Tesseract Academy

Data Sovereignty: Who Really Owns Your Information?

Data Sovereignty

Written by

Erika Balla

in

The saying “data is the new oil” likely sounds familiar to you. However, unlike oil, data isn’t transported from one nation and stored in another with specific ownership regulations. Rather, your private data, including your location, payments, messages, and photos, is spread across servers internationally.

And that poses an important question: who’s the real owner? Is it the country storing it, the business collecting it, or yourself?

That’s the dilemma at the core of data sovereignty, and it’s one of the defining debates of our digital age.

Mouse cursor clicking the “Accept” button 

Source:https://www.livelaw.in/articles/analyzing-the-landscape-of-click-wrap-agreements-245917 

Why is Data Sovereignty Suddenly Everywhere?

At its core, data sovereignty means that data is subject to the laws of the country where it’s stored. Simple enough, right? It would be, if data sat still.

When you store a document on the cloud, post a picture to Instagram, or stream a show on Netflix, it’s likely copied, backed up, and transferred across multiple countries – subtly and automatically.

Because cloud infrastructure spans across continents, this means that your personal data may be sitting under foreign laws without you knowing it.

This is going beyond a mere technical curiosity – it’s becoming a political fault line.

Why Data Sovereignty Matters to You

Think about the amount of private information you disclose in a single day. You check your bank app, share your location for food delivery, back up photos on cloud services, and share the path you walked through GPS data. Each of these actions produces a digital trail.

This is where data sovereignty takes on a personal dimension. It’s about corporate power as much as government surveillance. You’re not truly in control when a business has the ability to move, analyse, or even sell your data across international borders.

The New Global Power Struggle

The world is entering a phase where data doesn’t just belong somewhere – it’s being claimed by nations. Governments are drawing digital borders faster than ever.

  • The European Union’s GDPR gives citizens control over their personal data and imposes fines for violations. 
  • The U.S. introduced the CLOUD Act, which allows American authorities to access data held by US tech firms, even when that data is stored in another country. 
  • China has also passed several data localisation laws, requiring companies to store information about their citizens within national borders.
  • The UK is considering updates to its Data Protection Act, balancing EU alignment with the push for looser regulations to attract tech investment.
Map of global data sovereignty laws

Source: https://insights.comforte.com/beyond-borders-unraveling-the-essence-of-data-sovereignty-and-protection 

Real Consequences and Lessons We’ve Learned

These issues are no longer confined to legal departments; they’re affecting how we use the internet. Moreover, data usage is becoming more and more controlled, with laws mandating how companies can collect, store, and use our data. Breaking these laws will, and has, resulted in bans and fines.

British Airways Data Breach

In 2018, British Airways experienced a data breach exposing over 400,000 customers’ personal and payment information via a web skimming attack. The ICO fined BA £20 million for inadequate GDPR security measures. The incident highlighted how even large organisations are vulnerable, underscoring the critical importance of strong cybersecurity and strict compliance with data protection regulations.

Facebook Data Scandal

One of the most popular cases of data mishandling is the Facebook scandal, where it was revealed that a UK-based company harvested data from more than 50 million Facebook profiles to build a system that could analyse US voters and target them with personalised political ads. This resulted in millions of fines imposed on Facebook and revealed some major issues with data handling at the time.

TikTok Bans

TikTok is another app that has faced bans or restrictions in several countries over concerns that user data could be accessed by China, including in the US and the UK. In response, TikTok announced “Project Clover,” a €1.2 billion project to store European user data in Ireland and Norway under stricter controls.

The United States v. Microsoft Corp.

In the United States v. Microsoft Corp. case, Microsoft refused to hand over emails stored on Irish servers, exposing the legal gap between national laws and global cloud data. Following the case’s closure, the U.S. introduced the CLOUD Act, which allows American authorities to access data held by US tech firms, even when that data is stored in another country.

CaseDurationFines Result
Facebook–Cambridge Analytica Scandal2015-2018£500,000 (ICO fine, UK); €1M+ other penaltiesHighlighted GDPR importance; led to stricter EU/UK enforcement
United States v. Microsoft Corp.2013-2018No typical legal resolution in courtCLOUD Act (2018)
TikTok Project Clover (EU/US scrutiny)2020-2023No direct fines, but regulatory pressureLocal data storage agreements in EU and Norway
Google Street View Wi-Fi Data Collection2007-2013€7M (Germany); settlements in other countriesStrengthened EU and US privacy laws; set precedents for data collection limits
British Airways Data Breach (ICO investigation)2018£20M (ICO fine, UK)GDPR enforcement example

How to Protect Your Digital Sovereignty

The good news? Even in the cloud-driven, hyperconnected world of today, you can take practical steps to regain control.

Here’s how to begin safeguarding your data, privacy, and sense of control on the internet:

1. Know Where Your Data Is

Check the location of your data’s hosting first. Users or organisations can choose storage regions on a number of major platforms, including Google and Microsoft.

Opting for data centres in the UK or the EU guarantees that your data stays under strict privacy regulations rather than being subject to less strict or conflicting laws.

2. Restrict Unnecessary Data Sharing

Keep an eye on what you share and with whom. Turn off any unnecessary app permissions, like those that give the app access to your contacts, location, or camera.

Review the data that your smartwatch, voice assistant, and browser gather; you’ll be shocked to see how much is collected in the background. Fewer permissions mean fewer entry points for misuse.

Infographic illustrating data collection by fitness apps. It shows that 80% of fitness apps share user data with third parties. A bar chart ranks apps by data points collected. Most apps gather around 12 data types, led by Strava and Fitbit. Includes sensitive info and precise location. Surfshark logo at the bottom right.


80% of top fitness apps share data with third parties

3. Protect Your Connection

Your connection may automatically pass through networks in other nations when you work remotely or travel overseas, leaving your online activity vulnerable to foreign surveillance or different, laxer privacy regulations.

Using a VPN with a UK IP helps keep your data traffic mostly within UK legal frameworks, preserving alignment with domestic privacy protections. It’s a simple yet effective way to maintain some jurisdictional consistency while staying connected globally.

4. Back Up and Encrypt Your Data

One of the simplest ways to improve your digital sovereignty is to use encryption. Use encryption software that protects your devices, files, and cloud storage.

Incorporate that with routine offline backups to ensure that your data is secure even in the event of a data centre failure or breach at a cloud provider.

5. Opt for Ethical and Transparent Platforms

Support services that are transparent about where and how they handle your data. Seek out GDPR compliance badges, transparency reports, and privacy policies that are written in plain English rather than legal jargon.

Choosing ethical, open tech firms contributes to the development of a more responsible digital ecosystem.

The Next Frontier: AI and Personal Data

Artificial intelligence is also amplifying the sovereignty debate. AI tools like ChatGPT and Google Gemini train on vast datasets, often scraped from public sites or collected from user interactions. This raises concerns for where the line lies between innovation and surveillance.

Bar graph comparing data collection by AI chatbots as of May 2025. Meta AI collects 32 data types, over 90% of possible types, surpassing the average of 13.


Meta AI collects over 90% of user data types

If an AI model or even something derived from it uses your data, where does sovereignty end and ownership begin?

That’s a problem governments are only beginning to grasp, but it’s already influencing AI legislation across the UK and EU.

The Bottom Line

Every user wants privacy, every business wants flexibility, and every country wants to protect its citizens. However, until international laws align, the world’s data will continue to be ensnared in a complicated web of overlapping jurisdictions.

Even though your information can travel the world in milliseconds, geography, politics, and awareness still determine how it is controlled.

So, before you click “Accept”, ask yourself where your data is going. The answer to that question might be the most powerful form of ownership you have.

More posts