The pursuit of digital sovereignty for a trusted, integrated internet

The physical world we live in today is demarcated by national borders drawn over the course of time. The digital world today seems to be following in its footsteps.

Increasingly, countries around the world have been adopting numerous regulations that restrict data flow. The Information Technology & Innovation Foundation found that data localisation measures, which stipulate how data should be processed, stored, and perhaps confined within a geographic location, is rapidly increasing. From 2017 to 2021, regulations surrounding data localisation more than doubled.

The shift is often fuelled by geopolitical concerns, Welland Chu, Alliance Director for APAC at French multinational corporation Thales and the author of an ISACA article focusing on digital sovereignty, told GovInsider in a video interview.

A 2022 GovInsider article referenced Chinese-owned social media platform TikTok’s plan to move the private data of American citizens to cloud servers in the United States to prevent the risk of foreign governments accessing the data. This shift is also observed in Asia – with Vietnam most recently imposing data localisation regulations in late 2022. 

Data localisation alone comes at a cost

The same GovInsider article highlighted potential implications on economic growth due to increased costs on companies and the impediment of free trade.

A report funded by the NUS Centre for Trusted Internet and Community purports that Singapore, as a highly connected nation, may suffer from such practices given its reliance on the free flow of data.

Additionally, data localisation could hinder the performance of technologies like artificial intelligence and cloud computing, which work best with access to a broad set of free-flowing data.

The cloud, for example, is an enabler, says Francesco Bonfiglio, CEO of Gaia-X, in an online interview. Gaia-X is a non-profit which aims to promote digital sovereignty and enable the creation of data spaces through the development of trusted platforms and standards.

“[The cloud is] a motorway that allows you to openly share data, make available applications, increase the power and performance of those applications, and make the services and products more competitive and meaningful for citizens,” he explains.

But organisations are hesitant to openly share this data as there is a lack of platforms that are uniformly trusted on the market today, Bonfiglio says. He cited how adoption rates of cloud technology remain low in Europe.

Hindering innovation will only slow down the development of more efficient and citizen-centric public services. Bonfiglio gave the example of healthcare. Currently, healthcare research is often limited to specific networks of hospitals or research institutions with pre-arranged agreements on how data sharing will be done. But in order to build new drugs and vaccines, it is ideal to collect as much data as possible.

“If we could freely create an open and distributed data space to collect all the data to analyse them with the power of genomics, and identify new drugs … we could be faster in developing drugs,” he says.

But most of the core data of organisations is not on a cloud as they fear making data available on a technology where they have no control, Bonfiglio says. This is why he is promoting the broader concept of digital sovereignty as opposed to simply data localisation. 

A call for digital sovereignty instead

Digital sovereignty stipulates that “information is subject to the rules of its originating jurisdiction (regardless of its actual location),” according to a Gartner report published in December 2022. This means that even if data is exported and stored in another country, the use of and access to the data is governed by regulations of its home country.

An example of this is demonstrated by Article 45 of the EU’s General Data Protection Regulation (GDPR), which details that personal data can only be transferred should the importing country or organisation have data protection regulations and measures equivalent to that of the EU.

This approach is increasingly in demand today, according to Chu. He cited a survey by the International Data Corporation which predicts that 40 per cent of major enterprises will mandate data sovereignty from their cloud service providers by 2025.

Giving users the key to their own data

One way organisations can have digital sovereignty is through technical controls which give users the ability to retain control of their data, wherever it is on the cloud, Chu suggests.

Most data today on the cloud is encrypted, which ensures that data is rendered unintelligible for those that do not possess the cryptographic keys. But if the cloud operators are the ones in control of these keys, that means that they have the ability to decrypt the data as they wish, Chu says. Instead, it should be the data exporters – that is, the organisations themselves as opposed to the cloud service providers – who hold the cryptographic keys. (Note that the terms “organisations,” “customers,” and “users” are used interchangeably in this article. They refer to the entities from whom the sensitive data generate.)

He suggests that this can be done through three methods: Bring Your Own Key, Hold Your Own Key and Bring Your Own Encryption.

First, Bring Your Own Key means that customers are able to generate their own cryptographic key and import it to the cloud to decrypt their data if they require access.

Meanwhile, Hold Your Own Key, such as that offered by AWS or Google, provides an additional layer of security, as it means that the cryptographic keys are always in the hands of the customer. If the cloud service provider or a third party requires access to the data, they will first need to issue a request, which the customer can review and only grant the access based on the context of the request.

Finally, Bring Your Own Encryption means that the cloud users encrypt the data before it even enters the cloud and upload the encrypted data into the cloud.

These approaches ensure that cloud operators or third parties like foreign governments are unable to access and decrypt data that is on the cloud without prior consent by the users – who retain control of their own data ultimately, Chu explains.

The importance of this has previously been recognised by the Court of Justice of the European Union (CJEU). In 2020, the CJEU had ruled that “appropriate safeguards, enforceable rights and effective legal remedies must be in place before the data are transferred from Europe to the US”, Chu had written in the blog post.