Do you know where your data is? The myth of data sovereignty

Article | 20.05.2026 | 8 mins read

Key takeaways

Data sovereignty is more complex than data location

Where data is stored does not always determine which country’s laws ultimately apply.

Cloud provider jurisdiction can undermine sovereignty and continuity

Foreign-owned cloud providers may be forced to follow overseas legal orders, causing service disruption.

Ongoing due diligence is essential to manage risk

Organisations must regularly reassess data location, ownership, and legal exposure throughout a service’s lifespan.

During these turbulent times, the concept of data sovereignty has increasingly become a topic of discussion in tech circles. We all know what data is, and most of us are familiar with the concepts of data privacy and data security, but the notion and meaning of data sovereignty deserve more attention given the increasingly heated geopolitical climate.

What is data sovereignty?

Data sovereignty, at its simplest, means that data created within a jurisdiction, and the rights and responsibilities associated with that data, will be subject to and governed by the laws, rules and regulations of the country where it was generated or created. In other words, data created in the UK, which may well include data related to state secrets, national security and policing issues, trade and client data or just the vast amounts of electronic communications that are generated every second of every day, should be subject to UK law.

Similarly, Chinese data would be subject to Chinese law, US data to US law, Indian data to Indian law, and so on. Governments, technology companies and security specialists spend considerable time and money ensuring that such data is securely stored and protected against bad actors, as indeed every one of us should take steps to ensure our data is safely stored and protected.

This seems straightforward, until you remember that data is not a tangible physical asset one can see, touch and lock away in a safe somewhere. Nor is it like a building, ship or rail network that one can look at and guard with a physical security team. Also, the sheer volume of data processed globally is astonishing. As of February 2026, approximately 402 million terabytes of data were being created each day, with 181 zettabytes generated in 2025 and an estimated 221 zettabytes to be generated in 2026. A zettabyte is the equivalent of 1 trillion gigabytes: equivalent to around 250 billion DVDs full of data, or, if you’re more old-school, enough data to fill 694 trillion floppy disks.

This data most likely resides in, and is accessed from, the many datacentres and servers spread across the world. The biggest and most prevalent of these datacentres are typically owned and/or managed by the largest global technology companies and their subsidiaries or by governments. The majority of the major global datacentres on the planet are physically located in the United States, China, the UK, Europe, Canada and India. The United States and China lead by a significant margin, both in the number of datacentres located in their jurisdiction and in the number owned worldwide.

Location, location, location

Now, one would assume that to guarantee data sovereignty an entity would seek to ensure that its data is stored in a datacentre located in its own jurisdiction. For example, a UK company would seek to ensure that its data is stored in a datacentre within the UK, a US company would prefer a datacentre in the US, and so on. This makes perfect sense in theory (“my sensitive UK data is stored in the UK and therefore governed and protected by applicable English laws”) and it seems logical and practical.

Yet it may be a fallacy. The companies that own and run these datacentres may not be headquartered in the jurisdictions where the datacentres themselves are located. As a consequence, these companies may not be subject to the law where the datacentres are located either. Remember, the majority of datacentres are owned and/or managed by the biggest technology companies in the world. These companies could be subject to and required to comply with the laws of their home jurisdictions. In practical terms, for the majority of cases these will be laws of either the US or China, including any laws in relation to ownership, control of, or governance of data.

The issue is this: if a US company running a datacentre located in the UK is ordered by the US government or courts to disable or switch off that datacentre, then what is the likely outcome? The US company, headquartered in the US, may have no choice but to comply, leading to access to that data being discontinued. At the very least it might lead to service disruption and/or protracted and costly legal proceedings while a conflict of laws is sorted out. Whatever the case, in the immediate term such action will lead to potentially catastrophic disruption to a business or organisation. Unfortunately, the likelihood of such disruption occurring, in the current geopolitical climate, is greater than one would like and suggests that the concept of data sovereignty may not be workable, or may even be a myth.

What should we be doing in the short term to mitigate against this? After all, it’s certainly not practicable for every organisation to retreat from the cloud and its datacentres and begin storing all of their data on systems they themselves own and manage.

The answer is to audit the systems you are using, as well as the providers of those systems and the company structure, governance and rules which may apply to the provider. Ask the following questions:

  • Where is data stored?

  • Where is the cloud and/or systems provider from and to whom is it legally accountable?

  • What laws and regulations govern the obligations and activities of the provider and what rights do you have in a dispute?

  • Are there any laws in the home jurisdiction of the provider or generally which could require the provider to discontinue, relocate, or otherwise amend its services?

These questions need to be asked, not just at the time of agreeing and signing contracts but throughout the lifetime of the service. If you or a provider amend or alter an existing service, the questions must be asked again. Make sure you are clear where your data is and what laws it is subject to and ensure you are notified in the event of any changes.

This will not necessarily guarantee the safety and control of your data, but it will ensure that you are informed as to the risks and advantages associated with the cloud service you are using. Properly informed, you are more likely to respond in the event of any unexpected circumstance which might harm your organisation and its work.

For advice on data ownership and data location, explore our data and privacy law service and see how our team supports clients in managing data-related risks before they disrupt operations or compromise compliance.
