
How Data Sovereignty is Reshaping Business Strategies

Published on 16 June 2025
Last updated on 16 June 2025

In a digital world that is increasingly interconnected, data has become the lifeblood of modern business. Its flow, storage and processing are essential for everything from new product development to supply chain logistics and customer relationship management. However, the rise of “data sovereignty” has led to this vital resource being subject to an increasing range of differing laws and regulations. Organisations need to navigate the sometimes conflicting requirements of those laws, and those who do so best will have a distinct competitive advantage.


What Is Data Sovereignty?

Data sovereignty is the concept that data is subject to the laws and regulatory structures of a particular nation or bloc – usually that in which it is created or collected. It is not a single rule or standard, but a policy direction that reflects growing concern over external dependencies and control. Related and entwined concepts include:

Tech sovereignty, meaning that a country has control over its own technology infrastructure, including that for storing and processing data.

Data localisation, where data relating to a country or its inhabitants is to be kept in that country.

Organisational data sovereignty, which relates to an organisation having control over its own data and how it is handled.

The Global Rise of Data Sovereignty

Historically, the use of data and its flow across borders was relatively unregulated – governed by contractual agreements and early privacy laws. That changed with the digital revolution, which ushered in an unprecedented surge in data creation, collection and processing. Recognising the growing importance of data for their citizens, economic growth and national security, governments began to assert greater control over information originating or held within their borders. This resulted in new laws – some general in application, others sector-specific – that introduced various forms of "data sovereignty". Three key themes tend to feature in the sovereignty aspects of those laws.

The first is restriction of cross-border data transfers, either by way of outright prohibition (leading to data localisation) or with transfer subject to stringent rules and conditions. The specific data and organisations covered by these prohibitions and restrictions, and how those rules are applied in practice, differ significantly across jurisdictions.

“While many jurisdictions do not ban extra-territorial data transfer outright, they often create enough regulatory friction and legal risk that local storage can become the preferred option.”

Benjamin Docquir, Partner, Osborne Clarke Belgium

The second key theme is extra-territorial reach. Increasingly, territories' data laws state that they apply to forms of data processing that take place outside the territory's borders, regardless of the location of the entities involved in that processing. Again, the scope and extent of any international reach can vary: it may not apply to all forms of processing or all kinds of data.

The third key theme is that not all relevant laws are necessarily data specific. Data is central to many digital solutions and services, and so a particular territory’s laws governing these activities can also indirectly impact the data which they use or produce. A current example is AI: data is the essential fuel powering the development of many AI models, but laws around AI and its inputs and outputs differ considerably between countries.


The effect of this shift has been profound for multinational corporations. Data and processing activities may no longer be subject solely to domestic laws but also to other data laws worldwide. Those laws are becoming less harmonised and are sometimes driven by different political or economic aspirations.

This means multiple regulatory regimes need to be navigated and direct conflicts of law can arise. As a result, traditional straightforward data strategies – typically involving data centralised in a few key locations for efficiency – are subject to a changed risk profile and are increasingly not fit for purpose.

Instead, businesses need to understand and reconsider where their data resides, which laws govern it and how vulnerable it is to disruption. Further, with data laws continuing to emerge and evolve around the world, businesses need to be prepared to adapt to legislative changes. In short, a much more sophisticated approach is required.

Data Transfer Restrictions – Some Examples

Australian law prohibits transfer outside Australian borders of information from the national digital health record system.

Canadian provinces British Columbia and Nova Scotia require personal data held by public sector bodies to be kept in Canada, subject to some exceptions.

The US Bulk Data Rule, due to be fully implemented in October 2025, prohibits the large-scale sharing of genetic data with certain territories including China, Russia and Iran.

Extraterritorial Reach – Some Examples

The US CLOUD Act allows US law enforcement to order US-based technology companies to provide requested data, regardless of where that data is stored globally, provided certain conditions are met.

The EU GDPR applies to organisations outside the EU that process personal data of EU-based individuals where those organisations are offering goods or services to those individuals within the EU or are monitoring those individuals' behaviour within the EU.

Developing a Resilient Data Strategy

To develop and implement the kind of proactive, robust and future-ready data strategy that can best deal with the shifting sands of global data laws, a number of strategic questions need to be addressed on an ongoing basis.

Finding the answers to these questions – and having a process to update those answers over time – will help businesses make much more informed decisions around data strategy. Those might include, for example, moving to a multi-cloud strategy with distinct regional footprints and taking a more strategic and intentional approach to data duplication.

Making those decisions will require strong collaboration between legal, IT and business units – and any changes will naturally need to be flowed through into third-party contracts and due diligence processes, employee training, policies, external disclosures and incident response plans.

However, creation and implementation of a resilient data strategy should not be seen as a one-off project, but rather as an ongoing commitment. To successfully maintain that commitment requires a dynamic governance framework – one that drives continuous monitoring of business developments and global regulatory changes, and that enables proactive identification of compliance gaps and an adaptive approach to emerging risks.

Questions to address on an ongoing basis

Understanding the physical location of data collection and storage, who has access to it, where it is transferred to, what it is used for and the location of the data subjects are all crucial in order to map out the legal jurisdictions that need to be taken into account.

Granular data classification is also important, so as to understand the sensitivity of particular data and the different sector-specific regimes that may apply. For example, the position differs between health data and financial data.

The more data that is held, the greater the potential exposure to regulatory and cybersecurity risk. Steps can be taken to reduce this risk. For example, where data has no obvious business purpose, could it be discarded? To what extent can historic data be anonymised or pseudonymised, particularly for analytics purposes, in order to reduce privacy risk?

Where third-party vendors and service providers are involved, the relevant contract terms with those entities should be examined to assess the position on location and transfer of data. These aspects may open up other risks – for example, where a supplier's location causes additional laws to apply. Contractual lock-in with specific suppliers and locations also needs to be considered.

Are there organisational or technical reasons why certain locations may be preferable for data collection, storage and processing?

Businesses will need to consider factors such as: whether data can realistically be kept local; to what extent this will inhibit growth and the ability to adapt to changing business needs and developing law; whether data localisation might impact adversely on customer experience; and how operational resilience might be affected if the back-up copies are not kept outside that region.

“Operational resilience regulations naturally push companies to focus on service continuity and risk mitigation. They are often interpreted as requiring multi-cloud setups, redundant systems or geographic dispersion.”

Joanne Zaaijer, Partner, Osborne Clarke Netherlands

In the face of a growing number of high-profile cyber-attacks – and geopolitical uncertainty – planning for disruption is a key component of resilience and compliance with data laws. Businesses must consider the impact of various forms of disruption and develop contingency plans. Diversifying providers and locations can enhance resilience, but may also cause additional laws linked to those providers and locations to apply.

Businesses should evaluate whether their data storage locations are susceptible to geopolitical pressures that could impact data security and accessibility, and hence require a rapid change of approach.

Strategic opportunities

Data sovereignty is a geopolitical reality that will continue to add greater regulatory complexity for businesses. Navigating this evolving terrain requires a comprehensive understanding of legal requirements, robust but pragmatic compliance and governance frameworks, and a willingness to make strategic operational changes. The goal is to design systems – both technical and organisational – that can flex as necessary without adding unnecessary complexity and cost.

This can be challenging, and it is as much an art as it is a science. However, a well-articulated and carefully implemented data strategy that meets data sovereignty's challenges head-on can be a powerful differentiator. It will not only mitigate legal and reputational risks but also build deeper trust with customers, partners and regulators. The future belongs to those who can master this art. 

Contributors

We would like to thank these individuals for having shared their insight and experience on this topic.

Benjamin Docquir
Partner
Osborne Clarke Belgium
Joanne Zaaijer
Partner
Osborne Clarke Netherlands
Mark Taylor
Partner
Osborne Clarke UK
Paula Margolis
International Key Client Knowledge Lawyer
Osborne Clarke UK