For a long time, data sovereignty has been understood through the lens of localisation. Over the past decade, data localisation laws have been expanding as worries about sovereignty and cybersecurity have grown more acute. By early 2023, there were 100 of these measures affecting 40 countries, with more than two-thirds requiring local data storage and prohibiting flows. Ville Sirviö, the CEO of the Nordic Institute for Interoperability Solutions (NIIS), thinks this approach can sometimes miss the wider principle at play.
“When we think about data sovereignty, we should really be thinking about who the owners of that infrastructure really are. I wouldn’t call it sovereign if there is a data centre in Europe, of which 51–100% of the control is elsewhere,” Sirviö tells Investment Monitor. “I don’t think it is a question of law, it is a question about the basic principles of ownership.”
Go deeper with GlobalData
Discover B2B Marketing That Performs
Combine business intelligence and editorial excellence to reach engaged professionals across 36 leading media platforms.
Sirviö is generally unconvinced by the ‘sovereign’ cloud options being offered by US tech companies in Europe. “If anyone controls more than 51%, that is the real control over everything. Who owns the company owns all of its infrastructure,” he says.
He also cautions against putting too much value on localisation strategies, even with domestic ownership. In the past, some European countries felt like storing data on-premise out of distrust for cloud services was a viable strategy, but events like Russia’s invasion of Ukraine show how dangerous it can be to rely on a single approach. “In Ukraine, they have been using the cloud. Without it, much of the data could have been stolen or destroyed,” Sirviö says.
The rise of strategies such as data embassies reflects an awareness of the dangers of storing critical data in a single location. In 2017, Estonia established the first data embassy in Luxembourg, which holds backups of the country’s critical data to hedge against cyber and climate threats. An adviser to the country’s Ministry of Digital affairs noted a potential threat from Russia as a driver for the strategy: “It is not a secret that if we look at Estonia’s neighbours, then some are not so friendly to us.”
Proprietary versus open source
Another important aspect of data sovereignty, Sirviö notes, is the nature of the digital solutions being employed. When governments build digital public infrastructure (DPI), for example, he says they should aim to favour open-source strategies – where source code is made collaboratively and is freely available, enabling changes and redistribution – over proprietary solutions often provided by foreign companies.
US Tariffs are shifting - will you react or anticipate?
Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.
By GlobalData“The implementation is critical because that is setting the basis for the life cycle of the product, and how much it can be either developed further and operated locally, or how much it relies on foreign resources,” he says.
NIIS is a supporter and creator of open source tools. The organisation developed X-Road, an open-source, secure data exchange layer enabling data transfers over the internet between private and public sector organisations. It was recently added to the Tech Sovereignty Catalogue, a European initiative that showcases domestic digital solutions across the tech stack.
Taking this approach would help prevent vendor lock-in in DPI, where governments become so dependent on a single service provider that it becomes difficult to switch, he says.
While Sirviö has heard fears around ‘kill switches’ being deployed by US tech firms, he warns there are plenty of other levers that governments can pull to disrupt the flow of services, such as export taxes. For example, if a country whose companies provide software for a government elsewhere changes its export taxes overnight to 20%, that would show up in end-user billing.
“What would it mean for a government which has $1bn of purchases per year? It is not just kill switches, disruption can come from other means which can be financially disruptive,” he says.
Still, Sirviö notes it is not a “black and white” discussion, as many places lack the necessary resources to invest in domestic open source approaches and therefore must rely on foreign proprietary solutions.
“In some cases, I must admit, that it is even better for some countries to get at least a proprietary solution instead of getting nothing with an open source strategy,” he says.
