Answering Today’s Biggest Digital Questions

This essay is part of my Toward a Trusted Tech Alliance series, which explores how democracies can move from fragmentation to common cause in shaping the digital future.

In my last post, Different Histories, Different Rules, I traced how America’s rebellion against monarchy and Europe’s scars from authoritarianism forged two very different instincts toward regulation. America leans toward liberty as non-interference — innovation first, regulation later. Europe leans toward liberty as protection and dignity — rights and safeguards established before risks unfold.

Those instincts are not abstract. They shape the daily decisions governments make on privacy, speech, competition, artificial intelligence, and more. When Washington and Brussels confront the same questions, they often give strikingly different answers. Understanding these answers is the next step toward bridging the divide and identifying where common ground can realistically be built.

How should personal data be protected?

Europe’s answer is comprehensive, rights-based legislation. The General Data Protection Regulation (GDPR), enacted in 2018, tightly controls how data is collected, stored, and used. Violations can mean fines of up to €20 million or 4% of global revenue, and enforcement has already reached Amazon, Meta, and TikTok. Brussels views GDPR as essential to protect citizens’ dignity in an era of ubiquitous digital surveillance.

America’s answer is fragmented and sectoral. Instead of one sweeping law, the U.S. relies on state-level rules like California’s CCPA, sectoral laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Rule (COPPA), and Federal Trade Commission enforcementagainst “unfair or deceptive” practices. The result is a patchwork that prioritizes innovation and flexibility, but leaves gaps Europe finds unacceptable.

Because GDPR applies extraterritorially, most major U.S. firms are already bound by European rules whenever they serve EU users. That reality has reduced pressure on Congress to pass a federal privacy law — big platforms have already adapted policies to align with Brussels. The same dynamic plays out domestically: since U.S. firms operate nationwide, they generally apply the toughest state-level privacy laws, such as California’s CCPA, across all their operations, further reducing the momentum for a federal standard.

How should harmful content and speech on platforms be regulated?

The EU believes large platforms require ex ante — before-the-fact — obligations. The Digital Services Act (DSA) compels them to curb illegal or harmful content, reduce disinformation, and provide researcher access. Repeat offenders can face fines of up to 6% of global revenue or even suspension from the EU market. The thrust of the DSA is to ensure that platforms do more to exclude harmful material.

The U.S. takes the opposite stance. Section 230 of the Communications Decency Act shields platforms from liability for user content and protects their discretion in moderation. This framework reflects the First Amendment’s strong protection of free speech, which prioritizes keeping lawful expression online even if it is offensive or unpopular. Federal courts have reinforced this principle, emphasizing that platforms cannot be compelled to remove lawful speech. Rather than pressuring platforms to take content down, U.S. policy shields them, so they do not feel legally forced to censor.

Brussels’ ex ante model and Washington’s Section 230 framework thus point in opposite directions: Europe’s rules push platforms to remove more, while America’s protections encourage them to leave more speech up. It is its speech-maximizing instinct that fuels American concerns that Europe, through laws like the DSA, does not value free expression as strongly — concerns echoed recently by Vice President Vance at the Munich Security Conference.

How should market power of “gatekeeper” platforms be addressed?

The EU’s answer is the Digital Markets Act (DMA), adopted in 2022 to impose strict ex ante — before-the-fact — duties on “gatekeepers,” meaning large platforms such as search engines, app stores, and social media firms. These obligations ban self-preferencing, require interoperability and data-sharing with rivals, and restrict practices like bundling or locking in users — all aimed at ensuring fairer digital markets.

At the same time, the EU continues to use its traditional ex post—after-the-Fact—competition powers under Article 102 of the Treaty on the Functioning of the European Union. Recent major fines against Google related to advertising technology case came through this route.

The U.S. approach is ex post enforcement. The Department of Justice and the Federal Trade Commission bring antitrust lawsuits against dominant platforms such as Google, Meta, and Amazon. In fact, the DOJ recently won a landmark case against Google for monopolizing online search and search advertising — underscoring America’s shared focus on monitoring platform dominance, relying on litigation rather than preemptive obligations. Congress has floated bills like the American Innovation and Choice Online Act and the Open App Markets Act, echoing parts of the DMA, but neither has advanced to law.

Once again, U.S. platforms build compliance systems to satisfy EU obligations, reducing the immediate pressure for Congress to legislate.

How should artificial intelligence be governed?

Europe’s answer is the AI Act, adopted in 2024. It bans practices like social scoring and imposes rigorous obligations on high-risk applications such as biometric surveillance and job-screening algorithms. The message: AI is too powerful to be left unregulated.

The U.S. answer is voluntary guidance. The NIST AI Risk Management Framework(2023) and White House executive orders (2023, 2025) set expectations for federal procurement and agency use but impose no binding requirements on private actors. Congress has debated an Algorithmic Accountability Act, but it has not passed. Washington emphasizes flexibility to avoid stifling innovation.

How should cybersecurity be handled?

Europe’s response is to mandate resilience across the economy. The NIS2 Directiveextends cybersecurity obligations to more sectors, while the Cyber Resilience Actrequires secure-by-design practices and patching responsibilities for connected devices.

America’s answer is more targeted and incentive based. The Cyber Incident Reporting for Critical Infrastructure Act (2022) requires breach reporting in vital sectors, and the IoT Cybersecurity Improvement Act (2020) sets procurement standards for federal agencies.

Should governments create digital identities?

The EU’s answer is yes. Through Electronic Identification, Authentication and Trust Services regulation (eIDAS 2.0), Brussels is rolling out a European Digital Identity Wallet that allows citizens to verify themselves securely across borders for banking, travel, healthcare, and government services. This reflects the EU’s integrationist instinct: harmonizing identity systems to promote trust and market efficiency.

The U.S. answer is no federal solution. Identity remains fragmented across state-issued documents like driver’s licenses, with some coordination under the REAL ID Act of 2005 (which I voted for while in Congress) but no national standard. A single federal ID has long been resisted for two reasons:

• Civil liberties concerns — many Americans fear a centralized ID would expand federal surveillance or erode privacy.
• Federalism — states jealously guard their role in issuing IDs, and Congress has avoided challenging that tradition.

As a result, digital identity remains patchy and decentralized in the U.S., reflecting both political culture and institutional design.

Should crypto assets be federally regulated?

The EU’s answer is yes. With Markets in Crypto-Assets Regulation (MiCA), the EU adopted the world’s first comprehensive regime governing issuance, trading, and consumer protections for cryptocurrencies and related assets.

The U.S. answer until recently was fragmented oversight. The Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Financial Crimes Enforcement Network (FinCEN), and state regulators like New York’s Department of Financial Services (BitLicense regime) each claimed a piece of the puzzle. But in 2025 Congress passed the GOLDEN Act (Guidelines for Oversight of Digital Exchanges and Networks), the first broad federal law for crypto exchanges and service providers. While significant, it still falls short of MiCA’s comprehensiveness, leaving the U.S. reliant on enforcement actions and case-by-case rulemaking rather than a unified framework.

Why are the answers so different?

The divergence reflects history and political culture. Europe, shaped by centuries of monarchy and scarred by authoritarian surveillance, trusts centralized authority to safeguard rights and dignity. The EU also uses regulation as a tool of integration, unifying diverse markets into one.

America, born in rebellion against monarchy, places its trust in markets and individual liberty. Federalism complicates sweeping solutions, leaving agencies, states, and courts to fill the gaps. For Washington, freedom means limiting state interference. For Brussels, freedom means protection from domination by corporations.

The Strategic Stakes

Both instincts are defensible — and even complementary. Europe embeds trust; America drives scale. But the divergence creates friction that slows Western innovation and hampers establishing unified global standards that embed their shared ideals. This hands strategic advantage to China, whose state-led model promises simplicity and speed to emerging markets. The West must find ways to bridge its differences, not allow them to become Beijing’s opportunity.

In line with my belief that responsibly embracing AI is essential to both personal and national success, this piece was developed with the support of AI tools, though all arguments and conclusions are my own.