On Earth, data sovereignty is tied to geography. If a server is in Frankfurt, it follows German law. If it’s in Virginia, it follows US law. But where does the data reside when the server is traveling at 7.6 kilometers per second, orbiting over Brazil, the Atlantic, and France in the time it takes to read this sentence?
This problem isn’t hypothetical. The space industry is developing and launching servers that can process data in orbit and be powered directly by the sun, bypassing the constrained power grids of Earth.
But as the hardware matures, we’re colliding with a legislative wall that physics can’t penetrate: the question of where the data lives. Clarifying this regulatory standard is critical for high-compliance sectors such as finance, health care, and defense. And the best way to clarify it is to institute a “digital flag state” borrowed from maritime law.
Imagine a US bank sends its artificial intelligence fraud detection model up to a satellite cluster. The data leaves New York encrypted and secure. Twenty minutes later, that same satellite is passing directly over a country with strict data laws, or worse, one that’s under US sanctions.
While the laws of physics dictate the satellite’s path, the laws of nations are far less clear about the data’s status. The 1967 Outer Space Treaty legally designates orbit as a global commons, free from national sovereignty. However, terrestrial data regulations (such as the General Data Protection Regulation or International Traffic in Arms Regulations) haven’t been updated to reflect this.
Under a strict risk-averse interpretation, has that data been “exported” to a foreign jurisdiction simply by virtue of its position? Right now, the answer is maybe.
This ambiguity is a throttle on the orbital economy. Chief risk officers can’t sign off on orbital processing if it creates a “Schrödinger’s Compliance” scenario, where the legality of a transaction flickers on and off depending on which country the satellite happens to be flying over at the precise millisecond of compute.
The solution doesn’t require inventing new laws—it requires modernizing the application of old ones.
For centuries, maritime law has used the concept of the “flag state,” in which a ship in international waters is governed by the laws of the nation where it is registered. Article VIII of the Outer Space Treaty applies this same logic to space hardware: The state of registry retains “jurisdiction and control” over the object.
Regulators should explicitly interpret this jurisdiction to extend beyond the physical hull to cover the digital payload as well. This “Digital Flag State” standard would rely on three principles:
- The hull is sovereign territory. A satellite licensed in the US must be treated as US soil for the purposes of data privacy and export control, regardless of its ephemeris, meaning its changing orbital position relative to the ground. As long as the satellite uses hardware-enforced security controls—ensuring no electronic access is possible by foreign actors—the data inside remains “domestic.”
- Uplink/downlink are the customs gates. Data sovereignty laws should apply only at the points of entry and exit—the ground stations. Once the data leaves the ground antenna and enters the “high seas” of orbit, it’s subject only to the flag state of the satellite until it returns to Earth.
- Transit is free. Just as “freedom of overflight” is a cornerstone of space law, the passive orbit of data overhead shouldn’t trigger a nation’s digital sovereignty laws.
This framework is not a free pass. To earn “flag state” protection, operators must demonstrate cyber-physical verification—proving via cryptographic attestation that the hardware is physically isolated and has not been tampered with.
But security can only be guaranteed if it’s clear which rules apply. If the definition of an “export” changes every time the satellite crosses a longitudinal line, compliance becomes impossible.
The Path Forward
We’re seeing the rise of sovereign AI, the idea that nations must control the infrastructure their AI runs on. If we force orbital data centers to comply with a patchwork of 190 different national data laws every 90 minutes, the friction will cripple the industry.
The US has an opportunity to lead this standard setting. By codifying that the flag state model applies to data residency, it can give domestic industries the confidence to export their heavy computing workloads to space.
We’ve built the rockets. We’ve built the networks. We’ve built the servers. Now, we just need to agree on where “here” actually is.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Joseph Yaffe is the chief operating officer and chief legal officer at Aetherflux, where he leads the global operations and regulatory strategy, and a retired partner at Skadden.
Write for Us: Author Guidelines
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.