Introduction
Data sovereignty sounds like a complex topic, and in some ways it is. At its core, data sovereignty refers to the control and ownership of data, which can be done on both individual and governmental levels. On an individual level, data sovereignty can intersect with concepts like self-sovereign identity, empowering individuals to have greater control over their data. I’ll talk about that more later on.
Meanwhile, on a governmental scale, data is subject to laws and regulations in the country where it’s collected from — which makes sense when you think about it. If data is a free-for-all, then it poses a threat to things like national security and all sorts of sensitive information.
Because of the decentralised, secure nature of blockchain, it offers a robust solution to support the principles of data sovereignty for both governments and individuals. It can provide the enhanced trust and transparency that many governments are trying to achieve with data sovereignty policies, as well as give users control over their own personal information.
In this article, I’ll delve into data sovereignty, explore how blockchain can enhance it, examine some relevant existing policies, and provide a future outlook into this world of data sovereignty and blockchain. Hopefully by the end, you’ll have a better understanding of what this all means, why it’s important, and how it affects citizens like you and me.
Table of Contents
- Introduction
- Understanding Data Sovereignty
- Enhancing Data Sovereignty With Blockchain
- Policies Relating To Data Sovereignty
- Data Sovereignty Challenges & Future Outlook
Understanding Data Sovereignty
As mentioned, there are multiple layers to understanding data sovereignty. It impacts governments, businesses, and citizens, and spans across societal values and ethics.
Since it’s garnering a lot of public and political interest recently, I’ll use TikTok as an example to help illustrate a few aspects of data sovereignty and data policy controversies in this section. Hopefully it will help give insights into how and why this is relevant.
National Security
National security is a key point of focus as governments may have concerns about data and sensitive information stored outside of their jurisdiction. Data sovereignty measures ensure that data remains within a country’s control. TikTok’s controversy involving China and the West demonstrates this well.
There are growing concerns about the amount of data TikTok collects and whether or not the Chinese government has access to this data. The biggest concern is that, as the users’ data is stored on Chinese servers, the data handling is subject to the country’s laws and regulations.
Specifically, there are fears that TikTok will be subject to China’s National Intelligence Law, which mandates that companies cooperate with intelligence efforts if requested. To address these concerns internationally, TikTok have suggested housing servers locally in each country in an effort to negotiate users’ data sovereignty and avoid being banned in certain jurisdictions.
There’s much more to the story of course, so if you’re interested in reading more, check out this article from The New York Times.
Localising Data
Let’s pick up where we left off in the last section: As another key aspect of data sovereignty, localising data refers to the storing and processing of data within national or regional boundaries.
One of the major pros of localising data is that it’s likely to comply with GDPR in the EU, for example. I go into these regulations much more in depth in another article, but in summary: By localising data in each country, organisations and governments can comply with privacy regulations and ultimately safeguard the privacy rights of citizens.
Localising data also ensures that governments maintain control over sensitive information and prevent exploitation by foreign governments. As we saw in the last section, TikTok is also a great example of this too. However, China’s data policy regulations as a whole provides a great example with its Cybersecurity Law that requires data and personal information to be stored within its borders.
Of course, this isn’t without its challenges. Currently, much of Europe is dependent on companies overseas to facilitate digital interactions. In fact, in 2020, it was estimated that 92% of the Western world’s data is stored in the United States.
Image source: Statista
Impact On Organisations & Citizens
This leads nicely into discussing the impact this all has on organisations and citizens.
Data sovereignty presents many hoops for organisations and businesses to jump through. For example, multinational companies are legally obligated to comply with data sovereignty regulations. Many times, they must establish data centres within each country they operate in order to store and process data locally. This is most definitely the case in China, and now we see it happening in the US and across the EU with the concerns surrounding TikTok. It’s all a control mechanism to ensure data and digital information flows solely within a country’s borders.
Abhijit Dubey, CEO of Japanese telecoms company NTT, said that demand from governments for data to be stored within their own countries means more facilities and servers need to be built:
“Many governments are focused on maintaining data sovereignty and ensuring that critical data is not being stored and moved across the globe, and as more and more countries ask for localised data, they will need more data centre capacity locally.”
— Abhijit Dubey
While data sovereignty regulations aim to increase data protection and security, they also raise broader questions about the balance between national interests, individual rights, and ethical data collection and use. Data equals profit, which in turn equals power. Actors across the globe seek to exploit the massive amounts of data being collected daily, and we often don’t know if they are good or bad actors until it’s too late.
While I like to think that these policies actually increase protection over citizen data by safeguarding it within a country’s borders, the above highlights that it isn’t as easy as it sounds. It is therefore crucial for governments to find the balance between protecting sensitive information, while also fostering citizens’ digital freedoms. The EU in particular aims to do this through the European Digital Rights network (EDRi).
“EDRi is the biggest European network defending rights and freedoms online. We work to to challenge private and state actors who abuse their power to control or manipulate the public. We do so by advocating for robust and enforced laws, informing and mobilising people, promoting a healthy and accountable technology market, and building a movement of organisations and individuals committed to digital rights and freedoms in a connected world.”
— EDRi
Enhancing Data Sovereignty With Blockchain
There are several reasons blockchain can play a key part in data sovereignty on both individual and governmental levels. The graphic above simplifies the way blockchain works in terms of utilising a decentralised platform to create immutable data records in a transparent and secure way. The decentralised aspect is key, because it means data remains under the control of its rightful owner, citizen or authority, and is not subject to manipulation or unauthorised access.
Central to the concept on an individual level is the idea of self-sovereign identity, which emphasises the user’s control over their own identity and data. It is a concept that empowers users to manage their digital identities without relying on a central authority or database. Metadium defines it as:
“[T]he concept of individuals or organizations having sole ownership of their digital identities, and control over how their personal data is shared and used. This adds a layer of security and flexibility allowing the identity holder to only reveal the necessary data for any given transaction or interaction.”
Through advocating for increased user ownership over data, governments can enhance security and ultimately safeguard citizens’ private information. Governments can also avoid risks of data breaches and unauthorised access, which can thereby increase trust in government services.
A significant challenge to data sovereignty is the overconcentration of control by very few organisations. According to Blockchain-as-a-Service provider mintBlue, 80% of the public intranet’s web traffic is controlled by a small group of powerful data companies. Through embracing a decentralised methodology to store data, governments can reduce reliance on centralised systems (and big tech) while still maintaining control.
With blockchain, governments can enhance security, privacy, and autonomy while sensitive information remains under control within national or regional borders.
Policies Relating To Data Sovereignty
So, what are the policies regarding data sovereignty? The European Union, for example, has tried to address data sovereignty by advocating for individuals to have greater control over data, while still complying with existing EU laws.
One of the ways the EU has done this is through the General Data Protection Regulation (GDPR). This regulation ensures that all EU Member States adhere to fair, secure, and transparent processing of personal data. It ultimately puts citizens in control of their sensitive personal data. You can read more about that regulation here.
Another approach to data sovereignty within the EU is through the European Data Protection Board (EDPB). The Board describes its goal as “ensur[ing] a consistent application and enforcement of data protection law across the European Economic Area”. It does this through enforcing GDPR regulations, providing general guidance, and more.
Overall, the EU does a great job of safeguarding citizens’ data internationally. While it doesn’t explicitly mandate data be stored within the region, it does impose restrictions on international transfers of personal data to countries outside of the EU that can’t ensure the same level of data protection. At least on some level, this should be reassuring for citizens and residents.
In fact, the EU sees a direct benefit of blockchain on data sovereignty, especially in relationship to self-sovereign information sharing. The Commissions states:
“The web is increasingly more distributed, and with it, a new pattern of information sharing is emerging: Self Sovereign Information sharing, where citizens stay in control of their information by choosing what and when to disclose it, and to whom EBSI enables self-sovereign Citizen-to-Government (C2G) and C2B (Citizen-to-Business) privacy-preserving information sharing. EBSI achieves this by using a combination of open standards from W3C, Verifiable Credentials and Decentralised Identifiers, and blockchain technology. EBSI works together with stakeholders from government, business, academia, and civil society.”
There are also other examples of integrating blockchain to better promote self-sovereign data handling. For example: the e-residency in Estonia, which is a mandated national ID card. It does the obvious like allow citizens to identify themselves digitally, but also gives access to all government services, too. In fact, 99% of the country’s public services are available online, 24/7. This includes things like paying taxes, voting, you name it. And the best part is, it’s all while using blockchain.
Data Sovereignty Challenges & Future Outlook
While the future is bright, there are quite a few challenges in relation to data sovereignty, self-identity sovereignty, blockchain, and the combination of the three.
For example, there are still some wrinkles to iron out in relation to how self-sovereign identity will allow both individual autonomy and governmental control. I can definitely foresee a few hiccups down the line as governments will need to balance between empowering users to maintain personal control, while also overseeing and maintaining large-scale control themselves.
Data sovereignty and blockchain can work harmoniously in many ways, but one point of contention relates to the right to be forgotten. Following a ruling in 2014, the right to be forgotten has been considered a human right by the EU. This is also a leading principle of the GDPR, as individuals can revoke personal data at any time. As blockchain is immutable by nature and deleting information is extremely difficult, the two are at odds.
There are some solutions, such as storing sensitive or personal data off-chain, which will ensure less information is exposed publicly, or to implement other techniques to ensure anonymity. In short, even though blockchain’s structure is immutable by nature, there are many additional ways to protect privacy.
Despite these challenges, there is huge opportunity for innovation and collaboration in this space and it will be exciting to see what the future holds. Inviting decisionmakers, businesses, and individuals to collaborate and explore creative opportunities will be essential to create something where individual rights align with regulations. I think both will have to co-exist as we continue becoming a more interconnected world.