After Access: Why Data Sovereignty Fails Without Usage Control

This paper argues that most contemporary data governance frameworks stop at access and therefore fall short of sovereignty. Access control determines who may retrieve data at the moment of release. Usage control governs what may happen after release: purpose, obligations, derivation, onward transfer, retention, deletion, audit, and remedy. Drawing on International Data Spaces Association (IDSA) architecture, European data-space institutions, Canadian and Quebec privacy law, Indigenous data sovereignty frameworks, and NIST and W3C standards, the paper develops a sovereignty model built on four continuous layers: machine-readable policy expression, runtime policy enforcement, provenance and traceability, and observability with independent audit. The paper shows that the European Union is moving these ideas into infrastructure through the Data Governance Act, the Data Act, the Data Spaces Support Centre, and draft model contractual instruments. It further shows that PIPEDA and Quebec's private-sector privacy law create important accountability, assessment, and contracting duties, but do not by themselves deliver enduring post-disclosure control. The paper's central claim is practical as well as normative: sovereignty that disappears the moment data is disclosed is not sovereignty but ceremony. A regulator-built case study of Clearview AI and a worked AI pipeline illustrate how control evaporates when governance does not attach to derivative artifacts and downstream use. For AI systems, where data is transformed into embeddings, fine-tuning corpora, retrieval stores, logs, and derivative artifacts, post-access governance becomes a precondition for credible sovereignty. The paper concludes with a Sovereign Usage Control Audit and a procurement checklist for public bodies, regulated sectors, and communities managing sovereignty-sensitive data. This is the second paper in a developing sequence on operational sovereignty for AI and data systems. The first paper, Compute Sovereignty: Why Renting Foreign GPUs Is Not AI Independence (Salman, 2026, https://doi.org/10.5281/zenodo.20043230), addressed the substrate of AI through the framework of Minimum Viable Sovereign Compute. This paper extends the argument from compute to data lifecycle. Keywords: usage control, post-access governance, data sovereignty, AI sovereignty, IDSA, ODRL, provenance, observability, OCAP, CARE, Indigenous data governance, Clearview AI, Data Act, Data Governance Act, PIPEDA, Quebec privacy law, NIST AI RMF, sovereignty audit, procurement.