The unprecedented COVID-19 global health crisis, growing international trade tensions and rising national aspirations to technological autonomy have contributed to make data sovereignty a significant and urgent policy issue to address worldwide in the years to come.
There are multiple aspects and drivers of data sovereignty. In an oversimplified world, data would be subject to the rules of one jurisdiction, hence accessed, processed and stored in one territory to be protected from unauthorized access by foreign countries, or to be more easily accessed for local law enforcement purposes. Also, citizens and users would claim better control over their personal information, while governments and businesses would deem access to local data a competitive advantage over foreign competitors. The reality shows a much higher degree of complexity, whereas traditional data sovereignty policy approaches, such as data localization and limitation to international data flows may not always be as meaningful as before, in a technology landscape where data access, storage and analytics do not need to happen all in the same location.
Privacy and data protection have been a major driver for restricting international data transfers. This is apparent in the context of transatlantic data flows with the invalidation of Safe Harbor in 2015 and Privacy Shield in 2020 (Schrems I and II rulings), both triggered by concerns over surveillance practices on EU citizens. Similarly, the popular Chinese app Tik Tok was nearly banned in the United States last year as data collection on US citizens was considered a threat to privacy and national security. Policymakers in the EU and around the world are focusing their attention on the rollout of digital infrastructure like cloud and 5G, to reduce dependence on international suppliers and to prevent potential surveillance activities by foreign governments. Data localization approaches have been embraced around the world (e.g. Russia, Brazil, China, India, Vietnam) to ensure easier law enforcement access to data for criminal investigations and prosecutions. Finding a policy solution to cross-border data transfers (and the tension between privacy and national security/law enforcement) is an unprecedented opportunity: a new Privacy Shield might set the benchmark for global data flows, while the OECD could be the right forum to build international consensus.
At the same time, the recognition that data drives growth has put pressure on governments to create or modernize their data policy frameworks, to regulate both personal and non-personal data. Policy measures foreseen include the creation of local high-value datasets and repositories (e.g. data spaces in the EU, data trusts in India) to foster innovation in different industrial sectors, to benefit the local community and to boost the economic competitiveness of national digital champions and startups through increased data access and sharing. The way big countries like China and India will shape their data policies will influence some future technology directions.
The current global policy debate on data sovereignty is critical to the future deployment of data-driven technologies like artificial intelligence and autonomous driving. In fact, restrictions to data transfers may negatively impact the possibility to train algorithms with datasets reflecting the multiplicity of different populations, countries and contexts where technologies could be used. Carrying out R&D only on “local data” (both personal and non-personal) may hinder the quality and the accuracy of determinations made by automated systems, hence impinging on their overall trustworthiness. In addition, performance and reliability of the modern digital infrastructure benefit from the opportunity to leverage hardware, software, services and datasets available worldwide, without the need to duplicate each layer of the entire stack across all countries. Moreover, technology, could play a role in increasing privacy and security safeguards in data transfers, as well as decreasing the need for sensitive data to be moved and shared (federated machine learning in sectors like healthcare is a bright example).
This year, Intel is hosting a panel discussion on data sovereignty at Computer Privacy Data Protection Conference (CPDP), a flagship event for the international privacy community. Together with eminent policymakers and experts – Ms Meenakshi Lekhi (Indian Parliament), Ms Audrey Plonk (OECD), Mr Bruno Gencarelli (European Commission), Ms Samm Sacks (New America) – we will assess current and future trends around data sovereignty and try to outline potential policy priorities and solutions for global data access and flows.