Data Sovereignty

Definition:

A legally enforceable authority that is asserted over data by any entity, including not only the laws imposed by governments and regulators, but also the legally binding contractual obligations between data providers and their customers.

Commentary:

• Sovereignty is not constrained by the location where the data is stored or processed:
• GDPR applies to “the processing of personal data … by a controller or processor not established in the Union”
• CCPA applies to organizations that collect data about California residents and meet certain criteria; these criteria do not include where those organizations are physically located.
• Sovereignty is not constrained by the location of the data subject:
• CCPA applies to personal information about “a natural person who is a California resident”, even when they are temporarily out of the state.
• Sovereignty is not the exclusive purview of states:
• Data providers’ contracts may stipulate how the data they provide can be used, where, and by whom.
• Sovereignty is not singular: the same data may be subject to the authority of multiple legal systems, e.g.:
o a social media post may be subject to multiple laws depending on where the post was made, where the poster is normally resident, where the contract between the poster and the social media provider is made, and where the readers of the post are located.
o Both GDPR and CCPA may apply if a California resident’s personal data is collected while she is visiting an EU territory.