Data sovereignty is the ability of a legal person or an organisation to control the conditions that data is shared under, and how that shared data is used, as if it were an economic asset.[1][2] It can apply to both primary data and secondary data derived from data, or metadata.[3] In order to use restricted data, data consumers must accept the conditions that it is provided under.[4] In turn, the legal persons sharing data must trust other entities with it. Trust can be supported through the use of a suitable secure information system (such as a data space) which identifies, authenticates, and certifies users.[5]
The data sovereignty of individual legal persons can conflict with national data sovereignty.[6] Currently, a natural person does not have a statutory right to exclusively control how their data is shared and used. However, they can make it part of a contract, and offer it as payment.[7] The most common method for a legal person to impose its data sovereignty is through contract law.[8] Such a contract includes the terms of use, access and control policies, commercial conditions and jurisdiction.[3]
The European Commission's Data Governance Act seeks to increase trust in data sharing. It defines how one legal entity can access data belonging to another while respecting its data sovereignty.[1][9] It aims to promote data sharing by allowing European citizens to choose to make their data available for the good of society.
Between December 2016 and 2019, the city of Barcelona, Spain, undertook a European Commission funded research project called Decentralised Citizens Owned Data Ecosystem (DECODE). This project applied data sovereignty principles to public procurement contracts and municipal internet of things sensors.[10][11] Citizens operated noise and air quality sensors and were allowed to control what data they shared, for what purpose, and what data they kept private.[12][13][14]
In 2019 the Gaia-X European data infrastructure project began. This project is developing solutions for the exchange of sovereign data, and working on a reference implementation.[15][16] The Gaia-X architecture uses digital services that establish identity and trust based on European data protection legislation. Trusted data consumers in a certified data space can receive data, but only use it according to the agreed terms, and the data provider retains control of the data.[17]