Data Sovereignty
Core Definition (BLUF)
Data sovereignty is the principle that data generated within a state’s jurisdiction is subject to that state’s laws and governance — and, by extension, that the state has the right to require that such data be stored, processed, or accessible within its borders (data localisation). It is the data-layer expression of the broader Cyber Sovereignty doctrine: just as Cyber Sovereignty asserts state control over the information environment, data sovereignty asserts state control over the informational substrate on which that environment depends. These principles are promoted most aggressively by the People’s Republic of China and the Russian Federation but have been partially adopted by democratic states in different registers.
Governance Variants
Data-sovereignty doctrine fractures into several distinct governance models with different motivations:
| Model | Primary Proponent | Core Motivation | Instrument |
|---|---|---|---|
| Authoritarian sovereignty | PRC, Russia, Iran | Domestic control, intelligence collection, censorship | Data localisation mandates, national routing (RUNET), Great Firewall |
| Regulatory sovereignty | EU | Privacy, rule of law, consumer protection, economic leverage | GDPR, Standard Contractual Clauses, adequacy decisions |
| National security sovereignty | US (sector-specific), Australia, India | Supply-chain security, FDI screening, trusted-vendor rules | CLOUD Act, CFIUS, Clean Network initiative |
| Development sovereignty | India, Indonesia, Brazil | Digital industrialisation, data as economic asset | National data governance bills, sector-specific localisation |
Assessment (Medium): the convergence of authoritarian control-motivation and democratic national-security motivation has produced what scholars call “splinternet” dynamics — a fragmentation of the global digital infrastructure along geopolitical lines that mirrors Cold War bloc logic.
PRC Data Architecture — Paradigm Case
The PRC’s data-sovereignty architecture is the most comprehensive and operationally significant:
- Cybersecurity Law (2017) — mandates “important data” storage within PRC borders; requires “network security reviews” for cross-border data transfers.
- Data Security Law (2021) — classifies data by national-security importance; “core state data” subject to stricter controls.
- Personal Information Protection Law (PIPL, 2021) — modelled partly on GDPR but with state-access carve-outs absent from the EU version.
- Cross-border data transfer restrictions — export of “important data” requires security assessment; standard contracts or certification for personal information.
- State access — intelligence and security agencies retain authority to access any data held within the PRC regardless of ownership or encryption, under the National Security Law and related instruments.
The practical effect: any firm operating in the PRC under these laws must make its data available to the Chinese state on demand. This creates structural intelligence access for the PRC to data generated by foreign companies, their employees, and their Chinese customers — regardless of corporate nationality.
CLOUD Act and Extraterritorial Reach
The US Clarifying Lawful Overseas Use of Data (CLOUD) Act (2018) allows US law enforcement to compel US-based cloud providers to produce data stored overseas, subject to bilateral executive agreements with partner countries. It is the US analogue to PRC state-access provisions — premised on jurisdiction over the company (nationality principle) rather than jurisdiction over the data location (territoriality principle). The tension between CLOUD Act extraterritoriality and EU data-sovereignty requirements (GDPR, Schrems II) has produced sustained transatlantic legal friction.
Strategic Implications
- Intelligence collection through data localisation: adversary states that mandate local storage of foreign-firm data gain covert intelligence access to commercial, diplomatic, and personal data at scale. This is a structural intelligence advantage that does not require active espionage operations.
- Digital Silk Road as data-sovereignty export: Chinese-built telecommunications infrastructure along BRI routes (Huawei 5G, undersea cables, data centres) extends PRC data-access reach into partner-state networks, effectively projecting PRC data-sovereignty norms beyond its own borders.
- Splinternet as power structure: fragmentation of the internet into jurisdictional segments is not merely a regulatory inconvenience but a structural shift in the global information environment — determining whose legal norms govern which data flows, and whose intelligence services benefit.
- EU as third pole: GDPR-based data sovereignty represents a third governance model that neither accepts US extraterritoriality nor authoritarian control, but its enforcement has been inconsistent and its strategic implications (limiting US cloud dominance in Europe) are only partially realised.
Key Connections
- Cyber Sovereignty — parent doctrine; data sovereignty is its data-layer expression
- Great Firewall — technical centrepiece of PRC data-sovereignty enforcement
- Digital Silk Road — export vector for PRC data-governance norms and infrastructure
- Computer Network Exploitation — state data-access mandates as structural CNE enabler
- Revisionist-Powers — PRC and Russia as principal data-sovereignty advocates
- Belt and Road Initiative — infrastructure layer enabling data-access projection
- People’s Republic of China — paradigm practitioner
Sources
- PRC Cybersecurity Law (2017), Data Security Law (2021), PIPL (2021) — official statutory texts. Confidence: High — primary sources.
- US CLOUD Act (2018), Public Law 115-141. Confidence: High — primary source.
- European Commission, GDPR (Regulation 2016/679) and Schrems II judgment (C-311/18, CJEU 2020). Confidence: High — primary legal instruments.
- Deibert, R. (2020). Reset: Reclaiming the Internet for Civil Society. Anansi Press. Confidence: High for digital-sovereignty geopolitics framing.
- Segal, A. (2022). “The Failure of Cyber Deterrence.” Survival, 64(4). Confidence: Medium-High for the strategic implications of data-governance fragmentation.