Commission currently requires satellite operators to deorbit their satellites within five years of completing their missions. Third-party providers may be engaged by data center operators to assist in deorbiting. These contracts will need to clearly stipulate that deorbiting providers follow relevant protocols (which may evolve over time) and make provisions for unforeseen difficulties or delays in carrying out the deorbiting process.

Contracts will also have to allocate responsibility for, inter alia, risks of damage to other satellites during the deorbiting process, risks of harm to those on Earth if any satellite fragments reach Earth. In this regard, the Liability Convention provides for absolute liability of a launching State for harms caused on earth or to aircraft in flight. Contracts will also have to incorporate compliance with the environmental impact assessment requirements imposed by their launching State by virtue of the Agreement on Marine Biological Diversity of Areas beyond National Jurisdiction (BBNJ Agreement) if any part of the satellite is planned to be disposed of in the high seas.

Another set of issues further over the horizon concerns the in-space manufacturing of data centers components. A significant limiting factor in operating a large extraterrestrial data center is the high launch cost, including of components such as solar panels. So, data center operators may eventually explore in-space components production, potentially using materials extracted from celestial bodies or recycled from decommissioned satellites. The former materials are subject to non-appropriation and free access norms under the Outer Space Treaty, and the rights to the latter would need to be governed by agreements involving the owners of the decommissioned satellites, service providers, and the ultimate end-users. We will explore the legal issues surrounding such endeavors in a future post.

Conclusion

Extraterrestrial data centers may present an attractive opportunity for the industry, which is adapting to a number of terrestrial challenges. . The law will need to keep up with, duly adjust to, facilitate, and regulate, these new technologies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.