Ceding regulatory power to Europe will weaken the security of the free world

The Biden administration is seeking to highlight the importance of transatlantic relations to U.S. national security interests. In addition to his G7 and NATO meetings in June, President Biden participated in a U.S.–European Union (EU) summit that touched on the issue of enhancing “digital and trade cooperation.”

These meetings laid the groundwork for last week’s Trade and Tech Council (TTC) with European allies with the goal of strengthening transatlantic ties. But hope for a more cooperative landscape will be impaired by the EU’s ever-growing appetite for regulation, which increasingly and unfairly targets U.S. tech companies.

The increasing frequency and severity of cyberattacks on U.S. businesses requires a comprehensive policy response. At its highest level, government and commercial entities must find ways to achieve better operational coordination, technology companies must continue to innovate and we must pursue a foreign policy that punishes bad actors and forges a cooperative alliance among countries that share a fundamental belief in free trade and representative government. Without international solidarity among free nations, the internet will continue to fracture along geopolitical lines, and autocracies will rise.

Nevertheless, the EU continues to pursue regulations that would narrowly target the U.S. technology industry and ultimately threaten U.S. security. With few domestic technology champions of its own, the EU has long positioned itself as a global regulatory power.

Over the past five years, the EU has grown increasingly ambitious with its regulatory campaign. Recently proposed laws such as the Digital Markets Act (DMA) and the Digital Services Act (DSA) not only overwhelmingly target U.S. tech companies (as an EU official responsible for the DMA made clear); they also seek to break these companies’ business models and, by extension, their ability to secure their systems and data.

There are three main provisions that would require the transfer of data or code under the DMA. None of these provisions include geographic restrictions or security safeguards. This means that any company in any country (including China and Russia) could invoke these DMA entitlements against the five American companies being targeted, and there is no opportunity for these American companies to protest.

One section would require U.S. companies to give third-party service providers “access to and interoperability with the same operating system, hardware or software features” used by the U.S. companies. This would give outside companies, including Chinese firms, the ability to obtain access to sensitive code and design features.

Another section would require U.S. companies to “provide to any third party providers of online search engines, upon their request, with access … to ranking, query, click and view data in relation to free and paid search generated by end users on online search engines of the gatekeeper.”

There are no geographical limitations, security commitments or other qualifying factors for third-party companies seeking access to this data. Any search provider in any country could use this provision to gain access to a trove of sensitive user data. This measure would also facilitate copying of search providers’ ranking and display mechanisms, and would enable a rival to reverse-engineer those mechanisms. 

A separate section would require U.S. companies to provide “effective, high-quality, continuous and real-time access and use of aggregated or non-aggregated data, that is provided for or generated in the context of the use of the relevant core platform services.” The definition of “user data” that must be disclosed under this obligation is quite broad, likely including proprietary commercial or technical insights based on such data. U.S. companies would be forced to share commercial or engineering insights with businesses with which they compete.

It does not require a giant leap of imagination to see how increasing the access of foreign competitors in Beijing and Moscow to user data and U.S. intellectual property could pose a real risk to U.S. cybersecurity.

Over the long-term, regulation that specifically targets top U.S. tech companies risks creating a vacuum that Chinese tech firms, not European ones, are strategically positioned to fill. Ceding power to Europe to set global regulatory standards in this vein will weaken the security of the free world. 

Meanwhile, Russia allows criminal gangs to operate against Western targets with tacit approval and abets them when it suits its interests. China has developed strong offensive cyber capabilities and a nationalistic technology policy that targets Western industry as core tenants of its strategy for future economic growth, prosperity and geopolitical power.

Fortunately, the Biden administration established a mechanism to reach some common ground with our European allies on ways to foster a technological ecosystem that promotes shared democratic values. The administration has launched the Trade and Technology Council (TTC), which can serve as an ongoing venue to push against European actions that risk the collective ability of the West to compete with nations such as China.

The Biden administration should actively oppose efforts by our close allies to enact regulations that force U.S. companies to hand over trade secrets and sensitive company data to foreign competitors, or any third party. The security of our internet connected systems and data should be a top priority, particularly in light of the ever-rising number of cyberattacks on U.S. agencies and businesses.

There is a legitimate need to ensure healthy competition in our technology sector. But doing it in a way that exposes vulnerabilities or stifles innovation will risk ceding advantages to our geopolitical adversaries and autocratic nations that do not play by the rules. 

Thomas P. Bossert is president of Trinity Cyber, Inc., and served as the White House assistant to the president for homeland security and counterterrorism from 2017 to 2018.