The Trump administration has just drawn a line in the sand over one of the most consequential geopolitical battles of our time: who controls your data. In a leaked diplomatic cable dated February 18, 2026, U.S. Secretary of State Marco Rubio directed American diplomats to actively oppose foreign laws that restrict how U.S. tech companies handle citizens' data abroad, describing such measures as threats to AI services, global data flows and civil liberties.
This isn't just diplomatic posturing. It's an explicit declaration that the United States views European attempts to protect their citizens' data as obstacles to American economic and technological dominance. And it crystallizes a fundamental question that will define the next decade of digital life: should data be governed by the country where it's collected, or by the foreign corporations that profit from it?
What's Actually Happening
The internal State Department cable warned that data sovereignty rules could increase costs, introduce cybersecurity risks, and expand government control in ways that enable censorship. The directive specifically targets regulations like the EU's General Data Protection Regulation (GDPR), which has imposed billions in fines on American tech giants for mishandling European data.
The cable instructs U.S. diplomats to track and counter any proposals that could limit cross-border data flows and to promote the Global Cross-Border Privacy Rules Forum — a multinational initiative launched in 2022 by the United States, Mexico, Canada, Australia and Japan designed to facilitate free data movement while claiming to ensure privacy protections.
This follows a pattern. Last year, diplomats were ordered to challenge the EU's Digital Services Act, aimed at making the internet safer by forcing social media firms to remove illegal content and the U.S. is reportedly planning an online portal to help users bypass content moderation, including restrictions on material flagged as hate speech or terrorist propaganda.
Why Europe is Fighting Back
To understand why this matters, you need to understand what "data sovereignty" actually means — and why it terrifies American tech companies.
Digital sovereignty relates to the EU and EU Member States' ability to exercise autonomy and free choice in respect of their own technological solutions, encompassing hardware, software, networks and cloud services, ensuring that European organizations and regulators can define and enforce their own rules.
The stakes are enormous. An estimated 97% of Europe's cloud infrastructure market is dominated by non-European U.S. or Chinese providers, meaning that nearly all European data — from health records to financial transactions to government communications — sits on servers controlled by foreign companies subject to foreign laws.
This isn't theoretical. The U.S. CLOUD Act allows American authorities to compel any U.S.-based company to hand over data, regardless of where it's physically stored. In June 2025, during a hearing of the French Senate's commission of inquiry on public procurement, the head of legal and public affairs at Microsoft France acknowledged that the company could not guarantee that data stored in France would be shielded from U.S. judicial requests.
Read that again: even data stored on European soil, intended for European citizens, can be accessed by the U.S. government if the company managing it is American.
The Regulatory Arsenal Europe is Building
Europe hasn't been sitting idle. The EU has taken a proactive stance with its comprehensive regulatory framework, including the Data Act, Data Governance Act, AI Act and GDPR which collectively aim to safeguard European citizens' data rights and promote digital autonomy.
Here's what that looks like in practice:
GDPR (2018): The foundational regulation that gave EU citizens unprecedented control over their personal data, including the right to access, correct and delete it. Since its implementation, Europe has issued 2,245 GDPR fines totaling €5.65 billion, with 2025 alone accounting for €2.3 billion — a 38% year-over-year increase.
NIS2 Directive (2024): Effective since October 2024, NIS2 applies to critical infrastructure and mandates comprehensive cybersecurity and risk management across supply chains, with strict breach reporting timelines and liability at the management level. It extends cybersecurity obligations to energy, healthcare, transport, digital infrastructure and public administration.
Digital Operational Resilience Act (DORA) (2025): Effective January 2025, DORA applies to banks, insurers, investment firms and any third-party ICT providers deemed critical to financial services, mandating resilience, auditability and regulator access to ICT systems.
EU Data Act (2025): Effective September 2025, the EU Data Act extends sovereignty beyond personal data to industrial and non-personal data, granting users rights to access and port information from connected devices while prohibiting vendor lock-in.
AI Act (2026): Set to become fully applicable on August 2, 2026, the AI Act establishes risk-based obligations for high-impact AI systems with fines up to 7% of global annual turnover for non-compliance.
On November 18, 2025, EU Member States adopted a 'Declaration for European Digital Sovereignty,' a non-binding commitment centered on strengthening Europe's digital sovereignty to support economic resilience, social prosperity, competitiveness and security.
The Real Conflict: Sovereignty vs Surveillance
The U.S. position frames this as a battle between innovation and protectionism. But the reality is more uncomfortable: it's about whether democratic societies have the right to protect their citizens from foreign surveillance and corporate data extraction.
The EU's GDPR seeks to unify how personal data is looked after online through rules and regulations with the threat of punitive sanctions, making it possible for individual citizens to take more control of how their data might be used, with potential fines of almost $25 million for data breaches.
Meanwhile, the U.S. CLOUD Act creates what European privacy advocates call an impossible choice: comply with GDPR and risk violating American law or comply with U.S. subpoenas and risk GDPR penalties.
This isn't just about consumer privacy. Over 92% of the Western world's data is stored on servers owned by U.S.-based companies, giving American tech giants — and by extension American intelligence agencies — unprecedented access to the digital lives of billions of people who aren't American citizens and have no recourse under U.S. law.
What "Digital Sovereignty" Actually Looks Like
So what's the solution? Europe is betting on technological and economic independence.
European enterprises can strengthen sovereignty and compliance by using self-hosted solutions where organizations in sensitive sectors install and manage their own servers that operate under European law and adopting European-built software to reduce exposure to foreign surveillance laws.
The GAIA-X initiative, a joint effort by Germany and France, has moved into its implementation phase with more than 180 data spaces being developed to enable secure data sharing under European control. The European Commission plans to introduce the Cloud and AI Development Act in 2025, aiming to triple the EU's data center capacity within seven years.
These aren't just policy documents. As one European tech leader put it, digital sovereignty has become a matter of resilience, not just privacy.
Why This Matters to You
The global fragmentation of data governance is already here. Gartner forecasts that 75% of the world's population will operate under modern privacy regulation by the end of 2024, with 71% of organizations citing cross-border data transfer compliance as their top regulatory challenge in 2025.
Every time you use a service — email, cloud storage, social media, search — you're making a choice about whose legal jurisdiction governs your data. And right now, for most people, that choice has been made for them: it's American tech companies, subject to American laws, answerable primarily to American shareholders and American intelligence agencies.
The European approach offers an alternative vision: one where your data is protected by the laws of your own country, where fines for misuse are meaningful and where the fundamental asymmetry of power between individuals and Big Tech is at least partially rebalanced.
The Stakes Are Existential
The Trump administration's aggressive pushback reveals just how much is at stake. By framing data sovereignty laws as a threat to AI development, cybersecurity and civil liberties, the administration is positioning the free flow of data as a cornerstone of U.S. economic and technological influence.
But whose "civil liberties" are we talking about? The liberty of tech companies to harvest data without restriction? Or the liberty of citizens to control their own information?
Rising competition from China in digital infrastructure and AI adds urgency, highlighting the geopolitical stakes of controlling international data flows, signaling potential tensions in transatlantic and international digital governance for years to come.
This is no longer just a regulatory squabble. It's a fundamental contest over who controls the infrastructure of modern life.
What You Can Do
The good news is that you don't have to wait for governments to resolve this. Individual choices matter:
Switch to European alternatives: See our email alternatives, cloud storage options and search engines that don't track you. Every service you move off American Big Tech platforms is one less stream of data flowing to foreign servers.
Understand where your data lives: When you sign up for a service, check where the company is headquartered and where your data is stored. "EU-hosted" isn't enough if the company itself is subject to U.S. law.
Demand transparency: Ask the companies you use whether they can guarantee that your data won't be accessed by foreign governments. If they can't answer clearly, that's your answer.
Support data sovereignty politically: If you're in Europe, the regulations being implemented now are the direct result of political pressure. Support politicians and companies that prioritise digital sovereignty.
The Bottom Line
The leaked diplomatic cable reveals something that should alarm anyone who cares about privacy, sovereignty or democratic control over technology: the U.S. government views your data as an American asset regardless of where you live or what protections your own government tries to put in place.
Europe's push for digital sovereignty isn't protectionism or technophobia. It's the recognition that in a world where data is power, allowing that power to be concentrated entirely in the hands of a few American Big Tech companies accountable primarily to American interests is a strategic, economic and democratic vulnerability.
The battle over data sovereignty will define the next decade of digital life. The only question is whether you'll be governed by the laws of your own country or by the terms of service written in Silicon Valley.
Choose wisely.