Home

Donate
Perspective

Data Sovereignty Doesn’t Mean Data Isolationism

Luca Belli / Jul 15, 2026
Republish

Digital sovereignty, data sovereignty and AI sovereignty are highly prominent digital policy issues. Yet like many concepts propelled by political debates and turbocharged by geopolitical change, these terms risk being stretched beyond analytical usefulness. Definitions vary, evidence for policy suggestions is often thin, and debates are frequently driven more by opinions and rhetoric than by evidence-based analyses.

This article draws on multiple years of research conducted within the CyberBRICS program and multistakeholder debates on data governance within the CPDP LatAm conference, both organized by CTS-FGV, the Center for Technology and Society at FGV Law School in Rio de Janeiro. Rather than focusing narrowly on legislative developments, our work has analyzed how emerging economies may translate sovereignty claims into concrete digital, industrial and developmental policies. This perspective reveals a more operational understanding of data sovereignty, rooted less in formal legal prescriptions than in the capacity to shape and benefit from digital transformation.

Indeed, across leading emerging economies, data is increasingly treated as a strategic resource that warrants protection but, crucially, must also be mobilized for development. From this standpoint, data sovereignty is not synonymous with autarky or isolationism. It is better understood as the capacity to know how and why data are processed, by whom; to develop the technical means to process and extract value fairly from data; and to regulate these processes effectively. In short, it entails retaining and upgrading what has been defined as “informational self-determination” over the past four decades.

Self-determination as a foundation

Digital sovereignty can be seen as an extension of the longstanding principle of self-determination. Enshrined in Article 1 of the UN Charter and reaffirmed in the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR), this principle stipulates the peoples’ fundamental right to “pursue their economic, social and cultural development.” Within a digital context, this right acquires a technological dimension: control over data and digital infrastructures becomes integral to the ability to chart an autonomous developmental path.

This conception aligns with what I defined as “Good Digital Sovereignty,” which rejects authoritarian and protectionist conceptions of digital sovereignty and embraces the use of technology to foster development, innovation and competition, in accordance with constitutional values. Sovereignty, in this view, can be exercised by a plurality of actors—public, private and community-based—provided they possess the capacity to understand, use and develop digital technologies. Sovereignty thus depends as much on operational capability as on regulatory authority.

The legal dimension is nonetheless foundational. Informational self-determination was first recognized by the German Constitutional Court in its landmark 1983 Census decision and reaffirmed more recently by the Inter-American Court of Human Rights in the 2023 CAJAR case. It constitutes a standalone fundamental right requiring active state protection.

Traditionally associated with personal data protection, this right must now be interpreted more broadly. Indeed, it seems increasingly evident it has both individual and collective dimensions: individuals should control their personal data, but administrations, corporations and entire societies, too, should be able to exercise control and derive value from the data they generate.

The link to digital sovereignty is direct. Autonomy, whether individual or collective, presupposes not only formal rights, but also effective control over the technological systems that produce, process and monetize data.

The new oil?

Over the past two decades data has been routinely described as “the new oil.” Yet the analogy is misleading if taken at face value. Unlike oil, data is often extracted without meaningful compensation or control. Vast quantities of valuable information—generated by individuals, public institutions, researchers and businesses—are effectively ceded to a small number of global technology firms that subsequently refine them, reselling the refined product extracting enormous value, and selectively sharing insight with national intelligence agencies.

Data is remarkably different from oil. Oil is largely fungible regardless of whether it is extracted in Brazil, Norway or Texas, and is depleted once consumed. Data is inherently contextual and non-rival. Information generated by Brazilian courts and administrations, Norwegian researchers or Texan consumers is unique, cannot be replicated elsewhere, reveals unique insights and—potentially—can be reused to fuel large-scale analytics and train proprietary AI systems indefinitely.

The rise of generative AI intensifies this dynamic. Users are not merely consumers: they actively work to contribute high-value data that plays an essential role in training AI systems. A few global firms extract local data to commercialize AI worldwide, capturing value away from its source.

Breaking this pattern requires more than rhetorical recognition of data as “a new asset class.” It demands the capacity to understand how data-processing technologies function, to develop alternative technologies domestically, and to regulate them effectively. Absent these capabilities, countries—especially in the Global Majority—risk reproducing and exacerbating historical patterns of dependency, becoming suppliers of informational raw materials without sharing in the economic and technological gains.

Crucially, simplistic policy responses are inadequate. Data localization, which consists of storing data within national borders, is often presented as a solution. In practice, it is no panacea. Data may remain subject to foreign jurisdiction through extraterritorial laws; they may be replicated across global infrastructures on which neither individuals nor national regulators exercise any control or oversight; and may be accessed by foreign governments and processed by foreign-controlled platforms irrespective of where they are stored.

Without broader strategies connecting stringent cybersecurity requirements—including robust controls over access to cryptographic keys—to the development of local infrastructure and technological capabilities, localization, per se, risks being largely symbolic.

The limits of regulation and the untapped potential of fiscal policy

The proliferation of data protection laws over the past decades reflects an important normative shift. Yet the assumption that legal frameworks alone can secure data sovereignty is flawed. Sovereignty depends not only on the existence of rules but on the capacity to enforce them and to shape the environment in which they operate.

Adopting data protection legislation is necessary, but the mere existence of a law does not guarantee effective control over data and the AI systems they feed. Enforcement agencies typically lack resources, technical expertise, and political support necessary to regulate effectively.

Without an industrial policy that actively promotes investment in technological capabilities, well-intentioned laws risk becoming either empty aspirations or an excessive burden on small and medium enterprises. This gap between formal regulation and practical reality is particularly pronounced in developing economies. There, the challenge is not merely to import regulatory models but to build the underlying ecosystem, including human capital, research infrastructure, and industrial capabilities, required to make those models effective.

In this perspective, if data is a source of economic value, then questions of equity and distribution of such value become unavoidable in order to support the aforementioned policies. Who captures the value generated by data, and on what terms? Here, taxation should be understood not only as a revenue-generating tool but as a regulatory instrument. Properly designed, tax policies can incentivize responsible data governance, encourage investment in local ecosystems, and discourage business models based on the massive extraction and concentration of data.

At present, in most jurisdictions such policies are largely absent. A telling illustration is the principle of data minimization, also framed as the “necessity” principle, which requires that only personal data strictly needed for a specific purpose be collected and processed. While normatively appealing, its practical application is frequently undermined by prevailing economic incentives. In the context of AI development in particular, the dominant logic is one of data maximization: market advantage accrues to actors capable of amassing and processing the largest possible datasets, often through indiscriminate scraping practices that sit uneasily with both data protection and copyright frameworks.

In the absence of fiscal or regulatory mechanisms that reward data minimization and put a price on uncontrolled data maximization, there is little incentive to adhere to normative principles. This situation undermines both data protection and fiscal sovereignty. It creates an asymmetry in which both data and value are extracted from one jurisdiction but realized in another, exacerbating global inequalities.

Brussels Effect or Dunning–Kruger Effect?

The “Brussels Effect” is often cited as evidence of the European Union’s ability to shape global regulatory standards, notably through the diffusion of GDPR-inspired data protection regimes. This influence is real and has contributed to a degree of legislative convergence. Yet it may also have fostered a misleading sense of sufficiency.

The prominence of data protection law as the primary tool of digital governance risks encouraging regulatory overconfidence. In this sense, the comparison with another phenomenon, the Dunning–Kruger effect, is apt: the existence of sophisticated legal frameworks can create the illusion of control, masking deeper structural limitations.

Adopting a law does not equate to technological autonomy. Nor does it, by itself, ensure effective control over data flows, infrastructures or enforcement contexts. Extraterritorial legal regimes, the operational practices of global service providers, the concentration of digital infrastructure, and the limited capacity of regulators all constrain the ability of both individuals and states to meaningfully exercise informational self-determination.

Addressing these challenges requires a more integrated approach, coordinating policies spanning education, research, industrial development, tax reform, digital infrastructure, cybersecurity and data governance. Absent such coordination, countries remain vulnerable, dependent on foreign technologies and subject to external control over critical digital resources.

Data sovereignty, therefore, is a composite condition, requiring the alignment of legal authority, developmental capabilities and governance capacity. This will be the focus of the upcoming CPDP LatAm conference, dedicated to “Data Governance for Digital Sovereignty, Cooperation, and Interoperability.” Considering these dimensions as quintessentially intertwined is instrumental to move beyond symbolic assertions and achieve genuine control over one’s digital future.

Support Tech Policy Press
If you've found our work helpful, consider supporting us.

Authors

Luca Belli
Dr. Luca Belli is Professor of Digital Governance and Regulation at Fundação Getulio Vargas (FGV) Law School, Rio de Janeiro, where he directs the Center for Technology and Society (CTS-FGV) and the CyberBRICS project. Luca is also editor of the International Data Privacy Law (IDPL) Journal, publish...

Topics

Related

Perspective
Does Europe Really Have a Plan for Tech Sovereignty?June 29, 2026
News
EU Unveils Sweeping Tech Sovereignty Push, Balancing Autonomy with OpennessJune 3, 2026
Analysis
Brazil is Learning Achieving Tech Sovereignty is Easier Said Than DoneOctober 23, 2025