Introduction
Data is now the lifeblood of economies, governments, and societies in the digital age. Earlier, information circulated fairly freely across borders, which sparked innovation and brought people together all over the world. Over the last few years, however, an opposing trend has gained strength: states are seeking to regulate the storage, transfer, and use of data created on their territory. This is what is referred to as data sovereignty. It is transforming the architecture of the Internet and has ignited a worldwide discussion on how cyberspace should be governed. With nations enforcing tougher data laws and international institutions struggling to reconcile conflicting concepts of data governance, the issue of who owns data, and how it is owned, has never been more urgent.
Understanding Data Sovereignty
Data sovereignty is the concept that information is subject to the laws and regulations of the nation in which it is gathered or handled. The Internet was originally designed to be borderless, and data packets regularly passed through several jurisdictions on the way to their destination. This made it hard for governments to enforce national laws on online activities. In response, most nations have adopted measures intended to localize data, e.g., by requiring that certain classes of information remain on domestic servers, or by restricting cross-border transfers unless certain conditions are met.
The motivations vary. Some governments frame data sovereignty as a way to protect citizens' privacy and improve cybersecurity. Others view it as a lever for economic development, in the hope that it will grow domestic cloud providers and digital industries. Still others are motivated by political control and want to restrict foreign espionage or impose heavy censorship within their territories. Whatever the intention, the net effect is a more fractured Internet.
From Global Commons to Digital Borders
During the Internet's early years, openness and interoperability were the predominant models. The U.S. and allied nations encouraged the principle of minimal intervention, handing governance over to a coalition of technical and non-governmental bodies, corporations, and multi-stakeholder conferences. This allowed the Internet to grow worldwide, but it also created gaps in regulation and responsibility.
This open model weakened as scandals involving mass surveillance, data breaches, and foreign interference in elections accumulated. The Snowden revelations and major cyberattacks showed that data could easily be exploited across borders. In response, governments from the European Union to China to India have developed their own visions of digital sovereignty, each with different rules regarding storage, privacy, and access.
The most influential is probably the European Union's General Data Protection Regulation (GDPR), which imposes strict requirements on the transfer of personal data to foreign countries. China's Cybersecurity Law and Data Security Law go further, imposing extensive localization and security-review mandates. Even countries that have traditionally favored an open Internet are experimenting with localization policies for sensitive sectors such as health, finance, and defense.
Business and User Implications
For multinational firms, this patchwork of regulations makes it difficult to conduct business. Companies may have to maintain separate data centers in different jurisdictions, adhere to different privacy policies, and deal with conflicting government access requirements. Such measures can add expense, decrease productivity, and slow innovation.
For ordinary users, the implications are less apparent but equally important. Data localization may slow down cross-border services, restrict the use of global platforms, and produce unequal privacy protection depending on place of residence. In the worst case, it may support state surveillance and censorship, since governments can access domestic servers with ease. Therefore, although data sovereignty can strengthen state control, it also threatens to fragment the Internet and destroy the advantages of a global commons.
Internet Governance: Competing Global Visions
At the core of the debate over data sovereignty is a bigger question about the Internet: who is to govern it? Three general models are taking shape.
The first is the state-centric model, in which governments control Internet activity within their own countries. This model corresponds to classical concepts of sovereignty, but it conflicts with the decentralized structure of the Internet.
The second is the multi-stakeholder model, which is advocated by most Western states and civil society groups. It aims to balance the contributions of governments, private enterprises, technical experts, and non-governmental organizations. Its advocates believe that this approach maintains transparency and innovation and allows for flexible regulation.
The third is a hybrid model, in which states remain powerful but agree to shared rules or structures for dealing with cross-border matters. For example, international agreements on data privacy, cybercrime, or digital trade may harmonize standards without putting any one body at the helm.
As yet, there is no dominant model. The Internet Corporation for Assigned Names and Numbers (ICANN), the International Telecommunication Union (ITU), and other UN organizations each manage pieces of the puzzle, but none is given overall control. In the meantime, regional trade agreements are taking on a digital dimension, with their digital chapters increasingly influencing cross-border data flows.
Security, Privacy and Human Rights
Data sovereignty involves not only economic and governance concerns but also fundamental questions of security and human rights. On the one hand, data localization may reduce exposure to foreign surveillance and improve resilience against external cyberattacks. On the other hand, it can make surveillance within the country easier and limit freedom of speech.
Striking the balance requires clear legislation, independent oversight, and global collaboration. In the absence of these safeguards, data sovereignty will turn into a tool of authoritarian control. For this reason, many human-rights advocates demand international standards that safeguard privacy and free speech irrespective of where data is located.
Towards Standards and Commonalities
Although approaches are not uniform, there are attempts to create some common ground. Efforts such as the OECD's work on cross-border privacy regulations, the G20's discussions on privacy and the free flow of data, and regional standards such as the African Union Convention on Cyber Security and Personal Data Protection seek to harmonize standards. The United States and the European Union have worked out transatlantic data-transfer agreements, but these have suffered a legal setback over privacy concerns.
Some scholars suggest that certain types of data, such as information vital to the health of the planet, climate studies, or cybersecurity, should be regarded as a digital common good. Others instead support interoperable data trusts or federated systems in which data can be shared under agreed conditions without complete centralization. Although these concepts are still in development, they signal a growing awareness that no single nation can address cross-border data issues on its own.
The Road Ahead
As digital technologies expand into artificial intelligence, the Internet of Things, and 5G networks, the volume and sensitivity of cross-border data will continue to grow. Nation states will continue to reassert data sovereignty, and the costs of fragmentation will increase. For businesses, this means increasingly complicated compliance environments; for governments, it means more obstacles to collaborating on cross-border challenges such as cybercrime, pandemic response, and climate monitoring.
A battle of norms over data governance may therefore emerge in the coming years, in the same way that debates over trade, finance, and environmental regulation did in the past. The outcome will largely depend on whether states can balance their ambitions for control with the advantages of an open, interoperable Internet.
Conclusion
Data sovereignty expresses reasonable anxieties about privacy, security, and economic competitiveness. However, when pursued unilaterally, it will prove divisive, turning the Internet into a set of disjointed national or regional systems. What is needed is a sensible strategy, one that protects the rights of individuals, supports innovation, and allows collaboration across borders.
The Internet will not come under global governance in a day, but gradual improvements through treaties, trade agreements, and multi-stakeholder forums would provide a basis for building trust and developing a set of standards. At a time when data is both a strategic resource and a civic good, policymakers must find a way to develop policies that uphold sovereignty without compromising the connectivity that creates value in the digital world in the first place.