What Data Sovereignty Means Under GDPR and the AI Act
GDPR fines reach up to €20 million or 4% of global annual revenue — and they apply to every organisation handling EU citizens' data, regardless of where that organisation is based. That extraterritorial reach is the practical face of data sovereignty: the legal principle that EU data protection follows the data, wherever it travels.
Quick Answer: Data sovereignty is the principle that data is subject to the laws of the country or region where it originates. Under GDPR (in force since May 25, 2018), EU citizens' personal data is protected globally — any organisation processing it must comply, with fines up to €20 million or 4% of global revenue. The EU AI Act adds a second layer: high-risk AI systems placed on the EU market must meet additional governance requirements, even when the provider sits in a third country.
Data sovereignty is the legal principle that data is subject to the laws of the jurisdiction where it was generated, making compliance with local laws critical for any organisation that handles data across international borders.
What Is Data Sovereignty? The Legal Principle Behind Modern Privacy Law
Data sovereignty refers to the application of laws to a user's data — specifically, which jurisdiction's laws apply to that data and what rights are protected for each individual user regarding privacy, usage, and consent. The most well-known example is the EU's General Data Protection Regulation (GDPR), which defines how EU citizens' data is protected in terms of collection and use.
The concept has become increasingly important as data crosses international borders constantly during ordinary business operations. The principle: laws and regulations applicable to data must be observed regardless of where servers physically sit or which company controls the storage. This produces a layered compliance landscape — organisations may have to satisfy both the GDPR and the laws of individual states where their users reside.
How GDPR Established the Modern Data Sovereignty Framework
The GDPR entered into force in 2016 and became enforceable on May 25, 2018. It applies to any organisation worldwide that collects or processes data related to persons in the EU, regardless of where that organisation is based. This extraterritorial reach is what gives data sovereignty its practical bite — even a US-based company that targets European customers falls under GDPR jurisdiction.
Key Provisions and Penalties
Three GDPR concepts matter most for understanding data sovereignty:
Personal data — any information that relates to an individual who can be directly or indirectly identified
Data controllers — individuals or organisations that determine the purposes and means of processing personal data; the entities held accountable for compliance
Penalty ceiling — fines reach up to €20 million or 4% of annual global revenue, whichever is higher
Data subjects (individuals) have rights under GDPR, including the right to seek compensation for damages caused by violations of the regulation. This creates a governance framework in which individuals maintain meaningful control over their information regardless of where it travels.
Data Protection Officer Requirement
The GDPR requires companies operating inside EU territory and dealing with EU citizens' data to hire a Data Protection Officer (DPO). The DPO is the named role responsible for ensuring the organisation strictly maintains the confidentiality, integrity, and accessibility of the data it generates, processes, and stores.
Cross-Border Data Transfers Under GDPR
The GDPR imposes restrictions on transferring personal data outside the European Economic Area (EEA) to ensure that the level of protection for individuals remains the same as inside the EEA. Chapter V of the GDPR governs these transfers.
There are essentially two routes for transferring personal data to a non-EEA country:
On the basis of an adequacy decision
On the basis of appropriate safeguards that provide enforceable rights and legal remedies for individuals
Adequacy Decisions (Article 45)
An adequacy decision is a determination by the European Commission that a non-EEA country provides essentially equivalent data protection to the EU. When one exists, personal data can flow to that country without additional safeguards. The Commission publishes its current list of adequate countries — organisations should consult that list directly before relying on this route, as the set evolves with policy and litigation developments.
Appropriate Safeguards (Article 46)
In the absence of an adequacy decision, GDPR Article 46 lists several transfer tools that organisations can use. The most widely used instrument among European companies is Standard Contractual Clauses (SCCs).
On June 4, 2021, the European Commission adopted two sets of SCCs specifically for the transfer of personal data to countries outside the EEA. These clauses contain specific data protection safeguards ensuring that personal data continues to benefit from a high level of protection when transferred outside the EEA. SCCs also provide a coherent approach to the relationship between controllers and processors throughout the EEA.
Derogations (Article 49)
When neither an adequacy decision nor appropriate safeguards are available, derogations for specific situations may apply. Due to the high standards required for adequacy and Article 46 safeguards, derogations have become increasingly popular as a practical solution for transferring personal data to international organisations.
Schrems I and Schrems II
The Court of Justice of the European Union (CJEU) has ruled in landmark cases — Schrems I and Schrems II — that have influenced the standard of protection required for international data transfers. The rulings led to a renewed focus on the use of derogations and on the rigour required when relying on SCCs, particularly for transfers to countries where government access to personal data raises concerns.
Onward Transfers and EU Institutions
For EU institutions, bodies, offices, and agencies (EUIs), transfers of personal data outside the EEA may create additional risks for individuals due to potentially lower levels of protection in the third country. Crucially, the original controller is accountable for ensuring that any onward transfers maintain the same level of protection as the initial transfer. Liability follows the data downstream, not just at the first hop.
The EU AI Act: A Second Layer of Sovereignty
The EU AI Act introduces separate but complementary requirements for AI systems. Like GDPR, it applies extraterritorially: providers that intend to place high-risk AI systems on the EU market — regardless of whether they are based in the EU or a third country — must comply with the obligations outlined in the Act.
High-Risk AI Systems
As of July 17, 2024, high-risk AI systems must comply with extensive requirements, including:
Risk management system — established and maintained throughout the AI system's lifecycle
Data governance practices — appropriate to the nature of the system and the data it processes
Third-party conformity assessments — for systems that are safety components of products
The AI Act defines high-risk AI systems in Article 6 according to specific criteria, including being safety components of products that must undergo third-party conformity assessments as mandated by EU legislation.
Users in Third Countries Also Have Obligations
Users of high-risk AI systems located in third countries — when the AI system's output is used in the EU — also have obligations under the AI Act, though these are less stringent than those imposed on providers (developers). This is the AI Act's extraterritorial echo of GDPR's reach.
General-Purpose AI Models
All general-purpose AI model providers must:
Comply with the EU Copyright Directive
Provide technical documentation
Publish a summary about the content used for training their models
These transparency requirements establish a governance framework for AI systems in relation to data ownership and training-set provenance.
How GDPR and the AI Act Work Together
The two frameworks operate in layers. GDPR governs personal data — what can be collected, how it is stored, who controls it, and how it crosses borders. The AI Act adds AI-system-specific requirements that apply regardless of whether the system processes personal data. The two intersect when an AI system handles personal information — which most consumer-facing systems do.
The frameworks also cross-reference each other in specific places. Article 4(4) of the GDPR defines profiling as any automated processing of personal data that evaluates personal aspects concerning a natural person — for example, performance at work or behaviour. The AI Act builds on this definition when classifying certain systems as high-risk, making the boundary between "data protection" and "AI governance" deliberately porous.
The 2025 EDPB Update on Article 48 Transfers
On June 5, 2025, the European Data Protection Board (EDPB) adopted the final version of its guidelines on Article 48 of the GDPR, which governs data transfers to third country authorities. The headline clarification: judgments or decisions from third country authorities cannot be automatically recognised or enforced in the European Union. Appropriate legal bases and safeguards are required for transfers — typically an international agreement, or grounds considered on a case-by-case basis when no agreement exists.
This is consequential for any organisation that receives data requests from non-EU government authorities. A foreign subpoena or warrant alone is not, under EU law, sufficient legal basis to transfer EU personal data.
Practical Challenges and Limitations
Implementing data sovereignty requirements presents genuine challenges, particularly for smaller organisations and those operating across multiple jurisdictions.
The compliance burden of SCCs. Standard Contractual Clauses are the most widely used instrument for international data transfers among European companies, but they require organisations to implement and maintain detailed contractual safeguards, supplementary measures, and transfer impact assessments — ongoing work, not a one-time signature.
Difficult transfer destinations. Research from the Northwestern Journal of International Law & Business examines the challenges companies face when transferring data to China. A preliminary negative assessment has been given regarding the potential for a European Commission adequacy determination for China, because government access to personal data is part of the regulatory picture. The study highlights difficult points for data exporters relying on EU transfer mechanisms following Schrems II — and concludes that restrictions on flows both into and out of China will continue and potentially intensify.
The "zero risk" critique. The Centre for Information Policy Leadership (CIPL) — which contributes to international data transfer mechanism reform, including the Global Cross-Border Privacy Rules and Global Privacy Recognition for Processors — argues in its 2024 paper The Zero Risk Fallacy that the current framework can be disproportionate. CIPL advocates a risk-based approach to data transfers and supports balanced, multilateral solutions to counter data localisation mandates that disrupt international data flows.
Sovereign cloud as a practical response. Sovereign cloud frameworks have emerged to help enterprises build customer trust while complying with data collection, storage, and privacy laws in the regions where they operate.
Frequently Asked Questions
What is data sovereignty?
Data sovereignty is the principle that data is subject to the laws of the country or region where it originates. It means organisations must comply with local data protection laws wherever the data goes — making compliance critical for any business handling personal data across international borders.
Does GDPR apply to companies outside the EU?
Yes. The GDPR applies to any organisation worldwide that collects or processes data related to persons in the EU, regardless of where the organisation is based. This extraterritorial reach is a defining feature of GDPR — and means non-EU firms targeting EU customers must comply with the same rules as European companies.
What is an adequacy decision under GDPR?
An adequacy decision is a determination by the European Commission that a non-EEA country provides essentially equivalent data protection to the EU. When in place, personal data can be transferred to that country without additional safeguards under Article 45 of the GDPR.
What is the difference between GDPR and the EU AI Act?
GDPR governs the processing of personal data — what can be collected, how it's stored, and how it crosses borders. The EU AI Act adds requirements specific to AI systems, regardless of whether they handle personal data, with extra obligations for high-risk AI systems and general-purpose AI model providers.
What are Standard Contractual Clauses (SCCs)?
Standard Contractual Clauses are pre-approved data protection contracts adopted by the European Commission for transferring personal data outside the EEA. On June 4, 2021, the Commission adopted two new sets of SCCs, which have become the most widely used instrument for international data transfers among European companies.
Conclusion
Data sovereignty under GDPR and the EU AI Act represents a structural shift in how organisations must think about data governance. GDPR establishes the foundational principles for protecting personal data and controlling its transfer across borders; the AI Act adds AI-specific governance requirements that apply even when the provider sits outside the EU. Together, the regulations create a framework where EU data protection principles travel with the data, regardless of destination.
For any organisation handling EU citizens' data — or selling AI systems into the EU market — the practical actions are concrete: identify which cross-border transfers occur, confirm a legal basis (adequacy decision, appropriate safeguards, or derogation), implement SCCs where needed, and conduct transfer impact assessments. As both frameworks continue to evolve — including the EDPB's 2025 guidance on third country authority transfers — keeping pace with new guidance and CJEU decisions is part of the job, not a one-time project.