
May 12 2026
Data Analytics

What Is Data Sovereignty in the Context of the Public Sector?

Data sovereignty has direct implications for legal authority, compliance and risk management in state and local government.

As state and local governments accelerate cloud adoption and deploy artificial intelligence tools, data sovereignty is emerging as a foundational issue for IT and policy leaders.

At its core, data sovereignty is about control: specifically, who has legal authority over government data. Sushila Nair, CEO of Cybernetic and president of the ISACA Greater Washington, D.C. Chapter, defines it this way: “Data sovereignty is a government's legal authority to control, access, protect and govern data within its jurisdictional order — and to assert or defend that authority against competing claims from other legal systems.”

For public sector organizations, that authority is not abstract. State agencies collect and manage sensitive data — from benefits records and health information to criminal justice data — under specific legal mandates. Citizens expect that data to be governed within the legal framework in which it was collected.

However, modern IT environments complicate that expectation. As data moves into cloud platforms and distributed systems, it may become subject to multiple jurisdictions simultaneously. Nair points to laws such as the U.S. CLOUD Act as a key example of this complexity, noting that governments can assert legal access to data held by service providers regardless of where that data is physically stored. 

This tension — between physical location and legal authority — is what makes data sovereignty such a pressing issue for state and local governments.


Data Sovereignty vs. Data Residency vs. Data Localization: Key Distinctions

Data sovereignty is often confused with related concepts such as data residency and data localization, but the distinctions are critical for public sector leaders.

“Data residency is a requirement for data to be held in a specific country or jurisdiction,” Nair explains. “Data localization means it needs to be held locally in country.” 

These are primarily technical or regulatory requirements about where data is stored. But they do not fully address sovereignty.

Data sovereignty is about legal jurisdiction and authority — which laws apply to the data and who can compel access to it. As Nair emphasizes, even if data is stored in a specific location, it may still be subject to external legal claims depending on the service provider’s presence in other jurisdictions.

This distinction is especially important in cloud environments. A state agency may believe it has met its obligations by keeping data within the United States, but if the provider operates globally, other legal systems may still assert authority.

For state and local governments, the key takeaway is that data location alone does not guarantee control. Agencies must evaluate both where their data resides and which legal regimes may apply to it.

Why Does Data Sovereignty Matter for State and Local Governments?

Data sovereignty has direct implications for legal authority, compliance and risk management in state and local government.

Public agencies hold highly sensitive information collected under specific legal frameworks. “This data was collected for specific purposes under specific legal authority,” Nair says. “Citizens have a reasonable expectation that it will be used only for those purposes and governed by the legal framework of the jurisdiction that collected it.” 

When data moves into cloud environments, that expectation can be challenged. Competing legal claims — particularly from federal or foreign jurisdictions — may introduce uncertainty about how data can be accessed or used.

Nair highlights that this risk is not always fully appreciated. The CLOUD Act, for example, allows U.S. authorities to seek access to data held by providers with a U.S. presence, regardless of where that data is stored. While such access requires legal process, the possibility introduces a layer of jurisdictional risk that agencies must consider. 

For state CIOs and CISOs, this creates a dual challenge: ensuring compliance with existing regulations while also managing emerging risks tied to cross-border data governance.

It also reinforces the importance of procurement and contract strategy. Agencies must ensure that sovereignty considerations — including access controls, legal jurisdiction and data handling practices — are clearly defined when working with cloud and service providers.


How Does Data Sovereignty Apply to Criminal Justice Data?

Data sovereignty considerations are particularly acute when it comes to criminal justice information.

CJIS requirements impose strict controls on how law enforcement data is stored, accessed and transmitted. While CJIS is primarily a security framework, it also has clear implications for sovereignty.

Criminal justice data must remain under appropriate legal authority and be protected from unauthorized access — including access that could arise from competing jurisdictional claims.

This becomes more complex in cloud and multicloud environments. Agencies must understand not only where their CJIS data is stored, but also who can access it and under what legal authority.

Nair’s broader point about jurisdictional risk applies directly here: Even when technical safeguards are in place, agencies must evaluate whether external legal frameworks could affect their control over sensitive data.

In practice, this means aligning CJIS compliance with a broader sovereignty strategy, one that includes contractual protections, provider due diligence and ongoing governance.

What Challenges Does AI Pose for Data Sovereignty?

Artificial intelligence is adding a new layer of complexity to data sovereignty.

“Gen AI is especially complex because it doesn’t function like simple data,” Nair says. “Questions about sovereignty occur at multiple points — training time, fine-tuning time, deployment time and inference time.” 

Modern AI systems include not just models, but also supporting components such as vector databases and logs, all of which may contain sensitive or regulated data. These components can be subject to overlapping sovereignty claims, particularly when hosted by providers operating across jurisdictions.

Nair also notes that AI systems can transform and potentially redistribute data, raising new questions about how sovereignty applies once data has been incorporated into a model.

“The AI was designed for capability, not for the kind of data traceability that sovereignty frameworks require,” she says. 

For state and local governments, this underscores the need to incorporate sovereignty considerations into AI governance strategies from the outset.


How Can State and Local Officials Build a Data Sovereignty Framework?

To manage these challenges, state and local governments need a structured approach to data sovereignty that integrates legal, technical and organizational considerations.

Nair outlines several practical steps agencies can take, beginning with visibility. Agencies should “build a sovereign data inventory — a living document that maps every major data set to its origin authority, governing frameworks, sensitivity classification and federal funding.” 

From there, agencies should conduct a sovereign threat assessment focused on jurisdictional risks, particularly scenarios in which a legal order could assert authority over state data against the state’s interests.

Establishing clear sovereign data principles is also essential. These may include minimum necessary sharing, purpose limitation, proactive legal defense, citizen notification and “sovereignty by design,” along with a defined AI sovereignty posture. 

Implementation requires coordination across multiple domains. Agencies should work with state legislatures to build a supporting legal framework, while also deploying technical controls such as customer-managed encryption, network segmentation and AI governance capabilities.

Governance structures must also be defined. Assigning clear roles and responsibilities — potentially including a dedicated data sovereignty leader — can help ensure accountability and oversight across the organization.

Finally, agencies should treat data sovereignty as an ongoing program rather than a one-time initiative. Continuous review processes, including regular data inventory updates and monitoring of legal developments, are critical to maintaining control in a rapidly evolving environment.
