Digital Sovereignty and International Order: How Small States Can Find Their Place Amid Tech Hegemony

When the rules of the global digital economy are being written by a handful of tech superpowers, small and medium-sized economies face not merely a technology gap but a more fundamental existential question: In an era where data has become a strategic resource, algorithms have become governance tools, and technical standards have become instruments of geopolitical power projection, how can small states preserve their digital sovereignty? This is not an abstract debate confined to the ivory tower. In my experience leading cross-national policy research for the World Bank and United Nations, spanning more than fifteen countries across Asia, Europe, Africa, and Latin America, I have repeatedly encountered the same dilemma: the digital infrastructure, data governance frameworks, and technical talent reserves of developing economies and small states are far insufficient to protect their interests within a digital order dominated by great powers. Yet passive acceptance is not the only option. This article argues that small states can not only survive in the crevices of digital hegemony but can also establish asymmetric digital advantages through strategic institutional design and diplomatic alignment.

I. Redefining Digital Sovereignty: From Territorial Borders to Data Frontiers

The evolution of sovereignty has always advanced in lockstep with technological change. The Westphalian system established state sovereignty centered on territory; the age of naval power extended sovereignty to disputes over jurisdiction of territorial waters and the high seas; aviation and space technologies gave rise to airspace sovereignty and international legal frameworks for outer space governance. Today, digital technology is opening the fourth major expansion of the sovereignty concept—and this time, the frontier is intangible.

Digital sovereignty encompasses at least three interrelated dimensions. The first is data sovereignty—a state's claim to jurisdiction over data generated within its borders. When the health data, financial data, and communications data of a country's citizens are stored on cloud servers abroad, can that country's judicial jurisdiction reach them? The EU's General Data Protection Regulation (GDPR) is the most ambitious answer to date—it not only regulates data processing within the EU but extends its regulatory reach through "extraterritorial effect" to any global enterprise processing EU citizens' data. The deeper implication of the GDPR is that it elevates data protection from an individual right to a declaration of collective sovereignty.^[1]

The second is technological sovereignty—a state's autonomous capability in critical digital technologies. This does not mean every country must independently develop semiconductors or build large language models; rather, it refers to whether a state possesses sufficient technical judgment and alternative options to avoid irreversible dependence on a single foreign supplier. During my digital economy research at Cambridge University, the EU's process of advancing the Gaia-X cloud infrastructure initiative left a deep impression on me: this was not a commercial plan to compete with AWS or Azure for market share, but a strategic investment to ensure Europe retained an "exit option" in cloud computing.

The third is governance sovereignty—a state's ability to formulate digital governance rules according to its own values and social needs. When the United States builds its digital governance paradigm around free markets, China around state control, and the EU around rights protection, the question for small states is: do they have the capacity to establish their own governance pathways, or can they only passively "pick a side"? In my research visits to multiple countries in Southeast Asia and Central Asia, I found that many countries' digital governance is effectively a patchwork of great power norms—simultaneously adopting Chinese surveillance technology, American platforms, and EU regulatory language, yet lacking an internally coherent governance logic.^[2]

The intersection of these three dimensions constitutes the complete picture of digital sovereignty. For small states, the challenge lies in the fact that they occupy structurally disadvantaged positions in every dimension. Data sovereignty is constrained by the data concentration of multinational tech companies; technological sovereignty is limited by insufficient R&D resources; and governance sovereignty faces the powerful spillover of great power standards.

II. The Digital Order Under Great Power Competition: The US-China-EU Tripolar Structure

Understanding the predicament of small states requires first understanding the power structure of the international digital order in which they are situated. Global digital governance today has effectively formed a tripolar structure dominated by the United States, China, and the European Union, with each pole embodying a fundamentally different governance philosophy.

The core of the American model is "market-driven, light regulation." America's digital hegemony is built upon the global dominance of its tech enterprises—the combined market capitalization of the five tech giants, Google, Apple, Meta, Amazon, and Microsoft, exceeds the GDP of most countries. The US government's strategy is to provide maximum global expansion space for these enterprises while maintaining technological leadership through technology export controls (such as sanctions on Huawei and restrictions on advanced chip exports). On data governance, the United States still lacks a federal-level personal data protection law—this is not an oversight but a deliberate choice: the free flow of data is regarded as the cornerstone of American digital economic competitiveness.^[3]

The core of the Chinese model is "state-led, data localization." China's Cybersecurity Law, Data Security Law, and Personal Information Protection Law operate in parallel, constructing the world's strictest data localization regime. Critical data must be stored within China's borders, and cross-border transfers require security assessments. Simultaneously, China exports its technological infrastructure—from 5G networks to smart city systems—to dozens of countries across Asia, Africa, and Latin America through the "Digital Silk Road." This is not merely commercial activity but an export of digital governance paradigms. During my research visits to parts of Southeast Asia, I personally witnessed Chinese-built surveillance systems, electronic payment platforms, and e-government systems deeply embedded in local digital infrastructure—while the recipient governments often lacked sufficient technical capacity to audit the security of these systems.

The core of the EU model is "rights-based, standards export." The EU's unique position in digital governance lies not in its technological prowess (Europe lacks world-class tech platform companies) but in its capacity for norm-setting. The GDPR has become the de facto global standard for data protection—from Japan to Brazil, from South Korea to India, countries' data protection laws extensively borrow from the GDPR framework. Scholar Anu Bradford calls this phenomenon the "Brussels Effect"—the EU leverages its enormous single market to convert its regulatory standards into compliance benchmarks for global enterprises, thereby achieving a form of "normative power" that does not depend on military or technological hegemony.^[4]

For small states, this tripolar structure implies a fundamental strategic choice: fully adopt a particular great power's digital ecosystem (enjoying short-term convenience while bearing the risk of long-term dependence), or attempt to maintain strategic balance among the three poles (gaining greater autonomy but requiring more sophisticated governance capacity)? In my research at the World Bank, I observed that most developing countries have not systematically considered this question—their digital infrastructure development is often driven by individual projects rather than guided by an overarching digital sovereignty strategy.

III. Asymmetric Advantages of Small States: Institutional Agility and Trust Capital

Facing the digital hegemony of great powers, small states are not entirely without leverage. Quite the contrary, small states possess structural advantages in certain dimensions that great powers do not—the key is whether these advantages can be strategically deployed.

The first advantage is institutional agility. Digital governance in great powers is often constrained by massive bureaucracies, interest group lobbying, and institutional rigidity. Small states can more rapidly formulate, test, and adjust digital policies. Estonia's "digital nation" experiment is the most classic example. This Baltic state of only 1.3 million people fully digitized government services in the early 2000s—from electronic ID cards and e-voting to the e-Residency program, Estonia single-handedly proved that a small country can become a global benchmark for digital governance. In my exchanges with former Estonian President Toomas Hendrik Ilves, he repeatedly emphasized one point: Estonia's success was not because its technology was particularly advanced, but because a small country could achieve "whole-of-government" digital transformation—something nearly impossible in large countries.^[5]

The second advantage is "trust capital." In the digital economy, trust is a scarce resource. When tech competition among great powers is rife with espionage allegations, data theft, and technological blockades, small and medium-sized countries that do not belong to any tech camp may instead become "trusted third parties." Singapore's positioning in this regard is particularly astute. Singapore is neither America's tech vassal nor China's digital extension, but has deliberately positioned itself as a "neutral data hub"—multinational corporations locate their Asia-Pacific data centers in Singapore precisely because it maintains sufficient neutrality and institutional predictability between the great powers.^[6]

The third advantage is the first-mover role in regulatory innovation. Small states can pioneer new digital governance models, providing empirical evidence for the international community. Switzerland's pioneering experience in crypto-asset regulation, Israel's strategic framework for national cybersecurity, and Rwanda's breakthrough in digital identity infrastructure—all demonstrate the potential of small states as "digital governance laboratories." This first-mover role not only brings economic benefits to the home country (such as attracting digital enterprises) but also secures a voice in international digital governance standard-setting that exceeds their size.

For Taiwan, all three advantages are highly relevant. Taiwan possesses high-quality technical talent, a mature democratic system, a critical position in the semiconductor supply chain, and the trust advantage of being a "non-great power." The question is whether Taiwan has integrated these advantages into a systematic digital sovereignty strategy. From my observation, the answer is not yet satisfactory—Taiwan's digital governance remains overly focused on the industrial dimension (such as semiconductors and AI), while investment in the international positioning of data governance, strategic participation in technical standards, and institutional development of digital diplomacy falls far short.

IV. The Data Governance Battleground: Cross-Border Data Flows and the Standards Contest

If twentieth-century geopolitics revolved around oil, the strategic resource of the twenty-first century is undoubtedly data. And "cross-border data flows" represent the core battleground of the contest for digital sovereignty.

The governance dilemma of cross-border data flows lies in this: the free flow of data promotes economic efficiency (enterprises can process data at the most optimal locations globally), but unconstrained cross-border data transfers may lead to privacy erosion, national security risks, and digital colonialism—where developing countries' raw data is acquired at low cost by multinational enterprises, processed into high-value AI models and data analytics products, while profits and technological capabilities concentrate in a few tech powerhouses.^[7]

At the international level, three competing normative frameworks are emerging for cross-border data flow governance. The United States promotes "free flow of data" and consolidates this position through APEC's Cross-Border Privacy Rules (CBPR) system and bilateral trade agreements. The EU insists on "conditional data flows"—data can only be transferred across borders when the receiving country provides "adequacy" protection. China promotes strict data localization under the banner of "data security."

The strategic space for small states in this standards contest is larger than it appears on the surface. In the World Trade Organization's (WTO) Joint Statement Initiative (JSI) on e-commerce negotiations, Singapore, Chile, and New Zealand took the lead in signing the Digital Economy Partnership Agreement (DEPA), establishing a set of high-standard rules specifically targeting the digital economy—covering cross-border data flows, mutual recognition of digital identities, AI ethics, electronic invoicing, and other issues. The strategic significance of DEPA lies in the fact that it was not initiated by great powers but was proactively constructed by three small to medium-sized open economies—subsequently, South Korea, China, Canada, and other countries applied to join, demonstrating the capacity of small states to lead in rule-making.^[8]

Taiwan should draw strategic lessons from the DEPA experience. In formal international organizations, Taiwan's participation space is constrained by political realities. But in bilateral and multilateral agreements on the digital economy—particularly in cooperation frameworks based on issues rather than sovereignty—Taiwan has the opportunity to earn participation rights through substantive technical contributions and institutional innovation. This requires a new form of "digital diplomacy"—one that does not take national flags as a prerequisite, but uses rule innovation as currency.

In the arena of technical standard-setting, small states can likewise exert asymmetric influence. The standard-setting processes of the International Organization for Standardization (ISO), the International Telecommunication Union (ITU), and the Internet Engineering Task Force (IETF) are nominally technical, but in practice profoundly shape the competitive landscape of the digital economy. In recent years, China has significantly increased its proposal submissions and personnel placements in organizations like the ITU, seeking to internationalize its domestic technical standards. The response strategy for small states should be: build specialized expertise in specific technical sub-domains and form collective influence in international standard-setting through alliances.^[9]

V. A New Paradigm for Digital Diplomacy: Taiwan's Opportunities and Pathways

Synthesizing the above analysis, I believe that small economies—Taiwan in particular—need to construct a comprehensive "digital sovereignty strategy," and the core of this strategy should not be technological catch-up, but institutional innovation and diplomatic alignment. The following are my five policy recommendations:

First, establish a national-level data governance framework. Taiwan's current Personal Data Protection Act was enacted in the early 2010s and has seriously fallen behind the pace of digital economic development. Taiwan needs a new-generation data governance law benchmarked against the GDPR—not only to protect individual privacy but also to possess the legal infrastructure for negotiations on international data flows. Without a robust data governance framework, Taiwan cannot become a data hub trusted by multinational enterprises, nor can it speak with authority in the international rule-making on cross-border data flows.

Second, leverage "digital trust" as a diplomatic asset. Taiwan should position itself as a "trusted digital partner"—building deep cooperation with the democratic alliance in areas such as semiconductor supply chain security, cybersecurity collaboration, and open-source technology contributions. This "digital trust diplomacy" does not require formal diplomatic recognition but accumulates international trust through the tangible results of technical cooperation. My experience serving as the Asia-Pacific representative at Cambridge University confirmed that in the domains of academic and technical collaboration, professional competence and institutional quality matter more than national flags.^[10]

Third, strategically participate in international technical standard-setting. Taiwan's semiconductor, ICT, and precision manufacturing industries occupy critical positions in global supply chains, granting Taiwan a natural voice in related technical standard-setting. The government should establish a dedicated agency to systematically track, analyze, and participate in the agendas of international standards organizations such as ISO, ITU, and IEEE, converting Taiwan's industrial advantages into influence in standard-setting.

Fourth, build an international brand as a "digital governance laboratory." Taiwan can learn from Estonia's experience by selecting two to three frontier issues in digital governance (such as AI ethics review mechanisms, open government data frameworks, and mutual recognition systems for digital identity), leveraging the agility of a small country to pilot them first, produce empirical evidence, and then convert these experiences into entry tickets for international cooperation. The open government and civic technology practices championed by former Digital Minister Audrey Tang have already earned Taiwan a degree of international visibility—this pathway deserves systematic deepening and expansion.

Fifth, cultivate professional talent for "digital diplomacy." International negotiations on digital governance require interdisciplinary talent who simultaneously understand technology, law, economics, and geopolitics. Taiwan's diplomatic and technical communities have long operated in parallel with little intersection. The government should establish cross-ministerial digital diplomacy training mechanisms, enabling diplomats to understand technology and engineers to understand diplomacy—only then can Taiwan field negotiation representatives with sufficient professional depth in international digital governance forums. In my experience directing MBA programs at Zhejiang University, the most successful cross-domain leaders were not top experts in a single field, but "translators" who could fluidly switch between technology and policy.^[11]

Digital sovereignty is not the exclusive domain of great powers. In this era where data equals power, standards equal rules, and trust equals assets, the fate of small states depends not on the number of their servers or the scale of their algorithms, but on the ingenuity of their institutional design and the wisdom of their diplomatic strategy. Taiwan possesses sufficient conditions to become a "small but refined" exemplar of digital sovereignty—but this requires transforming from a passive technology follower into a proactive institutional innovator and rule-maker. During this period of reshaping the international digital order, the window of opportunity will not remain open forever.^[12]