Whilst not a new concept, data sovereignty has gained recent attention, especially in the wake of the European Commission’s data strategy and its use of the term “technological sovereignty” (European Commission 2020). Interpretations of the meaning of, and the motivation behind, this kind of sovereignty have ranged from data localisation and regional protectionism to economic and geopolitical ambition as well as the defence of fundamental digital human rights of privacy and digital self-determination. What is common to all of these interpretations, without commenting on their accuracy, is that they conceive of this new kind of sovereignty – variously called technological, information, digital, or data sovereignty – in terms of the basic element of traditional definitions of sovereignty: geographic territoriality.
Sovereignty is generally understood as supreme authority in a territory. It has traditionally been the domain of political theory with the most superior legitimacy to wield power with respect to territories or states (Philpott 2020). Discussions inspired by the EU’s commitment to European technological sovereignty usually take this sovereignty to mean the traditional, nation-based kind, emphasising that the analogue world is no longer the only dimension in which citizens are subject to their nation state’s sovereign authority: they are also active in the digital realm that transcends those nations’ borders. Consequently, technology and infrastructure – as well as information and data – ought to be governed by and aligned with the laws, needs, and interests of the state in which their user resides. This is a kind of extension of the basic concept of sovereignty, which conceives of it in terms of (a collection of) nation states and their supreme authority in a geographical territory.1
In this blog post, we discuss a different concept of sovereignty. Considering the traditional definition’s elements of supremacy, authority, and territoriality, we substitute the latter entirely. Data sovereignty, in our definition, means “supreme authority in a defined digital space” and does not reference states or geographies. Our definition of data sovereignty refers to: actors (individuals, groups, organisations, and institutions), regardless of their physical location or present jurisdiction; and their sovereignty over the data generated by and about themselves, regardless of that data’s physical location or present jurisdiction.
MyData Global is most concerned with personal data generated by and about individuals and groups of people. This is not to say, however, that data sovereignty cannot also be fruitfully applied to data generated by and about organisations and institutions. They are simply not our focus here. Similarly, whilst we do not discuss the data sovereignty of states or territories here, we are confident that some of the presented points can inform that discussion as well.
Our definition of data sovereignty
| Data sovereignty is the supreme authority of a person2 with regard to the digital domain particular to themselves. |
Authority must be conceived of not merely as coercive power but also as a right: the right to command and correlatively the right to be obeyed (Wolff 1970). Authority must therefore be understood as legitimate, i.e., as deriving from some mutually acknowledged source of legitimacy, such as a body of law.
Supremacy, on the other hand, signals that other authorities concerning this digital domain of sovereignty are subordinate to the sovereignty of the person themselves.
Finally, the digital domain particular to a person is defined as data generated by or about that person. This aspect of our definition sets it apart from the usual discourse on territorial data sovereignty and, we hope, sheds new light on that discourse. Using the person, as opposed to a geographical region, as the point of integration and the limiting factor for data sovereignty allows us to think more flexibly about our current situation in which people – and data about them – are not strictly geographically bound. This is an example of what the human-centric approach stands for.
The MyData principles and data sovereignty
MyData Global maintains the MyData declaration, first published in 2017, which outlines the six MyData principles. The table below describes how these principles relate to the data sovereignty concept.
| MyData Principle | Description | Relevance to data sovereignty |
|---|---|---|
| Human-centric control | Individuals should be empowered actors in the management of their personal lives, both online and offline. They should be provided with the practical means to understand and effectively control who has access to data about them and how it is used and shared. | Data sovereignty means people’s right to self-determination, autonomy, and control over personal data about themselves. |
| Individual as the point of integration | The value of personal data grows exponentially with its diversity, however, so does the threat to privacy. This contradiction can be solved if individuals become the “hubs” where, or through which, cross-referencing of personal data happens. | Data sovereignty means taking the person as the defining element of the realm over which sovereignty is held and exercised, rather than the state or other geographical area in which they are residing. |
| Individual empowerment | In a data-driven society, as in any society, individuals should not merely be seen as customers or users of pre-defined services and applications. They should be considered free and autonomous agents, capable of setting and pursuing their own goals. They should have agency and initiative. | Data sovereignty is something that people (should) not only have, but also something which they can exercise as agents and active participants in data ecosystems. |
| Portability: access and reuse | The portability of personal data, which allows individuals to obtain and reuse their personal data for their own purposes and across different services, is the key to making the shift from data in closed silos to data which can become reusable resources. Data portability should not be merely a legal right, but also combined with practical means. | An important aspect of exercising data sovereignty is the right, and the means, to access, port, and reuse data about oneself. |
| Transparency and accountability | Organisations that use a person’s data should say what they do with it and why. They should take responsibility for the intended and unintended consequences of holding and using personal data (for example, security incidents), and allow individuals to call them out on this responsibility. | Data sovereignty means that the legitimacy of personal data use is always derived from the person about whom that data exists. Transparency over where organisations derive the right to use personal data and the ability to hold those organisations accountable are necessary for ensuring data sovereignty. |
| Interoperability | The purpose of interoperability is to decrease friction in the data flow from data sources to data using services, whilst eliminating the possibilities of data lock-in. It should be achieved by continuously driving towards common business practices and technical standards. | Data sovereignty means freedom from external interference in its exercise. Interoperability is a principle that supports the freedom to choose which tools to use and which actors with whom to collaborate, without technological or other barriers. |
The limits of data sovereignty
Sovereignty is traditionally conceived of as something absolute, and by ‘absolute’ we mean ‘extending to all matters within a territory unconditionally’.3 With data sovereignty, however, it is clear that this cannot be the case. In the interconnected digital realm, it is inconceivable for any person’s authority to be absolute. For example, Person A has the right to object to appearing in a photo Person B took of them and wishes to publish; this is a classic example of personal data that is about more than just one individual, and is subject to the authority of both Person A and Person B. In fact, it can be argued that most personal data is generated through interaction: either with other people or with other data rights holders, such as companies and governments.
It is also important to speak of data sovereignty as something that both depends on and demands external recognition and respect, and not merely something held and exercised within a defined digital domain, i.e., with regard to data generated by and about a person. Data sovereignty, as we conceive of it here, means the freedom of external influence on its basic prerogatives or exclusive rights, but what exactly those basic prerogatives are is a difficult question to answer universally.
Taking into consideration these twin factors – the non-absoluteness of data sovereignty and the indefiniteness of what constitutes a data sovereign’s basic prerogatives – it is clear that data sovereignty, like any system of sovereign entities, involves a great deal of dialogue and negotiation.
The value and utility of a person’s personal data is multiplied when it is shared and combined with other people’s data. In order to tap into this potential, it is critical that sovereign entities, people, and groups are able to cooperate and pool their resources. Benefits from such cooperation include support for research, policy making, and authorities’ decision making. Such cooperation, in turn, requires shared governance and shared commitment to that governance. Good data governance, then, takes people’s sovereignty over data about themselves as a foundational principle. Just like sovereign states collaborate within and commit to supranational frameworks like the EU and the UN, sovereign people and groups can abide by and commit to common governance structures such as data collaboratives or networks of data intermediaries (like MyData operators).
This post summarises the longer thought piece by MyData Global, published in the 2021 Data Industry White Paper by the Korea Data Agency.
1 It should be noted here that a special use of traditional, geographically delineated data sovereignty has emerged, which specifically addresses data related to indigenous populations in and between postcolonial states and, more broadly, groups of people with a salient identity not defined along the same lines as the borders between states; cf. e.g., Rainie et al. 2017.
2 For simplicity, we will use the term “persons”, but this should be understood as a shorthand for “persons or groups”.
3 It is worth noting that even traditional, territorial sovereignties are becoming increasingly non-absolute. The states that are a part of the UN, the EU, and international criminal courts also yield some authority to those supranational institutions.
Bibliography
European Commission. 2020. ‘European Strategy for Data’. 2020. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0066.
Philpott, Daniel. 2020. ‘Sovereignty’. The Stanford Encyclopedia of Philosophy, edited by Edward N. Zalta, Fall 2020. Metaphysics Research Lab, Stanford University.
Rainie, Stephanie Carroll, Jennifer Lee Schultz, Eileen Briggs, Patricia Riggs, and Nancy Lynn Palmanteer-Holder. 2017. ‘Data as a Strategic Resource: Self-Determination, Governance, and the Data Challenge for Indigenous Nations in the United States’. The International Indigenous Policy Journal 8 (2). https://doi.org/10.18584/iipj.2017.8.2.1.
Wolff, Robert Paul. 1970. In Defence of Anarchy. Oxford: Basil Blackwell.