Our first Data Policy Network event of 2021 explored data sovereignty with three expert speakers. We considered the current state of play, the policy objectives driving change and how technology can play a role in resolving some of the tension between limiting data to national silos while encouraging global enterprise.

What is data sovereignty?

‘Data sovereignty’ is a broad concept. For the purposes of the event, we used the term ‘data sovereignty’ to refer to the range of legal or policy levers that governments use to manage cross-border data flows and to enable access to data stored outside of their jurisdiction.

In practice, it includes data transfer restrictions (ranging from outright bans to limiting transfers to certain recipients), and local processing or local storage requirements. These measures sometimes work in combination, for example allowing international transfers on the condition that a copy of the data is stored locally.

What’s the issue?

We can divide the policy objectives driving data sovereignty measures into three broad, and sometimes overlapping, categories: protecting citizens’ data rights, economic interests, and national security and law enforcement.

  • Citizens’ data rights. Limitations on international data transfers arising from data protection law are generally framed in terms of protecting citizens’ data rights. The GDPR’s international transfer mechanisms allow transfers to jurisdictions deemed to offer adequate protection for data rights, or where that protection is guaranteed by contract (though as Schrems II reminded us, contractual terms only bind the parties to that contract and are ineffective against government surveillance).
  • Economic interests. The economic drivers are more difficult to unpick. However, economic transactions can have significant implications for data transfers. The Committee on Foreign Investment in the United States intervened retrospectively to undo Chinese company Kunlun’s acquisition of Grindr, a dating app. The Committee worried that data on Grindr users could be used for blackmail. Kunlun’s promise not to transfer sensitive data to China failed to reassure the Committee.
  • National security and law enforcement. India’s personal data protection bill proposes localisation requirements on personal data defined as “sensitive” or “critical”. Transfer restrictions on the former category (which includes data on caste, health and religion) can be interpreted as a desire to protect individuals (the GDPR affords enhanced protection to similar types of ‘special category’ data). But the latter category allows for broad government discretion in defining “critical”, leading the IAPP to conclude that “the concept appears to be related to national security”.Laws such as the US’s CLOUD Act contribute to data sovereignty by providing a legal route for government access to data stored overseas when necessary for law enforcement purposes. Unlike the measures we’ve described about, this is not about erecting barriers to data flows, but about enabling government access to data regardless of where it is stored.

The classic argument is that global data flows underpin global trade. A 2016 paper found that restrictions on the free flow of data tend to reduce productivity and economic output in sectors that depend on data services. The UK government highlights the free flow of data provisions in the recently-concluded trade deal with Japan, arguing that these underpin digital services exports worth £675 million.

We can easily imagine a scenario where a US-based company providing products or services in China wants to be able to leverage data obtained in all of its markets to guide its decision making, product development or service improvement.

PETs such as homomorphic encryption or multiparty computation (explained in detail in these short workshops) can allow companies to centralise insights from data without needing to transfer the data itself. Whether these technologies hold the answer depends on the objectives for the data sovereignty measure. Transferring only insights protects individual data rights, but not necessarily economic or national security interests.

We started with reflections from our excellent panel: Tamara Quinn (on the current legal and regulatory constraints), Darrell M. West (on the policy drivers) and Nigel Smart (on what role technology can play). After a brief Q&A, we moved into our familiar small discussion groups to dive deeper.

Watch the panel here

  • Economic interests. The economic drivers are more difficult to unpick. However, economic transactions can have significant implications for data transfers. The Committee on Foreign Investment in the United States intervened retrospectively to undo Chinese company Kunlun’s acquisition of Grindr, a dating app. The Committee worried that data on Grindr users could be used for blackmail. Kunlun’s promise not to transfer sensitive data to China failed to reassure the Committee.
  • National security and law enforcement. India’s personal data protection bill proposes localisation requirements on personal data defined as “sensitive” or “critical”. Transfer restrictions on the former category (which includes data on caste, health and religion) can be interpreted as a desire to protect individuals (the GDPR affords enhanced protection to similar types of ‘special category’ data). But the latter category allows for broad government discretion in defining “critical”, leading the IAPP to conclude that “the concept appears to be related to national security”.Laws such as the US’s CLOUD Act contribute to data sovereignty by providing a legal route for government access to data stored overseas when necessary for law enforcement purposes. Unlike the measures we’ve described about, this is not about erecting barriers to data flows, but about enabling government access to data regardless of where it is stored.

The classic argument is that global data flows underpin global trade. A 2016 paper found that restrictions on the free flow of data tend to reduce productivity and economic output in sectors that depend on data services. The UK government highlights the free flow of data provisions in the recently-concluded trade deal with Japan, arguing that these underpin digital services exports worth £675 million.

We can easily imagine a scenario where a US-based company providing products or services in China wants to be able to leverage data obtained in all of its markets to guide its decision making, product development or service improvement.

PETs such as homomorphic encryption or multiparty computation (explained in detail in these short workshops) can allow companies to centralise insights from data without needing to transfer the data itself. Whether these technologies hold the answer depends on the objectives for the data sovereignty measure. Transferring only insights protects individual data rights, but not necessarily economic or national security interests.

We started with reflections from our excellent panel: Tamara Quinn (on the current legal and regulatory constraints), Darrell M. West (on the policy drivers) and Nigel Smart (on what role technology can play). After a brief Q&A, we moved into our familiar small discussion groups to dive deeper.

Watch the panel here

Speakers

Speaker headshot

Darrell West

Director of Governance Studies,
The Brookings Institution

Darrell is vice president and director of Governance Studies and holds the Douglas Dillon Chair. He is Co-Editor-in-Chief of TechTank. His current research focuses on artificial intelligence, robotics, and the future of work.

Speaker headshot

Nigel Smart

Professor,
Katholieke Universiteit Leuven

Nigel’s research covers a variety of topics in cryptography. His work with Gentry and Halevi on performing the first large calculation using Fully Homomorphic Encryption won the IBM Pat Goldberg Best Paper Award for 2012.

Speaker headshot

Tamara Quinn

Partner,
Osborne Clarke

Tamara is a partner at Osborne Clarke, specialising in non-contentious intellectual property and data protection. She has wide-ranging experience including advising on the protection, enforcement and ownership of all types of IP rights.