A country may control its land, borders, currency, army and laws, yet still lose power in the digital age if it cannot control its data.
That is the new reality of sovereignty.
In the twentieth century, independence meant control over territory, natural resources, defence, taxation and political institutions. In the twenty-first century, independence also means control over digital infrastructure, citizen data, cloud systems, payment rails, artificial intelligence models, cybersecurity architecture and the rules governing how information moves across borders.
Data is no longer a by-product of modern life. It is a strategic resource.
Every payment, search, location ping, hospital record, school database, tax filing, e-commerce purchase, social-media interaction, biometric authentication, satellite image, logistics update and government-service request produces data. This data can improve services, power artificial intelligence, help businesses innovate, detect fraud, monitor disease, optimise traffic, strengthen welfare delivery and support scientific research.
But the same data can also be misused.
It can enable surveillance, profiling, manipulation, cyberattacks, financial fraud, identity theft, political targeting and foreign intelligence gathering. It can be extracted from developing countries, processed by foreign platforms, monetised elsewhere and used to train AI systems that generate value outside the society from which the data came.
This is why data sovereignty has emerged as the new form of digital independence.
The question is no longer only: Who owns the land?
The question is also: Who owns the data, who stores it, who processes it, who profits from it, who can access it, and under whose law?
Data Is the New Strategic Asset
The phrase “data is the new oil” became popular because it captured the economic value of information. But data is not exactly like oil.
Oil is depleted when used. Data can be reused, copied, combined and analysed repeatedly. Oil powers machines. Data powers decisions. Oil must be extracted from specific geography. Data is generated everywhere, but value is captured by whoever has the infrastructure, algorithms and legal rights to process it.
This makes data more politically complex than oil.
A poor country may generate enormous data through its citizens, markets and public systems, but still fail to capture value if foreign platforms control the digital layer. Its users may produce behaviour data, payment data, mobility data, health data and consumption data, while cloud providers, app companies, advertising platforms and AI firms elsewhere convert that data into economic power.
That is digital dependency.
In such a system, a country may appear digitally modern because its citizens use smartphones, apps, e-commerce platforms and online payments. But beneath that appearance, the core infrastructure may be foreign-owned, the data may be externally processed, the algorithms may be opaque, and the profits may leave the country.
This is why data sovereignty matters.
It is not a call to shut down the internet. It is a demand that digital modernisation should not become digital colonisation.
Sovereignty Has Moved From Borders to Servers
Traditional sovereignty was territorial. A state controlled what happened within its borders.
Digital sovereignty is more complicated because data does not naturally respect borders. A message sent in Delhi may be routed through servers abroad. A company in Mumbai may use a cloud provider headquartered in the United States. A hospital database may be stored in a data centre outside the country. An AI model trained in one jurisdiction may process citizen data from another. A platform may be legally incorporated in one country, operationally managed in another and serving users globally.
This creates a jurisdictional problem.
Which government’s law applies? Which court can demand access? Which regulator protects citizens? Which intelligence agency may legally request data? Which company is accountable when data is breached or misused?
The OECD’s work on cross-border data flows recognises this tension directly: cross-border data flows are critical for modern economic and social interaction, but they also raise concerns around privacy, data protection, intellectual property, digital security, national security, regulatory reach and trade.
This is the core dilemma of data sovereignty.
If data flows too freely without safeguards, citizens and states become vulnerable. If data is locked down too aggressively, trade, innovation, AI development and digital services suffer. The challenge is not to choose between openness and control. The challenge is to build trusted flows.
Data Localisation: Protection or Digital Protectionism?
One common response to data sovereignty concerns is data localisation: requiring certain data to be stored or processed within national borders.
Supporters argue that localisation helps law enforcement, protects citizen data, reduces foreign surveillance risks, strengthens domestic cloud infrastructure, creates local data-centre investment and gives regulators practical control.
Critics argue that excessive localisation raises business costs, fragments the internet, hurts small firms, restricts digital trade, weakens cloud efficiency and may not actually improve privacy if domestic protections are weak.
Both sides have valid concerns.
Data localisation can protect sovereignty in sensitive sectors such as defence, health, finance, telecom, critical infrastructure and government databases. But if localisation is applied broadly and mechanically to all data, it can become digital protectionism.
The issue is not whether data should ever be localised. The issue is what type of data, for what purpose, under what safeguards and with what accountability.
A serious data sovereignty policy must distinguish between ordinary commercial data, sensitive personal data, critical infrastructure data, financial data, health data, children’s data, defence data, anonymised datasets, industrial data and government data. Treating all data the same is intellectually lazy and economically harmful.
Data sovereignty requires classification, not panic.
Cross-Border Data Flows Are the New Trade Routes
In earlier periods of globalisation, shipping lanes, ports and trade corridors carried the global economy. Today, cross-border data flows are the invisible trade routes of the digital economy.
They support e-commerce, cloud computing, online education, digital payments, remote work, financial services, logistics, software exports, AI tools, telemedicine, streaming, cybersecurity and platform services. Without data flows, modern digital trade slows dramatically.
The OECD’s Data Free Flow with Trust framework captures this balance: data should move across borders where it supports economic and social value, but it must do so with trust, oversight and protection.
This phrase — data free flow with trust — is important because it rejects two extremes.
It rejects naïve data globalisation, where corporations move data freely while citizens and governments lose control. It also rejects crude data nationalism, where every cross-border data movement is treated as a threat.
The future belongs to countries that can build trusted data regimes: open enough for innovation, strong enough for rights, and strategic enough for security.
The Cloud Is the New Strategic Dependency
Data sovereignty cannot be understood without cloud computing.
Cloud infrastructure stores, processes and analyses enormous volumes of data. It allows companies and governments to scale services without building their own physical servers. It powers artificial intelligence, digital payments, streaming, software services, public administration, cybersecurity and enterprise operations.
But cloud dependence creates strategic questions.
If a government’s critical systems run on foreign cloud infrastructure, can it guarantee continuity during geopolitical tension? If a domestic company relies entirely on foreign platforms, can it protect customer data from foreign legal orders? If AI start-ups must rent compute from a handful of global cloud giants, can a country truly build domestic AI sovereignty? If cloud providers control pricing, interoperability and data portability, do users really control their data?
Europe has taken this concern seriously. The EU Data Act became applicable from 12 September 2025 and aims to create legal clarity on access to and use of data, including rules that support cloud switching and fairer data access.
Cloud sovereignty does not mean every country must build every cloud service itself. That is unrealistic. But it does mean countries need options: domestic cloud capacity, trusted foreign providers, portability rights, strong encryption, sectoral rules, procurement standards and resilience planning.
A state that cannot move its data cannot fully control its digital future.
AI Has Made Data Sovereignty More Urgent
Artificial intelligence has changed the stakes of data sovereignty.
AI models are trained on data. They improve through data. They generate value from patterns found in data. The more high-quality, diverse and domain-specific data a company or country has, the more powerful its AI systems can become.
This creates a new geopolitical question: who gets to train intelligence on whose data?
If Indian users, African markets or Southeast Asian consumers generate enormous data, but foreign AI firms use that data to build models that are owned, priced and governed elsewhere, then data becomes a channel of value extraction. The society generates the raw material; someone else captures the intelligence layer.
This is the core concern behind AI-era data sovereignty.
It is not enough to protect privacy after data is collected. Countries must think about how data contributes to model training, algorithmic advantage, platform dominance and future economic value.
UNCTAD’s Digital Economy Report 2024 warns that digitalisation has environmental and developmental consequences, and stresses the need for inclusive digital strategies so developing countries are not left behind in the digital economy.
The same warning applies to AI. If developing countries lack compute, data governance, cloud infrastructure and bargaining power, they may become data suppliers rather than AI powers.
Privacy Is Not the Same as Sovereignty
Privacy and data sovereignty are connected, but they are not identical.
Privacy protects individuals. It asks whether a person’s data is collected fairly, used lawfully, secured properly and processed with consent and accountability.
Data sovereignty protects collective control. It asks whether a nation, community or institution can govern the data generated within its society and prevent external misuse, dependency or extraction.
A country can have privacy rules but weak data sovereignty if foreign platforms still dominate infrastructure and value capture. A country can claim data sovereignty but violate privacy if the state uses data for unchecked surveillance.
This distinction matters.
True digital independence must protect both the individual and the nation. It must prevent corporate extraction and state overreach. It must allow innovation while defending rights. It must ensure that citizens are not reduced to raw material for either foreign platforms or domestic surveillance systems.
A democratic data sovereignty model must begin with this principle: the citizen is not a data mine.
India’s Data Sovereignty Moment
India is one of the most important countries in the global data debate.
It has one of the world’s largest internet user bases, a massive digital payments ecosystem, Aadhaar-linked digital identity infrastructure, expanding e-governance systems, a strong IT sector, a growing start-up ecosystem and enormous linguistic, social and economic diversity.
This gives India extraordinary data potential.
India’s digital public infrastructure has already shown how population-scale digital systems can transform service delivery, payments and identity verification. But the same scale also creates risk. If India fails to govern data properly, the consequences will be enormous: privacy violations, cyber vulnerabilities, platform monopolies, AI misuse, exclusion errors and digital profiling.
India’s Digital Personal Data Protection Rules, 2025 were notified to give effect to the Digital Personal Data Protection Act, 2023, with the government presenting them as a framework to protect personal data while supporting responsible innovation and a globally competitive digital economy.
This is a major step, but India’s data sovereignty challenge is larger than personal-data protection alone.
India must decide how to govern non-personal data, public datasets, AI training data, health data, financial data, children’s data, government databases, cross-border transfers, cloud infrastructure and platform accountability. It must also ensure that data regulation does not crush start-ups or create compliance burdens that only large corporations can afford.
India’s objective should be neither blind localisation nor blind openness. It should be strategic data governance.
India’s Cross-Border Data Approach
India’s approach to cross-border data transfers has evolved over time.
Earlier debates were heavily focused on localisation. The later framework has moved toward a more flexible model where personal data may generally be transferred outside India unless the government restricts transfers to specified countries or entities. This creates a “blacklist” style approach rather than a strict localisation model for all personal data.
The DPDP Rules framework, as summarised in legal and policy analyses, allows personal data transfers outside India subject to government-specified restrictions, especially where data is made available to foreign states or entities under their control.
This approach reflects a practical compromise.
India wants to protect sovereignty and citizens, but it also wants to remain attractive for global business, cloud services, start-ups and digital trade. Overly rigid localisation could hurt India’s IT and digital-services ambitions. Overly loose transfer rules could weaken control over sensitive data.
The challenge is implementation.
Rules must be clear, predictable and enforceable. Businesses need compliance certainty. Citizens need meaningful rights. Regulators need capacity. Government powers must be bounded by transparency and accountability. Without these, data sovereignty can become either weak protection or excessive discretion.
Data Sovereignty and National Security
National security is one of the strongest arguments for data sovereignty.
Foreign access to sensitive data can create intelligence risks. Location data can reveal troop movement, critical infrastructure patterns or strategic facilities. Financial data can expose economic vulnerabilities. Health data can reveal population-level weaknesses. Telecom data can map social networks. Industrial data can reveal supply-chain dependencies. Government data can expose administrative systems.
In the AI age, even seemingly ordinary datasets can become sensitive when combined with other datasets.
This is why data security must be treated as part of national security.
A breach is not merely a privacy incident. It can be a strategic compromise. A foreign-controlled platform is not merely a business actor. It may become a channel of influence, surveillance or dependency. A cloud outage is not merely a technical inconvenience. It may disrupt essential services.
Data sovereignty therefore requires cybersecurity, encryption, incident reporting, audit systems, domestic technical capacity and trusted infrastructure.
It also requires restraint. National-security arguments can easily become excuses for excessive state surveillance. A democratic country must protect national security without creating a digital police state.
The Risk of Digital Authoritarianism
Data sovereignty can be misused.
Authoritarian states may use the language of sovereignty to justify censorship, surveillance, internet shutdowns, social scoring, political monitoring and restrictions on civil society. They may claim to protect citizens from foreign platforms while actually concentrating data power in the hands of the state.
This is the dark side of digital sovereignty.
A government that controls all data without independent oversight can become more powerful than any previous state apparatus. It can track movement, spending, communication, association, opinion and behaviour. With AI, it can predict, profile and intervene.
Therefore, data sovereignty must be anchored in constitutional values.
It needs independent regulators, judicial review, transparency requirements, privacy rights, proportionality tests, cybersecurity standards and limits on government access. Otherwise, digital independence becomes digital domination.
A country is not digitally free merely because its data stays within its borders. It is digitally free only when its citizens are protected from both foreign exploitation and domestic abuse.
Data Colonialism: The New Extraction Model
Colonialism historically involved the extraction of land, minerals, labour and agricultural surplus. In the digital age, extraction can take the form of data.
Data colonialism occurs when platforms collect data from users and communities, convert it into behavioural insights, train algorithms, build products, sell advertising, influence choices and capture profits without fair participation by the people or countries generating that data.
This extraction may be legal. It may even appear voluntary through consent forms. But the power imbalance is real.
Most users do not understand how their data is collected, combined and monetised. Most developing countries do not have the bargaining power to demand fairer data value-sharing. Most local firms cannot compete with global platforms that already possess enormous datasets and AI systems.
The result is a new dependency.
The Global South may provide users, markets and data, while the Global North and a few technology centres capture profits, intellectual property and AI advantage.
Data sovereignty is therefore a development issue.
It asks whether countries can convert their own digital activity into domestic capacity, local innovation and public value.
The Business Case for Data Sovereignty
Some businesses fear data sovereignty because they associate it with compliance costs, localisation mandates and regulatory uncertainty.
That fear is understandable. Poorly designed data rules can harm innovation.
But well-designed data sovereignty can actually support business.
Clear rules increase trust. Trust increases digital adoption. Strong privacy protections reduce reputational risk. Cloud portability reduces vendor lock-in. Cybersecurity standards reduce breach costs. Data-sharing frameworks can unlock innovation. Public datasets can support start-ups. Interoperability can reduce platform dominance.
The WTO and OECD have examined the economic implications of data-flow regulation and the role of trust in supporting economic transactions within data-protection frameworks.
This matters because digital trade depends on confidence.
Consumers will not use digital services if they fear misuse. Companies will not share data if rules are unclear. Governments will not allow cross-border flows if national-security risks are unmanaged. Trust is not the enemy of digital commerce. Trust is its foundation.
The right data sovereignty model can make a country more attractive, not less.
The European Model: Rights and Regulatory Power
Europe has positioned itself as a global rule-maker in data governance.
The General Data Protection Regulation became one of the world’s most influential privacy laws. The Data Governance Act and Data Act expand Europe’s approach into data-sharing, access rights, cloud switching and data economy regulation. The EU Data Act, applicable since September 2025, is part of Europe’s attempt to build a fairer and more innovative data economy.
Europe’s strength is regulatory influence. Even when European technology firms do not dominate global platforms, European rules often influence how companies behave globally because access to the European market matters.
But Europe also faces criticism.
Some argue that excessive regulation has slowed innovation and made it harder for European firms to compete with American and Chinese technology giants. Others argue that strong rights-based regulation is necessary precisely because platform power is so concentrated.
This is the European dilemma: how to protect rights without becoming technologically dependent.
For developing countries, Europe offers useful lessons but not a complete template. India, Indonesia, Brazil, South Africa and others need frameworks suited to their own scale, institutions, markets and development needs.
The American Model: Platform Power and Innovation
The United States dominates much of the global digital economy through private companies.
American firms lead in cloud computing, AI models, digital advertising, operating systems, enterprise software, social media platforms and data-centre infrastructure. This gives the US enormous private-sector digital power.
The strength of the American model is innovation speed. Venture capital, research universities, cloud infrastructure, private entrepreneurship and deep technology markets have produced some of the world’s most powerful digital companies.
The weakness is concentration.
A small number of private firms control large parts of the digital economy. They collect data at scale, influence information flows, shape AI development and operate infrastructure used by governments and businesses worldwide. This creates a different kind of sovereignty challenge for other countries: even when they are not dealing directly with the US government, they may still depend heavily on US corporations.
The American model shows that private digital power can become geopolitical power.
The Chinese Model: State Control and Data Security
China approaches data sovereignty through a state-security lens.
It has built strong domestic platforms, restricted many foreign digital services, regulated cross-border data flows, and treated data as a strategic economic and national-security asset. Its model gives the state significant control over data, platforms and digital infrastructure.
This has supported domestic technology champions and reduced dependence on foreign platforms. But it has also raised concerns about surveillance, censorship and political control.
China’s approach reminds the world that data sovereignty can strengthen domestic capacity, but it can also centralise state power.
For democratic societies, the challenge is to build sovereign digital capacity without copying authoritarian control.
The Missing Model: Democratic Data Sovereignty for the Global South
The Global South needs its own model of data sovereignty.
This model should avoid three traps.
The first trap is platform dependency: allowing foreign digital companies to dominate data, cloud, payments, e-commerce and AI without meaningful accountability.
The second trap is state overreach: using sovereignty as an excuse for surveillance, censorship and unrestricted government access.
The third trap is regulatory overload: creating rules so complex that only large corporations can comply, while start-ups and small businesses suffer.
A democratic Global South model should focus on citizen rights, trusted data flows, public digital infrastructure, local innovation, open standards, cybersecurity, competition, domestic cloud capacity and fair value creation.
It should ask not only where data is stored, but who benefits from it.
Data Sovereignty and Public Digital Infrastructure
Public digital infrastructure changes the data sovereignty debate.
India’s experience shows that digital identity, payments and public platforms can create enormous social and economic value when designed at scale. But such systems also generate sensitive data and require strong governance.
Public digital infrastructure must be open, interoperable and accountable. It should not become a tool for exclusion or surveillance. It should empower citizens, not merely make them legible to the state.
The data generated through public systems should serve public value: better welfare delivery, fraud reduction, financial inclusion, health planning, education, urban governance and climate resilience. But it must be protected from misuse, commercial exploitation and political abuse.
Public digital infrastructure without data protection is dangerous. Data protection without public digital capacity is incomplete.
India’s challenge is to combine both.
Health Data, Financial Data and Children’s Data
Not all data carries the same risk.
Health data can reveal intimate details about individuals and communities. It can affect insurance, employment, social stigma and public-health policy. Financial data can expose consumption, debt, income, tax compliance and economic vulnerability. Children’s data is especially sensitive because misuse can follow them for life.
These categories require stronger safeguards.
AI makes the concern deeper because sensitive data can be used to infer patterns beyond what individuals explicitly share. A person may not disclose a health condition, but behavioural, location and purchase data may allow systems to infer it. A child may not understand consent, but platforms may build long-term behavioural profiles.
Data sovereignty must therefore include data minimisation, purpose limitation, consent clarity, breach notification, age-appropriate design, strong penalties and independent oversight.
A nation cannot call itself digitally sovereign if its citizens are digitally exposed.
Industrial Data and the Future of Manufacturing
Data sovereignty is not only about personal data. Industrial data is equally important.
Modern factories generate data through sensors, machines, robotics, supply chains, enterprise systems and quality-control processes. This data can improve productivity, predictive maintenance, design, energy efficiency and logistics. It can also reveal trade secrets, production capacity, supplier relationships and strategic vulnerabilities.
As manufacturing becomes digitised, industrial data becomes a competitive asset.
If foreign platforms control industrial data, domestic manufacturers may become dependent on external analytics and software ecosystems. If industrial data is locked away inside firms, innovation across sectors may slow. If governments demand too much access, companies may fear disclosure.
The EU Data Act’s focus on access to and use of data from connected products reflects this emerging issue in the data economy.
For India, this matters as manufacturing becomes more digital. Automotive, pharmaceuticals, electronics, logistics, agriculture, defence production and energy systems will all generate valuable industrial data. India needs rules that allow innovation while protecting strategic sectors.
Data Sovereignty and Cybersecurity
Data sovereignty without cybersecurity is meaningless.
A country may store data domestically, but if systems are insecure, hackers can steal it. A government may require localisation, but if agencies lack cyber capacity, local storage may simply concentrate risk. A company may claim compliance, but if it lacks encryption, access controls and breach response, citizen data remains vulnerable.
Cybersecurity is the practical foundation of data sovereignty.
This includes secure cloud architecture, encryption, zero-trust systems, security audits, breach notification, cyber insurance, incident response teams, domestic cyber talent and cooperation with trusted international partners.
Data sovereignty is not achieved by geography alone. A server located within the country is not sovereign if it is insecure, foreign-controlled, poorly audited or legally vulnerable.
Security is not where the data sits. Security is how the data is governed.
The Future of Digital Trade Depends on Data Trust
Digital trade cannot grow without trusted data governance.
A software exporter needs to move data. A fintech company needs cross-border compliance. A telemedicine provider needs health-data rules. An AI company needs training-data clarity. A cloud firm needs legal certainty. A small business selling globally needs payment and customer-data flows.
If countries build incompatible data regimes, digital trade will fragment. If they build weak regimes, citizens will be exposed. If they build trusted interoperable regimes, digital commerce can expand.
This is why data sovereignty and digital trade must be integrated.
The future of trade agreements will increasingly include data-flow provisions, privacy protections, cybersecurity cooperation, digital identity, source-code protections, AI governance, consumer protection and cloud rules.
Trade ministries can no longer ignore data policy.
India’s Strategic Doctrine for Data Sovereignty
India needs a clear data sovereignty doctrine.
Such a doctrine should include ten principles.
First, citizen rights must be central. Data sovereignty cannot mean state ownership of citizens’ lives.
Second, sensitive data must receive stronger protection than ordinary data.
Third, cross-border data flows should be permitted where trust, reciprocity and safeguards exist.
Fourth, critical government and national-security data should remain under strict sovereign control.
Fifth, cloud portability and interoperability should reduce dependence on any single provider.
Sixth, public digital infrastructure should operate under transparent governance.
Seventh, AI training data must be governed through consent, rights, fairness and public interest.
Eighth, cybersecurity capacity must be treated as national infrastructure.
Ninth, domestic start-ups should not be crushed by compliance burdens designed for large platforms.
Tenth, India should help shape global data rules rather than merely react to them.
This is the difference between policy and doctrine. Policy solves immediate problems. Doctrine defines the strategic direction.
India needs both.
Digital Independence Is Not Digital Isolation
The most important point is this: data sovereignty is not digital isolation.
A country cannot grow in the modern economy by cutting itself off from global data flows. Indian IT firms, exporters, start-ups, financial services, cloud users, researchers and AI developers all need international digital connectivity. Blocking data flows blindly would harm the very sectors India wants to strengthen.
Digital independence means the ability to participate in global digital systems without being dominated by them.
It means choosing openness from a position of strength, not dependency. It means allowing data to move when rights and security are protected. It means building domestic capacity where dependence is dangerous. It means negotiating with global platforms instead of surrendering to them. It means protecting citizens without suffocating innovation.
The goal is not to build a digital wall.
The goal is to build digital self-respect.
Conclusion: The New Freedom Struggle Is Digital
Data sovereignty has emerged as the new form of digital independence because power has moved into invisible infrastructure.
A country’s future will be shaped not only by its factories, ports, armies and natural resources, but by its data centres, cloud contracts, privacy laws, AI models, cybersecurity systems, payment rails, public digital infrastructure and regulatory capacity.
The countries that control their data intelligently will gain economic power, strategic autonomy and citizen trust. The countries that fail will become dependent on foreign platforms, exposed to cyber risks, vulnerable to surveillance and unable to capture the full value of their own digital societies.
But sovereignty must be understood carefully.
Data sovereignty is not a licence for authoritarian control. It is not an excuse for shutting down the internet. It is not a slogan for protectionism. It is not achieved merely by storing data locally.
Real data sovereignty means democratic control over digital power.
It means citizens know how their data is used. It means companies are accountable. It means governments are restrained. It means data flows are trusted. It means sensitive information is protected. It means domestic innovation is supported. It means AI is built on fair and lawful data. It means digital infrastructure strengthens national capacity rather than creating dependency.
In the coming decades, nations will not ask only whether they are politically independent.
They will ask whether they are digitally independent.
And the answer will depend on a simple but profound question: does the country control the data that controls its future?
Start writing the tenth article