Data Sovereignty: Threading The Regulatory Needle

~8 min read

Every move we make in cyberspace leaves a digital footprint. The emerging area of Data Sovereignty asks: in what ways are governments responsible for the data of citizenry, and who “owns” the digital paper trail that users of online services leave behind? Challenges around data sovereignty have swept across the regulatory landscapes in developed markets in recent years, and emerging markets as recently as last week, when Kenya passed new data protection laws. The task facing regulators is twofold: they must protect user privacy and public trust in institutions while also enabling innovation and profit in the private sector. In practice, do these competing concerns leave enough room for digital finance to thrive, or is it too difficult a needle to thread, given the particular sensitivity of financial data?

Data Sovereignty Unraveled

Data sovereignty, as a concept, focuses on information collected about real people in the real world which has been recorded in digital form - thus becoming subject to multiple and sometimes contradictory international regulatory regimes. These rules can be predicated on the nationality of the footprint-leaver, or on the law of the physical soil on which the digital footprint was left, or on the jurisdiction in which the relevant data center resides. These distinctions, and the data sovereignty practices which they imply, are complicated even further by the disaggregated nature of the internet and the rise of cloud-based storage. At the same time that data has become more mobile and accessible, it’s become more difficult to corral, legally speaking.

Contrary to popular belief, data uploaded to ‘the cloud’ does not exist in a disembodied ethereal void. A more accurate mental model might represent information uploaded on the cloud as being hosted on “someone else’s computer.” That “someone else”, in this case, often happens to be a multinational tech firm. Google, for example, hosts 13 data centers around the world and has another eight under construction. Along with Amazon, Facebook, and Microsoft, Google are leading the ‘race across the bottom’ connecting the world’s data centers to the global net via subterranean cables laid across the floors of the world’s oceans. Heading into 2020, undersea cables remain the lowest-cost, highest-efficiency way to get data around the world. Even in a cloud-first world, the physical routes individuals’ data take around the world do have a bearing on data sovereignty worries, and it is within this context that geopolitical issues can arise, along with fundamental questions around identity and privacy for end users.


The implications are weighty - not only for businesses whose operations rely on storing and analyzing customer data, but governments racing to catch up to the regulatory landscape of international relations developing online, and customers whose data - often described as the new oil - is mined and used in ethically dubious ways.

GDPR: An Off-the-rack Answer?

Back in 2016, the EU announced the looming General Data Protection Regulation, applicable to any company A) based in the EU; B) handling the data of EU-based individuals; or C) dealing with any organization handling such data - in other words, almost everyone. Early skepticism has generally given way to recognition that Brussels was a step ahead of the game; in the US, California is leading the way with new laws granting consumers the right to know what information companies are collecting about them, why, and with whom they’re sharing it. The state is also cognizant of the right to “be forgotten,” and of the need for stricter laws governing the sharing or sale of data on children younger than 16.

For digital financial service providers in Europe and elsewehere, GDPR is likely to be a speed bump at the best of times and a thorn in the side at worst. For example, Article 6 of the regulation requires explicit user consent for data processing, which sounds grave but in practice simply introduces an extra step in the adoption process. Articles 24 and 33, on the other hand, lay out extensive requirements for data "controllers", whose responsibilities include assessing risk, demonstrating compliance, and quickly reporting security breaches. The category of "controller" in GDPR-speak encompasses any entity who wants to make use of user data, which includes lenders, payment providers, insurers, and banks - in other words, anyone under the digital finance sun.

Such requirements, if taken in good faith, imply more investment and effort than a simple update in T&C -- although as GDPR critics point out, that's largely all that's happened in response to the regulation thus far. And While GDPR is, for better or worse, a needed move in the direction of data protection, most governments are playing catch-up, and Africa in particular remains the region with the most glaring gaps in data protection legislation.




Despite nascent efforts at harmonization across the region’s data protection laws, some common trends have emerged with respect to consent of the data subject, and most statutes have provided for the establishment of a data protection authority reporting to the telecommunications or ICT regulator. Compliance with such laws remains a challenge for smaller businesses, who are not always aware of their legal obligations (like the requirement to appoint a data protection officer), and records published by data protection authorities show that the vast majority of organizations engaged with notification and approval processes thus far on the continent are multinational businesses headquartered in Europe or America, public services, and local giants in banking and telecommunications.

Given Africa’s heavy reliance on internet routes through Europe (81% in 2017) - fledgling growth in local data centers aside - some African organizations and governments have expressed concern around ‘digital colonization’ of being forced to comply with European directives applying to African data which is, by necessity, hosted abroad. The ‘data localization’ movement - which attempts to mandate that politically and strategically sensitive data be kept in-country, or even on-premise at government facilities - has been met by skepticism from the academic community, who have cited the economic costs of such barriers to data flow on international trade and the human rights implications of what African governments themselves may do with powerful information on their own citizens.

The Danger of Knockoffs

These heady questions come at a time when the fundamental relationship between governments and corporations is under new scrutiny thanks to the unexpected ways in which companies are able to exert influence and power in the modern era of computing. The global data protection awakening may have been sparked by the Cambridge Analytica scandal (in which data on millions of Americans were used in service of a coordinated, hyper-targeted disinformation campaign on the eve of the 2016 election) but the current data sovereignty climate is also defined by the expansion of Russia’s and China’s digital soft power in African states. Last month, Facebook said it removed three Russian-backed influence networks on its site that were aimed at African countries including Mozambique, Cameroon, Sudan and Libya. At the same time, the social media giant is taking pains to distance itself from any responsibility to monitor ‘truth’ in political advertising on its platform, a more permissive stance than Google and Twitter have adopted.

For companies whose user baser doesn’t comprise a sixth of the planet, navigating the issues at the heart of data sovereignty poses an intersecting set of challenges: KYC and digital identity; cybersecurity and fraud prevention; and safeguarding surveillance abuse, to name just a few. The long list of issues raised by data sovereignty and protection are rapidly become less black-mirror and more black swan; worries of algorithmic predation are already cropping up in Kenya in the form of loans and betting. But threading the needle is tricky work for regulators. The internet is increasingly tied to productivity gains in international trade and recognized for its potential to stimulate microeconomic growth and financial inclusion for small to medium enterprises, like those engaged in e-commerce (already around 12 percent of international global goods trade) or even in Facebook’s particular brand of ‘f-commerce’.

Tailor-made Solutions

Regulators are not rolling over just yet. Despite the ascent of global corporations powerful enough to sway elections, the public sector still has some muscle to flex. If anything, state control of the internet is actually experiencing a resurgence of late. In response to unrest, Iran’s government shut off internet access in the country altogether this month, and troubling reports of surveillance tactics employed in Zimbabwe, plus the perennial concerns with surveillance in China prove that the state still has plenty to say about what its citizens do online.

Governments lacking the stomach for extreme measures, on the other hand, find themselves at a crossroads. Simply put, the need to safeguard personal and national interests conflicts with imperatives of economic growth. Approaches diverge. Brazil, for instance, offers an interesting counterpoint to the ‘strong data sovereignty’ postures of China and Russia; under President Rousseff, Brazil’s position was that data sovereignty is a citizen’s right. By contrast, India has approached data sovereignty from a private-sector-first perspective resembling the Western approach -- sensible given the national emphasis on protecting Western investments in its BPO market. Meanwhile, South Africa appears to be following a ‘wait and see’ approach to figuring out its data sovereignty stance, having so far emphasized public awareness and research through the office of the Information Regulator.

Ultimately, threading the needle of data sovereignty involves creating a system that produces opportunities for individual and collective economic activity without losing sight the safety and security of citizens. Additionally, against the reality of repressive governance, the private sector may have a role to play against state overreach and surveillance. In any case, a new paradigm for understanding data —and what rights pertain to it— is urgently needed if the internet will be a force for good in the 21st century. Governments (and citizens, for that matter) the world over would do well to draw on the environmental analogies currently gaining purchase in the collective consciousness: while an incremental erosion of privacy feels inconsequential, on the aggregate, a massive shift in the nature of privacy may cause fundamental damage to the social fabric.

As nation-states legislate what to do with their citizens’ data, momentum is growing around the idea of a ‘Bill of Data Rights’ which would guarantee rights relevant to the challenges newly faced by states, individuals, and corporations in the age of data. Such rights would be adapted to local regulations, and according to Martin Tisen (writing for MIT Tech Review) could include the following:

  • The right of the people to be secure against unreasonable surveillance shall not be violated.
  • No person shall have his or her behavior surreptitiously manipulated.
  • No person shall be unfairly discriminated against on the basis of data.

It’s a short list, but noticeably alike to other documents assessing human rights. A rights-based approach puts the citizen and user first, with any subsequent considerations subordinate to the interests of individuals. Where governments, multinational corporations, and imperfectly-understood tech intersect, putting the rights of the individual down in writing may be the only way to ensure they’re attended to.

© Mondato 2019

Image courtesy of Volha Flaxeco
Click to subscribe and receive a weekly Mondato Insight directly to your inbox. 
Author image
Mondato is a boutique management consulting firm specializing in strategic, commercial and operational support for the Digital Finance & Commerce (DFC) industry.
Washington DC Website