At this year’s Davos Conference, the location of physical supply chains garnered significant discussion in light of rising geopolitical tensions. Intel CEO, Pat Gelsinger, noted, “We need this geographically balanced, resilient supply chain.” While he was referencing the global reset to physical supply chains, growing geopolitical risk impacts digital supply chains, too. Digital authoritarianism, and the data sovereignty frameworks pursued by those governments, pose a starkly different risk compared to the data sovereignty strategies of more democratic governments. These location-based risks, in turn, are exacerbated by geopolitics. Just as organizations are increasingly transforming their physical supply chains due to location-based risks, geopolitics is also sparking the need for a similar reset to digital supply chains and data security.
Data sovereignty generally refers to the notion that data is subject to the national laws and policies in which it is stored, collected, or originated. The global splintering of the internet, increased government intervention in data access, flows, and integrity, and the growing patchwork of data privacy and cybersecurity regulations highlight the vast variation of data risks dependent on national data laws. At a time of significant global transformations, data sovereignty considerations must become an integral component in any organization’s data loss prevention strategies.
Disparate Approaches to Data Sovereignty
Early aspirations of a united, global internet hit the geopolitical reality of data sovereignty, wherein data confidentiality, integrity, and availability are subject to the laws and policies governing the country in which it is located. For instance, 75% of countries have implemented some form of data localization policies that to various degrees require data to be stored within sovereign boundaries. Data localization and broader variation across data sovereignty frameworks is splintering the internet, creating distinct data risks that vary by location. National firewalls, regulatory frameworks, internet blackouts, and data localization are a few features defining the growing Splinternet and largely reflect two distinct approaches to the internet and cybersecurity: digital authoritarianism and the nascent democratic countermovement.
Digital authoritarianism refers to the manipulation, surveillance, and repression of data and digital technologies by authoritarian regimes. In an era of rising digital authoritarianism, dictators use the internet as a governmental tool for control. Global internet freedom declined for the 12th consecutive year in 2022, reflecting a sharp decrease in the free flow of data and information. Government-imposed internet blackouts cost the global economy $24B in 2022, increasing 41% year over year. Policies such as China’s Personal Information Protection Law, Belarus’ legalization of digital piracy from ‘unfriendly’ countries, or Vietnam’s cybersecurity law each reflect growing government attempts of internet control and government access to data.
Fortunately, there is a countermovement toward data protection and security. This is reflected in the European Union’s General Data Protection Regulation (GDPR), as well as many of its progeny, such as the California Consumer Privacy Act and Brazil’s General Data Protection Law (LGDP). In addition, secure data flows are increasingly a component of bilateral trade agreements, such as the USMCA, as well as joint data security agreements, such as the recent deal between the United Kingdom and South Korea. While none are a panacea to the entirety of data security challenges, they do provide a counter-movement toward greater data protection and have proven key to economic growth.
Data Sovereignty Risks in an Era of Heightened Geopolitics
To add to this complexity, these opposing faces of data sovereignty starkly reflect geopolitical divisions and have significant implications for data loss prevention. These barriers not only disrupt cross-border data flows (and thus access to data) but also represent distinct data risks depending on the governance structure and geopolitical situation.
For the past few decades, companies largely turned a blind eye to geopolitics when assessing their global footprint and their data risk abroad. In fact, over the last decade, many companies made a Faustian bargain – forgoing their own data security risks in return for market access. For instance, Russia requires source code review as a prerequisite for entering markets, while China’s cybersecurity law focuses on cyber sovereignty, internet controls, and government access to data. In contrast, while GDPR introduces a compliance risk, companies are at less risk of government-mandated access to sensitive data.
To fully assess data loss risk stemming from data sovereignty, organizations must have full visibility into their digital and physical supply chains. Unfortunately, the majority of companies lack this visibility and do not know where their data is stored. This must become a growing priority, especially as the internet continues to splinter and geopolitics heighten data risks abroad.
“The Internet is Absolutely Getting Balkanized,” claimed Matthew Prince, CEO of Cloudflare. The global fracturing of the internet introduces both regulatory risks as well as risks to data loss, manipulation, and access. National data sovereignty policies largely fall into disparate ends of a spectrum in how they address data: government control and access on one end and data protection and individual data rights on the other. This spectrum also largely reflects the growing geopolitical divide as well, with rules and laws targeting ‘unfriendly’ countries posing data security challenges for organizations across the world.
Data strategies must increasingly assess how this confluence of data sovereignty and geopolitical tensions could impact their own sensitive data and intellectual property. While compliance often is top of mind when discussing regulations, given the increasing number of governments seeking internet and data control, the distinct approaches to data sovereignty pose a range of additional data security risks as well. Global fragmentation not only is transforming the global trade system, but is also upending how we must think about data loss prevention in a reglobalized world system.