America Used to Own the Internet. Now It’s Running Scared.

For most of the internet era, the United States has preached the gospel that free data should flow across open borders for information with no barriers to digital trade. When the European Union limited the flow of personal data across the Atlantic, U.S. officials cried foul. What the EU presented as fundamental rights grounded in human dignity, U.S. officials dismissed as thinly veiled protectionism, compensating for European weakness. The U.S. position was clear: Free data flows are good, and anyone who disagrees is either afraid or falling behind.

Then TikTok emerged—and the U.S. blinked.

In less than a decade, Washington went from condemning barriers to digital trade to building a digital fortress of its own. Congress passed a law in 2024 forcing TikTok’s Chinese parent company, ByteDance, to divest its U.S. operations or face a nationwide ban. The Supreme Court upheld it in a 2025 ruling. The Trump administration signed off in January on a deal to implement the divestiture of TikTok’s U.S. operations. And new federal rules prohibit transferring bulk sensitive personal data to entities domiciled in or associated with foreign adversaries. Meanwhile, data brokers are prohibited from selling Americans’ personally identifiable sensitive data to adversaries, including China, Russia, North Korea, and Iran. The new rhetoric is national security, no longer trade and innovation. These restrictions, in some dimensions, have far exceeded the EU regulations.

As I lay out in more detail in a new essay, this dramatic reversal is not the show of strength it appears to be, but a sign of weakness. When a great power restricts its data exports, the move suggests not only diminished control over platforms and infrastructure but also a lack of confidence in technological dominance and a posture defined by perceived strategic vulnerability.

To be clear, this piece is not a normative argument for laissez-faire data globalization. Some restrictions are sensible. Others are overdue. But the point is that digital fortress-building reveals geostrategic weakness. It was digital frailty that kept Europe on a path of data protectionism.

To see the logic, start with the basic political economy of European data transfer restrictions.

European data transfer restrictions have a long history. National data protection regimes emerged in the 1970s, and by the 1980s, pan-European frameworks such as the Organisation for Economic Cooperation and Development’s guidelines and the Council of Europe’s Convention 108 facilitated internal data flows while allowing restrictions on transfers to third countries. The EU’s 1995 Data Protection Directive expanded this approach by adding a protective dimension: conditioning data exports on adequate protection abroad.

For years, the European Commission deemed U.S. safeguards sufficient, first under the Safe Harbor framework and later under the Privacy Shield. But the European Court of Justice struck down both, citing concerns about U.S. surveillance practices revealed after Edward Snowden’s disclosures. A third-generation framework, the EU-U.S. Data Privacy Framework, now governs transatlantic transfers.

Officially, Europe’s rationale is straightforward: Data protection is a fundamental right, and European safeguards must not be circumvented once data leaves. This has often been associated with ensuring digital sovereignty, a jurisdiction’s ability to govern its data relations autonomously. The approach was clothed in a broader push for “strategic autonomy.”

At a deeper level, however, the EU’s approach to protecting individuals’ privacy was never just an expression of sovereignty. Protecting Europeans’ privacy by reining in data exports became necessary because of Europe’s infrastructural dependence, geopolitical frailty, and military irrelevance. Almost all major digital platforms used by European citizens and companies are American. The capabilities of European intelligence services and the extent of their operations do not match those of the United States. U.S. threats of counterintelligence measures or offensive cyber operations carry weight; European ones do not.

Where Europe neither owned the infrastructure nor possessed the power to constrain foreign surveillance, regulation and export limitations provided the only plausible path. Its fortress building was less of a deliberate choice than a function of the EU’s weakness.

The United States did not feel the need to emulate Europe. For decades, the free flow of data served U.S. interests perfectly well. It allowed Google, Meta, Amazon, and Microsoft to scale globally and crush local competitors. The technological dominance reinforced U.S. cultural hegemony, embedding U.S. values into the architecture of global communication. And the flow of data came at virtually no cost. The data flowed mostly into the hands of U.S. companies anyway. Even when other countries engaged in surveillance, it didn’t matter much. The U.S.’s economic peers were militarily weak, and its military rivals were technologically behind. U.S. intelligence capabilities were unmatched. And if a country’s surveillance crossed a line, the United States had the economic and military leverage to shut it down. In short, the U.S. championed free data flows because it was winning.

Around 2020, however, U.S. attitudes to data flows shifted dramatically. Late in his first term, President Trump issued Executive Order 13942, seeking to prohibit “any transaction by any person, or with respect to any property, subject to the jurisdiction of the United States, with ByteDance Ltd.” A similar executive order directed at WeChat and others followed. Although these executive actions ultimately stalled in the courts, the incoming Biden administration continued the push. On April 24, 2024, President Biden signed the Protecting Americans from Foreign Adversary Controlled Applications Act, a sweeping law with bipartisan support that effectively banned TikTok from operating in the U.S. if ByteDance did not divest its U.S. operations. The Supreme Court upheld the ban in January 2025. Although the incoming Trump administration delayed the law’s enforcement several times, the law ultimately led to a deal in which a group of investors bought TikTok’s U.S. operations from ByteDance.

Largely overshadowed by the TikTok ban, Congress also passed the Protecting Americans’ Data from Foreign Adversaries Act of 2024, which restricts the sale of sensitive personal information by data brokers. And based on a Biden-era executive order, the Department of Justice finalized a rule limiting the transfer of bulk sensitive data. By the mid-2020s, the U.S. was firmly committed to building a digital fortress.

The U.S.’s new fortress differs from the older European version in significant ways. Most importantly, the U.S.’s fortress is grounded in national security, not in protecting individual autonomy, leaving no room for individual choice. National security is a collective good, and consequently, individuals cannot be allowed to waive it. Moreover, the U.S. framework singles out specific adversaries, including China, Russia, and North Korea, whereas the EU’s data transfer rules set out substantive conditions under which data transfers do not require specific individual consent, namely when they meet adequate levels of protection.

But what led the United States on its path of “data nationalism,” as Anupam Chander and Uyên Lê call nation-states’ attempts to assert unilateral control over data flows? And what does the U.S.’s change of heart signal? Leaving aside allegations of hypocrisy, the policy shift crystallizes the U.S.’s anxieties about its position in global competition.

Launched internationally in 2017, TikTok became the most downloaded app in the world by 2020. Today, around 60 percent of U.S. teens and young adults use it. This was unprecedented across several dimensions. For the first time, a foreign company seriously challenged U.S. dominance in digital services, a major piece of U.S. digital infrastructure wasn’t under the ultimate control of the U.S. government, and the U.S. found itself on the receiving end of potential mass surveillance.

This is extraordinary by historical standards. Imagine if, in 1975, tens of millions of Americans suddenly spent an hour a day watching Soviet television. Or if, in 2010, they had switched to Russian search engines. Such scenarios would have been unthinkable—not because of regulation (there were limitations on foreign ownership of broadcasting stations), but because U.S. media products and digital services were far superior. No one would have wanted to watch Soviet television or use Russian search engines.

TikTok’s success shattered conventional assumptions about U.S. technological supremacy. U.S. consumers voluntarily chose a Chinese-owned app over homegrown alternatives. Millions of consumers’ revealed preferences became impossible to ignore.

At the same time, China has emerged as the U.S.’s top geopolitical competitor. The Chinese economy has increased almost 50-fold since 1990. Today, China boasts the world’s second-largest economy with a gross domestic product (GDP) of just over $18 trillion, behind the United States with a GDP of $29 trillion. Adjusted for purchasing power, China even holds the top spot. Although U.S. military spending still eclipses that of China, the Communist Party has rapidly increased its military budget to $245 billion, with likely higher actual spending levels.

Regulatory actions reveal more about a country’s self-assessment than speeches or polls. They show what governments are willing to spend political capital on, what economic costs they are prepared to absorb, and what trade-offs they consider acceptable. The TikTok legislation—passed with overwhelming bipartisan support in a Congress that struggles to agree on almost anything else—alone reveals the depth of concern.

Countries also send messages through regulation, whether they intend to or not. When the United States builds data walls, it signals to allies and adversaries alike that it no longer feels confident enough to rely on the openness it once championed.

Europe turned to data export controls because it lacked technological power. Now the U.S. has joined the defensive club. Beijing will notice.