The compromise changed where the data resided, but not who extracted its intelligence. It demonstrated how difficult it becomes to reclaim digital sovereignty once foreign platforms are deeply embedded in a nation’s society.
The TikTok episode offers a glimpse into a much larger global contest for data, one whose consequences may prove as significant as any military rivalry of our time. Nations that can harness vast datasets will gain a decisive advantage in developing artificial intelligence (AI) systems that shape economies and societies. But the stakes extend far beyond AI. A foreign intelligence agency with access to population-scale behavioural data can identify social fault lines and behavioural vulnerabilities, making social engineering attacks far more effective.
The global data landscape has two distinct tiers. The first is the US-China duopoly. The second comprises middle powers seeking to strengthen data sovereignty strategies while reducing their dependence on the duopoly. Other countries are only beginning to develop the investments needed for sovereign alternatives.
Over the past decade, China has transformed data into a strategic asset. It recognised data as the fifth factor of production in addition to land, labour, capital and technology, established the National Data Administration and allowed certain categories of data to be recognised as assets on corporate balance sheets. Its cybersecurity and personal information protection laws reinforce sovereign control through data localisation, while the National Intelligence Law provides state access to data. The Digital Silk Road has extended Chinese digital infrastructure across telecommunications, Cloud services and smart cities, which has generated technological dependence that countries now find difficult to reverse.
Unlike China, the US has built its data advantage through market-driven innovation. American firms dominate Cloud computing, operating systems, and social media through which much of the world’s digital activity flows. The strategic effect, however, is similar: Control over the infrastructure on which global data reside. The CLOUD Act requires American technology firms to provide data under their control, regardless of where it is physically stored, to American law enforcement agencies. This underscores that data sovereignty depends not simply on where data resides, but on who controls the platforms.
Long-term reliance on foreign digital infrastructure creates economic and national security risks, leading countries to pursue different data sovereignty approaches. Russia has adopted data localisation. The European Union has pursued a rights-based framework , complemented by initiatives to strengthen digital sovereignty. Canada and Australia use national security legislation to ring-fence sensitive government, defence and health data. The common goal is to reduce strategic vulnerability without sacrificing the benefits of an interconnected digital economy.
Four lessons emerge. First, data sovereignty is now geopolitical, not merely regulatory. Second, once foreign digital platforms become deeply embedded, reclaiming sovereignty becomes difficult. Third, data localisation alone is insufficient; control over the algorithms that extract intelligence from data matters just as much. Finally, the contest is accelerating and the time to act is now.
India, arguably the world’s largest generator of data, remains deeply integrated with American technology platforms. The Reserve Bank of India’s 2018 data localisation directive for payment systems and plans to increase data centre capacity reflect the country’s determination to strengthen digital sovereignty while remaining connected to the global digital economy. The DPDP Act, 2023, adopts a calibrated approach, balancing privacy, sovereign oversight and international data flows. India’s most original contribution is the Data Empowerment and Protection Architecture/Account Aggregator (Depa) framework. Unlike the conventional platform model, where companies capture most of the economic value generated from user data, Depa enables individuals to securely share their data to access financial or other benefits. Silicon Valley created platforms that monetised data, Europe strengthened rights over data, and China built state-led data ecosystems. India has pioneered a model where individuals control their data.
Beyond the measures already underway, India could adopt a five-pillar strategy for strengthening data sovereignty. It should pursue intelligence sovereignty by building indigenous AI models and compute capabilities, recognising that in the AI era, control over intelligence matters as much as control over data. It should classify strategic datasets under a risk-based framework with differentiated safeguards. The Depa should be expanded beyond finance into sectors like health and education. India should also develop a sovereign digital technology stack spanning Cloud, AI, cybersecurity and semiconductors. Finally, it could take global leadership to forge trusted international partnerships for data flows, AI governance and digital commerce, leveraging its digital public infrastructure stack.
The contest for data has only just begun. Those who merely generate it will fuel someone else’s future; those who govern it will shape their own.
The author is Chairman, UPSC, and former Defence Secretary. The views are personal