The world is playing catchup. Thanks to the pandemic, digital transformation and disruption are running full pelt. But think of that energy as a steel spring that’s being stretched tighter and tighter.

The issue is how to define the concept of data sovereignty, especially when businesses and governments wrestle to enshrine it in law across international and continental borders.

Data sovereignty is a conundrum that has intrigued Associate Professor Henry Gao from the Singapore Management University (SMU), who is also a member of SMU’s Centre for AI and Data Governance and a Senior Fellow at the Centre for International Governance Innovation, a premier Canadian think-tank.  With law degrees from three continents, Prof Gao has been a trade advisor to many national governments, the UN, World Bank, World Trade Organisation, Asian Development Bank, APEC and ASEAN.

“To start with, the concept [of data sovereignty] has been dismissed by many as just an oxymoron, as data by its nature transcends borders, while sovereignty traditionally has been understood to be confined to within borders.”

- Associate Professor Henry Gao

He has been researching data sovereignty and trade agreements across “three digital kingdoms” – the United States, China and the European Union. Thanks to funding from Singapore’s National Research Foundation under its Emerging Areas Research Projects, Prof Gao has delved into the issue and recently published a peer-reviewed paper on the topic, “Data Sovereignty and Trade Agreements: Three Digital Kingdoms”.

Power of digital giants

Digital giants “pose serious competition to national governments in terms of the powers they possess”, explains Prof Gao, and those giants’ powers could rival traditional sovereign countries. Think of Meta, which owns Facebook, Instagram and WhatsApp. Each month it reaches 3.6 billion people, according to Statista, and that’s more than 2.5 times the population of China.

He says sovereignty and international obligations are “often pitted against each other”. For instance, he points to the US administration under President Donald Trump equating sovereignty to national security. That stance underpinned Trump’s policies, which were generally inconsistent with those of the World Trade Organisation.

Sovereignty is a key concept in modern law. At present, there’s no consensus on an exact definition, but what exists is workable. In particular, Prof Gao tips his hat to theorists who define sovereignty as akin to control or along the themes of the highest power, underived power, and exceptional power. It’s a way of representing reality, as well as playing a leading role in creating and transforming reality.

A satisfactory definition of data sovereignty, on the other hand, is much harder to pin down.

“To start with, the concept has been dismissed by many as just an oxymoron, as data by its nature transcends borders, while sovereignty traditionally has been understood to be confined to within borders,” explains Prof Gao.

“Further complications would arise when the data is generated, processed, stored and disseminated in different jurisdictions, as it has become commonplace in the cyberspace these days.”

Applying the existing concept of sovereignty in the context of trade agreements, Prof Gao defined data sovereignty as “the highest independent power over data trade, that can define rules and exceptions, especially regarding first, border measures such as the crossborder transfer of data; and second, domestic regulations such as data localisation requirements”.

Why is data sovereignty important?

Ideally, all countries/states are equal sovereigns, and as such are independent actors, though their military or economic might mean their relative powers differ, says Prof Gao. That’s why we need to understand sovereignty to appreciate the key contentions and approaches in data governance and trade regulation.

In fact, he offers a provocative thought: consider sovereignty as traditionally confined within borders, yet “data [sovereignty] by its nature transcends borders”.

According to Prof Gao, there exists three main “players” in data governance: The individual who provides the raw data and uses the processed data; the firm, which processes consumers’ raw inputs; and the state, which monitors and regulates individuals’ and firms’ data use.

Perspectives from the three ‘kingdoms’

Countries aim to balance the interests of stakeholders, but, in practice, their approaches differ. For example, the EU prioritises users’ privacy with its General Data Protection Regulation, while the US emphasises firms’ commercial interests, and China focuses on national concerns such as state security.

In turn, those perspectives favour each jurisdiction’s regulatory framework and trade agreements, therefore data sovereignty. But it’s good to know that most other countries embrace one of the three perspectives or models. Moreover, such data sovereignty perspectives are not set in stone.

Ultimately, while trade agreements and data sovereignty are currently divergent from one country to the next, global economies will likely head towards a more united model through a better understanding of one another’s models. For example, China seems to be edging closer to the US position by accepting obligations on free flow of data and prohibitions on data localization requirements.

“We should not be disheartened by the wide divergences among the three [kingdom’s] approaches,” says Prof Gao.

“Just like the three kingdoms in Chinese history which was ultimately united into one, hopefully, the three digital kingdoms studied in this paper can also, through trade agreements, forge their divergent approaches to data sovereignty into one, at least in cyberspace.”