By Javier Surasky
In our
recent posts, we examined the geopolitics
of AI in general and the geopolitics
of computing power. This time, we will focus on the geopolitics of data.
As we
already know, computing power and the availability of massive datasets are the
two major pillars sustaining the evolution of AI. Someone who knows a great
deal about this once told me, “If you have to choose between the best
programmer with a poor dataset or an average programmer with a good dataset,
always choose the latter.”
Without
access to large volumes of updated and representative data, no AI system can be
efficient. Foundational models—those that achieve versatility and applicability
across multiple tasks and become the basis for other applications—are doomed to
fail when high-quality data is lacking.
Data has
become a geopolitical resource: it not only informs us about the economic
power, surveillance capabilities, and political influence of different actors,
but, in a sense, it closes a circle by becoming a constitutive element of each
of these.
Situated at
the base of the pyramid leading to information, knowledge, and—at the
apex—expert wisdom, data is not reality but a segmented expression of it that
appears to have been objectified. That is false: the medium chosen to capture
reality in data will always introduce some degree of subjectivity. Data is a
construct.
On the
other hand, we must move beyond the myth that data is immaterial: “data is not
a virtual entity but a materiality anchored in a territory that requires
infrastructure, workers, energy, and nature to function” (Blinder, 2021:182).
That implies data only exists atop localized infrastructures of collection,
transmission, and use. This leads the author to affirm that “in recent years,
with the increase in data volume, geopolitical changes have emerged that are
directly intertwined with new technologies and have implied a
re-territorialization” (Blinder, 2021:190). Consequently, it is not surprising
that in an unequal and inequitable world, the data sector reproduces that
pattern.
And as
happens with AI in general, as well as with compute power and semiconductors,
data circulates through infrastructures that are mostly private, taking the
form of large data centers and clouds, and ending up concentrated in a small
number of companies from a small number of countries.
Another
logic is replicated here: the United States and China are the dominant actors
in this field, jointly concentrating nearly half of all hyperscale data centers
and 90% of the market capitalization of major digital platforms (UNCTAD, 2021a).
That exposes the dispute between the different models of digital governance
currently under discussion.
This
leadership is evident in data infrastructure: U.S.-based companies account for
more than 63% of the global cloud market, which reached approximately USD 106.9
billion in the third quarter of 2025. In infrastructure services (IaaS) and
platform services (PaaS), the percentage is even higher, around 68% (Synergy
Research Group, 2025a, 2025c).
This
inequality helps us understand why the United States defends the principle of
Data Free Flow with Trust (DFFT), incorporated in the 2023
Hiroshima G7 Communiqué, and why the U.S.
CLOUD Act (2018) authorizes the government to demand extraterritorial
access to data stored on servers owned by U.S. companies wherever they are
located, effectively turning the American regime into a de facto global regime.
Historically, the U.S. position has been similar to that of the United Kingdom,
which demanded freedom of the seas at the height of its maritime dominance.
Obviously,
both “the two giants” (the United States and China) and “the third at the
table” (the European Union) have recognized the strategic nature of data and
equipped themselves with regulations grounded in different principles and
objectives, resulting in a fragmented international architecture.
In the
United States, there is no horizontal federal data protection law (OECD, 2023; UNCTAD, 2021b), but rather a network of
sector-specific domestic rules, such as the Health
Insurance Portability and Accountability Act (HIPAA) or the Children’s
Online Privacy Protection Act (COPPA), among others.
The Chinese
model, by contrast, is built on the territorialization of data in the name of
digital sovereignty. The Chinese regulatory triangle—comprising the Cybersecurity
Law (2017), the Data
Security Law (2021), and the Personal
Information Protection Law (2021)—establishes a regulated space centered on
national security. DLA Piper
(2024) notes that the three laws share common features: they classify data
according to relevance and sensitivity (the Data Security Law, for instance,
distinguishes important data requiring export review and critical data whose
transfer may be prohibited), impose localization requirements, and mandate
prior assessments for international data transfers.
A 2025
amendment to the Cybersecurity Law, analyzed by Huld
(2025) and the Hunton
Privacy Blog (2025), reinforces sanctions for violations and enables broad
inspection processes aimed at increasing government control over China’s
cyberspace, placing the country among those with explicit digital security and
nationalism frameworks.
Finally,
the European Union adopts a rights-centered approach, prioritizing the
protection of citizens. Its General Data Protection
Regulation (GDPR) sets criteria for consent, minimization, portability, and
purpose limitation in the production and use of data, establishing a general
regime later expanded through the Data Governance Act (2022,
in force since 2023) and the Data Act (adopted in 2023,
in force since 2025), which form the foundations of a single European data
market. These developments have produced the so-called “Brussels Effect,”
requiring thousands of non-European companies selling goods or services in the
EU to adapt their data storage and management practices.
The idea of
a European data market aligns seamlessly with other EU regulations, such as the
Digital Markets Act
(DMA), the Digital
Services Act (DSA), and, of course, the AI Act.
These three
approaches represent different strategies and, according to the OECD
(2023) and UNCTAD
(2024a), constitute incompatible geopolitical projects with respect to
critical elements such as the degree of freedom/control over data flows, the
extent of data sovereignty, transparency and security, and the prioritization
of rights versus technological development.
What
positions do other States take? To be clear, under current global power
distribution, it matters very little: the entire African continent combined
holds less than 2% of global data center capacity (Oxford
Business Group, 2024), and in both Africa and Latin America and the
Caribbean, most investment capital for new data centers “comes from abroad;
foreign companies and investors continue to shape LAC’s digital infrastructure
and cloud ecosystem” (UNDP,
2025).
The result
is an elite debate table with structural fragmentation produced by great-power
competition. From a network governance perspective, the global data
architecture functions as a formally polycentric system where States and
non-state actors interact, but in practice operates as a VIP club restricted to
a few.
Worsening
the outlook, multilateral organizations fail to move beyond expert analysis of
what should be done, without actual capacity to implement it; the G7 and OECD
are seen as representatives of wealthier economies, while the G77 has no real
influence due to resource limitations and conflicting normative constraints.
This is
where the “harder” political effects of hyper-concentrated data power begin to
appear: the rules adopted by the “data powers” become de facto standards to
which other countries and actors must adjust, even when these standards
contradict one another, creating a new obstacle to the digital development of
the most lagging countries.
The
proliferation of national data-protection laws only worsens the problem:
approximately 79% of countries had some form of data-protection legislation by
early 2021, but at that time “less than half of Least Developed Countries had
adopted data-protection and privacy legislation” (UNCTAD,
2021b:187). More recently, DLA
Piper (2024) and the International Association of Privacy Professionals (IAPP, 2024)
indicate that data-protection laws have expanded to more than 160
jurisdictions, while only 16 analyzed countries lack such legislation.
That gives
us an alternative perspective on the data divide and introduces the notion of data
colonialism, defined as “the appropriation of human life through data,
extracting social resources for profit and control,” combining “the predatory
extractiveness of historical colonialism with the abstract quantification
techniques of datafication, transforming human life into a direct input for
capitalist accumulation” (Couldry
& Mejías, 2018:340–341).
Normatively,
this is reflected in the fact that countries that are not leaders in the data
sector adopt legal forms determined by others, without participating in their
creation and without the capacity to modify them.
Data models
can also be interpreted as instruments of power: they determine how data
circulates, which actors can extract value from it, and which jurisdictions
control the interpretation of norms in cases of disagreement.
Another
consequence of fragmentation is the absence of interoperability between
datasets governed by different regimes, generating regulatory costs for
companies and public administrations—costs that disproportionately affect
countries with fewer resources (OECD,
2023). Fragmentation thus becomes a mechanism of exclusion.
The notion
of data sovereignty—“the authority of a state to govern data generated within
its territory, including how such data is accessed, stored, processed, and
transferred” (UNESCO,
2022:19)—fades into the background and yields to the power of large nodes.
This is a new model of digital colonization that, like past colonization processes,
excludes entire populations’ knowledge. In earlier times, this was called
“barbarian knowledge” or “indigenous beliefs”; later, “non-scientific
knowledge” (taken to mean useless or invalid). Today, it is called “bias,” but
it is the same phenomenon under new technological conditions.
Put simply,
regulatory power follows data-infrastructure capacity to the letter—a situation
seemingly welcomed by the United States, China, and the EU, which obstruct any
attempt to develop global data governance that is not strictly aligned with
their positions or could constrain their freedom of action. This is a new “triple
entente” that blocks multilateral, inclusive, and democratic solutions in the data
domain, crystallizing an exclusive, competitive, and hierarchical international
architecture that aims not at coordination but at the global projection of each
actor’s power.
In fact,
this is not the only “understanding” of the triple data entente: cross-border
data flows are concentrated in the North America–Europe and North America–Asia
corridors. Despite their differences, pragmatism ensures that data continues to
circulate among the “big players.”
We must
begin by accepting this reality and acknowledging that promoting a global data
regime is currently beyond reach. The smartest move may be to start stacking
steps that allow us to climb toward it:
For
example, we could create mechanisms for regulatory interoperability based on
functional equivalences to reduce the costs of incompatible regulatory
frameworks. Joint certification processes or bridge standards between existing
regulations could be introduced for this purpose.
At the same
time, we should envision institutional arrangements to strengthen public
capacities in areas such as algorithmic oversight and data audits.
Establishing
an international cooperation framework for data production, management, and use
is feasible and would strongly support countries lacking the technical and
human resources to exercise sovereignty over their data. “Donor” countries
would see their positions strengthened by extending their regulatory models
through cooperation programs—at least until recipient countries build their own
capacities, even though that process will not be quick.
As seen,
these proposals do not seek to overcome the existing power order in the data
domain or eliminate regulatory fragmentation, but rather to manage both
realities to reduce dysfunctional decoupling, lower costs, and foster more
inclusive dialogues.
Eryurek et
al. (2021) identify seven factors driving the growing importance of
establishing global data governance:
- Data volume continues to increase.
- The number of people processing or visualizing data keeps rising.
- Data-collection methods have advanced and improved.
- More types of data are collected, including increasingly sensitive data.
- Data use cases have expanded.
- New data-processing regulations are emerging.
- Ethical concerns surrounding data use are increasing.
While these
points are undeniable and provide a strong rationale for the increased
presence, critique, and policy engagement of the social sciences in
data-related issues, we wish to add another reason that we consider even more
relevant.
During
industrialization, those who pioneered or managed to join the process became
what we now call developed countries, whereas those left behind had to settle
for supplying raw materials and acting as consumers in an unequal international
market. With AI, we may be witnessing a similar phenomenon, and the data domain
may be to AI what fossil fuels were to the Industrial Revolution.
Remaining
“outside the game” of data governance today is a clear indicator of tomorrow’s
underdevelopment. Data is a projection of power relations and a key
geopolitical resource for unlocking innovation and knowledge—two critical
drivers that will determine our societies’ standard of living in a future that
is no longer distant.
References
Blinder, E.
(2021). Geopolitics and Big Data: Territorialities of Technology. In Actis, E.;
Berdondini, M. & Castro Rojas, S.R. Social Sciences and Big Data.
UNR Editora. 175–194.
Couldry, N.
& Mejias, U. A. (2018). Data Colonialism: Rethinking Big Data’s Relation to
the Contemporary Subject. Television & New Media, 20(4), 336–349. https://doi.org/10.1177/1527476418796632
DLA Piper.
(2024). Data Protection Laws of the World. DLA Piper Global Data
Protection Resource. https://www.dlapiperdataprotection.com/
Eryurek, E.; Gilad, U.; Lakshmanan, V.; Kibunguchy, A. & Ashdown, J.
(2021). Data Governance: The Definitive Guide. O’Reilly Media.
G7 (2023,
May 20). G7 Hiroshima Leaders’ Communiqué. https://www.consilium.europa.eu/en/press/press-releases/2023/05/20/g7-hiroshima-leaders-communique/
Huld, A.
(2025, November 5). Revisions to China’s Cybersecurity Law: Strengthened
Oversight and Alignment with Emerging Technologies. China Briefing. https://www.china-briefing.com/news/china-cybersecurity-law-amendment-in-effect-january-1-2026/
Hunton
Privacy Blog (2025, November 13). CAC Issues Amendment to the Cybersecurity Law
of China. https://www.hunton.com/privacy-and-information-security-law/cac-issues-amendment-to-the-cybersecurity-law-of-china
International
Association of Privacy Professionals (IAPP) (2024). Global Privacy Law and
DPA Directory. https://iapp.org/resources/global-privacy-directory/
OECD
(2023). Moving Forward on Data Free Flow with Trust: New Evidence and
Analysis of Business Experiences (Digital Economy Papers No. 353). https://www.oecd.org/content/dam/oecd/en/publications/reports/2023/04/moving-forward-on-data-free-flow-with-trust_0f681e91/1afab147-en.pdf
Oxford
Business Group (2024). Data Centres in Africa. Focus Report. https://africadca.org/wp-content/uploads/2024/05/ADCA-Report-2024_with-PPT.pdf
Synergy
Research Group. (2025a, July 31). Q2 Cloud Market Nears $100 Billion
Milestone – And It’s Still Growing by 25% Year Over Year. https://www.srgresearch.com/articles/q2-cloud-market-nears-100-billion-milestone-and-its-still-growing-by-25-year-over-year
Synergy
Research Group. (2025b, October 31). Cloud Market Growth Rate Rises Again in
Q3: Biggest Ever Sequential Increase. https://www.srgresearch.com/articles/cloud-market-growth-rate-rises-again-in-q3-biggest-ever-sequential-increase
Synergy
Research Group. (2025c, November 19). Cloud Market Share Trends: Big Three
Together Hold 63% While Oracle and the Neoclouds Inch Higher. https://www.srgresearch.com/articles/cloud-market-share-trends-big-three-together-hold-63-while-oracle-and-the-neoclouds-inch-higher
UNCTAD
(2021a). Digital
Economy Report 2021: Cross-border Data Flows and Development. https://unctad.org/publication/digital-economy-report-2021
UNCTAD
(2021b). Data Protection and Privacy Legislation Worldwide. https://unctad.org/page/data-protection-and-privacy-legislation-worldwide
UNCTAD
(2024a). Digital Economy Report 2024. https://unctad.org/publication/digital-economy-report-2024
UNDP (2025,
April 15). Data in the Clouds, Centers on the Ground: The Role of Data
Centers in LAC’s Digital Future. https://www.undp.org/latin-america/blog/data-clouds-centers-ground-role-data-centers-lacs-digital-future
UNESCO
(2022). Data Governance Toolkit for United Nations Member States. https://unesdoc.unesco.org/ark:/48223/pf0000394518
Laws
China
Cybersecurity
Law (CSL, China). Cybersecurity Law of the People’s Republic of China. Adopted
on November 7, 2016. Entry into force: June 1, 2017.
https://www.lawinfochina.com/Display.aspx?Id=22826&Lib=law&LookType=3
Data
Security Law (DSL, China). Data Security Law of the People’s Republic of China.
Adopted on June 10, 2021. Entry into force: September 1, 2021.
http://www.npc.gov.cn/englishnpc/c2759/c23934/202112/t20211209_385109.html
Personal
Information Protection Law (PIPL, China). Personal Information Protection Law
of the People’s Republic of China. Adopted on August 20, 2021. Entry into
force: November 1, 2021.
https://digichina.stanford.edu/work/translation-data-security-law-of-the-peoples-republic-of-china
United
States
Health
Insurance Portability and Accountability Act (1996). Pub. L. No. 104-191, 110
Stat. 1936 (codified primarily at 42 U.S.C. § 1320d et seq. and in scattered
sections of 29 U.S.C., 42 U.S.C., and 26 U.S.C.).
https://www.congress.gov/bill/104th-congress/house-bill/3103/text
COPPA
(1998) Children’s Online Privacy Protection Act of 1998. Pub. L. No. 105-277,
div. C, title XIII, 112 Stat. 2681-728 (codified at 15 U.S.C. § 6501 et seq.).
https://www.congress.gov/bill/105th-congress/senate-bill/2326/text
CLOUD Act
(2018) Clarifying Lawful Overseas Use of Data Act. Enacted as Division V of the
Consolidated Appropriations Act, 2018, Pub. L. No. 115-141. U.S. Congress,
115th Congress.
https://www.congress.gov/bill/115th-congress/house-bill/4943/text
European
Union
GDPR
(General Data Protection Regulation) Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement
of such data. Official Journal of the European Union, L 119/1.
https://eur-lex.europa.eu/eli/reg/2016/679/oj
Data
Governance Act (DGA) Regulation (EU) 2022/868 of the European Parliament and of
the Council of 30 May 2022 on European data governance and amending Regulation
(EU) 2018/1724. Official Journal of the European Union, L 152.
https://eur-lex.europa.eu/eli/reg/2022/868/oj
Digital
Markets Act (DMA) Regulation (EU) 2022/1925 of the European Parliament and of
the Council of 14 September 2022 on contestable and fair markets in the digital
sector and amending Directives 2019/1937 and 2020/1828. Official Journal of
the European Union, L 265.
https://eur-lex.europa.eu/eli/reg/2022/1925/oj
Digital
Services Act (DSA) Regulation (EU) 2022/2065 of the European Parliament and of
the Council of 19 October 2022 on a Single Market for Digital Services and
amending Directive 2000/31/EC. Official Journal of the European Union, L
277.
https://eur-lex.europa.eu/eli/reg/2022/2065/oj
Data Act
(2025) Regulation (EU) 2023/2854 of the European Parliament and of the Council
of 13 December 2023 on harmonised rules on fair access to and use of data, and
amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828. Official
Journal of the European Union, L 2023/2854.
https://eur-lex.europa.eu/eli/reg/2023/2854/oj
AI Act
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13
June 2024 laying down harmonised rules on artificial intelligence and amending
certain Union legislative acts. Official Journal of the European Union,
L 2024/1689.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj
