Data sovereignty is the idea that data are subject to the laws and governance structures of the nation where they are collected. The concept of data sovereignty is closely linked with
data security
Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.
Technologies
Disk encryption
Disk encryption refe ...
,
cloud computing
Cloud computing is the on-demand availability of computer system resources, especially data storage ( cloud storage) and computing power, without direct active management by the user. Large clouds often have functions distributed over mul ...
,
network sovereignty
In internet governance, network sovereignty, also called 'digital sovereignty' or 'cyber sovereignty', is the effort of a governing entity, such as a state, to create boundaries on a network and then exert a form of control, often in the form of ...
and
technological sovereignty. Unlike technological sovereignty, which is vaguely defined and can be used as an umbrella term in
policy
Policy is a deliberate system of guidelines to guide decisions and achieve rational outcomes. A policy is a statement of intent and is implemented as a procedure or protocol. Policies are generally adopted by a governance body within an organ ...
making, data sovereignty is specifically concerned with questions surrounding the data itself.
Data sovereignty as the idea that data is subject to the laws and governance strcutures within one nation is usually discussed in two ways: in relation to Indigenous groups and Indigenous autonomy from post-colonial states or in relation to transnational data flow. With the rise of cloud computing, many countries have passed various laws around control and storage of data, which all reflects measures of data sovereignty.
More than 100 countries have some sort of data sovereignty laws in place. With
self-sovereign identity
Self-sovereign identity (SSI) is an approach to digital identity that gives individuals control over the information they use to prove who they are to websites, services, and applications across the web. Without SSI, individuals with persistent ...
(SSI) the individual identity holders can fully create and control their credentials, although a nation can still issue a digital identity in that paradigm.
History
The
Snowden revelations Snowden may refer to:
* Snowden (surname), a given name and a family name
People
* Edward Snowden, former computer intelligence consultant who leaked highly classified information from the National Security Agency (NSA) in 2013
Music
* Snowden ...
on the
National Security Agency
The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...
's (NSA)
PRISM program provided a catalyst for global data sovereignty discussions. It was revealed that the US was collecting vast swaths of data not only from American citizens, but from around the world. The program was designed “to "receive" emails, video clips, photos, voice and video calls, social networking details, logins and other data held by a range of US internet firms” such as American tech companies like Facebook, Apple, Google and Twitter among others.
In the wake of the revelations, countries became increasingly concerned with who could access their national information and its potential repercussions. Their worries were further exacerbated due to the
US Patriot Act. Under the act, US officials were granted access to any information physically within the United States (such as
server farm
A server farm or server cluster is a collection of Server (computing), computer servers, usually maintained by an organization to supply server functionality far beyond the capability of a single machine. They often consist of thousands of compu ...
s), regardless of the information's origin.
This meant that any information collected by an American server would have no protection from the US government.
Another instance that put data sovereignty in the news was a case between
Microsoft
Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
and the US government. In 2013, the
Department of Justice
A justice ministry, ministry of justice, or department of justice is a ministry or other government agency in charge of the administration of justice. The ministry or department is often headed by a minister of justice (minister for justice in a v ...
(DoJ) demanded that Microsoft grant the DoJ access to emails “related to a narcotics case from a
Hotmail
Outlook.com is a webmail service that is part of the Microsoft 365 product family. It offers mail, Calendaring software, calendaring, Address book, contacts, and Task management, tasks services.
Founded in 1996 by Sabeer Bhatia and Jack Smit ...
account hosted in Ireland”. Microsoft refused, stating that this transfer would result in the company breaking data localization and protecting laws in the EU.
The initial ruling was in favour of the US government, with Magistrate James Francis concluding that American companies “must turn over private information when served with a valid search warrant from US law enforcement agencies.
Microsoft asked for an appeal and went to court again in 2016 with the case ''
Microsoft v. United States.'' John Frank, the VP for EU Government Affairs at Microsoft stated in a 2016 blog post that a US court of appeals ruled in favour of Microsoft, supporting the notion that "US search warrants do not reach our customers' data stored abroad". On October 23, 2017, Microsoft said it would drop the lawsuit as a result of a policy change by the
Department of Justice
A justice ministry, ministry of justice, or department of justice is a ministry or other government agency in charge of the administration of justice. The ministry or department is often headed by a minister of justice (minister for justice in a v ...
(DoJ) that represented “most of what Microsoft was asking for."
Indigenous context
Discussions of
Indigenous data sovereignty for Indigenous peoples of Canada, New Zealand, Australia and the United States of America are currently underway. Data sovereignty is seen by Indigenous peoples and activists as a key piece to self-governance structures and important pillar of
Indigenous sovereignty
Indigenous rights are those rights that exist in recognition of the specific condition of the Indigenous peoples. This includes not only the most basic human rights of physical survival and integrity, but also the rights over their land (includ ...
as a whole.
The decolonization of data is seen by activists as a way to give power to Indigenous people to "determine who should be counted among them" and would be able to better reflect the "interests, values and priorities of native people".
Scholars also argue that given the power over their own data, Indigenous peoples would be able to decide which data gets disseminated to the public and what does not, a decision typically made by the settler government.
In New Zealand, Te Mana Raraunga, a
Māori
Māori or Maori can refer to:
Relating to the Māori people
* Māori people of New Zealand, or members of that group
* Māori language, the language of the Māori people of New Zealand
* Māori culture
* Cook Islanders, the Māori people of the C ...
data sovereignty network, created a charter to outline what Māori data sovereignty would look like. Some of the requests in the charter included "asserting Māori rights and interests in relation to data", "advocating for Māori involvement in the governance of data repositories" and "Supporting the development of Māori data infrastructure and security systems".
In Canada, Gwen Phillips of the
Ktunaxa
The Kutenai ( ), also known as the Ktunaxa ( ; ), Ksanka ( ), Kootenay (in Canada) and Kootenai (in the United States), are an indigenous people of Canada and the United States. Kutenai bands live in southeastern British Columbia, northern ...
nation of British Columbia has been advocating for Ktunaxa data sovereignty and other pathways towards self-governance in the community.
National data sovereignty measures
Canada has enacted various data sovereignty measures, primarily on storage of Canadian data on Canadian servers. As part of Canada's IT strategy for the years 2016–2020, data localization measures were discussed as a way to uphold citizens' privacy. By using Canadian servers to store Canadian data as opposed to American servers, this would safeguard Canadian data from being subject to the US
Patriot Act
The USA PATRIOT Act (commonly known as the Patriot Act) was a landmark Act of the United States Congress, signed into law by President George W. Bush. The formal name of the statute is the Uniting and Strengthening America by Providing Appropr ...
.
In 2017, it was discovered that
Shared Services Canada
Shared Services Canada (SSC; french: Services partagés Canada (SPC)) is an agency of the Government of Canada responsible for advancing, consolidating and providing information technology services across federal government departments. It was est ...
and the
Communications Security Establishment
The Communications Security Establishment (CSE; french: Centre de la sécurité des télécommunications, ''CST''), formerly (from 2008-2014) called the Communications Security Establishment Canada (CSEC), is the Government of Canada's national c ...
were "exploring options for sensitive data storage on U.S.-based servers" with Microsoft".
Also in 2016, the EU Parliament approved their own data sovereignty measures within a
General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in partic ...
(GDPR). This regulatory package homogenizes data protection policy for all European Union members. It also includes an addendum that establishes extraterritorial jurisdiction for its rules to extend to any data controller or processor whose subjects are EU citizens, regardless of the location the holding or processing is conducted. This forces companies based outside of the EU to reevaluate their sitewide policies and align them with another country's law. The GDPR also effectively replaced the 1995 European
Data Protection Directive
The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, is a European Union directive which regulates the processing of personal data within the European Union (EU) and the free movement of such data. The Data Pr ...
that had originally established the free movement of personal data between member state borders, and in doing so granted interoperability of such data among nearly thirty countries.
Criticism
A common criticism of data sovereignty brought forward by corporate actors is that it impedes and has the potential to destroy processes in cloud computing.
Since cloud storage might be dispersed and disseminated in a variety of locations at any given time, it is argued that governance of cloud computing is difficult under data sovereignty laws.
For example, data held in the cloud may be illegal in some jurisdictions but legal in others.
According to
economist
An economist is a professional and practitioner in the social sciences, social science discipline of economics.
The individual may also study, develop, and apply theories and concepts from economics and write about economic policy. Within this ...
and
political scientist
Political science is the science, scientific study of politics. It is a social science dealing with systems of governance and power, and the analysis of politics, political activities, political thought, political behavior, and associated c ...
Professor
Susan Ariel Aaronson
Susan Ariel Aaronson is an American author, public speaker and an academic professor whose works are centred on the relationship between economic change and human rights and more recently focuses on data. She is a research professor at the El ...
, founder and director of the Digital Trade and Data Governance Hub at
George Washington University
, mottoeng = "God is Our Trust"
, established =
, type = Private federally chartered research university
, academic_affiliations =
, endowment = $2.8 billion (2022)
, preside ...
, "some governments are seeking to regulate the commercial use of personal data without enacting clear rules governing public sector use... The hoarding of data by nations or firms may reduce data generativity and the public benefits of data analysis."
See also
*
Data governance
Data governance is a term used on both a macro and a micro level. The former is a political concept and forms part of international relations and Internet governance; the latter is a data management concept and forms part of corporate data govern ...
*
Data localization
Data localization or data residency law requires data about a nation's citizens or residents to be collected, processed, and/or stored inside the country, often before being transferred internationally. Such data is usually transferred only after m ...
*
Digital inclusion
Digital inclusion involves the activities necessary to ensure equitable access to and use of Information and communications technology, information and communication technologies for participation in social and economic life including for education ...
*
Digital self-determination
Digital self-determination is a multidisciplinary concept derived from the legal concept of self-determination and applied to the digital sphere, to address the unique challenges to individual and collective agency and autonomy arising with increa ...
*