Written by Kai-Chih Chang
Image credit: Big_Data_Higgs by KamiPhuc/ Flickr, license: CC BY 2.0.
The concept of data sovereignty emphasises a country’s regulatory control over data within its borders. While this approach allows states to maintain oversight, traditional regulatory frameworks have primarily focused on restricting data usage and protecting data rather than harnessing its potential value. As data increasingly becomes a critical resource for the digital industry, states aiming to facilitate the development of their digital economy must adapt their regulatory concepts to better respond to industry needs. This article does not challenge the importance of maintaining or strengthening data regulation; instead, it highlights the equal necessity of facilitating the use of data. Furthermore, as the value of data exploitation becomes more widely recognised, it is important to develop rules that oversee such activities and ensure balanced protection of interests among all stakeholders.
Regulatory Structure over the Cyber Activities
From a traditional international law perspective, sovereignty represents the state’s supreme power over its territory and nationals. This supreme power ensures states are independent of each other and provides the state’s unchallengeable right to regulate within its territory. It is well known that states have long exercised jurisdiction to control and regulate subjects and matters within their territory. However, as the internet and digitisation have drastically transformed our lives and ways of living, the territorial boundaries that once divided between states and delineated their jurisdiction now face serious challenges. Although the physical territorial boundaries remain intact, the global operative features of internet connections now challenge the traditional divisions of state power. The borderless nature of the internet and its innovative uses present new regulatory challenges.
As more activities take place online, increasing amounts of data are transmitted through digital intermediaries. Much of this data includes personal, financial, and even sensitive information, which requires careful protection. Therefore, states must establish control and regulate how this information is managed. This increasing prevalence of online activities necessitates a fundamental shift in how states operate and regulate in the digital era, highlighting the necessity and inevitability of change.
In the initial stages of the Internet era, it took a while for the states to settle the disagreements about how jurisdictions should be exercised in cross-border Internet activities. Although it may seem absurd, the general rule is that states retain authority over events and subjects within their own territory, much like the traditional principle of sovereignty. While the principle that states can exercise jurisdiction over activities and data in cyberspace is not new, the challenge lies in determining the locations where these activities occur and where data is stored. Subsequent practices have established that a state’s regulatory authority over data hinges on two essential factors: either data must be located within its territory (i.e., where the data is stored), or it must relate to how data is used or processed within its borders (i.e., where the processing server is situated). This principle remains applicable even when data is transmitted globally or routed through countries unrelated to its use or storage.
Data sovereignty: the traditional sense
When we look up the term “data sovereignty,” the most prevalent definition we encounter is that “data is subject to the laws and governance structures of the country in which it is collected.” This definition reflects the regulatory practices that states exercise over digital activities. However, it is often overlooked that states do not always have the requisite connection to exercise authority over data or internet activities. In fact, the business models employed by digital companies complicate matters further, making it increasingly difficult for states to establish jurisdiction and effectively regulate these activities. In the digital business model, economies of scale matter, and the global-inter-connected feature of the internet made it easier for such a business model to be realised. Taking cloud services as an example, service providers can establish a data storage facility and provide services to customers elsewhere quickly with the help of an internet connection. Establishing a single, large data storage facility in an optimal location is likely to be more cost-effective for a company than setting up multiple small and disaggregated facilities across every area of operation. Consequently, it is rational for businesses to centralise their data storage in one or a few locations. Nonetheless, the direct consequence of such practices is that states without data stored within their territory would no longer be able to exercise control or regulate those data. Although it is possible to enforce extra-territorial jurisdiction, the required investment of resources and governmental collaboration made it an unfavourable option. While there are compelling and legitimate reasons for states to maintain control over data and internet activities, such as protecting personal data for human rights or constitutional reasons and sensitive data for national security considerations, the states need to develop a way to ensure its control and authority over data. As a result, a common strategy employed by states is to impose data localisation restrictions, which require that some or all data collected within their territory be stored domestically. This approach ensures that states maintain control and authority over data. These regulations are typically referred to as “data localisation” requirements. So, when states believe in retaining control over the utilisation or processing of data or want to minimise the risks that may occur during cross-border transmission, states may also require the data processing location to be within their territory.
The realisation of the multifaceted value of big data
Nowadays, storage and processing localisation requirements are the most commonly seen data localisation restrictions. Even though states have negotiated rules in various treaties and trade agreements to harmonise the regulations and minimise the negative impacts that data localisation restrictions may cause on the internet and data business, these rules are not going anywhere. Nevertheless, a more problematic development that pushes the states to strengthen their control over data is the emergence of new business models in the modern digital economy, such as data-driven advertising, personalised services, and predictive analytics.
With advancements in technology, big data analytics has become a widely used and often standardised tool for businesses. This approach enables companies to uncover previously unknown correlations, patterns, consumer preferences, and market opportunities, thereby enhancing decision-making and the development of commercial strategies. The rapid development and increasing use of artificial intelligence (AI) is another noticeable trend and business opportunity that cannot be ignored. However, despite the importance of algorithms and the computational power required for these tools to function, data is the critical material needed to make big data analytics or the development of AI possible. In big data analytics, the ability to perform any analysis hinges on the availability of data. For artificial intelligence, data is essential for training, testing, and refining the AI models. Ultimately, the effective use of AI is still contingent upon a consistent and reliable data supply. It is evident that the value of data is no longer limited to the information it carries but should be evaluated by the values it may generate.
Recently, the multifaceted value of data has gradually been noticed, and states are keen to expand their control over such value. In the recent French Digital Services Tax (DST) legislation that applies a 3 per cent tax to the revenues generated from online intermediation services and targeted online advertising, the rationale behind is that regardless of where the service is provided, the value of these services is at least partly contributed by data generated in France. From the fact that France took the standpoint that it should be entitled to enjoy part of such revenue, it suggests that the state is of the perspective that the sovereign shall not only have control and jurisdiction over data generated within its territory but should also enjoy the benefits derived from such data.
From Regulating to Facilitate Utilisation
Big Data Analytics and Artificial Intelligence are considered the future fuelling the fourth industrial revolution, and the value of data generated with these tools is broadly recognised. As the significance and value of data continue to rise, businesses and countries will likely compete for data in the same way they once did for essential natural resources. At the same time, states are enhancing their regulatory control over data to serve their own interests. If the trend of tightening regulation continues, this may inevitably lead to restricting data use and undermining its industrial applications and development.
Eventually, we may need a new regulatory framework to respond to such conflicting needs. However, before any policy or strategy develops, the stakeholders must rethink and understand data’s evolving role in the digital economy ecosystem. In addition to restricting the use of data to protect legitimate interests, the government should also actively encourage and facilitate exploiting data’s value so that it would not be left behind in this competition stage. Meanwhile, the industry should not only be narrowly interest-driven and seek to maximise its exploitation revenue but should recognise the interests of different stakeholders involved and equitably share the gained interests. Individuals should also understand that in addition to the individual interests attached to big data, the public has interests in collectively exploiting data’s value. After all, the digital economy cannot develop and flourish without the supply of data, and neither could the value of data be realised without further processing and exploitation. Ultimately, the only way to harness the benefits that data can offer and help develop in the digital economy is by establishing a collaboration strategy that balances the needs and interests of businesses, governments, and other stakeholders. However, the critical first step is to reassess the value of data and to understand the various interests and stakeholders involved.
This paper is a reflection of the 37th MIC Forum Fall, AI: Now and Next.
This article was published as part of a special issue on ‘Digital Governance in Taiwan’.
Taiwan Insight 