No, it’s not ‘unnecessarily burdensome’ to control your own data

According to a recent report, the State Department sent a cable urging U.S. diplomats to oppose international data sovereignty regulations like GDPR, characterizing these guardrails as “unnecessarily burdensome.” 

In the cable, the State Department claims that data sovereignty regulations “disrupt global data flows, increase costs and cybersecurity risks, limit Artificial Intelligence (AI) and cloud services, and expand government control in ways that can undermine civil liberties and enable censorship.”

Underpinning this argument is both a legitimate concern and a critical misconception.

The truth is that actual data sovereignty is technical, not territorial. 

Data localization is a blunt instrument trying to solve a sophisticated problem. Mandating that data stay within geographic boundaries doesn’t actually ensure that data owners retain control over how their information is accessed, used, or shared. People move; endpoints move; data must move.

European regulators have already defined what digital sovereignty actually requires. Specifically, in the aftermath of Schrems II, the European Data Protection Board made clear that sovereignty is preserved when data is strongly encrypted and the encryption keys remain solely under the control of the data owner in Europe. That clarity is often lost in broader geopolitical debates. 

True data sovereignty requires governments, enterprises, and citizens to retain cryptographic authority over who can access their information, regardless of where it is processed. Forcing data to sit inside national borders accomplishes little if foreign vendors still hold the keys. Sovereignty is fundamentally a technical challenge: it depends on controlling access through encryption and authentication, not simply controlling physical location.

There is a widespread belief that data sovereignty is disruptive to innovation, commerce, and national security. This is a misconception.

The memo presents a false choice: that we must either accept unfettered cross-border data flows with minimal protections in place for the data owner, or implement burdensome localization requirements that stifle innovation and collaboration.

This is simply not true, and the rise of data-centric security proves it: from the U.S. to the Five Eyes nations to the Indo-Pacific, security leaders are embracing this model. Rather than focusing solely on building a strong perimeter, controls and policies must follow the data itself wherever it moves — providing more resilient, contextual security. This is the central pillar of the DoW’s own Zero Trust strategy, and the model for agencies across the U.S. federal government and beyond.

Even the Department of State’s own ITAR (the U.S. International Traffic in Arms Regulations) treat sensitive munitions data with location-specific requirements. There are good reasons for some types of sensitive information to be shielded from external eyes.

Context matters. We should not dismantle well-established data sovereignty standards without clear technical alternatives in place. Instead, we need to evaluate how to more effectively protect and govern sensitive data, without impeding the free flow of information. 

Data-centric security fortifies data sovereignty and liberates secure data flows. 

By shifting the focus from walls — border-specific protections, localization, and perimeters — to the data itself, you can fundamentally transform global data flows. When data is actually governed, tagged, and understood, it can move safely, through trusted channels, to achieve mission success.

In a data-centric security environment, a government agency can leverage cloud services from any provider while maintaining sovereign control over sensitive information by managing and hosting its own encryption keys, which additionally provides resilience against breaches at cloud service providers or other partners.

This isn’t theoretical. Modern data-centric security architectures are in production today, with open standards like the Trusted Data Format enabling platform-agnostic, global data sharing among partners. It’s the antithesis of a data silo, allowing data to travel under very specific conditions and with governance attached to each data object itself. The U.K.’s Operation Highmast is a prime example of the success that comes from dynamic, intelligent data sharing among trusted partners. 

In an era defined by AI acceleration and geopolitical competition, sovereignty and interoperability must be engineered to reinforce one another — not framed as tradeoffs.

Angel Smith is the president of global public sector for Virtru.

The post No, it’s not ‘unnecessarily burdensome’ to control your own data appeared first on CyberScoop.

If you don’t control your keys, you don’t control your data

A recent Forbes investigation revealed that Microsoft has allegedly been handing over BitLocker encryption recovery keys to law enforcement when served with warrants. Microsoft says it receives about 20 such requests annually. Taken narrowly, this may appear to be a routine case of lawful compliance. On closer inspection, it raises a consequential question about how modern digital systems are designed and who ultimately controls the data they hold.

The essence of the debate centers on data sovereignty: whether individuals and organizations truly control their own data, or whether that control can be involuntarily transferred because of architectural choices made by technology providers.

BitLocker itself is strong encryption. Federal investigators have acknowledged they cannot defeat it cryptographically. Access depends on possession of the recovery key. The issue, then, is not the strength of the encryption, but where the keys reside.

Microsoft commonly recommends that users back up BitLocker recovery keys to a Microsoft account for convenience. That choice means Microsoft may retain the technical ability to unlock a customer’s device. When a third party holds both encrypted data and the keys required to decrypt it, control is no longer exclusive. Data sovereignty has already been diluted—long before any warrant is issued.

Before founding Virtru, I served as the lead technology policy adviser at the White House National Economic Council, where I participated in the early debates around the Patriot Act. Those discussions were framed as exceptional—extraordinary access in extraordinary circumstances. What experience and history have shown since is that access tends to expand, requests become more routine, and oversight struggles to keep pace with technologies that were never designed to limit access in the first place.

We have seen the consequences of this design pattern for more than two decades. From the Equifax breach, which exposed the financial identities of nearly half the U.S. population, to repeated leaks of sensitive communications and health data during the COVID era, the pattern is consistent: centralized systems that retain control over customer data become systemic points of failure. These incidents are not anomalies. They reflect a persistent architectural flaw.

That is why the BitLocker issue matters beyond a single investigation. When systems are built so that providers can be compelled to unlock customer data, lawful access becomes a standing feature of the architecture rather than an exceptional outcome governed by narrow circumstances.

Other large technology companies have demonstrated that a different approach is possible. Apple has designed systems that limit its own ability to access customer data, even when doing so would ease compliance with government demands. Google offers client-side encryption models that allow customers to retain exclusive control of encryption keys. These companies still comply with the law, but when they do not hold the keys, they cannot unlock the data. That is not obstruction. It is a design choice.

Microsoft could make similar choices. Retaining decryption capability is not a technical inevitability; it is a product and business decision. Defaults matter, and when convenience is the default, most users—individuals and enterprises alike—will unknowingly trade control for ease of use.

There is no such thing as a risk-free backdoor or a universally safe key escrow. Encryption does not distinguish between authorized and unauthorized access. Any system designed to be unlocked on demand will eventually be unlocked by unintended parties.

These risks are magnified in an era of persistent nation-state cyber activity. Every additional entity capable of decrypting data increases the attack surface. 

The Salt Typhoon debacle underscores the point. Even when attackers target networks or infrastructure instead of endpoints, the goal remains the same: to gain access to systems where large volumes of sensitive data can be accessed or decrypted at scale. Architectures that concentrate decryption authority magnify the consequences of inevitable breaches; architectures that enforce data-level key ownership sharply limit the blast radius. 

For global companies, the issue is not only U.S. legal process, but the possibility of conflicting demands across jurisdictions—some with far weaker protections for civil liberties and commercial confidentiality.

The lesson is straightforward: organizations cannot outsource responsibility for their most sensitive data and assume that third parties will always act in their best interest. Encryption only fulfills its purpose when the data owner is the sole party capable of unlocking it.

Microsoft has an opportunity to address this by making customer-controlled keys the default and by designing recovery mechanisms that do not place decryption authority in Microsoft’s hands. True data sovereignty—personal and organizational—requires systems that make compelled access technically impossible, not merely contractually discouraged.

In the meantime, this episode should serve as a warning. Executives and boards should ask a simple question of their technology stack: Where do our encryption keys live? 

The answer increasingly determines who truly owns the data—and who does not. Because if you do not control the keys, you do not control the data.
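A first concrete step toward answering that question on Windows endpoints, as an added example not taken from the article or from Virtru: enumerate every BitLocker key protector and flag the ones that can be escrowed outside the device. The function name Get-BitLockerKeyCustody is an assumption of this example; the cmdlet and property names are Windows' own.

```powershell
# Added example, not from the article: answer "where do our BitLocker keys live?"
# by listing every key protector on every BitLocker volume of the local machine.
# Assumes Windows with the BitLocker PowerShell module, run from an elevated prompt.
# Which external party (if any) holds a copy of a recovery password is not recorded
# on the volume itself; that must be checked in the directory or account it was
# backed up to.

function Get-BitLockerKeyCustody {
    Get-BitLockerVolume | ForEach-Object {
        $vol = $_
        foreach ($kp in $vol.KeyProtector) {
            # TPM-bound protectors (Tpm, TpmPin, ...) never leave the device.
            # RecoveryPassword protectors are the ones that get escrowed: to a printout,
            # a file, AD DS, Entra ID, or a personal Microsoft account.
            $custody = switch ($kp.KeyProtectorType) {
                'RecoveryPassword' { 'Escrowable: verify where the backup copy is held' }
                'ExternalKey'      { 'Key file: verify where the .BEK file is stored' }
                default            { 'Device-bound' }
            }
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                ProtectionStatus = $vol.ProtectionStatus
                ProtectorType    = $kp.KeyProtectorType
                ProtectorId      = $kp.KeyProtectorId
                Custody          = $custody
            }
        }
    }
}

Get-BitLockerKeyCustody | Format-Table -AutoSize
```

Backup-BitLockerKeyProtector and BackupToAAD-BitLockerKeyProtector are the cmdlets that escrow a recovery password to AD DS or Entra ID, so a search of management scripts and policy for those names shows where escrow was deliberately configured.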

John Ackerly is the CEO and Co-Founder of Virtru.

The post If you don’t control your keys, you don’t control your data appeared first on CyberScoop.