No, it’s not ‘unnecessarily burdensome’ to control your own data
According to a recent report, the State Department sent a cable urging U.S. diplomats to oppose international data sovereignty regulations like GDPR, characterizing these guardrails as “unnecessarily burdensome.”
In the cable, the State Department claims that data sovereignty regulations “disrupt global data flows, increase costs and cybersecurity risks, limit Artificial Intelligence (AI) and cloud services, and expand government control in ways that can undermine civil liberties and enable censorship.”
Underpinning this argument is both a legitimate concern and a critical misconception.
The truth is that actual data sovereignty is technical, not territorial.
Data localization is a blunt instrument trying to solve a sophisticated problem. Mandating that data stay within geographic boundaries doesn’t actually ensure that data owners retain control over how their information is accessed, used, or shared. People move; endpoints move; data must move.
European regulators have already defined what digital sovereignty actually requires. Specifically, in the aftermath of Schrems II, the European Data Protection Board made clear that sovereignty is preserved when data is strongly encrypted and the encryption keys remain solely under the control of the data owner in Europe. That clarity is often lost in broader geopolitical debates.
True data sovereignty requires governments, enterprises, and citizens to retain cryptographic authority over who can access their information, regardless of where it is processed. Forcing data to sit inside national borders accomplishes little if foreign vendors still hold the keys. Sovereignty is fundamentally a technical challenge: it depends on controlling access through encryption and authentication, not simply controlling physical location.
There is a widespread believe that data sovereignty is disruptive to innovation, commerce, and national security. This is a misconception.
The memo presents a false choice: That we must either accept unfettered cross-border data flows with minimal protections in place for the data owner, or implement burdensome localization requirements that stifle innovation and collaboration.
This is simply not true, and the rise of data-centric security proves it: From the U.S., to Five Eyes nations, to the Indo-Pacific, security leaders are embracing this model. Rather than focusing efforts solely on building a strong perimeter boundary, controls and policies must instead follow the data itself, wherever it moves — providing more resilient and contextual security for the data itself. This is the central pillar of the DoW’s own Zero Trust strategy, and the model for agencies across the U.S. federal government and beyond.
Even the Department of State’s own ITAR (the U.S. International Traffic in Arms Regulations) treat sensitive munitions data with location-specific requirements. There are good reasons for some types of sensitive information to be shielded from external eyes.
Context matters. We should not dismantle well-established data sovereignty standards without clear technical alternatives in place. Instead, we need to evaluate how to more effectively protect and govern sensitive data, without impeding the free flow of information.
Data-centric security fortifies data sovereignty and liberates secure data flows.
By shifting the focus from walls — border-specific protections, localization, and perimeters — to the data itself, you can fundamentally transform global data flows. When data is actually governed, tagged, and understood, it can move safely, through trusted channels, to achieve mission success.
In a data-centric security environment, a government agency can leverage cloud services from any provider while maintaining sovereign control over sensitive information by managing and hosting their own encryption keys, additionally providing resilience from third-party breaches with cloud service providers or other partners.
This isn’t theoretical. Modern data-centric security architectures are in production today, with open standards like the Trusted Data Format enabling platform-agnostic, global data sharing among partners. It’s the antithesis of a data silo, allowing data to travel under very specific conditions and with governance attached to each data object itself. The U.K.’s Operation Highmast is a prime example of the success that comes from dynamic, intelligent data sharing among trusted partners.
In an era defined by AI acceleration and geopolitical competition, sovereignty and interoperability must be engineered to reinforce one another — not framed as tradeoffs.
Angel Smith is the president of global public sector for Virtru.
