Definition
Data sovereignty is an organization’s ability to exercise effective legal and operational control over data and the conditions under which it is processed within a specific jurisdiction. It includes deciding where data is processed and stored, how cross-border data transfers are handled, which processors are involved, and which technical and organizational measures are applied. In the context of image and video anonymization, data sovereignty covers source materials (recordings, photos), derivative files (anonymized versions), and the metadata generated throughout the process.
In the European Union, the legal basis stems from the GDPR, in particular the principles of purpose limitation, data minimization, integrity, and confidentiality, as well as the provisions governing transfers outside the EEA. The EDPB guidelines on international transfers and the case law of the CJEU are also critical, as they require organizations to maintain control over data flows to third countries. Data sovereignty therefore combines legal, technical, and operational aspects to ensure processing is compliant, auditable, and resilient to conflicting foreign access requests.
The Role of Data Sovereignty in Image and Video Anonymization
- GDPR compliance - selecting processing locations and tools to prevent unauthorized transfers of personal data captured in recordings prior to anonymization. This is based on Articles 5 and 25 and Chapter V of the GDPR.
- Legal risk reduction - following the CJEU ruling in case C‑311/18, organizations must assess the risk of access by third-country authorities. On‑premise processing within the EEA and reduced external network dependencies can simplify this assessment.
- Chain of custody - video materials often serve as evidence. Data sovereignty requires control over evidentiary integrity, immutability, and accountability across the entire anonymization workflow.
- Reduced exposure - limiting logs and telemetry that could reveal the presence of faces or license plates supports the data minimization principle.
- National differences - the status of license plates as personal data varies by country. The EDPB indicates that identification may be indirect, which favors masking plates in publicly released materials. In practice, a precautionary approach is recommended.
Technologies That Support Data Sovereignty
- On‑premise processing - software deployed within an organization’s own infrastructure or a private cloud in the EEA, with full control over networks and updates.
- Edge computing and offline mode - anonymization performed on workstations or edge servers without persistent Internet connectivity.
- Containerization and location policies - orchestration with restricted egress rules and explicit pinning of resources to EEA regions.
- Encryption - data at rest encrypted with AES in accordance with FIPS 197, and data in transit protected by TLS 1.3 in line with RFC 8446. Key management is handled by HSMs located within the EEA.
- Transfer controls - maintained Transfer Impact Assessments (TIAs), Standard Contractual Clauses (SCCs), and supplementary measures recommended by the EDPB.
- Accountability - immutable audit logs for the process (file hashes, timestamps), while avoiding logs that disclose biometric traits or object detections.
- Privacy engineering - privacy by design in line with ISO/IEC 27701, pseudonymization, and minimization of data required for face and license plate detection.
Key Parameters and Metrics - Data Sovereignty
| Attribute | How to Measure / Verify | Reference |
|---|---|---|
| Processing location | Share of tasks processed on‑premise within the EEA; data flow registers | GDPR Chapter V; EDPB 01/2020 |
| Transfer controls | Completeness of TIAs, applied SCCs, supplementary measures | EDPB 01/2020 |
| Key management | HSM location, key ownership, rotation, separation of duties | ISO/IEC 27002:2022 - cryptography |
| Process accountability | Immutable logs: task ID, input/output hash, timestamp | ISO/IEC 27002:2022 - logging and monitoring |
| Data minimization | No persistence of face/plate detections in logs; retention policies | GDPR Art. 5(1)(c) and (e) |
| Integrity and confidentiality | Protocols and algorithms used, file integrity tests | RFC 8446; FIPS 197; ISO/IEC 27001:2022 |
| Anonymization effectiveness | Re‑identification risk assessment, including face and plate detection errors | EDPB 3/2019 - video |
Challenges and Limitations
- Jurisdictional conflicts - the risk of data access under third‑country laws requires transfer assessments and technical measures that prevent access to unencrypted data.
- Divergent legal interpretations - authorities and courts vary in their treatment of license plates as personal data. The EDPB emphasizes indirect identifiability, raising the protection standard for publishing recordings from public spaces.
- Vendor dependencies - some cloud solutions may introduce hidden transfers or external telemetry. Components that send metadata beyond controlled infrastructure should be eliminated.
- Balancing accountability and minimization - logs must enable audits and preserve the chain of custody, but must not retain data that enables identification of individuals.
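The accountability measure described above (immutable logs holding task ID, input/output hash and timestamp, but never detections) and the accountability-versus-minimization tension can both be made concrete in code. The following is an added example, not code from the original page and not the implementation of Gallio PRO or any product it mentions. It assumes a simple hash-chained, append-only log in which each entry commits to the hash of the previous entry, so that altering any earlier record breaks verification from that point on; the field names (`task_id`, `stage`, `input_sha256`, `output_sha256`, `timestamp`) and the sample frame bytes are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Only process-level facts may enter an audit record. Keys describing what was
# detected (bounding boxes, face or plate counts, plate text) are rejected so the
# audit trail never becomes a record of identifiable content. Field names are
# assumptions for this example, not a standard schema.
ALLOWED_FIELDS = frozenset({"task_id", "stage", "input_sha256", "output_sha256", "timestamp"})
GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(record: dict) -> bytes:
    # Deterministic serialization so an identical record always hashes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only, hash-chained log: each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []  # each: {"record": dict, "prev_hash": str, "entry_hash": str}

    def append(self, record: dict) -> str:
        extra = set(record) - ALLOWED_FIELDS
        if extra:  # minimization guard: refuse detection-level data
            raise ValueError(f"disallowed audit fields: {sorted(extra)}")
        missing = ALLOWED_FIELDS - set(record)
        if missing:  # accountability guard: every entry must be complete
            raise ValueError(f"missing audit fields: {sorted(missing)}")
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry_hash = sha256_hex(prev_hash.encode() + canonical(record))
        self.entries.append({"record": dict(record), "prev_hash": prev_hash, "entry_hash": entry_hash})
        return entry_hash

    def verify(self):
        """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
        prev_hash = GENESIS_HASH
        for i, e in enumerate(self.entries):
            expected = sha256_hex(prev_hash.encode() + canonical(e["record"]))
            if e["prev_hash"] != prev_hash or e["entry_hash"] != expected:
                return False, i
            prev_hash = e["entry_hash"]
        return True, -1


def record_anonymization(log, task_id, stage, input_bytes, output_bytes, timestamp=None):
    """Log one anonymization stage by content hashes only; the media itself never enters the log."""
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return log.append({
        "task_id": task_id,
        "stage": stage,
        "input_sha256": sha256_hex(input_bytes),
        "output_sha256": sha256_hex(output_bytes),
        "timestamp": ts,
    })


def demo():
    # Constructed stand-ins for a source frame and its masked output (not real media).
    source_frame = b"CONSTRUCTED-SOURCE-FRAME-BYTES"
    masked_frame = b"CONSTRUCTED-MASKED-FRAME-BYTES"
    log = AuditLog()
    record_anonymization(log, "task-0001", "face_mask", source_frame, masked_frame,
                         "2024-01-01T10:00:00+00:00")
    record_anonymization(log, "task-0001", "plate_mask", masked_frame, masked_frame + b"-v2",
                         "2024-01-01T10:00:05+00:00")
    intact = log.verify()
    # A record carrying detection geometry is refused by the minimization guard.
    try:
        log.append({"task_id": "task-0001", "stage": "face_mask", "input_sha256": "", "output_sha256": "",
                    "timestamp": "", "faces_bbox": [[10, 20, 30, 40]]})
        guard_ok = False
    except ValueError:
        guard_ok = True
    # Altering an earlier entry breaks the chain at that entry's index.
    log.entries[0]["record"]["output_sha256"] = "f" * 64
    tampered = log.verify()
    return intact, guard_ok, tampered


if __name__ == "__main__":
    print(demo())
```

In a deployment the entries would be written to append-only storage (or periodically anchored by signing the latest `entry_hash` with a key held in the EEA-located HSM the page describes), so the chain can be verified by an auditor without the log ever holding faces, plates or their coordinates.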
Use Cases - Image and Video Anonymization
- A municipal authority processes CCTV footage on on‑premise servers within the EEA, anonymizes faces and license plates, and stores source versions in a segregated zone with short retention. The absence of external services and of detection telemetry strengthens data sovereignty.
- A manufacturing company shares anonymized factory footage with partners. The entire pipeline operates in an isolated network, and encryption keys are stored in an in‑country HSM. Cross‑border transfers include only post‑anonymization files.
- A research organization creates anonymized image datasets for publication. Prior to processing, it conducts a DPIA and TIA, while the pipeline blocks outbound traffic. TLS 1.3 and AES are applied, and audits cover every detection and masking stage.
- On‑premise solutions such as Gallio PRO automatically mask faces and license plates, do not anonymize entire silhouettes, do not perform live‑stream anonymization, and may allow manual masking of other objects in an editor. The absence of detection logs limits data exposure.
Standards and References
- GDPR - Regulation (EU) 2016/679 of 27 April 2016, in particular Articles 5 and 25 and Chapter V. OJ L 119/1.
- EDPB, Recommendations 01/2020 on measures that supplement transfer tools, Version 2.0, 18 June 2021.
- CJEU, Judgment of 16 July 2020, C‑311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II).
- EDPB, Guidelines 3/2019 on processing of personal data through video devices, Version 2.0, 29 January 2020.
- ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - ISMS.
- ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection - Controls (logging, monitoring, cryptography).
- ISO/IEC 27701:2019 - Extension to ISO/IEC 27001 and 27002 for privacy information management.
- ISO/IEC 27018:2019 - Protection of PII in public clouds acting as PII processors.
- FIPS 197 - Advanced Encryption Standard (AES), NIST, 2001.
- RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3, IETF, 2018.
- Regulation (EU) 2023/2854 - Data Act, 13 December 2023, including safeguards against unlawful cross‑border access to data stored in the EU.