Data and privacy

Digital sovereignty and the rise of data spaces: What does it mean for business?

Digital sovereignty has shaped how businesses use data for many years, and with AI and data spaces proliferating, its influence will grow.

Art by

Paul Sizer

Share article

Data. It seems businesses can’t live with it – without big friction – and can’t live without it. Cory Doctorow wrote for Secure Futures in 2020 that data – rather than being the ‘new oil’ – can fast become toxic waste, without due attention to minimization and proper management.

Now data fuels almost every business, it’s critical leaders understand the next evolution of data regulation – digital sovereignty – and how it applies to their work. It’s not just about complying with the law, but an opportunity for competitive advantage with the bonus of enhancing customer trust.

In our podcast Insight Story, experts Ben Farrand (UK,) Professor in Law and Emerging Technologies at Newcastle University and Sille Sepp (Finland,) Director of Operations at MyData Global, explore how business can do better in an increasingly interconnected world. Dr. Amin Hasbini of Kaspersky’s Global Research and Analysis Team talks about the role of transparency in digital sovereignty, and why sharing intelligence makes good business sense.

What is digital sovereignty, and what does it mean for business?

Ben says, “Digital sovereignty is about geopolitics. We’re seeing increasing tensions between states and concern over the power of big market players like Google, Amazon and Facebook in the US and Chinese companies like Baidu, Alibaba and Tencent. When data moves between countries, there may be detrimental impacts from geopolitics and national regimes, regulations or policies.”

Against this backdrop, the EU introduced its General Data Protection Regulation (GDPR) in 2016, providing that identifying, personal or sensitive data about EU citizens kept anywhere in the world is governed by EU law.

GDPR and digital sovereignty more broadly mean companies must think about the legal implications of their cross-border interactions.

Ben Farrand, Professor in Law and Emerging Technologies, Newcastle University

Ben recommends firms wanting to trade more internationally have people dedicated to data security and digital sovereignty. “Companies handling EU citizens’ personal data need someone aware of how to comply with GDPR’s requirements. In the EU and UK, they’re often called data protection officers. They must know data security protocols, and how data can and can’t be used.”

Can state concerns and business interests align?

Businesses often don’t have the same priorities as nations. Is digital sovereignty making it harder to trade internationally?

Ben says, “Digital sovereignty covers the whole supply chain from raw materials to cybersecurity services. For example, when supply chains for semiconductors collapsed during the pandemic, shutting some car manufacturers, the EU, China and the US started seeking more control of resources.”

But he questions the merit of attempts at strategic autonomy in today’s world.

Interdependence is the nature of 21st-century life. No matter how much desire for increased control and demonstrating countries’ sovereignty, supply chains are global, making cooperation essential.

Ben Farrand, Professor in Law and Emerging Technologies at Newcastle University

Getting ahead of compliance with data ethics

Digital sovereignty is on the radar for many businesses, but those who go the extra mile to do the right thing, rather than simply comply, may see advantages.

Ben says, “We’ll see both ‘stick’ and ‘carrot’ regulation. There’s much legislation about investment, like the US CHIPS and Science Act, around how companies can cooperate and seek funding to diversify supply chains, for improving trade relations with third parties in ways that build resilience.”

Businesses should also note a growing focus on regulating social media platforms, given its role in communicating with customers.

The EU recently passed the Digital Services Act. It applies to content on social media platforms and search engines that may be illegal in member states, such as hate speech or trade in prohibited goods,” says Ben.

The legislation isn’t concerned with individual instances of illegal content but requires social media platforms and search engines to have transparency, accountability and oversight systems.

Ben sees benefits for business. “Companies don’t want to be associated with illegal or immoral things. They already manage this by pulling advertising or moving over to other platforms. Digital sovereignty isn’t just coming from regulation, but market-based decisions.”

AI and digital sovereignty

The explosion of AI systems has made it even more important that organizations are clear on data ownership.

Ben sees regulation in this field coming soon. “The EU is talking about regulating high-risk systems because they believe AI shouldn’t be doing some things.”

And it’s not just the EU. “At the AI Safety Summit hosted by UK Prime Minister Rishi Sunak in November 2023, there was an agreement between the EU, US, China and others to take a united approach in managing high-risk systems.”

Again, there are business opportunities. “New technologies arise from regulation like the ‘federated computing‘ approach, where you train AI on data sets remotely then communicate only the outcomes centrally, minimizing data privacy risks,” explains Ben.

Making space for data security and data power

All businesses want to use their data better for innovation and growth. But it may be challenging to do so securely, fairly and in ways customers trust. Data spaces are one tool for addressing safe and ethical data use while leveraging its power for better business.

Sille Sepp, Director of Operations, MyData Global

Sille Sepp is Director of Operations at human-centered data non-profit MyDataGlobal. She explains data spaces: “They’re a systemic approach to increasing trust and sovereignty in sharing and using data across organizations and sectors. It’s not just technological infrastructure but includes business, legal and operational layers for trustworthy data sharing.” Examples include the Smart Connected Supplier Network for manufacturing supply chains and Catena-X for automotive supply chains.

MyData is involved in a cross-data space project, Data Spaces Support Center, and preparing for the Data Space for Skills. Businesses can join projects as a data provider, data user or enabling service, or look at creating their own data space with collaborators.

Sille recommends how to start: “As a partner in the Data Spaces Support Center, I recommend exploring the website, the repositories of initiatives and the contributing partners. Associations like International Data Spaces, Gaia-X and FIWARE have long mapped data space work.”

Data spaces go beyond EU-based businesses. “Many initiatives collaborate with international partners and look at business cases that will bring global benefits,” says Sille.

Sille highlights the need to put customer control of their data at the heart of developing data spaces. “When developing design principles and architecture for data spaces, we must embed human-centric principles. There are ways to empower people through design choices. Businesses can get involved as enabling services – intermediaries that serve the interests of individuals, managing permissions and returning value to them.”

Transparency’s role in digital sovereignty

Dr. Amin Hasbini of Kaspersky’s Global Research and Analysis Team explains how tech businesses can use transparency centers to uphold different states’ digital sovereignty worldwide. “Digital sovereignty means companies, especially multinationals operating in digital, need tools that comply with regulation in countries where they operate. As an example, Kaspersky operates transparency centers in several countries. These let entities check code to ensure it complies with their laws.”

But he thinks international firms can go further in building regulators’ trust.

Cooperation is the way to go. We start by sharing intelligence about recent attacks in the region. This brings discussions into a better place.

Dr. Amin Hasbini, Global Research and Analysis Team, Kaspersky

Sharing also benefits the industry as a whole. “We publish many of our threat intelligence findings, which means better threat visibility for everyone. The cybersecurity community can build on our findings,” says Amin.

Taking the first steps into digital sovereignty

Ben advises businesses to consider the basics as they start exploring digital sovereignty. “What data are you collecting and where does it go? Once you know that, you can think through the implications: Security provisions you may need to protect data within your company and outside. Think first about why you need this data, and that will help you define every step of the process.”

Let’s be super clear: Digital sovereignty, like all matters of global trade, is complex. It’s not an off-the-shelf charter or compliance checklist. Enterprises should grasp the opportunity now to get involved with data spaces and other cooperation projects to shape the new international standards for data.

Digital sovereignty regulation will only grow – particularly around the use of AI. Businesses should think through how they use data and what security should be in place to safeguard it. Digital sovereignty also presents opportunities for better business, such as through data spaces and transparency initiatives.

Kaspersky Global Transparency Initiative

Our concrete measures to engage the cybersecurity community and stakeholders in verifying our products’ trustworthiness.

About authors

Susi O’Neill is the Editor-in-Chief of Secure Futures and host of business tech podcast Insight Story. She’s a seasoned creative who’s led business content programs for brands including EY, Mastercard and Unilever. Off the clock, she’s a musician and performer who gives international performances playing theremin, the world’s first electronic instrument.