The Battle for Data Sovereignty in the Digital Era

The careful use of personal data has led to numerous benefits, from tailored products and services to advancements in healthcare and better insurance rates for low-risk individuals. However, in a world where every click, search, and conversation leaves a digital footprint, people’s personal data has also become a valuable as well as a vulnerable asset. As powerful tools quietly record and extract our information, the question arises: who truly owns this data, and how secure is it from international entities? The battle for data sovereignty is not just about privacy; it is a matter of national security in an age of digital dependency. This raises a critical debate: whether individuals, communities, and nations should retain control over how their sensitive information is handled and shared.

What does Data Sovereignty Mean?

Data sovereignty is the principle under which data is subject to the laws of the country where it is stored. In a world driven by cloud computing and global data flows, storage location shapes privacy standards, access rights, and regulatory oversight. It is crucial for national security, economic independence, and personal privacy. Without it, countries risk exposing sensitive public information to interference and cyber threats, weakening their ability to defend against digital attacks. From a national defense perspective, data sovereignty ensures crucial information is protected from foreign surveillance and cyber espionage. To safeguard sensitive information, many countries enforce data localization laws, prompting cloud providers like Amazon Web Services (AWS) and Microsoft Azure to set up local data centers.

Economically, controlling data gives countries a strategic advantage by driving technological advancement and economic policy. It also strengthens local economies and promotes self-reliance, allowing domestic industries to thrive without being overshadowed by global tech giants. Similarly, on an individual level, data sovereignty protects personal privacy. In an era where data is often harvested without consent, strong data governance empowers users by constraining access to their data and enhancing transparency about how it is collected and used. This reinforces the fundamental right to privacy and data independence, ensuring that personal data belongs to the user, not the service provider.

The consequences of weak data sovereignty become clear through real-world incidents. The 2017 Equifax breach exposed the personal data of 147 million people, including Social Security numbers and credit card information — a catastrophic failure in data protection. Undetected for 76 days, the delayed response left millions at risk of identity theft and fraud. The fallout included lawsuits, a USD 700 million settlement, and lasting damage to Equifax’s reputation.

Similarly, the Cambridge Analytica scandal revealed how mishandled data can threaten democracy. In 2018, it was discovered that the company harvested millions of Facebook users’ data without consent through a third-party app. This data was used to influence political campaigns like the 2016 US election and Brexit referendum, exposing the dangers of poor data governance and the far-reaching impact of compromised data sovereignty.

Current Scenario of Data Sovereignty Around the World

When we use the internet, our data is not just on personal devices, but stored on servers in various countries. Data sovereignty is the concept that a country has the right to regulate data within its borders. This allows governments to regulate its collection, storage, and transfer, making sure data is protected and used correctly. However, since the internet makes it easy to send and store data across different countries, it can be confusing which country’s laws should apply. This creates issues of jurisdiction and control, meaning countries may argue over who is responsible for the data and how it should be handled. To protect important information, many governments have made laws that say certain types of data, like financial records, remain within national borders, so they do not fall into the wrong hands. However, it is still complicated because businesses operate across multiple jurisdictions, meaning they have offices and customers in many countries and must follow different rules in each place. Another major issue is cybercrime. A study by IBM found that companies take an average of 197 days to detect a data breach, which means hackers can steal information and sell it before anyone even realizes there is a problem.

Legalities Around the World on Data Security

To date, nearly 120 countries around the globe have established privacy and security regulations that protect residents’ data privacy and security. One notable example is the European Union’s General Data Protection Regulation (GDPR), which enforces strict data localization and protection requirements. It is described as a comprehensive privacy and protection legislation and is widely seen as the benchmark for data protections around the world. Enacted in 2016 and implemented in 2018, the GDPR establishes strong safeguards, including the right to privacy, consent, transparency, access, rectification, data portability, and security. It applies not only to entities within the EU but also to any organization processing the personal data of EU residents, ensuring accountability through strict compliance measures and steep fines of up to 4% of global revenue for violations. Additionally, the law mandates clear privacy notices, breach notifications, and the right to be forgotten, reinforcing individual control over personal data.

Another influential model is the California Consumer Privacy Act (CCPA), along with its amendment, the California Privacy Rights Act (CPRA). While not as comprehensive as the GDPR, the CCPA introduced landmark consumer rights in the U.S., including the right to know what personal data is collected, the right to delete data, and the right to opt out of data sales. The CPRA further strengthens consumer protections by introducing stricter compliance obligations for businesses, creating a dedicated privacy enforcement agency, and enhancing opt-out rights for targeted advertising.

Similarly, China’s Cybersecurity Law emphasizes national sovereignty by requiring that all personal and critical data collected within China be stored on local servers. This approach reflects a growing trend where nations seek to strengthen control over the data within their borders to enhance security, protect privacy and ensure regulatory compliance. As data increasingly flows across borders via cloud infrastructures, governments face the complex tasks of navigating overlapping jurisdictions and legal obligations. In this interconnected digital age, China’s approach highlights the importance of developing adaptable legal frameworks and fostering international cooperation to manage data governance effectively. These laws have led to regulators increasingly holding companies accountable for data rights violations, as seen in recent enforcement actions against Meta.

South Korea’s Personal Information Protection Commission fined Meta KRW 21.6 billion (USD 15 million) for illegally collecting and sharing sensitive data from 980,000 Facebook users without proper consent. Meanwhile, Ireland’s Data Protection Commission fined Meta EUR 251 million for failing to implement adequate privacy safeguards when transferring EU user data to the U.S., violating GDPR regulations. Similarly, the Dutch Data Protection Authority fined Netflix EUR 4.75 million (USD 4.98 million) for failing to adequately inform customers about its use of their personal data between 2018 and 2020.

Current Scenario of Data Security Laws in Nepal

Nepal has several laws related to data protection, but they are not well connected or comprehensive. Some of the important laws include the Individual Privacy Act 2018, Privacy Regulation 2020, Muluki Criminal Code 2017, and some other sector-specific laws. However, it lacks one singular main law that covers everything about data protection, which leads to confusion and weak enforcement. The laws do not provide clear rules about how personal data should be shared across countries, which is important to avoid problems like data leaks or privacy violations. While the law says companies should ask for permission before collecting your data, there are some exceptions, like for national security or emergencies, which may affect how well your privacy is protected. Even though there are some laws like the Electronic Transactions Act 2006 and the National ID and Civil Registration Act 2019 that help protect data in certain areas, they still do not ensure total protection for people’s personal information.

Nepal should establish a single comprehensive data protection law, supported by a dedicated agency to ensure compliance. Clear guidelines for international data transfers are needed to prevent misuse, and exceptions for data collection without consent should be limited and well-defined. Collaboration between the government and private companies is essential to strengthen rules that safeguard personal information and make the internet safer for users in Nepal. Without better laws, problems like the acquisition of Nepali startups by foreign firms and data breaches involving telecom companies will continue to happen. If Nepal adopts better rules, it can protect people’s data while encouraging businesses to grow and invest in the country.

Conclusion

Data protection stands at the frontline of a digital battlefield where the stakes are nothing less than our fundamental rights and freedoms. As technology races ahead, tracking our every move through the Internet of Things and making life-altering decisions with AI, laws and regulations struggle to keep pace, leaving dangerous gaps vulnerable to exploitation. The rise of algorithmic biases in policing, immigration, and biometric systems exposes the chilling consequences of unchecked data use, threatening fairness and transparency. This is not just a call for better governance; it is a fight for individual autonomy and global stability. Governments must act decisively by enacting comprehensive data protection laws and establishing independent regulators, while organizations must take accountability through rigid security measures and relentless vigilance. But the responsibility does not end there; each of us must safeguard our digital presence, demand transparency, and know our rights. In an era where data is power, the question is no longer whether our privacy will be compromised but when. The real question is: When it happens, will we be ready to fight back?