ABSTRACT
Data is a critical resource. Like oil, gold, or lithium, both companies and countries covet data. Ultimately, like oil, data’s flow can enrich those that possess it, signifying it as the next grand prize in great power competition on the world stage. Despite its importance, law lacks a unifying framework for understanding how data is sourced upstream by both companies and countries.
This Article argues that this data competition has created global ‘data supply chains’: networks of transactions that transfer data as an intermediate good between individuals, organizations and technology to create a product or service for an end user. Beyond identifying these supply chains, this Article provides two foundational contributions. First, it offers a novel typology of the five methods that companies use to acquire the data that they need to power their goods and services: build, buy, scrape, surveil, and generate. Second, it provides an institutional framework – a supply chain – to explain how companies utilize these data acquisition methods. By doing so, this Article reconceptualizes data governance around upstream sourcing and supply chain problems, thereby challenging its exclusive focus on downstream data issues, such as data privacy.
This Article’s identification of data supply chains is important for both corporate management and national policymakers. Identifying data acquisition practices as a data supply chain means that data can be managed, governed, and regulated like supply chains for physical goods. Corporate management should understand the structure of their data supply chains; evaluate their data suppliers; identify critical risks to their data supply chains; and invest in resiliency capabilities. This is a priority for corporate boards and senior management and should be distinguished from the management of cyber risks.
Policymakers should recognize that data supply chains are essential to maintaining critical digital infrastructure, such as the internet, email and, increasingly, emerging technologies. Both the executive and legislative branches have strengthened US supply chains for physical goods. Now they need to do the same for data supply chains. But data acquisition is not a boon for all. It can come at a high cost to the users and organizations whose data is obtained. Policymakers should use a supply-chain framework to identify data harms and to adapt supply chain due diligence laws – applied to physical supply chains – to address harms in data supply chains.
Reyes, Carla and Parella, Kish, Data Supply Chains (January 19, 2026).