MY OWN VIEWS ABOUT DATA SOVEREIGNTY

MY OWN VIEWS ABOUT DATA SOVEREIGNTY

We keep hearing about “data privacy” and “cybersecurity” as if they were separate issues floating in a digital vacuum. But in truth, they all converge into one deeper concept: data sovereignty. And if we don’t reckon with that, I fear our efforts at privacy and security will remain half-baked.

What exactly is data sovereignty? At its core, it is the principle that data is subject to the laws and governance of the country or region where it is collected or stored. It means a citizen’s data should not drift off into foreign jurisdictions where local laws don’t apply. It means that when we talk about controlling our digital assets, we aren’t just talking about locking a database—we’re talking about maintaining legal, technical and ethical oversight over our data.

In the Philippine context, we do not yet have a dedicated data sovereignty law—but the topic is increasingly shaping digital-policy debates and legislative proposals. For example, industry groups are pushing for such a law, noting that our neighbours in ASEAN already have stronger localization or governance regimes.
Meanwhile, we rely primarily on the Data Privacy Act of 2012 (RA 10173), which protects personal information, and the Cybercrime Prevention Act of 2012 (RA 10175), which targets illegal access and interference. But neither fully addresses the question: who controls the data and where is it stored?

In my own opinion, there is a direct connection between data privacy → data security → data sovereignty. Let me unpack this:

  • Without data security, all the encryption, access controls and firewalls in the world won’t help if data is simply mishandled, mis-used or exposed.

  • Without data sovereignty, even secure data may be subject to foreign jurisdiction, foreign laws or hidden access from abroad—not just because of malicious actors, but by design of global cloud platforms.

  • And without data privacy, the individual loses control over how their personal or community data is processed, shared or monetized.

So the bottom line: If our law wants to keep up with technological advances that directly bear on these issues, then we must treat data sovereignty as core—not optional.

Why does data sovereignty matter?

  1. Legal jurisdiction and control – If the servers holding our data are abroad, whose law applies? Which court has jurisdiction? If something goes wrong, will Filipinos have real recourse?

  2. National security and economic independence – Data about citizens, infrastructure or business operations are strategic assets. Countries such as Indonesia, Vietnam or Thailand already have data localisation or sovereignty policies to attract investment and protect their data economy.

  3. Technological sovereignty – The launch of the first Philippine “sovereign cloud” by ePLDT is a step in that direction: hosting government applications and data strictly within the country and under local regulation.

  4. Community, cultural and indigenous data rights – Data isn’t just financial or personal—it includes community histories, indigenous knowledge, local languages. Sovereignty over that data matters hugely for cultural justice.

Where do we stand, and what is holding us back?

We are stuck in a curious limbo. On the one hand, the government has issued the National Cybersecurity Plan 2023‑2028 through Department of Information and Communications Technology (DICT) and adopted via Executive Order 58.  On the other hand, the legislative framework that deals directly with data sovereignty is absent. According to industry sources, the lack of a formal law means we may miss out on billions of dollars of data-centre investments or digital infrastructure growth. 

The proposed Konektadong Pinoy Act offers an example. While it aims to expand connectivity and digital infrastructure, critics warn that without embedded safeguards for data sovereignty, it could actually open the door to foreign surveillance or data harvesting. 

Another point: technical infrastructure matters. Sure, a law can require “data must stay in the Philippines,” but if we don’t have sufficient data centres, reliable power, cooling, network redundancy and local cloud-capacity, that law may become a barrier rather than a safeguard. The debate over data localisation often puts innovation and foreign investment on one side, and national data control on the other. 

My suggestions

  1. Enact a dedicated Data Sovereignty Law – We should not let this drag on. The legislative gap is already recognised by the industry.

  2. Embed periodic review and standards – The law should require review every 5-10 years, to keep pace with AI, cloud tech, data flows and emerging threats.

  3. Balance localisation with openness – The law can require critical or sensitive data to reside locally, but not impose blanket restrictions that hamper SMEs or startups. Smart regulation is better than blunt mandates.

  4. Build the infrastructure – We must ensure local data centres, sovereign cloud capacity, encryption-key management, and strong governance frameworks are operational.

  5. Raise public awareness – Citizens need to understand that their data is not just “some server somewhere”—it is part of their rights, their economy and their nation’s sovereignty.

Questions we need to ask

  • Should we treat data generated by government services, national infrastructure or citizens differently from other data?

  • How do we classify “sensitive data” for localisation or sovereignty purposes?

  • What roles will LGUs, barangays, indigenous communities play in the governance of their local data?

  • How do we ensure our laws are consistent with international data-flow agreements, cloud industry needs and competitiveness?

  • Can data sovereignty become an enabler of investment—instead of a deterrent—if we get the policy design right?

In closing: Data privacy and data security matter—but they cannot fully deliver unless the framework of data sovereignty is firmly in place. Not just as a conceptual ideal, but as a law, as regulation, as practice. The digital age is not a future possibility—it is our present reality. We owe it to ourselves and to future generations to ensure that when people talk about “data about us,” we know who controls it, where it’s stored, and how it’s governed. Otherwise, we remain digital spectators, not digital masters.

Ramon Ike V. Seneres, www.facebook.com/ike.seneres

iseneres@yahoo.com, senseneres.blogspot.com 03-03-2026

Comments

Post a Comment

Popular posts from this blog

HOW IS THE CRIME RATE COMPUTED IN THE PHILIPPINES?

HOW IS THE CRIME RATE COMPUTED IN THE PHILIPPINES? When we talk about the crime rate in the Philippines, we often assume that the figures we see are accurate reflections of reality. But have we ever paused to ask—how exactly is the crime rate computed? Where does this data come from, and how reliable is it? The computation of the crime rate in the Philippines is officially handled by the Philippine National Police (PNP). The formula itself is straightforward: Crime Rate = (Total Reported Crimes / Total Population) x 100,000 This simple equation gives us the number of crimes per 100,000 people, allowing for fair comparison across regions and time periods. However, the reality behind these numbers is more complex than it appears. Data from the Ground The foundation of our national crime rate is empirical data collected at the grassroots level—from individual police stations scattered across the country. Every reported crime is logged in local police blotters, forming the buil...
Read more

GREY AREAS IN GOVERNMENT FUNCTIONS

GREY AREAS IN GOVERNMENT FUNCTIONS Dear Mr. President: May I ask who is going to be the arbiter or referee whenever there are overlaps in functions between two or more government agencies? I imagine that there would be no problem if these agencies would just cooperate and collaborate with each other, but what if they are unable to settle their differences and they would just end up throwing blame at each other or finger pointing at each other? Allow me to cite some examples. Who is supposed to take the lead in waste to energy projects? Is it supposed to be the DENR that is supposed to handle waste? Or is it supposed to be the DOE that is supposed to handle energy generation? Or is it supposed to be the DILG since it is the one that could direct or influence the waste to energy projects of LGUs? Who is supposed to take the lead in producing and promoting the use of biofuels? Is it supposed to be the DA, since the production of biofuels is supposed to be all about planting biofuel ...
Read more

LOCALIZED FREE AMBULANCE SERVICES

LOCALIZED FREE AMBULANCE SERVICES As it is supposed to be, anyone in the Philippines should be able to dial 911, and a telephone operator should be able to dispatch fire, rescue, ambulance and police (FRAP) units as soon as possible, based on acceptable response times. I invented the FRAP acronym for easy recall, and I hope it sticks, if there is no other alternative. Unfortunately, due to a mixture of technical and political reasons, the Philippines has not adopted 911 as a national number, because some LGUs would rather use their own three-digit numbers such as 117 and 168. I actually proposed a technical solution to that problem, but it was not adopted either. For whatever it is worth, my solution is to install a call forwarding system that could route all calls to a central operator, regardless of what number is dialed. It is very sad for me to know that up to now, even if our country is already over one hundred years old, there are still many LGUs that do not have fire trucks. it ...
Read more