Data Sovereignty
The principle that people and organisations should control their own data — where it lives, who accesses it, how it is processed, and what inferences are derived from it.
Overview
Data sovereignty is asserted against a political economy in which data about people is extracted, processed into behavioural products, and used for purposes those people did not choose and cannot see. It spans legal rights, technical architecture, and political economy.
Data sovereignty is the principle that individuals, communities and organisations should have meaningful control over data generated about them, the inferences derived from it, and the conditions under which it is stored, processed and shared. It is not merely a privacy claim — it is a claim about power. Data about people confers predictive and influencing power over those people; whoever controls the data controls that power. The sovereignty question is about who that should be.
Shoshana Zuboff's The Age of Surveillance Capitalism (2019) provides the most comprehensive account of what data sovereignty is being asserted against: an economic logic that treats human experience as raw material for extraction, processes it into behavioural data, and sells it as prediction products to advertisers and other interested parties. The subjects of this extraction receive no share of the value created, have no meaningful consent over the process, and typically have no knowledge of the extent of it. GDPR (2018) is the most significant legal response: it establishes rights to access, rectification, erasure, and portability; requires a lawful basis for data processing; and creates obligations of purpose limitation and data minimisation. It applies to any organisation processing data about EU residents, regardless of where the processing occurs.
Nick Couldry and Ulises Mejias' The Costs of Connection (2019) extends the frame globally: data extraction is a form of colonialism, imposing a particular social and economic logic on populations whose data is appropriated to serve interests distant from their own. The CARE Principles for Indigenous Data Governance (2020) — Collective benefit, Authority to control, Responsibility, Ethics — provide an alternative framework developed from within affected communities: data governance that starts from the community's interests rather than the data collector's.
At the infrastructure level, data sovereignty requires that data can be stored and processed within jurisdictions where legal rights apply and can actually be enforced. The Schrems rulings (CJEU, 2015 and 2020) — which invalidated successive EU-US data transfer frameworks — demonstrate that legal rights are meaningless unless data physically remains where those rights can be enforced. This creates a direct connection between data sovereignty and the technical architecture of AI systems: systems that send data to remote servers for processing cannot guarantee that processing occurs under the legal protections the data subject is entitled to.
Key Texts
Foundational works in this research tradition.
Surveillance capitalism: human experience as raw material for extraction, processing into behavioural data, and sale as prediction products. The most comprehensive account of the political economy of personal data — and of what data sovereignty is being asserted against.
The legal foundation of data sovereignty in Europe: rights of access, rectification, erasure, and portability; lawful basis requirements; purpose limitation; data minimisation. Applies to any organisation processing data about EU residents, regardless of location. The most consequential data protection regulation enacted.
Data colonialism: extraction logic imposed globally, serving interests distant from those whose data is taken. Extends the sovereignty frame beyond European data protection to the global political economy of data — and the communities most affected by it.
An alternative data governance framework developed within affected communities: Collective benefit, Authority to control, Responsibility, Ethics. Starts from the community's interests rather than the collector's. A principled alternative to notice-and-consent frameworks that implicitly accept extraction as the default.
Territorial limits of data sovereignty in practice: two rulings that invalidated successive EU-US data transfer frameworks. Establishes that legal data rights are only meaningful if data is processed within jurisdictions where those rights can be enforced — with direct implications for AI systems that use cloud-based processing.
Related Research
Connected areas of inquiry.