Data Sovereignty
What is Data Sovereignty?
Data SovereigntyThe principle that data is subject to the laws and governance structures of the country in which it is collected, stored, or processed, regardless of where the provider is headquartered.
Data sovereignty goes beyond residency by asserting jurisdictional control over data: which courts, regulators, and access powers (for example the U.S. CLOUD Act, China's National Security Law, EU GDPR) can compel disclosure, override contracts, or set localization mandates. Architectural responses include sovereign cloud regions operated under local entities, customer-controlled keys with hardware security modules outside provider reach, confidential computing, and contractual safeguards such as European Data Boundary or Trusted Cloud certifications (C5, SecNumCloud, IRAP). Sovereignty also informs schemes like EUCS, GAIA-X, and the EU-U.S. Data Privacy Framework, addressing transatlantic transfer risks after the Schrems II ruling.
● Examples
- 01
Public-sector workloads running only in a sovereign cloud region operated by a national entity.
- 02
Holding KMS root keys in an on-premises HSM so that a cloud provider cannot decrypt customer data.
● Frequently asked questions
What is Data Sovereignty?
The principle that data is subject to the laws and governance structures of the country in which it is collected, stored, or processed, regardless of where the provider is headquartered. It belongs to the Privacy & Data Protection category of cybersecurity.
What does Data Sovereignty mean?
The principle that data is subject to the laws and governance structures of the country in which it is collected, stored, or processed, regardless of where the provider is headquartered.
How does Data Sovereignty work?
Data sovereignty goes beyond residency by asserting jurisdictional control over data: which courts, regulators, and access powers (for example the U.S. CLOUD Act, China's National Security Law, EU GDPR) can compel disclosure, override contracts, or set localization mandates. Architectural responses include sovereign cloud regions operated under local entities, customer-controlled keys with hardware security modules outside provider reach, confidential computing, and contractual safeguards such as European Data Boundary or Trusted Cloud certifications (C5, SecNumCloud, IRAP). Sovereignty also informs schemes like EUCS, GAIA-X, and the EU-U.S. Data Privacy Framework, addressing transatlantic transfer risks after the Schrems II ruling.
How do you defend against Data Sovereignty?
Defences for Data Sovereignty typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Data Sovereignty?
Common alternative names include: Data Jurisdiction, Digital Sovereignty.
● Related terms
- privacy№ 283
Data Residency
The requirement that data is physically stored and, in some interpretations, processed within a specific country or region, often driven by contracts, customer demands, or sector regulation.
- privacy№ 276
Data Classification
The process of labeling data by sensitivity and value so that the right protection, handling, and retention controls can be applied consistently.
- compliance№ 440
GDPR
The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- privacy№ 856
Privacy by Design
An engineering and governance approach that embeds privacy considerations into systems, processes, and defaults from the earliest design stages rather than bolting them on later.
- privacy№ 284
Data Retention
The policies and controls that define how long different categories of data are kept and when they are securely deleted, archived, or anonymized.
- privacy№ 210
Consent Management
The processes and tooling used to collect, record, refresh, and honor user permissions for processing personal data and setting cookies, in line with privacy law.