Data Sovereignty

Core Definition (BLUF)

Data sovereignty is the principle that data generated within a state’s jurisdiction is subject to that state’s laws and governance — and, by extension, that the state has the right to require that such data be stored, processed, or accessible within its borders (data localisation). It is the data-layer expression of the broader Cyber Sovereignty doctrine: just as Cyber Sovereignty asserts state control over the information environment, data sovereignty asserts state control over the informational substrate on which that environment depends. These principles are promoted most aggressively by the People’s Republic of China and the Russian Federation but have been partially adopted by democratic states in different registers.

Governance Variants

Data-sovereignty doctrine fractures into several distinct governance models with different motivations:

ModelPrimary ProponentCore MotivationInstrument
Authoritarian sovereigntyPRC, Russia, IranDomestic control, intelligence collection, censorshipData localisation mandates, national routing (RUNET), Great Firewall
Regulatory sovereigntyEUPrivacy, rule of law, consumer protection, economic leverageGDPR, Standard Contractual Clauses, adequacy decisions
National security sovereigntyUS (sector-specific), Australia, IndiaSupply-chain security, FDI screening, trusted-vendor rulesCLOUD Act, CFIUS, Clean Network initiative
Development sovereigntyIndia, Indonesia, BrazilDigital industrialisation, data as economic assetNational data governance bills, sector-specific localisation

Assessment (Medium): the convergence of authoritarian control-motivation and democratic national-security motivation has produced what scholars call “splinternet” dynamics — a fragmentation of the global digital infrastructure along geopolitical lines that mirrors Cold War bloc logic.

PRC Data Architecture — Paradigm Case

The PRC’s data-sovereignty architecture is the most comprehensive and operationally significant:

  • Cybersecurity Law (2017) — mandates “important data” storage within PRC borders; requires “network security reviews” for cross-border data transfers.
  • Data Security Law (2021) — classifies data by national-security importance; “core state data” subject to stricter controls.
  • Personal Information Protection Law (PIPL, 2021) — modelled partly on GDPR but with state-access carve-outs absent from the EU version.
  • Cross-border data transfer restrictions — export of “important data” requires security assessment; standard contracts or certification for personal information.
  • State access — intelligence and security agencies retain authority to access any data held within the PRC regardless of ownership or encryption, under the National Security Law and related instruments.

The practical effect: any firm operating in the PRC under these laws must make its data available to the Chinese state on demand. This creates structural intelligence access for the PRC to data generated by foreign companies, their employees, and their Chinese customers — regardless of corporate nationality.

CLOUD Act and Extraterritorial Reach

The US Clarifying Lawful Overseas Use of Data (CLOUD) Act (2018) allows US law enforcement to compel US-based cloud providers to produce data stored overseas, subject to bilateral executive agreements with partner countries. It is the US analogue to PRC state-access provisions — premised on jurisdiction over the company (nationality principle) rather than jurisdiction over the data location (territoriality principle). The tension between CLOUD Act extraterritoriality and EU data-sovereignty requirements (GDPR, Schrems II) has produced sustained transatlantic legal friction.

Strategic Implications

  • Intelligence collection through data localisation: adversary states that mandate local storage of foreign-firm data gain covert intelligence access to commercial, diplomatic, and personal data at scale. This is a structural intelligence advantage that does not require active espionage operations.
  • Digital Silk Road as data-sovereignty export: Chinese-built telecommunications infrastructure along BRI routes (Huawei 5G, undersea cables, data centres) extends PRC data-access reach into partner-state networks, effectively projecting PRC data-sovereignty norms beyond its own borders.
  • Splinternet as power structure: fragmentation of the internet into jurisdictional segments is not merely a regulatory inconvenience but a structural shift in the global information environment — determining whose legal norms govern which data flows, and whose intelligence services benefit.
  • EU as third pole: GDPR-based data sovereignty represents a third governance model that neither accepts US extraterritoriality nor authoritarian control, but its enforcement has been inconsistent and its strategic implications (limiting US cloud dominance in Europe) are only partially realised.

Key Connections

Sources

  • PRC Cybersecurity Law (2017), Data Security Law (2021), PIPL (2021) — official statutory texts. Confidence: High — primary sources.
  • US CLOUD Act (2018), Public Law 115-141. Confidence: High — primary source.
  • European Commission, GDPR (Regulation 2016/679) and Schrems II judgment (C-311/18, CJEU 2020). Confidence: High — primary legal instruments.
  • Deibert, R. (2020). Reset: Reclaiming the Internet for Civil Society. Anansi Press. Confidence: High for digital-sovereignty geopolitics framing.
  • Segal, A. (2022). “The Failure of Cyber Deterrence.” Survival, 64(4). Confidence: Medium-High for the strategic implications of data-governance fragmentation.