Data Sovereignty: Why Organizations Need Control of Their Data Now More Than Ever

Recent reports have highlighted a concerning trend: Federal agencies are increasingly using administrative subpoenas to seek identifiable information about individuals who run anonymous social media accounts or who have criticized government policies. While the specific political context varies across administrations, this development underscores a fundamental challenge that transcends any single government or policy agenda: Organizations and individuals need to take greater control of their sensitive data.

Unlike judicial subpoenas, which are authorized by a judge after seeing enough evidence of a crime, administrative subpoenas are issued by federal agencies, allowing investigators to seek information from tech and phone companies without a judge's oversight. Because administrative subpoenas are not backed by a judge's authority or a court's order, it's largely up to a company whether to give over any data to the requesting government agency.

This puts technology providers in an untenable position and leaves data owners with limited recourse.

As someone who has spent my career working at the intersection of national security and technology, I believe we're at an inflection point. The solution isn't to prevent legitimate law enforcement activities or to create impenetrable data silos. Rather, it's to fundamentally reimagine how we architect data security, shifting from perimeter-based defenses to data-centric security that keeps control with the data owner, regardless of where that data travels.

3 Reasons Data Sovereignty Is More Critical Than Ever

1. Traditional Trust Boundaries Have Eroded

Organizations—from enterprises to government agencies—are asking increasingly urgent questions about who truly controls their data, who holds the encryption keys, and whether their cloud providers could be compelled to surrender sensitive information without their knowledge or consent.

The reliance on U.S. tech giants is one reason why European countries and ordinary consumers are seeking to rely less on American tech giants. But this isn't just an international concern; domestic organizations face similar challenges. When sensitive data resides with third-party providers who can be compelled to turn over information through various legal mechanisms, data owners lose meaningful control.

The traditional model (trusting infrastructure providers to protect data) is no longer sufficient. The security paradigm has moved from mere risk minimization to active value creation, catalyzed by the rapid adoption of AI and agentic workflows, which are simultaneously intensifying data risk and demanding a new architecture that treats data control, rather than network perimeters, as the foundational security layer.

2. Cross-Boundary Data Sharing and Collaboration Is Essential

Modern operations—whether in national defense, healthcare, finance, or critical infrastructure—require secure data sharing across organizational boundaries. Data must move across commands, agencies, allied nations, and partners without surrendering sovereignty or control. Data security platforms provide the neutral, data-centric trust and policy layer that enables coalition collaboration, industrial ecosystem sharing, and international exchange with owner-controlled policy, audit, and revocation.

The data security category will be won by the company that enables organizations to "set data free," to share it with others (humans, machines, models) while still maintaining control throughout the entire data lifecycle.

3. True Data Sovereignty Is Now Possible

For years, we've had a binary choice: Either lock data down completely or accept significant risk when sharing it. New architectures change this equation entirely.

Security should empower privacy, not compromise it. Solutions built on the Trusted Data Format (TDF) ensure that sensitive data remains protected with military-grade encryption and granular access controls, no matter where it moves. TDF provides dynamic, policy-driven protection that follows the data, offering cryptographic proof of control.

Even when presented with a full subpoena, not all tech companies are capable of handing over data about their customers. Why? Because information that is end-to-end encrypted can’t be unlocked by a third-party cloud provider unless they also possess the keys. If you host your own keys, separately from your cloud-hosted data, the only one who can unlock it is you. 

Virtru's Commitment: Data-Centric Security for a Complex World

At Virtru, we've built our platform around a simple principle: data owners should control their data.

Our unique strategic position lies in making data self-protecting. We occupy a singular position to provide a neutral, cross-cloud data sovereignty service layer — built on our TDF-based, FedRAMP-authorized platform and Private Keystore — that sits above any single hyperscaler, enabling organizations to leverage cloud offerings while maintaining owner-controlled encryption keys and ensuring that classified or sensitive workloads can move across commercial providers without compromising security posture or sovereign control.

This matters because Virtru's TDF-based platform and Private Keystore architecture provide customer-controlled encryption and key management. Unlike hyperscaler-native key management solutions that keep customers locked into a single cloud provider (with that same cloud provider owning both encrypted content and encryption keys), our provider-agnostic approach enables agencies to distribute workloads across multiple commercial clouds while maintaining consistent policy enforcement and data sovereignty through a single, external keystore, which they themselves control.

How to Protect Data from Administrative Subpoenas

The recent reports about administrative subpoenas should serve as a wake-up call—not for any particular political reason, but because they expose a fundamental architectural vulnerability in how we manage sensitive data today.

Governments, corporations, and the public must collectively take steps to restore trust by safeguarding society against threats to our liberty. Our daily lives leave a massive footprint of personal information out in the wild, controlled by others whose interests may not align with our own. We must all work together to address this problem.

Whether you're a defense agency sharing intelligence with coalition partners, a healthcare system collaborating on research, a financial institution managing cross-border transactions, or an enterprise deploying AI across sensitive datasets, the question is the same: Who controls your data?

At Virtru, we believe the answer should always be: You do.

To learn more about how Virtru's Data Security Platform and Trusted Data Format enable true data sovereignty and data-centric security, visit www.virtru.com or contact our team directly.