Chapter 37: Global South Perspectives on Data Governance

"The future is already here — it's just not evenly distributed." — William Gibson

Chapter Overview

Most of this textbook has been written from a perspective shaped by North American and European institutions, regulatory frameworks, and scholarly traditions. The GDPR is European. COPPA is American. The ethical frameworks in Chapter 6 draw on Western philosophical traditions. The corporate case studies feature companies headquartered in Silicon Valley and New York. Even the critical frameworks — data colonialism, data feminism — were developed primarily by scholars at Western universities.

This chapter confronts that limitation directly. More than 80% of the world's population lives in the Global South — Africa, Asia, Latin America, and Oceania. These regions are not passive recipients of data governance frameworks developed elsewhere. They are developing their own approaches — sometimes adopting and adapting Western models, sometimes rejecting them as inappropriate to their contexts, and sometimes leapfrogging them entirely to create governance innovations that the Global North has not yet imagined.

This is not a survey chapter that reduces entire continents to a few paragraphs. It is an analytical chapter that examines how the themes we've been tracking throughout this book — Power Asymmetry, Consent Fiction, Accountability Gap — manifest differently in contexts where the relationship between data systems and communities is shaped by histories of colonialism, ongoing resource extraction, infrastructure dependency, and what scholars call digital extractivism.

Sofia Reyes, whose experience growing up near the US-Mexico border gave her a firsthand understanding of how surveillance systems operate at the boundaries between the Global North and the Global South, plays a central role. Her work at the DataRights Alliance has increasingly connected domestic data rights advocacy to global data justice movements.

In this chapter, you will learn to: - Analyze how data colonialism operates through contemporary digital infrastructure - Compare data governance frameworks emerging from Africa, India, and Latin America - Evaluate the possibilities and limitations of "leapfrogging" problematic Western patterns - Examine alternative governance models rooted in community ownership and cooperative structures - Connect border surveillance to broader patterns of data-driven control

37.1 Data Colonialism Deepened: Digital Extractivism

37.1.1 From Chapter 5 to Chapter 37

In Chapter 5, we introduced data colonialism as a framework for understanding how digital platforms extract value from populations in ways that parallel historical colonial extraction. In Chapter 32, we deepened that analysis through the lenses of digital redlining and data justice. Here, we examine data colonialism from the perspective of the communities and nations from which value is extracted — and the governance responses they are developing.

The data colonial relationship operates through several mechanisms that are particularly visible in the Global South:

Infrastructure dependency. Most countries in the Global South depend on digital infrastructure controlled by companies headquartered in the Global North:

• Submarine cables. Approximately 97% of intercontinental data flows pass through submarine fiber optic cables. The ownership, routing, and pricing of these cables are controlled by a small number of companies, primarily American and European. African countries, in particular, depend on cable routes that connect to European landing points, creating bottleneck dependencies.

• Cloud computing. The major cloud platforms — Amazon Web Services, Microsoft Azure, Google Cloud — are American. Most Global South countries lack domestic cloud infrastructure sufficient for large-scale data processing, meaning that their citizens' data is stored and processed on servers controlled by foreign companies, subject to foreign legal jurisdiction.

• Platform dominance. WhatsApp is the primary communication platform in much of Latin America, Africa, and South Asia. Facebook is the primary social platform across most of the Global South. Google dominates search. This means that the digital infrastructure of daily life — communication, information access, commercial transactions — is controlled by companies with no democratic accountability to the populations they serve.

Data extraction without value return. Global South users generate vast quantities of data — search queries, social media posts, mobile money transactions, health records, agricultural data — that is processed in Global North data centers, used to train Global North algorithms, and monetized through Global North advertising markets. The value generated from this data flows overwhelmingly to shareholders in the Global North. The communities that generated the data receive the service (often a "free" platform funded by advertising) but not a share of the economic value their data produces.

Knowledge extraction. Research institutions in the Global North collect data from Global South communities — health data, genetic data, ecological data, social data — for studies published in Global North journals, advancing Global North careers and informing Global North policies. The communities studied often receive no research benefit, no co-authorship, and no control over how their data is used.

37.1.2 The Free Basics Debate

A concrete example of the tension between infrastructure provision and data colonialism is Facebook's Free Basics program (originally called Internet.org). Launched in 2013, Free Basics offered free access to a limited set of websites — including Facebook — in countries with low internet penetration.

The argument for Free Basics: In countries where many people cannot afford internet access, providing free access to essential services (health information, education, communication) is better than no access at all. Some connectivity is better than none.

The argument against: Free Basics violated the principle of net neutrality by providing access to a curated set of services (selected by Facebook) rather than the open internet. It created a two-tier internet: the full internet for those who could afford it, and a Facebook-controlled subset for those who couldn't. And it channeled the digital behavior of millions of new internet users through Facebook's platform — generating data and engagement for Facebook while locking users into its ecosystem.

India's Telecom Regulatory Authority (TRAI) banned Free Basics in 2016, ruling that it violated net neutrality principles. The decision was widely celebrated by net neutrality advocates and by those who saw Free Basics as a form of digital colonialism — offering the appearance of generosity while extracting data value and creating platform dependency.

"Free Basics was a masterclass in the Consent Fiction," Sofia told the class. "Facebook framed it as a gift — free internet for the poor. But the 'gift' was a walled garden controlled by Facebook, generating data for Facebook, and conditioning millions of new users to experience the internet as synonymous with Facebook. The 'consent' of users who had no other internet access and no way to evaluate the tradeoff was not meaningful consent. It was manufactured dependency."

37.2 Africa: Building Data Governance From Diverse Foundations

37.2.1 The AU Data Policy Framework

The African Union adopted its Data Policy Framework in 2022, establishing a continental approach to data governance that balances several objectives:

• Enabling the digital economy — creating regulatory environments that support data-driven innovation and economic growth
• Protecting individual rights — establishing data protection standards consistent with international human rights frameworks
• Asserting data sovereignty — ensuring that African data serves African development priorities rather than being extracted for external benefit
• Harmonizing regulation — creating a framework that enables cross-border data flows within Africa while establishing consistent protection standards

The Framework recognizes that Africa's data governance challenges are distinct from those of Europe or North America. Many African countries are building data governance institutions from scratch, without the institutional infrastructure (independent data protection authorities, specialized courts, trained regulators) that underpins enforcement in the EU.

37.2.2 National Frameworks: Nigeria and Kenya

Nigeria's National Data Protection Regulation (NDPR, 2019) was Africa's first comprehensive data protection regulation, drawing on the GDPR but adapted to Nigeria's context:

• Data Protection Bureau established as the supervisory authority
• Consent and lawful basis requirements similar to GDPR
• Data localization provisions requiring that personal data be stored in Nigeria or in jurisdictions with adequate protection
• Compliance auditing requirements for data controllers
• Penalties including fines of up to 2% of annual revenue or 10 million Naira

The NDPR was replaced by the Nigeria Data Protection Act (NDPA) in 2023, which established the Nigeria Data Protection Commission as an independent regulatory body — a significant institutional advancement.

Challenges include enforcement capacity (the Commission is still building its staff and processes), the informal economy (a large proportion of Nigerian economic activity occurs outside the formal digital systems the regulation covers), and the tension between data localization requirements and the reality that most Nigerian digital services depend on foreign cloud infrastructure.

Kenya's Data Protection Act (2019) similarly drew on the GDPR while adapting to local conditions:

• Established the Office of the Data Protection Commissioner
• Incorporated principles of purpose limitation, data minimization, and accountability
• Required data protection impact assessments for processing likely to result in high risk
• Addressed the challenge of Huduma Namba — Kenya's national digital identity program — which raised concerns about surveillance and exclusion

Kenya's experience illustrates a tension common across the Global South: the desire to build digital identity infrastructure (which can improve access to services) versus the risk that such infrastructure becomes a surveillance tool (which can enable exclusion and control).

37.2.3 Community Data Governance in Agriculture

Some of the most innovative data governance experiments in Africa are occurring not at the national level but at the community level — particularly in agriculture.

The challenge: Agricultural data — soil conditions, weather patterns, crop yields, market prices — is increasingly collected by agricultural technology companies, often in exchange for providing farmers with planting recommendations. But the data is processed and monetized by the companies, while the farmers who generated the data receive only the recommendations — and have no control over how their data is used, who it is shared with, or what value is extracted from it.

Community responses:

• Data cooperatives in East Africa. Farmer cooperatives in Kenya and Tanzania have developed data governance frameworks that enable collective bargaining over agricultural data. Rather than each individual farmer negotiating with a technology company, the cooperative negotiates collective terms — including data access rights, benefit-sharing provisions, and restrictions on secondary use.

• The GODAN (Global Open Data for Agriculture and Nutrition) initiative promotes open data principles in agriculture while recognizing that openness must be balanced with the protection of farmers' interests — particularly in contexts where open data can be exploited by more powerful market actors.

• Indigenous farming knowledge. In West Africa, community governance structures have been developed to protect traditional agricultural knowledge from extraction. These structures draw on indigenous governance traditions — communal decision-making, elder councils, customary law — rather than on Western intellectual property frameworks.

"This is what data governance looks like when it starts from the community rather than from the corporation or the state," Dr. Adeyemi observed. "The question isn't 'how do we protect individual data rights?' — it's 'how do we govern data collectively, in ways that serve our community's interests?' It's a fundamentally different starting point, and it produces fundamentally different governance structures."

37.3 India: Aadhaar, Digital Public Infrastructure, and the DPDP Act

37.3.1 Aadhaar: The World's Largest Biometric ID System

India's Aadhaar system, launched in 2009, is the world's largest biometric identification program. Over 1.3 billion Indians — approximately 99% of the adult population — have been enrolled, each receiving a 12-digit unique identification number linked to their biometric data (fingerprints and iris scans) and demographic information (name, date of birth, gender, address).

The case for Aadhaar:

• Financial inclusion. Aadhaar has enabled hundreds of millions of previously "unbanked" Indians to open bank accounts, receive direct benefit transfers, and access formal financial services.
• Benefit delivery efficiency. Direct benefit transfers linked to Aadhaar have reduced corruption and leakage in government welfare programs. The Indian government estimates savings of over $30 billion through the elimination of fraudulent or duplicate beneficiaries.
• Service access. Aadhaar-based authentication enables access to healthcare, education, and other government services without paper documentation — particularly valuable for rural and low-income populations.

The case against Aadhaar:

• Surveillance infrastructure. Aadhaar creates a comprehensive identification system that can be used to track individuals across services. When linked to bank accounts, mobile phones, tax records, and government services, Aadhaar enables a level of state surveillance that would be technically impossible without a universal ID.
• Exclusion. Biometric authentication fails at rates of 5-12% in field conditions (Dreze et al., 2017) — due to worn fingerprints (common among manual laborers), system connectivity failures, and database errors. These failures disproportionately affect the poorest and most vulnerable — precisely the populations the system was designed to serve. People denied benefits due to authentication failures have suffered severe consequences, including documented cases of starvation deaths.
• Function creep. Aadhaar was originally designed as a voluntary identification system for benefit delivery. Over time, it has been linked to an expanding range of services — bank accounts, mobile phones, tax returns, school admissions — making it effectively mandatory despite its nominal voluntary status.
• Legal challenges. The Indian Supreme Court's landmark decision in K.S. Puttaswamy v. Union of India (2018) upheld the constitutionality of Aadhaar but imposed significant constraints: Aadhaar cannot be mandated by private companies, cannot be required for non-governmental services, and must be subject to proportionality analysis. The Court also recognized a fundamental right to privacy — a landmark ruling with implications beyond Aadhaar.

37.3.2 Digital Public Infrastructure: The India Stack

Aadhaar is the foundation of what India calls its digital public infrastructure (DPI) — a stack of interconnected digital systems:

• Aadhaar (identity layer): Universal digital identity
• UPI (payment layer): Unified Payments Interface, enabling instant digital payments between bank accounts
• DigiLocker (document layer): Cloud-based storage for official documents
• Account Aggregator (data layer): Framework for consent-based sharing of financial data

The India Stack represents a model of public digital infrastructure — built and maintained by the state rather than by private corporations. Proponents argue that this model avoids the platform dependency that characterizes the Global North's privately controlled digital infrastructure. Rather than depending on Facebook for communication, Google for information, and Apple for identity, India has built public systems that are — in principle — accountable to democratic governance.

The model has attracted significant global attention. The G20, under India's presidency in 2023, endorsed DPI as a framework for digital development, and several countries — including Brazil, Singapore, and various African nations — are developing similar approaches.

Critical perspectives:

• Public infrastructure controlled by the state is subject to state surveillance, not corporate surveillance — but it is surveillance nonetheless. The concentration of identity, payment, and document systems in a single state-controlled stack creates surveillance capabilities that even the most powerful private platforms do not possess.
• The democratic accountability of DPI depends on the democratic accountability of the state. In a functioning democracy with independent courts and a free press, DPI can be governed transparently. In a state with weakening democratic institutions, DPI can become a tool of authoritarian control.
• The benefits of DPI are real but unevenly distributed. Financial inclusion has improved dramatically for many Indians. But those excluded by biometric authentication failures, connectivity gaps, and digital literacy barriers experience DPI not as inclusion but as a new form of bureaucratic exclusion.

Callout Box: Aadhaar — The Promise and the Peril

Dimension	Promise	Peril
Financial inclusion	500+ million new bank accounts	Authentication failures exclude the most vulnerable
Benefit delivery	$30+ billion in savings from fraud reduction	Documented deaths from benefit denial
Service access	One ID for all government services	Function creep toward mandatory universal surveillance
Digital economy	Foundation for payments, commerce, credit	State surveillance stack with no corporate counterweight
Democratic governance	Public infrastructure accountable to citizens	Dependent on democratic institutions' independence

37.3.3 The DPDP Act (2023)

India's Digital Personal Data Protection Act (DPDP Act), passed in August 2023, establishes India's first comprehensive data protection law. Key features:

• Consent-based processing with specific purpose limitations
• Data Principal (individual) rights including access, correction, and erasure
• Data Fiduciary (controller) obligations including purpose limitation and data security
• Significant Fiduciary designation for large data processors, with enhanced obligations
• Data Protection Board established as the regulatory authority
• Government exemptions — the Act includes broad exemptions for government data processing in the interest of "sovereignty and integrity of India," "security of the State," and "public order"

The government exemptions have drawn significant criticism. If the state is exempt from data protection requirements for broadly defined security and sovereignty purposes, the protections for individuals may be meaningful only against private sector data processing — leaving the enormous state surveillance apparatus (including Aadhaar) largely unregulated.

37.4 Latin America: The LGPD, Border Surveillance, and Digital Rights

37.4.1 Brazil's LGPD

Brazil's Lei Geral de Protecao de Dados (LGPD), enacted in 2018 and effective from 2020, is Latin America's most comprehensive data protection law and one of the most GDPR-influenced frameworks outside Europe.

Key features:

• Legal bases for processing including consent, legitimate interests, and contract performance
• Data subject rights including access, correction, deletion, and data portability
• National Data Protection Authority (ANPD) established as the regulatory body
• Cross-border transfer provisions allowing transfers to countries with adequate protection or through specific safeguards
• Significant penalties including fines of up to 2% of Brazilian revenue, capped at 50 million reais per infraction

The LGPD is notable for its inclusion of data subject rights that go beyond the GDPR in some respects — including the right to anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data.

Challenges include:

• Enforcement capacity. The ANPD was established with limited resources and is still building its regulatory infrastructure.
• Informal economy. As in Nigeria, a large proportion of Brazilian economic activity occurs outside the formal digital systems the LGPD covers.
• Political uncertainty. The ANPD's independence has been questioned, given its organizational placement within the executive branch (unlike many European DPAs, which are institutionally independent).

37.4.2 Border Surveillance: Sofia's Experience

Sofia Reyes's personal experience illuminated the intersection of national security surveillance (Chapter 36), immigration enforcement, and data governance.

Growing up in a community near the US-Mexico border in southern Arizona, Sofia experienced the data infrastructure of border surveillance as a daily reality:

Physical surveillance. Surveillance towers equipped with cameras, radar, and sensors monitored the border zone continuously. The sensors tracked not just unauthorized border crossings but all movement in the area — including the movements of US citizens and legal residents going about their daily lives.

Biometric collection. Border Patrol checkpoints on highways miles from the border subjected travelers to identity verification, sometimes including fingerprint scans and facial recognition. For communities between the border and the checkpoints, routine travel — to work, to school, to the grocery store — involved regular encounters with biometric surveillance.

Data integration. Immigration enforcement systems integrate data from multiple sources: border surveillance, Customs and Border Protection databases, social media monitoring, airline records, visa applications, and local law enforcement records. The resulting integrated profiles are used for enforcement decisions — including decisions about who to stop, who to question, who to detain, and who to deport.

Chilling effects. Research has documented that border surveillance creates chilling effects on the exercise of constitutional rights. Residents of border communities are less likely to seek medical care (fearing that hospital visits could expose undocumented family members), less likely to call police to report crimes (fearing that police cooperation with immigration enforcement could lead to deportation), and less likely to engage in political advocacy (fearing that visible activism could attract enforcement attention).

"The border isn't just a geographic line," Sofia told Dr. Adeyemi's class. "It's a data governance regime. Within 100 miles of the border — a zone that includes roughly two-thirds of the US population — CBP operates with expanded authority. They can set up checkpoints, conduct warrantless searches, and collect biometric data. The 'consent' of people living in this zone is fictional — they can't opt out of surveillance without leaving their homes, their communities, their lives."

37.4.3 Latin American Digital Rights Movements

Latin America has a vibrant digital rights movement that connects data governance to broader social justice concerns:

• Derechos Digitales (Chile) produces research and advocacy on digital rights, privacy, and freedom of expression across Latin America.
• InternetLab (Brazil) provides interdisciplinary research on internet policy, including the intersection of data governance with racial justice, gender equity, and democratic participation.
• R3D (Mexico) advocates for digital rights and documents government surveillance of journalists and activists — including the use of NSO Group's Pegasus spyware against Mexican journalists.
• Access Now operates the Digital Security Helpline, which provides emergency digital security assistance to activists, journalists, and civil society organizations facing digital threats — a disproportionate number of whom are in the Global South.

These organizations bridge the gap between global data governance frameworks and the lived experience of communities in the Global South — insisting that data governance cannot be separated from the broader struggles for democracy, equality, and self-determination.

37.5 Leapfrogging: Can the Global South Skip Problematic Western Models?

37.5.1 The Leapfrogging Thesis

The concept of leapfrogging — the idea that developing countries can skip stages of technological development that wealthy countries went through — has been a recurring theme in development discourse. The classic example is mobile phones: many African countries went directly from minimal landline infrastructure to widespread mobile connectivity, bypassing the landline stage entirely.

Applied to data governance, the leapfrogging thesis asks: can Global South countries develop data governance frameworks that avoid the failures of Western models?

Potential leapfrogging opportunities:

• Skip the notice-and-consent paradigm. Western data governance is built on individual notice and consent — a model that we've repeatedly identified as a Consent Fiction (Chapters 9, 31, 33). Global South countries developing data governance from scratch could design frameworks based on collective governance, fiduciary duty, or community consent rather than individual consent.

• Build public digital infrastructure from the start. Rather than allowing private platforms to capture the digital infrastructure and then trying to regulate them (the Western pattern), Global South countries could build public digital infrastructure — as India has with the India Stack — that is designed for accountability from the outset.

• Integrate indigenous governance traditions. Data governance frameworks in the Global South can draw on indigenous governance traditions — communal decision-making, collective ownership, elder councils, restorative justice — that offer alternatives to the Western individualist model. The CARE Principles (Chapter 32) demonstrate how indigenous governance can inform data governance.

• Learn from Western failures. Global South countries have the advantage of observing Western regulatory experiments — the GDPR's successes and limitations, Section 230's consequences, the surveillance state's growth — and designing governance frameworks that address known failure modes.

37.5.2 The Constraints on Leapfrogging

The leapfrogging thesis is attractive but faces significant constraints:

Infrastructure dependency. Global South countries depend on digital infrastructure — cloud services, submarine cables, hardware, software — controlled by Global North companies. This dependency limits the autonomy of domestic governance frameworks. A data localization requirement means little if the "local" data center runs on AWS and is managed by technicians trained on American protocols.

Regulatory capacity. Effective data governance requires institutional capacity — trained regulators, technical expertise, enforcement resources, judicial infrastructure. Many Global South countries are building these institutions from scratch, with limited budgets and competing development priorities.

Power asymmetries. Global South governments negotiating with technology companies worth hundreds of billions of dollars face enormous power asymmetries. When Facebook threatened to withdraw from Australia over the News Media Bargaining Code (2021), Australia — a wealthy OECD country — was able to resist. It is unclear whether smaller, less wealthy countries could withstand similar pressure.

Conditionality and trade pressure. Data governance decisions are often linked to trade negotiations. The United States has used trade agreements to push for provisions that constrain data localization, limit cross-border transfer restrictions, and protect US technology companies from foreign regulation. These provisions can limit Global South countries' data governance autonomy.

"Leapfrogging is possible but not automatic," Dr. Adeyemi cautioned. "It requires power — the political power to resist pressure from global technology companies, the institutional capacity to build and enforce alternative frameworks, and the collective power of regional alliances (like the AU) to negotiate from strength rather than isolation."

37.6 Alternative Governance Models

37.6.1 Community Data Governance

Community data governance represents an alternative to both the corporate and state models that dominate data governance discourse:

Principles: - Data governance decisions are made by the communities most affected by those decisions - Data is treated as a collective resource to be governed collectively, not as an individual asset to be managed through individual consent - Governance structures draw on community norms, cultural values, and existing governance institutions rather than imposing external frameworks - Benefits from data use are shared with the communities that generated the data

Examples:

• The Maori Data Sovereignty Network (Chapter 32) applies these principles to Maori data in Aotearoa New Zealand.
• Community health data governance in several African countries gives communities collective control over health data collected within their communities, including the right to approve or reject research proposals.
• Participatory budgeting with data. Cities in Brazil (building on Porto Alegre's pioneering participatory budgeting model) have experimented with giving communities control over how city data is collected, analyzed, and used — including the data that informs budget allocation decisions.

37.6.2 Data Cooperatives in Agriculture

Agricultural data cooperatives — introduced in Section 37.2.3 — represent one of the most developed examples of alternative data governance:

The model: Farmers pool their data (soil conditions, yields, weather, market prices) into a cooperatively governed dataset. The cooperative negotiates data access and benefit-sharing agreements with agricultural technology companies, seed companies, and other actors who want to use the data. Benefits — financial returns, improved services, access to analytics — flow back to the cooperative's members.

Advantages: - Addresses the power asymmetry between individual farmers and large technology companies - Enables collective bargaining over data terms - Keeps governance decisions in the hands of the community that generates the data - Creates incentives for data quality (cooperative members benefit from better data)

Challenges: - Requires organizational capacity and governance infrastructure - Must navigate competition law (is collective data bargaining a form of cartel behavior?) - Depends on the willingness of technology companies to negotiate with cooperatives rather than collecting data directly from individual farmers - May exclude farmers who are not members of the cooperative

37.6.3 Regional Data Governance

Regional approaches — governance frameworks that operate at the level of a continent or economic bloc rather than a single nation — offer a way for Global South countries to negotiate from collective strength:

• The African Continental Free Trade Area (AfCFTA) includes provisions for digital trade that could establish continental data governance standards.
• ASEAN's Framework on Digital Data Governance provides regional guidelines for Southeast Asian countries.
• The Pacific Islands Forum has explored collective approaches to data governance for small island states that lack the individual capacity for comprehensive regulatory frameworks.

Regional approaches face the challenge of balancing harmonization (enabling cross-border data flows) with sovereignty (respecting each country's right to set its own standards). The EU's experience with the GDPR demonstrates that regional harmonization is possible but requires substantial institutional infrastructure.

37.7 Sofia Reyes: Bridging Border Surveillance and Global Advocacy

37.7.1 From the Border to the Global

Sofia's career trajectory — from growing up in a border community, to studying policy, to working at the DataRights Alliance — had given her a perspective that bridged the domestic and the global:

"I used to think border surveillance was a US-Mexico issue," she told Dr. Adeyemi's class in her final guest presentation of the semester. "Then I started working on data governance policy, and I realized: the same surveillance technologies are being deployed everywhere. The towers on the Arizona border are made by the same companies that sell surveillance technology to the EU for monitoring Mediterranean migration routes. The facial recognition systems at US immigration checkpoints are the same systems deployed at airports across the Global South. The data flows cross borders even when the people don't."

Her research at the DataRights Alliance had documented what she called the global surveillance supply chain — the network of technology companies, mostly based in the US, Israel, and Europe, that develop surveillance technologies and sell them to governments worldwide:

• NSO Group (Israel) sold Pegasus spyware to governments including Mexico, Saudi Arabia, and Rwanda, where it was used to surveil journalists, activists, and political opponents.
• Cellebrite (Israel/Japan) sold phone-hacking technology to law enforcement and intelligence agencies across the world, including agencies with documented human rights abuses.
• Palantir (US) provided data analytics platforms to immigration enforcement agencies (ICE) in the United States and to intelligence agencies in allied countries.
• Huawei (China) provided "Safe City" surveillance infrastructure to dozens of countries across Africa, Asia, and Latin America — bundling surveillance capability with telecommunications infrastructure.

37.7.2 The Advocacy Bridge

Sofia's work increasingly connected domestic data rights advocacy — worker data rights (Chapter 33), health data equity (Chapters 30 and 32), platform governance (Chapter 31) — to global data justice:

"The same Power Asymmetry operates at every level," she argued. "A gig worker in California and a farmer in Kenya face the same structural problem: a platform extracts their data, processes it in a data center they'll never see, and uses it to make decisions about their livelihood that they can't access, understand, or challenge. The contexts are different. The power dynamic is the same."

She had begun collaborating with digital rights organizations across the Global South — Derechos Digitales in Chile, the African Digital Rights Network, IT for Change in India — on a shared framework for data rights that would be applicable across contexts. The framework centered on three principles:

1. Data as a commons, not a commodity. Data governance should treat data generated by communities as a collectively governed resource — not as raw material to be extracted and monetized by corporations.

2. Governance by the governed. Data governance decisions should be made by the communities most affected by those decisions — not imposed by external institutions, whether corporate or governmental.

3. Accountability without borders. Technology companies that extract data from communities in the Global South should be accountable to those communities — through enforceable regulations, independent auditing, and accessible remedies — regardless of where the company is headquartered.

Reflection: Consider a data governance challenge you care about — platform accountability, health data equity, algorithmic bias, worker data rights. How would that challenge look different from the perspective of a community in the Global South? What governance approaches might be effective in that context that are not currently used in your own?

37.8 Chapter Summary

Key Concepts

• Data colonialism operates through infrastructure dependency (submarine cables, cloud computing, platform dominance), data extraction without value return, and knowledge extraction from Global South communities by Global North institutions.
• Africa is developing data governance through the AU Data Policy Framework, national laws (Nigeria's NDPA, Kenya's Data Protection Act), and community governance innovations (agricultural data cooperatives).
• India's digital public infrastructure (Aadhaar, UPI, DigiLocker) demonstrates both the promise of public digital infrastructure and the risks of state surveillance. The DPDP Act (2023) establishes comprehensive data protection but includes broad government exemptions.
• Latin America's LGPD (Brazil) adapts the GDPR model to a different context, while border surveillance connects data governance to lived experiences of migration and enforcement.
• Leapfrogging is possible but constrained by infrastructure dependency, regulatory capacity limitations, and power asymmetries in negotiations with global technology companies.
• Alternative governance models — community data governance, data cooperatives, regional frameworks — offer paths beyond the corporate and state models that dominate Western data governance.
• The global surveillance supply chain connects domestic surveillance to global power dynamics, with the same technologies deployed across borders.

Key Debates

• Is data localization an appropriate tool for asserting data sovereignty, or does it fragment the global internet and impose costs on the countries that adopt it?
• Can digital public infrastructure (like India's Aadhaar) be designed to serve citizens without becoming a tool of state surveillance?
• Should Global South countries adopt GDPR-like frameworks, or develop fundamentally different approaches rooted in their own governance traditions?
• How can community data governance models scale without losing the communal accountability that makes them effective?

Applied Framework

The Global Data Governance Assessment: 1. Infrastructure — Who controls the digital infrastructure? What dependencies exist, and what are their governance implications? 2. Extraction — How does data flow? Where is value generated, and where does value accumulate? Who bears the costs? 3. Governance capacity — What institutional capacity exists for data governance? What gaps need to be addressed? 4. Community voice — Are affected communities represented in governance decisions? Do governance frameworks incorporate local knowledge and values? 5. Accountability — Are technology companies accountable to the communities they serve, regardless of where they are headquartered? 6. Alternatives — What governance innovations are emerging? How do they address the failures of existing models?

What's Next

Part 6 is now complete. You have explored the societal dimensions of data governance — from misinformation to digital inequality, from labor to environment, from children's vulnerability to national security surveillance, from Global North dominance to Global South innovation.

In Part 7: The Future of Data Governance, we turn from analyzing the present to imagining and shaping the future. Chapter 38: Emerging Technologies and Anticipatory Governance examines the data governance challenges posed by technologies that are not yet mature but will reshape our world — quantum computing, brain-computer interfaces, digital twins, and the expanding Internet of Things. How do we govern technologies whose full implications we cannot yet know?

Chapter 37 Exercises → exercises.md

Chapter 37 Quiz → quiz.md

Case Study: Aadhaar — India's Digital Identity Experiment → case-study-01.md

Case Study: Data Governance in African Agriculture — Community Models → case-study-02.md