Global Data Sovereignty: A Comparative Overview
Published 01/06/2025
Written by Thales.
In a cloud-driven world where data is stored off-premises and distributed across global servers, the question of who controls data is complex. Maintaining control over data becomes increasingly crucial for businesses as data grows in value. This concern gave rise to the concept of data sovereignty, the principle that digital information is governed by the laws of the country in which it is stored. This principle addresses critical questions of ownership, protection, and third-party access.
The 2024 Thales Data Security Directions Council report, featuring insights from global security experts, highlights the complex landscape of data sovereignty. Emerging technologies like AI add to the challenge, amplifying data volume and complexity. With organizations demanding more data-driven decisions, they must navigate evolving regulations on data residency, privacy, and cross-border flows to meet heightened security demands.
Data sovereignty becomes crucial in ensuring that data handling aligns with strict privacy and security standards, particularly regarding access and stewardship in cloud-based and international contexts. Agnieszka Bruyere, VP of Cloud Growth and Public Sector, Oracle EMEA, said that determining who can access data “becomes more crucial as we consider all the data required for training purposes of AI models.”
Comparative Analysis of Global Privacy Laws
137 countries have data protection laws, and many more are considering implementing them. Besides the challenge of remembering all those acronyms and their association with the respective jurisdictions, businesses must understand the peculiarities of these laws.
The major data protection and privacy laws, the EU's GDPR, California's CCPA/CPRA, the UK GDPR, China's PIPL, India's PDPB, and Canada's PIPEDA, share foundational similarities, focusing on principles such as transparency, data minimization, security, and user consent. (India's Personal Data Protection Bill was withdrawn in 2022 and superseded by the Digital Personal Data Protection Act, 2023; the PDPB figures cited below reflect the earlier bill.) Each regulation aims to protect individual rights by establishing clear guidelines on data collection, processing, and storage. All of them grant rights to data subjects (the individuals the data is about), though the extent varies; GDPR and PIPL, for example, offer comprehensive rights such as access, deletion, correction, and portability. Most frameworks also impose organizational accountability requirements and penalties for non-compliance, reflecting a global push to prioritize data privacy and let individuals control their personal data.
Despite these shared goals, the regulations differ significantly in implementation, reflecting regional priorities and regulatory nuances. The EU and UK GDPR impose stringent cross-border transfer rules, requiring an adequacy decision or safeguards such as Standard Contractual Clauses. PIPL, by contrast, enforces strict data localization and government security reviews in the name of national security. CCPA/CPRA, unique to California, centers on the consumer's right to opt out of the sale or sharing of personal information and takes a light approach to cross-border transfers. PDPB likewise mandates that certain categories of data remain within India. PIPEDA, which applies primarily to private-sector organizations, emphasizes consent and transparency but has no comprehensive cross-border transfer regime.
The following table summarizes the essential requirements of these laws.
| Regulation | Scope | Core Principles | Individual Rights | Penalties | Unique Aspects | Cross-Border Restrictions |
|---|---|---|---|---|---|---|
| GDPR | EU, and any organization processing the data of individuals in the EU | Transparency, purpose limitation | Extensive (access, erasure, portability, etc.) | Up to €20 million or 4% of global annual turnover, whichever is higher | Strict on data protection and consent | Yes: adequacy decision or safeguards (e.g., SCCs) required |
| CCPA/CPRA | California, USA | Transparency, data minimization | Know, access, delete, correct (CPRA), opt out of sale/sharing | Up to $2,500 per violation, $7,500 per intentional violation | Emphasis on consumer opt-out and data sale | No specific international data requirements |
| UK GDPR | UK, and any organization processing UK data subjects' data | Mirrors GDPR | Same as GDPR | Up to £17.5 million or 4% of global annual turnover, whichever is higher | Adjusted for UK law | Yes, mirrors GDPR requirements |
| PIPL | China, and any organization processing Chinese individuals' data | Data minimization, consent | Access, correction, deletion | Up to ¥50 million or 5% of the prior year's annual revenue | Focus on national security and data localization | Yes, with strict government review |
| PDPB (2019 bill) | India, and any organization processing Indian data | Data minimization, purpose limitation | Confirmation, access, erasure | Up to ₹15 crore or 4% of global turnover | Critical personal data must stay in India | Sensitive personal data may go abroad with safeguards |
| PIPEDA | Canada (private sector) | Fair information principles | Access, correction | Up to CA$100,000 per violation | Emphasis on valid consent; employee data covered only for federally regulated organizations | No strict rules but encourages transparency |
Data Sovereignty Across Jurisdictions
The notion of data sovereignty is not uniform across all these laws and appears in varying degrees of emphasis and interpretation. Regulations like China’s PIPL and India’s PDPB explicitly mandate data localization or have stringent requirements for specific data to remain within their borders, driven by national security concerns. This strict approach to data sovereignty requires organizations to store or process particular types of sensitive or critical data within the country’s jurisdiction, making compliance especially rigorous for cross-border operations.
In contrast, GDPR and UK GDPR do not mandate data localization, but they impose strict controls on cross-border transfers. A transfer outside the EU or UK is permitted only to a jurisdiction covered by an adequacy decision or under safeguards such as Standard Contractual Clauses or Binding Corporate Rules, so the exporting organization remains responsible for keeping an essentially equivalent level of protection wherever the data is processed. Laws like CCPA/CPRA and Canada's PIPEDA are more lenient: they contain no explicit data sovereignty requirements and focus instead on transparency and on giving consumers some control over data sharing and selling, particularly for commercial or marketing purposes.
The Importance and Implications for Multi-cloud Businesses
“Global organizations operating in multiple jurisdictions face a complex web of local regulations, making it quite difficult to manage compliance with every one of them,” notes Ganesh Subramanya, Global Head of Data Security Practice, Cyber Security at Tata Consultancy Services.
The growth of cloud and multi-cloud environments adds further complexity to data sovereignty. When data is spread across multiple cloud platforms, each with its own controls and security protocols, demonstrating where data resides and who can reach it becomes harder. Data sprawl compounds the problem: the need to keep data accessible and secure while meeting regulatory and operational demands leads to duplication, with some applications remaining on-premises and copies accumulating across a multitude of storage systems that no single team controls.
Balancing increasingly stringent security requirements with the agility modern businesses need to thrive is another challenge for multi-cloud businesses as they try to transform security from a barrier to a driver of growth and innovation. In fact, Dr Avesta Hojjati, Head of R&D at DigiCert, said: “The biggest challenge is how to implement data sovereignty in a way that is technically feasible and usable.”
Indeed, multi-cloud, global companies must navigate conflicting data sovereignty requirements that complicate compliance efforts when data is stored across different jurisdictions. Complying with diverse regulations can increase operational costs and add to the complexity of managing data transfers. Moreover, the lack of uniformity in legal definitions of sensitive data and compliance requirements can create legal uncertainties and potential liabilities for entities operating internationally.
Maintaining Control of Data Security
Keeping tight control over data security, particularly through effective encryption and key management across multiple cloud environments, is essential for businesses to protect sensitive information and comply with regulatory requirements. Michael Tadault, Chief Technologist for Telco in APAC at Red Hat, explained: “Encryption is a key tool in ensuring data sovereignty. By encrypting data, we assert control over who can access it.”
However, as companies adopt multi-cloud strategies, managing each provider's differing security protocols and keeping encryption practices consistent becomes a challenge. Centralized key management, in which the organization holds its encryption keys outside any one provider's control and authorizes each use of them, lets it keep control of its data security at rest and in transit: encrypted data can be stored wherever operations demand, while the ability to read it stays with the key holder.
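The following is an added example, not code from Thales or from any of the vendors quoted above, showing the mechanism the two paragraphs above describe: envelope encryption, where each object is encrypted under its own data-encryption key (DEK) and the DEK is wrapped by a key-encryption key (KEK) that never leaves an organization-controlled key service. The key service, the jurisdiction policy, the sample customer record, and the "us-east-1" bucket name are all constructed for the example. The cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag so the file runs on the Python standard library alone; it stands in for AES-GCM, which is what a real deployment would use with keys held in a KMS or HSM.

```python
"""Envelope encryption under an organization-controlled key service (added example).
HMAC-SHA256 counter mode + encrypt-then-MAC stands in for AES-GCM so this runs on the
standard library alone; in production use AES-GCM with keys held in a real KMS/HSM."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range((length + 31) // 32))

def _mac_input(nonce: bytes, ciphertext: bytes, aad: bytes) -> bytes:
    return nonce + len(ciphertext).to_bytes(8, "big") + ciphertext + aad  # unambiguous framing

def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> tuple:
    """Return (nonce, ciphertext, tag); aad is authenticated but not encrypted."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")  # independent subkeys
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce, ciphertext, _prf(mac_key, _mac_input(nonce, ciphertext, aad))

def aead_decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if not hmac.compare_digest(_prf(mac_key, _mac_input(nonce, ciphertext, aad)), tag):
        raise ValueError("authentication failed: ciphertext, nonce or AAD was altered")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

class AccessDenied(Exception):
    pass

@dataclass
class KeyEntry:
    material: bytes
    jurisdiction: str  # callers must be in this jurisdiction to use the key (constructed policy)
    enabled: bool = True

@dataclass
class KeyManagementService:
    """Simulated KMS: KEKs never leave it; every use is policy-checked and audit-logged."""
    keys: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def create_key(self, key_id: str, jurisdiction: str) -> None:
        self.keys[key_id] = KeyEntry(os.urandom(32), jurisdiction)

    def disable_key(self, key_id: str) -> None:
        self.keys[key_id].enabled = False  # crypto-shred: everything wrapped under it is unreadable

    def _authorize(self, op: str, key_id: str, caller_jurisdiction: str) -> bytes:
        entry = self.keys.get(key_id)
        allowed = entry is not None and entry.enabled and entry.jurisdiction == caller_jurisdiction
        self.audit_log.append((op, key_id, caller_jurisdiction, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{op} with {key_id} denied for caller in {caller_jurisdiction}")
        return entry.material

    def wrap(self, key_id: str, dek: bytes, caller_jurisdiction: str) -> tuple:
        return aead_encrypt(self._authorize("wrap", key_id, caller_jurisdiction), dek, key_id.encode())

    def unwrap(self, key_id: str, wrapped: tuple, caller_jurisdiction: str) -> bytes:
        kek = self._authorize("unwrap", key_id, caller_jurisdiction)
        return aead_decrypt(kek, *wrapped, key_id.encode())

def envelope_encrypt(kms: KeyManagementService, key_id: str, plaintext: bytes, caller: str) -> dict:
    dek = os.urandom(32)  # fresh data-encryption key per object; only its wrapped form is stored
    nonce, ciphertext, tag = aead_encrypt(dek, plaintext, key_id.encode())
    return {"key_id": key_id, "wrapped_dek": kms.wrap(key_id, dek, caller),
            "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

def envelope_decrypt(kms: KeyManagementService, blob: dict, caller: str) -> bytes:
    dek = kms.unwrap(blob["key_id"], blob["wrapped_dek"], caller)
    return aead_decrypt(dek, blob["nonce"], blob["ciphertext"], blob["tag"], blob["key_id"].encode())

def demo() -> dict:
    """Store an EU record in a non-EU bucket and show who can read it back."""
    kms = KeyManagementService()
    kms.create_key("eu-customer-records", jurisdiction="EU")
    record = b"customer=anna.k;iban=DE89...;consent=marketing:no"  # constructed sample data
    bucket = {"us-east-1/records/0001": envelope_encrypt(kms, "eu-customer-records", record, "EU")}
    blob = bucket["us-east-1/records/0001"]  # sits outside the EU, but is opaque without the KMS
    tampered = dict(blob, ciphertext=bytes([blob["ciphertext"][0] ^ 0x01]) + blob["ciphertext"][1:])
    def attempt(b: dict, caller: str) -> str:
        try:
            return "ok" if envelope_decrypt(kms, b, caller) == record else "mismatch"
        except AccessDenied:
            return "denied"
        except ValueError:
            return "tamper-detected"
    results = {"eu_workload": attempt(blob, "EU"), "us_workload": attempt(blob, "US"),
               "eu_tampered": attempt(tampered, "EU")}
    kms.disable_key("eu-customer-records")  # revoking the KEK makes every copy unreadable
    results["eu_after_shred"] = attempt(blob, "EU")
    results["denies_logged"] = sum(1 for e in kms.audit_log if e[3] == "deny")
    return results
```

Running `demo()` shows the properties that matter for sovereignty: the ciphertext can live in a bucket in any region, but only a caller the key service's policy accepts can recover the DEK, a modified object is rejected before any plaintext is produced, every allow and deny is recorded in the key service's audit log, and disabling the KEK renders every copy of the data unreadable without touching the storage systems it has sprawled into.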
These controls are also critical for ensuring compliance with regulations like the Digital Operational Resilience Act (DORA). By implementing robust encryption, centralized key management, and secure data flows, organizations can address DORA’s requirements for operational resilience, particularly in managing ICT risks within financial services. DORA emphasizes the importance of safeguarding data as part of an organization’s broader strategy to maintain operational continuity and minimize risks associated with cyber threats and technological failures. Thus, adhering to these practices not only protects sensitive information but also supports compliance with both DORA and other relevant data protection laws.
Through robust key management strategies, companies can mitigate the risks associated with misconfigurations and unauthorized access while remaining compliant with a variety of regulatory requirements. Furthermore, a unified approach to encryption facilitates better visibility and control over data flows so organizations can respond quickly to potential threats and protect their data assets across cloud platforms.