Data sovereignty across the Atlantic: a comparison of EU and US platform governance

Data Sovereignty ▪ April 13, 2026

By Asma Sifaoui, Open Terms Archive team member

The instability of EU-US data transfers has been considered a challenge of legal coordination, and also one of repeated difficulties in coordinating transfer safeguards, oversight, and enforcement between the two jurisdictions. This instability has been demonstrated by the invalidation of successive EU-US data transfer frameworks by the EU Court of Justice, namely the Safe Harbor framework in 2015 and the Privacy Shield framework in 2020, as the US failed to ensure protection that was “essentially equivalent” to EU data protection standards.

These differences do not remain abstract; they materialize in how platforms write their terms, restructure operations, roll out new data uses, and segment users by jurisdiction. Over time, these observable policy shifts reveal a structural divergence: the EU governs platforms primarily through enforceable constraint, while the US governs them primarily through strategic control. Data sovereignty has become the shared vocabulary through which this divergence is expressed, even as the underlying meanings diverge.

Two models of sovereignty applied to the same systems

At a high level, both the EU and the US recognize data and digital infrastructure as strategically significant. The EU explicitly situates data governance within its European Strategy for Data, linking it to competitiveness, autonomy, and sovereignty.

In the United States, data governance has increasingly been treated as a national security concern in specific contexts, particularly where platforms are perceived as posing foreign influence or strategic risk, as illustrated by recent legislation targeting foreign-controlled applications.

Both systems recognize the importance of large platforms in the market and their potential impact on political and strategic interests. The difference lies in what each seeks to achieve. In the case of the EU, sovereignty is largely implemented through constraint. The legitimacy of the governance structure stems from constraints enshrined in the General Data Protection Regulation (GDPR), which include purpose limitation, data minimization, and individual rights (see GDPR, Article 5). Cross-border data transfers are treated as conditional rather than presumptively lawful. Under Chapter V of the GDPR, transfers to third countries are permitted only where adequacy decisions exist or where appropriate safeguards, such as Standard Contractual Clauses, are in place (GDPR, Articles 44–49).

If personal data leaves the EU, protections must follow it in a way that remains legally contestable. This principle was reinforced by the CJEU in Schrems II, which held that the validity of transfer mechanisms depends not only on contractual commitments but also on the legal environment of the receiving country, including access by public authorities and the availability of effective judicial remedies.

However, in the case of the US, sovereignty is usually operationalized through control. The legitimacy of governance is premised on the state’s capacity for decisive action when there is a perception of strategic exposure through its data systems. Unlike Europe and the GDPR, the United States does not have a general restriction on the flow of data. Instead, the US has sectoral regulations and enforcement tools for data privacy. This is illustrated through the implementation of the CLOUD Act, which enables law enforcement in the US to demand the disclosure of data by US-based providers of services, regardless of the location of the data.

Both models are coherent within themselves, but they cause friction when they intersect with global platforms that operate across both systems.

The EU model: constraint under pressure from accumulation

The EU’s rights-based approach has fundamentally changed the world of global platform governance. It has pushed companies to declare their data practices, explain their purposes, and design accountability structures that did not previously exist. This remains perhaps the EU’s greatest policy achievement to date.

However, the framework is increasingly under pressure from the phenomenon of “cumulative expansion,” where platform power is not driven by individual infractions but rather by the constant addition of new data uses, new purposes, and new types of inferences. Recent EU instruments such as the Digital Services Act (DSA) and Digital Markets Act (DMA) acknowledge systemic platform risks that extend beyond traditional privacy law.

The US model: control with a trust deficit

The US governance model prioritizes flexibility and responsiveness. It is designed to preserve the ability to intervene when systems appear strategically threatening, even if harms are not yet fully realized. This can be effective in rapidly evolving technological contexts. For example, the TikTok case has shown how the US has taken a security-driven approach, framing platform risk in terms of future strategic exposure and jurisdictional control rather than demonstrated compliance failures, and favoring structural remedies such as divestment or exclusion over incremental regulatory enforcement. Yet this approach creates a credibility gap in cross-border governance. From the EU perspective, this reliance on broad discretionary authority contributes to skepticism regarding the durability of safeguards. This concern was central to the CJEU’s reasoning in Schrems II, which emphasized the absence of effective limitations and redress mechanisms under US surveillance law.

The US reliance on sectoral privacy laws and existing agencies, rather than a comprehensive baseline data protection framework, further contributes to perceptions of legal volatility in cross-border contexts.

Shared blind spots and emerging convergence

While tensions between the two sides continue, there are some areas of convergence. First, there is a clear move by the EU and the US alike to think of sovereignty as an industrial strategy. While the EU defines sovereignty in terms of reducing dependencies and enhancing regulatory powers, the US defines it in terms of protecting technological leadership and national security. While the narratives differ, the stakes are the same. Second, there is a clear move by the EU and the US alike towards creating fragmented platform realities. The default positions, opt-out positions, and exclusions vary across the EU and the US. These are not minor positions; they define how the EU and the US operationalize the global platform.

The shared blind spot is the role of private actors. Both systems still think of sovereignty as a state-to-state issue, even as corporate decisions on infrastructure are becoming key to determining which data is and which data isn’t valuable. These trends suggest that future conflicts over sovereignty will be about more than data transfer. Data transfer is a discrete event; AI system refinement is not.

A platform might be able to localize data storage but centralize model development and value extraction. In this regard, sovereignty issues shift from the movement of data to its transformation, i.e., who controls the training pipelines, who audits the models, who decides on the acceptable use cases, and who is accountable for the negative consequences.

Neither of these governance models is well-equipped to handle this shift. The rights-based model has difficulty dealing with accumulation, while the control-based model has difficulty legitimizing opaque transformation.