The digital age is advancing at a dizzying pace, a pace that regulators around the world struggle to match. But the speed of digitization is only part of the challenge facing regulators today; even more demanding is the complexity of the issues they confront.
Regulating information technology is not contentious. Adequate protection of privacy and of children’s rights must be ensured and widespread dissemination of misinformation must be forestalled. But by the same token too heavy a regulatory hand can stymie innovation, depress growth and undermine competitiveness.
If the European Union (EU) and the US could agree on standards for data privacy and protection, they would take a giant step towards setting the global standard for digital trade. But despite ongoing efforts to find common ground reaching such a deal has proven elusive.
Further complicating matters is the fact that international efforts to establish regulatory standards at the World Trade Organization (WTO) have foundered, not least due to US disengagement.
WTO members have struggled to agree on a framework of rules for electric commerce. Agreement among more than 80 members was reached in July on a myriad of important transactional rules for electronic commerce, but many key players including the US pulled out of the deal at the last minute. Moreover, serious differences remain on the critically important issues of cross border data flows, data localization and forced transfer of source code.
The result is that the status quo of uncertainty has prevailed. For businesses, large and small across the world this is a problem. Tech companies largely accept the need for regulation. Their worries center on whether rules may be too onerous and whether disparate regimes create regulatory fragmentation. Different approaches to tech regulation mean companies must adapt to a glut of different regulations, reducing efficiency and productivity and perhaps sowing the seeds of intense legal clashes with government regulators.
Since the beginning of the year, the Konrad-Adenauer-Stiftung and the Wilson Center have analyzed the issue of trans-Atlantic cooperation on digital regulation and have examined possible approaches which might narrow policy gaps in the positions of these two critically important economic partners.
These efforts culminated in a dialogue at the margins of the 2024 WTO Public Forum in Geneva at which business leaders, academics, delegates from WTO Members and representatives from international organizations debated the question and proposed possible ways forward.
All agreed that the current situation is untenable and unsustainable. All agreed that the issue is highly complex and that finding the right balance between regulatory oversight and nurturing innovation was a tricky undertaking. All agreed that international cooperation was essential.
But there was much on which the participants did not agree including the extent to which regulatory regimes should be aligned, which international organizations should lead the efforts at finding agreement and even whether the US and EU were the right actors to be leading these efforts.
The Contrast
The EU and the US are home to many of the world’s most iconic companies and a large and ever-growing number of digital giants. Two-way transatlantic trade in goods and services came to $1.3 trillion in 2022. Last year, more than 2.64 billion people bought $6.3 trillion worth of goods online. Today 54% of global trade in services, worth $3.82 trillion, takes place digitally and the US and the EU are, by far, the largest exporters of services in the world.
Brussels has taken the lead in setting regulations which impact global digital trade. Rather than focusing on Federal laws or regulations, Washington brandishes aggressive anti-trust actions against big tech companies using a methodology that goes beyond the traditional emphasis on consumer welfare – efficiency and lower prices – and looks instead at how market power may harm workers, suppliers, and entrepreneurs.
Absent a bilateral agreement and any US regulatory template, the EU regulations become the de facto rules of the road. Plan beats no plan. This is known as the “Brussels effect.”
The contrasting approaches of the US and the EU raise questions about how precisely big tech should be regulated and by whom?
European Union
When it comes to digital regulation, the EU is leading the way. Whether this is a positive development depends on one’s perspective.
Some business leaders believe Brussels has been overly zealous and that burdensome bureaucracy is stifling innovation. They are not alone.
In a report written for the European Commission entitled, “The Future of European Competitiveness," former Italian Prime Minister and European Central Bank chief Mario Draghi lays blame for Europe’s sluggish tech performance squarely at the feet of ill-considered regulations.
“The problem is not that Europe lacks ideas or ambition,” he writes. “We have many talented researchers and entrepreneurs filing patents. But innovation is blocked at the next stage: we are failing to translate innovation into commercialization, and innovative companies that want to scale up in Europe are hindered at every stage by inconsistent and restrictive regulations.”
Imperfect though these regulations may be, the fact is that apart from China – which imposes on consumers and companies a draconian and highly restrictive system of tech regulations – the EU offers the only extensive framework for regulating information technology.
EU concerns about data privacy and protection led to the implementation of the General Data Protection Regulation (GDPR) in 2018. These rules are strictly enforced with severe penalties applied to those who do not adhere to them.
Under GDPR rules, Brussels can fine a company, municipality – or an individual -- up to 20 million euros or up to 4% of global revenues for violating data privacy and protection laws.
These fines can range from 10,000 Euros for a physician in Spain to many millions of euros for giant companies. In 2021, the fines were significantly increased, and Amazon was hit with a 746 million Euro fine. Last year the EU Commission hit Meta, parent of Facebook and Instagram, with a 1.2 billion Euro fine for violating the privacy of EU citizens. The case specifically involved the transfer of data from the EU to the US.
Ireland, which is the European home to many tech companies in the US and Asia, has been particularly active in enforcing privacy regulations. In addition to the 1.2 billion Euro fine, the Irish Data Protection Commission hit Meta with another hefty fine, this time for 390 million Euros because, the Irish claimed, Facebook and Instagram forced users to agree to the distribution of their data. TikTok was fined by Dublin 345 million Euros for the public disclosure of children’s data. These fines are in addition to the billions in fines levied on these companies by EU anti-trust regulators.
US objections to GDPR have been consistently rebuffed by Brussels. Washington tried to assuage EU concerns about its protection of EU citizens’ data, but in 2020 the European Court of Justice struck down an initial agreement, arguing that it did not go far enough. A second effort, an executive order by President Biden in 2021 was the basis for a 2022 deal which strengthened the protections by further restricting the ability of US intelligence agencies to access data and by providing recourse to EU citizens in US courts if they feel their rights have been violated.
The GDPR is only the first of many EU digital regulations. The Digital Services Act, implemented in 2023, differs from the GDPR in that it covers all information carried on social media platforms and seeks to “prevent illegal and harmful activities online and the spread of disinformation,” according to the EU Commission. Companies in breach of these regulations could be hit with fines of up to 6% of global revenue and repeat offenders risk being banned from setting up shop in Europe.
The Digital Markets Act approved in 2022, sets regulations for “gatekeeper” platforms like search engines or social media companies. Gatekeepers are required to grant access for third parties to the platforms and to any data that the platform may generate.
The AI Act, which was approved in May 2024 and will come fully online in 2026, would ban certain AI activities such as government run systems which “score” citizens behavior, as is done in China. Scanning tools which rank job applicants would be subject to legal oversight.
Corporate Complaints
Many businesses have complained about the restrictive nature of the EU regulations and some American commentators have said these rules unfairly target US companies. But the concerns raised about the US tech sector on both sides of the Atlantic stem largely from the sheer size and dominance of these companies. European countries have of course been affected as well, but such is the prominence of US tech companies – 36 of the 50 largest global tech companies are American – that the nine largest EU GDPR fines ever applied were against US companies.
Alphabet, Amazon, Apple, Meta, Microsoft, Nvidia and Tesla have a market capitalization value of more than $12 trillion. The seven largest European tech companies hold a combined market capitalization of $705 billion. Revenues for the US companies came to $1.72 trillion vs. $133 billion for their European counterparts and average annual revenue growth has been 27% over the last decade compared with 10% for the European companies. Some commentators go even as far as to see a correlation between excessive EU tech regulations and the lack of a meaningful tech sector.
Such dominant positions cause unease on both sides of the Atlantic. Recently, Washington has also begun to question whether these companies are too dominant. Brussels has kept a close eye on them for years.
The imbalance in market power between US and EU tech companies helps explain why European regulators have taken a more activist approach in implementing rules. Participants at the KAS-Wilson dialogue raised the possibility that absent a powerful domestic private sector presence Brussels faced limited resistance in imposing regulations. Since the big players were all American – or Chinese – there was little domestic push back to the implementation of the GDPR or the other regulatory frameworks that followed. This dynamic has led to the transatlantic imbalance in regulations. One participant speculated that until there are more European tech firms, transatlantic convergence will remain a pipe dream.
Some commentators have warned that the heavy fines and rigid regulations may lead US tech companies to abandon the EU market altogether, a daunting prospect given that US tech companies employ close to 200,000 people in the EU and United Kingdom. But while EU Commission officials acknowledge the benefits stemming from the presence of US companies within its territory, there are some principles on which they remain unyielding not least the importance of protecting the personal data of children and the need for a more competitive landscape to enable smaller entrepreneurs to prosper.
Moreover, EU officials are losing no sleep over the possibility that US tech companies might depart Europe. The European Union is market of 450 million of some of the world’s richest consumers. If Big Tech didn’t leave China where the restrictions are far more onerous, the feeling is that they are unlikely to leave Europe.
US Paralysis
While the EU may seem overly restrictive, the US has been beset with political paralysis. Some members of Congress may believe regulation to be the root of all evil but others, prodded by anti-corporate activists, believe no effort should be spared in the campaign to keep big tech on a short leash.
The US has nothing like the GDPR and given the political polarization in Washington no such regulation is on the horizon. The Office of the US Trade Representative (USTR) has indicated as well that it has no appetite for international rules on digital trade. In October 2023, USTR stunned its trading partners, including the EU, by dropping its support for a global deal on cross border data flows, restrictions on data localization and the forced transfer of source code. This decision left WTO negotiations in these areas in tatters.
On February 12th, USTR Katherine Tai defended her position telling the Council on Foreign Relations that the US must “take steps forward” in regulating data privacy. Since then, nothing.
Currently, 20 states including California apply data privacy laws. Some participants in the dialogue suggest that the California law – which most Silicon Valley companies accept as the de facto standard -- should be the model for others. Other participants point out that these US state laws are “largely compatible” with EU regulations.
Amb. Tai, and Federal Trade Commission Chair Lina M. Khan have suggested aggressive anti-trust actions against big tech companies using a different methodology that goes beyond the traditional emphasis on consumer welfare – efficiency and lower prices – and looks instead at how market power may harm workers, suppliers and entrepreneurs.
The sporadic US response to regulating the marketplace – no legislation, novel (and sometimes legally shaky) interpretations of anti-trust law in curbing corporate power and complete disengagement at the WTO – have frustrated private sector officials and US trade partners.
Some participants in the KAS-Wilson Center dialogue believe however that a change may come soon. According to these participants the ardent anti-tech stance staked out in some corners in Washington is not the product of an administration wide assessment. Rather it is, say these participants, the brainchild of a handful of administration officials with a particular orientation regarding multilateral corporations. Regardless of whether Kamala Harris or Donald Trump triumph in November, this hardline stance is viewed by some as likely to change.
WTO
Prodded by left wing activists, the Biden Administration has walked away twice from an agreement on electronic commerce. The October 2023 decision not to participate in talks centering on cross border data flows, data localization and source code was followed this summer by Washington’s abandonment of a scaled down, but still relevant e-commerce deal. The reason, said US officials was because the draft agreement did not meet the country’s “essential security” concerns. Essential security was not defined, an omission which has left US trading partners perplexed about Washington’s real motivation.
The question of security exemptions weighs heavily on almost all international negotiations today and digital trade is no different. But security means different things to different constituencies. The US places a premium on the issue of “national” security more so than any other nation save perhaps for Russia and China. It’s difficult for other countries to fully understand the US fixation on the issue and the breadth and depth of its definition. But on the issue of “public” security there is more of a common basis for understanding. Might, suggested one participant, the overlap of these two principles be space where compromise could be found?
There are other philosophical differences where traditional approaches may yield little. One such difference, one participant pointed out is that the EU sees data privacy as a human right while the US views it as an issue of consumer protection.
Many participants in the dialogue openly questioned whether the WTO was the place to hold such discussions. While the WTO has excelled at creating rules for goods – and to a lesser extent for services – the treatment of data presented WTO Members with a more complex set of issues. Many said that the issues of data protection, privacy, security were standards and that trade negotiators are not necessarily adept at standard setting. Several drew the distinction between international agreements, like those negotiated at the WTO, and international cooperation.
Other participants said efforts to harmonize regulations were unlikely to prosper and that it was better to seek outcomes based on interoperability. Might, asked one participant, common ground be found through regulatory cooperative arrangements in which standards were applied on a non-discriminatory basis? The US-EU Trade and Technology Council (TTC) has been a useful forum for discussion on precisely these kinds of issues. Might it be used more broadly?
Some said too much emphasis was being given to developing regulation and not enough to nurturing opportunities.
Several participants said governments should consider the establishment of a new organization – a World Technology Organization -- to address these complex questions.
Conclusion
Businesses on both sides of the Atlantic are growing restless. While the Biden executive order and the 2022 agreement have stabilized the trans-Atlantic digital trade relationship, the order itself is not law and thus is not binding on future administrations.
A more permanent accord between Brussels and Washington would carry great weight globally. Other major economies with strong trading relationships with the US and EU, such as Japan, South Korea, Australia, the United Kingdom and much of Southeast Asia, would likely adopt trans-Atlantic standards proving a strong counterweight to the strictly controlled information policies in China.
Still, it remains far from clear that such an accord can be reached. The current climate on Capitol Hill and the trade adverse approach of the Biden administration make the US a reluctant partner.
But change is coming. There will be a new administration in place on January 20 and dialogue participants were hopeful that whoever wins will bring a new, less antagonistic approach to tech regulation. In the EU as well, attitudes are shifting. The Draghi report and the new, more pro-business Commission may herald greater emphasis on innovation and competitiveness.
Clearly, both sides can gain from engaging with and listening to the other. The two sides have cooperated extremely well in coming to the aid of Ukraine in its defense against Russian aggression. Talks in the TTC have been constructive if not substantively ambitious. Difficult conversations can and do take place. What is needed is a bit more trust on each side.
Several participants pointed to the fact that the US and the EU were democracies and that this should bring them together on the issue of data regulation, particularly since the only other model implemented on a large scale today was that of China. While this may be the model favored by some authoritarian governments, in the West it would be neither desirable nor feasible.
Viewed through this prism it is clear that for all their differences, there is much on which Brussels and Washington can agree – the need to protect children, to combat misinformation, to protect consumer welfare and to promote innovation and sustainable growth. With standard trade agreements, the devil always lies in the details and hammering those out is painstaking. When we speak of agreements on data regulation we are, in many respects, entering unchartered territory. These new technologies and standards render the traditional approach to negotiations aimed at reaching binding, detailed outcomes overly burdensome if not obsolete.
Might a better way be one in which the parties agree on the basic concepts and principles, while mutually recognizing the competence, authority and expertise of regulators on the other side? It would not be an approach that delivers all the answers, but it could be an important start.
Cosponsored by the Konrad Adenauer Foundation
Author
Director of the Information and External Relations Division and Chief Spokesman at the World Trade Organization (retired)
Wahba Institute for Strategic Competition
The Wahba Institute for Strategic Competition works to shape conversations and inspire meaningful action to strengthen technology, trade, infrastructure, and energy as part of American economic and global leadership that benefits the nation and the world. Read more