Who Writes the Digital Rules, Wins the Future

Writing rules for the digital economy is a balancing act. Everyone agrees that to derive the maximum benefit from the digital economy requires keeping obstacles to trade to a minimum. Yet, there is also a consensus that questions of national security, consumer protection and competition are of crucial importance. 

For political, economic and strategic reasons every government insists on a degree of sovereignty in striking this balance and it’s no surprise that governments disagree on how best to regulate the digital economy. But industry officials argue forcefully that a marketplace which is regulated in a fragmented manner severely limits opportunities for growth and innovation. 

For businesses, the consequences are real. Companies find themselves squeezed between Europe’s ex-ante rules and Washington’s resistance, forced to navigate a patchwork of conflicting requirements. Compliance costs rise. Legal uncertainty delays innovation. Smaller firms find it hardest to cope — even though they stand to benefit most from access to international markets. For businesses uncertainty means headwinds for innovation. 

Most companies prefer a lighter regulatory touch, but they are unanimous in their view that the worst outcome is one in which multiple sets of rules prevail. This is why they have lobbied so strenuously for greater regulatory convergence. 

PICK YOUR POISON 

Today, there are three broad sets of rules under which digital trade is regulated. The European Union has passed a sophisticated matrix of regulations covering data privacy, market concentration digital content and artificial intelligence. The United States applies a relative light regulatory touch with many of the key guidelines spelled out regulations drafted in big states like California. 

And then there is China. 

Beijing maintains an iron grip on digital content and uses its economic clout and digital expertise to achieve political, strategic and even military objectives. China applies among the world’s harshest restrictions on the flow of data, often compels foreign companies to reveal their algorithms, and insists that data pertaining to China be stored on servers in China. The fact that China has used its vast resources to build digital infrastructure in dozens of countries, further strengthens its grip while raising suspicion about its motives. 

Many policymakers involved in negotiations believe that the crucial first step to any broad agreement involving multiple countries would be convergence between the US and the EU on the breadth and scope of rules. Most agree that while China’s hardline model may be attractive to certain leaders, businesses and consumers disdain the authoritarian nature of Chinese rules. A set of standards, even general standards, agreed by Brussels and Washington would be a powerful lure to the dozens of countries which are allied with both. 

NOT SO FAST 

A nice idea perhaps, but a decade of US-EU negotiations have thus far yielded little fruit and now politics is widening the divide. Under President Biden, Washington tilted closer to Brussels on data protection and platform accountability and worked with Brussels to craft a global minimum tax deal through the OECD. But the industry was frustrated by the Biden administration’s schizophrenic approach to tech companies and the decision by the White House to walk away from the WTO e-commerce agreement. 

Under President Trump, the tone is more contentious. Trump and his team portray EU rules as threats to free expression and competitiveness. His personal experiences with platform bans hardened his skepticism of regulation. 

At the Munich Security Conference in 2025, Vice President JD Vance accused Brussels of “hiding behind Soviet-era words like ‘misinformation’ and ‘disinformation’” to suppress dissent. Commerce Secretary Howard Lutnick and U.S. Trade Representative Jamieson Greer reinforced this line, charging that EU regulations like the Digital Services Act and the Digital Markets Act unfairly target U.S. firms. 

Heavy fines applied by Brussels against US companies — the latest being the nearly €3 billion fine levied against Google this month for anti-competitive practices — have infuriated Washington. After the announcement of the Google fine Trump responded with threats of fresh tariffs.

Although the US and EU reached a broad – though vague and legally questionable – trade agreement in July,  a bilateral digital deal has proven tough. Ideological differences and the Trump administration’s aversion thus far to the sort of complex, detailed negotiations needed to strike a deal on mutual recognition of rules have thus far made compromise unattainable. 

In the first Trump administration the attraction for deals on digital trade was evident. WTO talks on e-commerce were launched in 2017 and the 2018 US-Canada-Mexico free trade agreement contains some of the most advanced digital trade language in any such agreement. Whether this enthusiasm continues in this second term is unclear. But Silicon Valley certainly has the ear of the president, and should tech companies push for greater regulatory convergence surprising outcomes might emerge, particularly such so many companies find the status quo unsatisfactory. 

THE COMPLEX EU MATRIX 

The European Union has in place a sophisticated matrix of regulations covering data privacy, market concentration digital content and artificial intelligence. Europe has built a comprehensive digital rulebook: the General Data Protection Regulation (GDPR) for privacy, the Digital Services Act (DSA) for platform content, the Digital Markets Act (DMA) for competition, and the AI Act for artificial intelligence. 

The General Data Protection Regulation (GDPR), enacted in 2018, tightly controls how data is collected, stored, and used. Violations can result in fines of up to €20 million or 4% of global revenue, and such penalties have already been levied on Amazon, Meta, and TikTok. Brussels views GDPR as essential to protect citizens’ dignity, something the EU considers a fundamental 

human right. Because GDPR applies extraterritorially, most major U.S. firms are already bound by European rules whenever they operate in Europe. That reality has reduced pressure on Congress to pass a federal privacy law — big platforms have already adapted policies to align with Brussels. 

The EU believes large platforms require ex ante — before-the-fact — obligations. The Digital Services Act (DSA) compels them to curb illegal or harmful content, reduce disinformation, and provide researcher access. Repeat offenders can face fines of up to 6% of global revenue or even suspension from the EU market. 

Many U.S. companies bristle at Europe’s restrictions and hope pressure from Washington will force Brussels to relent. The administration’s combative stance has emboldened firms to openly oppose the EU’s AI Act and DMA. Europe, for its part, has no intention of backing down. Commission leaders insist that their laws are not targeted at American firms but designed to protect citizens and ensure fair competition. With populist parties gaining ground, loosening rules on Big Tech would be politically impossible. For many Europeans, standing firm against U.S. platforms is synonymous with defending sovereignty. 

WASHINGTON SEES THINGS DIFFERENTLY 

The United States has no federal privacy law, minimal limits on online content, and no equivalent regulations to ensure competition among platforms. 

The United States applies a relative light regulatory touch with no federal privacy law, minimal limits on online content, and no equivalent regulations to ensure competition among platforms. Instead, the U.S. relies on state-level rules like California’s CCPA, sectoral laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Rule (COPPA), and Federal Trade Commission enforcement against “unfair or deceptive” practices. The result is a patchwork that prioritizes innovation and flexibility but leaves gaps. In the same way that the impact of GDPR regulations extend far beyond the borders of the 27-member EU, U.S. tech companies operating across the United States generally apply the toughest state-level privacy laws, such as California’s CCPA, across all their operations, further reducing the momentum for a federal standard. 

Section 230 of the US Communications Decency Act shields platforms from liability for user content and protects their discretion in moderation. This framework reflects the First Amendment’s strong protection of free speech, which prioritizes keeping lawful expression online even if it is offensive or unpopular. Federal courts have reinforced this principle, emphasizing that platforms cannot be compelled to remove lawful speech. Rather than pressuring platforms to take content down, U.S. policy shields them, so they do not feel legally forced to censor. 

It is this free speech-maximizing predisposition that fuels US concerns about European commitment to free expression as strongly — concerns echoed recently by Vice President Vance at the Munich Security Conference. 

Washington has pressed other allies as well. Under Trump, Canada rescinded its 3% digital services tax. The United Kingdom has resisted similar pressure to drop its 2% levy but backed down from demands that Apple provide a “back door” into its encryption systems. In each case, allies are caught between U.S. pressure and their own political imperatives.

Meanwhile, Brussels continues to expand its digital rulebook, embedding Europe’s values in global markets. For EU officials, backing down is not only unfeasible but contrary to their integrationist mission. As one senior commissioner put it: “We are convinced that the European Union and the United States share the common goal of preventing the harmful effects of monopolization.” The implication: Europe will regulate — and expects others to adapt.

ARTIFICIAL INTELLIGENCE GOVERNANCE 

On oversight of artificial intelligence, the different approaches are again evident. Europe’s answer is the AI Act, adopted in 2024. It bans practices like social scoring and imposes rigorous obligations on high-risk applications such as biometric surveillance and job-screening algorithms. The U.S. response is voluntary guidance. The NIST AI Risk Management Framework (2023) and White House executive orders (2023, 2025) set expectations for federal procurement and agency use but impose no binding requirements on private actors. Congress has debated an Algorithmic Accountability Act, but it has not passed. Washington emphasizes flexibility to avoid stifling innovation.

AN OPENING FOR CHINA 

While the U.S. and Europe squabble over rules, Beijing is busy wiring the Global South with bundled infrastructure and surveillance-friendly platforms. China’s Digital Silk Road offers a turnkey model of hardware, software, and financing. For developing countries, the attraction is clear: speed, scale, and simplicity. For the West, the risk is obvious: by the time democracies converge, the defaults may already be set in ways that favor authoritarian control. 

If the current digital fragmentation is to be overcome, and China’s efforts at imposing its draconian regulator model deterred, like-minded countries need to find the regulatory sweet spot that provides economic opportunity, consumer protection and national security. No easy task to be sure, but it can be done. Governments know this because in various formats they have already done it. 

GLOBAL RULES? 

The ideal arrangement would have been a global pact at the World Trade Organization, but these talks ran out of steam last year. 

In July 2024, 82 WTO members agreed on a text which would lay the foundation for regulating electronic commerce. The agreement is less ambitious than many had hoped but the organic structure of this agreement allows new issues to be introduced and new countries to participate.

Because of differences between the United States, the EU and China, some important issues were stripped out of the text including provisions on the free flow of data across borders, limits on requirements that local data be stored locally and restrictions on the forced transfer of source code. 

Moreover, the United States, Brazil and Turkey pulled out of the agreement last year, while India and South Africa have, from the start sought to sabotage an agreement which is plurilateral and can thus not be vetoed by New Delhi or Pretoria. These latter efforts have placed the agreement in limbo as proponents struggle to find a legal pathway for bringing this plurilateral accord into the WTO architecture. 

LESSONS LEARNED 

Despite these frustrations, the framework offers a useful template for agreeing on guidelines for data privacy, consumer protection, access to government data, electronic invoicing, electronic contracts and signatures. The agreement also outlines how issues could be addressed in the future. 

Much in the agreement is without precedent including Chinese commitments on the protection of data privacy and access to government data. The agreement would also make permanent a provisional accord from 1998 in which governments pledge to abstain from applying duties to electronic commerce transmissions. Thanks to opposition from India, South Africa, Indonesia and Turkey this moratorium will expire next year. 

The position of the Trump administration will be of great interest among WTO members. Administration officials have already signaled their desire to see this moratorium extended. But whether Washington would be amendable to agreeing to the rest of the agreement is another question, particularly given the administration’s distaste for the WTO. 

Washington’s most recent concerns relate to the language in the text on essential national security. Washington has been vague on what precisely it wants but those close to the e-commerce negotiations say the Americans suggest could accept textural language that approximates what the Trump administration negotiated with the Mexicans and the Canadians on the US-Canada- Mexico free trade agreement.

The agreement also permits a deviation from the most favored nation clause among parties to the accord, something that might be attractive to the White House, given US discomfort in extending MFN treatment to China in the e-commerce negotiations. Specifically, Article 34 of the text which is entitled “Non-application of this Agreement between Particular Parties” states unequivocally that the agreement “shall not apply as between any two Parties where either Party, at the time either Party accepts or accedes to this Agreement, does not consent to such application.”

IF NOT GLOBAL THEN WHAT? 

WTO Members participating in the e-commerce talks overwhelmingly prefer to keep the agreement inside the organization’s framework. But participating in the WTO process and striking digital trade deals outside the organization are not mutually exclusive. 

The first agreement on e-commerce was reached in February 2016 among the 11 countries of the Comprehensive and Progressive Trans-Pacific Partnership, which then included the United States. The US quit the TPP in 2017, but in 2019, the United States and Japan struck a deal building on this agreement. A year later, Washington reached a deal as part of the US-Mexico-Canada agreement that built on the CPTPP accord and extended it to cover financial services. 

Chile, Singapore, and New Zealand have entered into agreements that encompassed new elements including cross-border data flows and localization of data. An agreement between Australia and Singapore introduced clauses on cross border data flows and data localization. Source code protections were also introduced. 

The EU has a deal with Canada that came into force in 2017 which was among the first to protect the privacy of personal information. The EU has also concluded digital trade agreement 

negotiations with Singapore, Japan and South Korea. These agreements including allowing the free flow of data across borders, disciplines on data localization, and bans on the forced transfer of course code, unless there are exceptional circumstances. All of the agreements provide for strong protections of consumers data and privacy. These deals have been successful and many of their provisions have found their way into the WTO plurilateral. Stitching them together to provide a broader multi-country framework agreement is far from impossible. 

The EU and the 12 Members of the Comprehensive and Progressive TransPacific Partnership have held preliminary conversations on a closer trade partnership. The EU has already reached economic cooperation agreements with 10 of the 12 CPTPP members.

THE STRATEGIC NEED FOR CONVERGENCE 

It would be too much to expect that Washington would join the CPTPP – though its members would welcome the United States with open arms. But could a narrower agreement on digital trade rules be reached among a group of countries with shared values and aspirations? 

The U.S., Europe and their Asian allies all want a digital economy that empowers citizens rather than controls them. They reject the authoritarian model that Beijing is exporting across Africa, Latin America, and Asia. Yet despite this shared objective, disputes over privacy, content moderation, competition, and artificial intelligence remain. 

This creates a vacuum into which China strides forcefully. Absent a US-EU deal, prospects for a meaningful broader pact are unlikely. But if they were to work together, they pull of such a partnership would act like a magnet to attract other economies including Japan, Singapore, Australia, New Zealand, Chile and others. 

All of these important players have deep experience in negotiating digital trade agreements. Finding solutions to issues that have separated them in the past – national security exceptions, privacy protections, monopoly power – are difficult but not intractable. We know this because ideas for resolving them have already been put forward and adopted in various forums. 

What would an agreement among like-minded partners look like? Clearly, such rules should ensure that data circulates freely among allies while shielding it from authoritarian capture. They should establish provenance and authenticity standards for AI-generated content, ensuring citizens can trust what they see and hear. There needs to be a kernel of interoperability on which broader commitments — from cybersecurity baselines to trusted telecom supply chains — can grow. 

Data flows are the lifeblood of commerce. Without them, global supply chains, scientific research, and cross-border innovation cannot function. The U.S. and EU have already shown they can compromise here, most recently in the 2023 Data Privacy Framework. 

AI provenance is urgent for democratic trust. Without standards for watermarking and authentication, deepfakes and synthetic media will erode confidence in what citizens see and hear. Here too, Washington and Brussels are already moving in parallel — the EU through its AI Act, the U.S. through voluntary commitments from leading AI firms. Industry and civil society alike are demanding clarity and safeguards, creating rare political alignment. 

An accord should also recognize the reality of the considerable US dominance in information technology. Washington has conditioned access to the most advanced technologies — from AI chips to lithography tools — on the adoption by partners of parallel export controls. Rather than seeing this as a burden, it can become an incentive. Access to the US innovation ecosystem — its capital, talent, and trusted supply chains — offers obvious advantages to partners. If done judiciously, if would not only lead to a harmonization of rules would also attract countries to a democratic digital system which links principles with opportunity. 

But if democracies continue to bicker among themselves, they risk enabling authoritarian competitors to set the defaults of the digital age. Fragmentation is failure. Only when allies learn to work together will the future be shaped by core Western values. The politics may be difficult. But the strategic, technical, and social imperatives are aligned. That makes agreement possible — and necessary. 

In partnership with Konrad Adenauer Foundation.