Global push for 'digital sovereignty' risks complicating global data flows, innovation

Amid rising global tensions, the ongoing conflict in the Middle East and growing strain in the Western world related to digital trade, there is an ongoing push among some countries to implement stricter digital sovereignty measures and efforts to boost production of domestic technology stacks. 

From Canada, to the EU, to the Pacific Rim, the ongoing period of geopolitical upheaval is compelling a number of countries to re-think what constitutes "sovereignty" in the digital realm.  

However, the term "digital sovereignty" in and of itself can carry different definitions in certain contexts. On one side of the debate are efforts from by some countries to break clean of the dominance of U.S. technology companies in pursuit of domestic tech production with significant data localization measures established. While proponents on the other end of the spectrum still envision an interconnected world of free-flowing data, albeit in a modified environment that maintains respect for data subjects' privacy, with a whole host variability in between both sides of the debate. 

At the IAPP Global Summit 2026 in Washington, D.C., panelists during several breakout sessions sought to provide clarity and nuance to the digital sovereignty conversation, while also opining on how the current geopolitical climate will shape that debate in the years to come. 

Defining 'digital sovereignty'

Hunton Andrews Kurth's Centre for Information Policy Leadership Bojana Bellamy, CIPP/E, said the concept of digital sovereignty relates to countries and their domestic industries seeking a "broader ability to control software, hardware and infrastructure." However, she said digital sovereignty has also become an umbrella term referring to several subcategories: Data sovereignty, advanced sovereignty, and now, sovereignty with respect developing artificial intelligence. 

Bellamy said data sovereignty involves the "control of data and when data designs are used." She said AI sovereignty measures are efforts by national governments to control "all the elements of AI from talent, to infrastructure, to data, to the stack ... by the state." Advanced sovereignty, she said, relates to ensuring all forms of digital sovereignty align with countries' existing laws and regulations concerning how a specific country asserts its sovereignty holistically. 

"What has changed in the last year is that many more countries are talking about digital data sovereignty, AI sovereignty, as a matter of their own industrial policy," Bellamy said. "Also, many company boards are now considering this a priority."

Joining Bellamy in the same breakout session was Mastercard Chief Privacy, AI and Data Responsibility Officer was Caroline Louveaux, CIPP/E, CIPM, who said the digital economy is undergoing a massive transformation driven by geopolitical events. She said privacy and data governance professionals, as well as policymakers, are realizing that the digital economy has, by and large, matured to the point where global data flows and storage are more secure. As a result, attention is shifting away from technical security concerns and toward questions of security and control, and, specifically, which nations control the systems that enable data flows and which domestic entities within those nations are responsible for collecting and storing the data. 

"The key question we are moving on from is can the data be adequately protected, which is a privacy question," Louveaux said. "Now it's a broader question about who controls the data and the systems that will shape our economy and society."

Why are governments seeking to achieve greater digital sovereignty?

Many of the discussions surrounding data sovereignty efforts have arisen out of frustration by governments and their respective private sectors over diverging global legal frameworks that impose inconsistent requirements for how data can be transferred to other jurisdictions and then processed.

Despite regulatory simplification efforts, such as the EU Digital Omnibus and AI Omnibus proposals that are being negotiated, in part, to ease compliance burdens on companies, NWong Strategies Principal Nicole Wong said there is still significant regulatory activity taking place in various jurisdictions but not necessarily from where technology regulations have historically originated. 

Using the example of the U.S. General Services Administration's new multiple award schedule guidance for prospective GSA contractors and the subcontractors they employ, Wong said the document's AI disclosure requirements contains "expansive definitions" around what constitutes government data and what becomes government property when an entity enters a contract with the agency. She said this approach of regulation by "individual negotiations" on an agency-by-agency basis will only complicate the overall legal environment for innovators if such policies are multiplied across jurisdictions and government entities. 

"That to me is not deregulatory, it's essentially a different kind of regulation and a different level of where it is taking place, and if our goal is to have an open field for AI innovation, I think our regulations need to be honed toward that," Wong said. "The question is whether the current regulatory scheme we're in is also creating openness and interoperability, and therefore, innovation."

Geopolitical forces acting on digital trade

Today, the push among countries to impose stricter digital sovereignty measures poses dilemmas for the global economy that is underpinned by how easily data can flow between jurisdictions. 

Perhaps no where else is this dilemma best exemplified than the ongoing digital trade dispute between the EU and U.S. that has seen U.S. President Donald Trump's administration lean on the EU to modify its digital rulebook to be less heavy-handed against U.S. technology firms when they have been found to violate EU laws, such as the EU General Data Protection Regulation, the Digital Markets Act and Digital Services Act. 

Irish Data Protection Commission Commissioner Dale Sunderland said when the GDPR was first adopted, there were a number of jurisdictions around the world that sought to align their data protection frameworks to be compatible with the GDPR's new requirements. Critically, he said, the U.S. was not one of them, and it has created a major geopolitical tug of war between EU regulators and American tech companies, and their backers across the U.S. political establishment. 

"Geopolitics has changed a lot," Sunderland said. "Privacy innovation is going to be critical, but if there are choices made by organizations to pull back from, it's going to make life much harder when they're working in a multi-jurisdictional context. If you come from the perspective of, 'let’s see what I can get away with,' in each jurisdiction, that all contributes to a sense of misalignment and diverging practices."

ASEAN offers example for maintaining data flows despite cultural, political diversity among countries

However, the countries party to the Association of Southeast Asian Nations, which includes Indonesia, Singapore, Thailand and Vietnam, may offer an example of how various domestic sovereignty measures can be respected, while also enabling data to flow between jurisdictions with minimal friction. 

Singapore's Personal Data Protection Commission Deputy Commissioner Denise Wong said despite varying forms of government among ASEAN countries, they each respect one another's economic interests and how their data protection frameworks operate within the broader concept of national sovereignty. 

"(Digital sovereignty) is about understanding what our values are, what our economic interests are, and then our interaction with technology has to respect that, whether it's the cloud, AI, data or digital as a whole," Wong said. "For ASEAN, it's a group of countries with very different economic contexts, very different journeys in terms of digitalization, so what does sovereignty and digital sovereignty mean in that economic and societal context? Part of it is about making sure there is trust in society, that technologies can be used with confidence and making sure the technology is clearly understood within existing risk management frameworks."

What's at stake

Ultimately, if world governments continue taking steps to turn back the clock on globalization by pursuing a sovereignty agenda in the strictest sense, it may usher in a new era where digital barriers among countries begin to resemble the hard physical borders they have erected between one another. 

Google Global Head of Privacy Policy Lanah Kammourieh Donnelly said if the day comes where countries retreat inward both economically and politically, less modernized economies will be particularly vulnerable because of transnational threat actors, who will continue to operate in a borderless environment, unlike cyber defenders who will be forced to operate in national siloes created under the guise of digital sovereignty. She said "digital autarky is impossible," given the highly interconnected nature of technology.

"(If in a) generation from now where the supply chains have been fundamentally rearranged and each country is trying to produce its own full stack entirely, you will deprive yourself of the best product at every level of the stack," Kammourieh Donnelly said. "Our adversaries are not localized. You don't want a single point of failure, so when we think about data localization, we immediately think about the biggest companies and their real strategic considerations, but the unintended consequences will play out in things like everyday security."