Sovereign Data Spaces (II):  The  Battle  for  Data Ownership in the U.S., China and Europe 

In the first part of this blog series, we defined sovereign data spaces as governance and technical ecosystems that enable multiple actors to share information under common rules while retaining control at all times and complying with key regulations such as GDPR and eIDAS2. The European approach, detailed in that first article, aims to move beyond simple data exchange toward responsible data governance based on trust, transparency, and respect for digital rights.

But how does this ambitious European model compare with the strategies of other major global powers? Digital sovereignty has become a global battleground, and data governance models in the United States and China differ fundamentally from the European Union’s citizen-centric vision. In this article, we analyze the struggle over data ownership, from corporate dominance to state control, to understand the need for and value of the European response.

The U.S. model: Big Tech dominance

In the United States, data management has been heavily shaped by large technology companies (Big Tech). These corporations have built their businesses around two models: either the user pays for a product (such as Microsoft, Apple, or Amazon), or the user is the product (such as Meta or Alphabet). In the latter case, massive amounts of personal data are collected through services offered as “free,” although data collection may also occur in paid products.

Once the value of data and its exploitation by Big Tech became evident to society, these companies exerted intense lobbying pressure on governments worldwide, including the U.S. government, to prevent the adoption of data protection measures. They have largely succeeded in preserving the laissez-faire environment and lack of regulation that initially enabled their growth.

The direct consequence is a major power imbalance. Individuals in the U.S. lack protection against unilateral decisions by these companies, as it is practically impossible to reject their terms of use given how deeply embedded these platforms are in society. Although the state could regulate, it is unlikely that regulation will become truly restrictive toward large U.S.-based corporations.

The main risk goes beyond data misuse and includes the manipulation of public opinion. Cases such as the Cambridge Analytica scandal opened democratic societies’ eyes to the enormous influence of social media. The greatest danger lies in large-scale manipulation with unprecedented granularity, carried out by private companies that are not politically accountable for their actions.

From a privacy perspective, this model leads to profiling and algorithmic discrimination, loss of control over personal data, and potentially over independent thinking itself. In addition, data brokers legally sell information without explicit consent. At the level of global competition, access to such vast volumes of data provides a competitive advantage that tends to create oligopolies and push smaller companies out of the market.

So far, the only significant regulatory response in the U.S. has been antitrust litigation, which has exerted limited pressure and has failed to alter Big Tech’s underlying business strategies.

The Chinese model: the state as the absolute owner of data

In stark contrast to the U.S., China’s data governance model prioritizes national security over individual privacy. While other regions legislate to protect privacy as a fundamental right, China views data as a strategic resource requiring state control.

Governance is primarily regulated through three laws: the Cybersecurity Law (2017), and the Personal Information Protection Law and Data Security Law (both enacted in 2021). These laws require Chinese user data to be stored domestically, impose security audits and random government inspections, define sensitive personal data, and establish data export controls.

Although these regulations resemble European ones in certain aspects, their focus is far more centered on national security. Unlike U.S. laws (such as CLOUD, PATRIOT, or FISA), which affect citizens worldwide due to the global market share of U.S. companies, Chinese laws primarily affect their own citizens.

The main advantage of this total state control is the ease of deploying large-scale systems that affect the entire population. This allows for immediate and uniform implementation of public security or public health policies. From a technical standpoint, centralized data processing and storage reduce operational costs and improve efficiency, facilitating large-scale projects that require coordination among ministries, companies, and universities.

However, the risks are significant. If government interests are not aligned with those of the population, this model enables the creation of systems of censorship or repression. The risk of abuse of power is high, as state access is broad and opaque, and citizens have little control over how their data is used.

From a trade perspective, this approach forces Chinese companies to create new entities in countries such as the U.S. or Singapore to manage data under foreign regulations, potentially preventing their innovations from reaching global markets as quickly.

Europe: toward citizen-centric digital sovereignty

Faced with U.S. corporate hegemony and Chinese state control, the European Union (EU) places the rights of citizens at the center. The EU seeks to establish a legal framework that empowers individuals to control their own data. This is the essence of “citizen digital sovereignty.”

While the U.S. relies on free markets and self-regulation, and China locates sovereignty in the state, Europe actively works to create mechanisms for the protection of personal data. European governance is grounded in ethical principles and transparency, with legislation designed around user-centric data management. In Europe, privacy is considered a fundamental right, granting individuals the power to decide who accesses the data they generate and for what purpose.

Challenges of the European model

Europe’s main challenge is competitiveness. As highlighted in the Draghi report, European competitiveness has declined relative to the U.S. and China over the course of this century.

Regulation that protects citizens can translate into cumbersome and bureaucratic processes for entrepreneurs. There is a risk that technically skilled individuals capable of driving transformative projects may choose not to pursue them, fearing inadvertent non-compliance with European regulations without the support of large and costly legal teams. This hinders the development in Europe of companies capable of generating wealth and employment.

The EU’s current major challenge is to reconcile citizen protection with bureaucratic simplification and to strengthen the global competitiveness of European companies.

PETs and FL: key technologies for secure competitiveness

To reconcile protection and innovation, the European model relies not only on regulation but also on technical solutions. This is where Privacy-Enhancing Technologies (PETs) and Federated Learning (FL) come into play.

PETs are essential tools for ensuring privacy without increasing business bureaucracy, as they address privacy challenges from a technical perspective. Federated Learning complements this approach by enabling compliance with GDPR principles such as data minimization and purpose limitation, since data are neither transferred nor unnecessarily exposed; only learning outcomes are shared.

Reconciliation and benefits

FL, enhanced with PETs, enables collaborative training of AI models without compromising privacy. This is critical for responsible innovation in sensitive sectors such as healthcare, banking, transport, or education.

The main advantage of Federated Learning over traditional centralized approaches is that data remain at their source (hospitals, banks, etc.). Only model updates (such as weights or gradients) are shared, reducing exposure of sensitive data. By avoiding centralization, the attack surface and the risk of large-scale data breaches are also reduced.

Challenges

Despite their benefits, these technologies face challenges. The primary technical challenge is building scalable systems, as some current technical choices (such as the use of trusted lists within the European identity framework) may pose medium-term limitations. From an adoption standpoint, it is crucial that solutions are usable and that relevant stakeholders create the right incentives for individuals and organizations to adopt these technologies.

TRUSTED and Gradiant: the European and sovereign response

Gradiant, through the TRUSTED initiative, offers a concrete proposal to ensure data sovereignty in Europe.

TRUSTED integrates the European Digital Identity Wallet with Data Spaces to achieve user-centric information management. In addition, it implements PETs that provide additional guarantees to enhance data privacy, even beyond the already high protections associated with the underlying technologies. Specifically, certain PETs are applied to identity data exchange, while others are combined with federated learning (FL) to strengthen the platform on which models associated with medical data will be shared.

Responding to global models

TRUSTED addresses the challenges posed by the U.S. and Chinese models by protecting data under the European approach that recognizes privacy as a fundamental right. It offers transparent data management (identity, health, etc.) for citizens—a benefit that could extend to individuals worldwide.

At the same time, it enables researchers to train AI models by ensuring the privacy of training data and guaranteeing that Europe can compete in Artificial Intelligence while fully safeguarding citizens’ rights.

Led by Gradiant, TRUSTED positions itself as a reference alliance for data space initiatives seeking ethical governance and technically guaranteed privacy through state-of-the-art technology. If more organizations and business sectors adopt this approach, it could become the market standard for privacy protection in data spaces. This would enable both the sovereign exchange of verifiable credentials and the privacy-preserving training of AI models at the system level.

In essence, TRUSTED strengthens Europe’s technological autonomy and demonstrates that privacy and innovation not only can coexist, but are essential pillars for building a safer, more ethical, and more competitive data economy. It is the security and privacy backbone that ensures European data space infrastructures deliver on their promise of digital sovereignty.

This article was originally published in: Sovereign Data Spaces (II): The Battle for  Data Ownership in the U.S., China and Europe  – TrustED

This project has received funding from the European Union’s Horizon Europe research and innovation programme under grant agreement No. 101168467