Data Sovereignty: Definition and Stakes for Lawyers

In just a few years, data sovereignty has become an unavoidable topic in conversations about regulatory compliance and the management of information systems. Yet behind the phrase lie legal and technical realities that many professionals still struggle to pin down precisely. What does it actually mean? What obligations does it create for lawyers, law firms and independent professionals when it comes to personal data protection and data governance?

What is data sovereignty?

Data sovereignty refers to the principle that data — whether personal, professional or commercial — is subject to the laws and regulations of the country in which it is stored or processed. In other words, the law that applies to a piece of data is determined by its geographic location, not solely by the nationality of the company that holds it or of the person it relates to.

Point to watch: Data hosted on a server located in the United States may be subject to the U.S. Cloud Act, which allows federal authorities to issue data access demands, including when those demands concern European citizens or companies. Conversely, data stored in France or in the European Union falls under the General Data Protection Regulation (GDPR) and national law.

A concept to distinguish from neighbouring notions

Data sovereignty is often confused with other closely related notions. It is worth distinguishing them clearly:

  • Digital sovereignty refers to a state’s ability to control its digital infrastructure and technologies as a whole. Data sovereignty is only one component of it.
  • Personal data protection (in the GDPR sense) concerns individuals’ rights over their data. It dovetails with data sovereignty but is not reducible to it.
  • Data residency refers to the contractual or legal obligation to store data within a defined territory. It is a tool that serves sovereignty, not a synonym for it.
  • Data localization refers to legal requirements mandating that a category of data remain on national territory. Some countries, such as Russia and China, have adopted legislation along these lines.

Over the years, the European Union has built a body of texts that govern the flow and processing of data. This regulatory framework rests on several complementary instruments, whose impact is felt right down to professionals’ day-to-day practices.

The GDPR, the reference text for data protection

In force since 25 May 2018, the GDPR governs the processing of personal data within the European Union. It imposes strict rules on any transfer of data to third countries. These data transfers are authorized only if the destination country offers an adequate level of protection, or if appropriate safeguards are in place: standard contractual clauses, binding corporate rules, and the like.

The Schrems II ruling of the Court of Justice of the European Union (16 July 2020) reinforced this requirement by invalidating the Privacy Shield, the mechanism that had governed data transfers between the EU and the United States. It reaffirmed that a U.S. company’s mere adherence to a bilateral agreement is not enough to guarantee protection equivalent to that offered by European law.

The Data Act and the Data Governance Act: new regional rules for the flow of data

More recently, the European Union has adopted two regulations that extend and clarify the applicable framework. These new regional rules profoundly reshape data governance within the internal market:

  • The Data Governance Act (in force since September 2023) organizes data sharing between public and private actors, while setting conditions for transfers to third countries.
  • The Data Act (in force since January 2024) clarifies access rights to data generated by connected devices and digital services, and introduces specific provisions to limit unauthorized access by foreign authorities.

French law

Under domestic law, the French Data Protection Act (“loi Informatique et Libertés”), amended to incorporate the GDPR, is the reference text. The French Data Protection Authority (CNIL) is the competent supervisory authority. It holds investigative and enforcement powers, and regularly publishes practical recommendations for professionals.

Why this question directly concerns lawyers and independent professionals

Law firms and independent professionals handle sensitive data every day: client identification data, information covered by professional privilege, procedural documents, financial data. The question of data sovereignty is therefore anything but abstract: it bears directly on the security of the data entrusted to them and on their professional ethics obligations.

Professional privilege put to the test by cloud computing

The use of digital tools — messaging services, matter-management software, online storage — is now widespread. Yet many of these tools rely on cloud computing and are offered by providers whose servers sit outside the European Union, or whose parent company is subject to foreign legislation allowing access to the data.

A concrete risk for lawyers: Entrusting data covered by professional privilege to a cloud service provider subject to the U.S. Cloud Act potentially exposes that data to an access request from U.S. authorities, without either the client or the professional being informed. This raises serious questions in light of professional ethics obligations, all the more so because data can be affected at every stage of its lifecycle, including data in use.

“A lawyer’s professional privilege is a matter of public policy. It is general, absolute and unlimited in time.” — Article 2 of the National Internal Regulations (RIN) of the French legal profession.

The practical obligations that follow

In concrete terms, lawyers and independent professionals must put in place data governance suited to their activity. This involves several steps:

  1. Identify where their data is hosted: in which country are their providers’ servers located (practice-management software, messaging tools, collaboration platforms)? Data residency must be known and documented.
  2. Check the law that applies to those providers: a company headquartered in the United States remains subject to the Cloud Act, even if it hosts its data in Europe. Data localization alone is not enough to guarantee protection.
  3. Review subprocessing contracts: the GDPR requires concluding a data processing agreement with any provider that processes data on behalf of the controller. Clauses relating to data transfers deserve particular attention.
  4. Favour certified solutions wherever possible: the SecNumCloud qualification, issued by France’s cybersecurity agency (ANSSI), certifies that a cloud provider meets reinforced security measures and the sovereignty requirements defined by the French state.
  5. Encrypt the data: data encryption, whether at rest or in transit, is one of the most effective technical measures for limiting the risk of unauthorized access, including in a cross-border context.
  6. Inform their clients of the conditions under which their data is processed and hosted.

Data sovereignty in contractual practice

Beyond internal compliance, data sovereignty is also a topic lawyers encounter in their advisory practice. Companies that outsource activities, migrate to cloud computing solutions or enter into international partnerships need guidance on these data governance questions.

Clauses to watch in cloud contracts: data localization and security

When negotiating or reviewing contracts with digital service providers, several points deserve particular attention:

  • Data localization: does the contract specify in which country the data will be hosted? Can that location be changed unilaterally by the provider?
  • Transfers to third countries: does the contract frame any data transfers outside the EU? Are the safeguards provided for (standard contractual clauses, etc.) up to date?
  • Data access demands by authorities: does the contract require the client to be notified in the event of an access request from a foreign authority?
  • Data encryption and security: what technical measures does the provider implement to protect the data, in particular encryption in transit and at rest?
  • Reversibility: at the end of the contract, under what conditions can the data be retrieved or deleted?

What is at stake for client companies

For the companies that lawyers advise, data sovereignty can have implications across a range of fields: competition law (protection of trade secrets), employment law (employee data), health law (health data subject to specific hosting rules in terms of data residency), or public procurement (some public contracts impose sovereignty requirements). In each of these fields, personal data protection intersects with sector-specific constraints that need to be identified precisely.

Towards stronger data sovereignty: developments to follow

The regulatory framework keeps evolving. Several work streams are worth watching closely for legal professionals:

  • The Gaia-X project: this European initiative aims to build a shared, interoperable data infrastructure that respects European rules on data security. Its actual rollout remains gradual, but it traces a clear political direction.
  • The EU-U.S. adequacy framework: adopted in July 2023, the Data Privacy Framework once again governs data transfers between the EU and the United States. Its legal soundness is already being contested and could be the subject of a fresh challenge before the CJEU.
  • Sector-specific requirements: in certain sectors (health, finance, defence), specific rules already impose high levels of sovereignty. These requirements tend to tighten and to spread to other fields, bringing reinforced security measures and new obligations around data encryption.

Key takeaways

Data sovereignty is not a concept reserved for digital-law specialists. It concerns every professional who handles data as part of their work — which, today, means every lawyer and every independent professional. Understanding this principle, identifying the risks it carries and adapting one’s practices accordingly is part of the due-diligence obligations that any serious professional must build in.

Between the requirements of the GDPR, the stakes tied to cloud computing, data localization, data residency and data encryption, the data governance of a firm or an independent practice rests on a coherent set of technical and contractual decisions. The question is not whether data sovereignty concerns you. It is to what extent your organization already addresses it — and what is left to do.