The white elephant has a long history as a diplomatic weapon. You give something that cannot be refused, that looks magnificent, and that quietly ruins the recipient – not through malice, but through the simple mathematics of cost. The gift consumes more than it’s worth. The recipient can’t refuse it, can’t maintain it, and can’t get rid of it without causing offense.
It’s a remarkably precise image for what happened to transatlantic data governance after 2013.
This week, the European Commission published its Technological Sovereignty Package – a proposed regulation that would, once enacted, effectively bar American cloud providers from the highest tiers of EU public sector procurement in banking, healthcare, defense, and energy.
The hot take version I read on Twitter called it “American AI made illegal in 27 countries.” That’s not what it is. It’s a proposed regulation. It won’t bind anyone before late 2027 at the earliest. American companies aren’t banned, but they may be structurally disqualified from the highest sovereignty tier because of something they cannot change about themselves.
That something is US law.
The CLOUD Act, passed in 2018, allows American law enforcement to compel US companies to hand over data stored anywhere in the world. It doesn’t matter where the servers are. It doesn’t matter what the contract says. If you’re a US company, American jurisdiction follows you.
This isn’t a new problem. The EU has known about it for over a decade. They’ve watched two successive transatlantic data frameworks collapse under legal challenge – Safe Harbor in 2015, Privacy Shield in 2020 – both struck down by the Court of Justice of the European Union on the same grounds: that US surveillance law makes adequate data protection structurally impossible for European citizens.
The current framework, the EU-US Data Privacy Framework, is already being challenged. The pattern is established.
What changed this week isn’t the legal reality. It’s that the EU stopped pretending the next framework agreement would somehow fix it, and encoded the structural reality into procurement law instead.
Best left unsaid
There was a time when the transatlantic relationship operated on a particular unspoken agreement. Everyone with clearance knew roughly what American intelligence capabilities looked like. European governments broadly understood what cooperation with US agencies entailed. The arrangement wasn’t clean. It wasn’t equal. But it was stable, and that stability was doing diplomatic work that nobody wanted to examine too closely.
In 2013, Safe Harbor was the legal architecture underpinning transatlantic data flows. It was thin (critics had been questioning it for years) but it was functional. It was the thing that made “your data is protected” a statement European regulators could say with a straight face.
Then a program called PRISM became public knowledge, broken simultaneously by the Guardian and the Washington Post on June 6, 2013.
PRISM revealed that American tech companies had been providing the NSA with access to user data under secret court orders. Not hypothetically – systematically. The unspoken agreement had become undeniable, public, and politically toxic on both sides of the Atlantic.
Max Schrems, an Austrian law student, filed a complaint with the Irish Data Protection Commissioner the same year. It took two years to work through the courts. In 2015, Safe Harbor was struck down.
The EU didn’t build surveillance capitalism. It didn’t write the CLOUD Act. It didn’t design the legal architecture that makes American cloud providers structurally unable to guarantee data sovereignty.
But it did lose the ability to pretend otherwise.
Do you read the terms of service?
In the years that followed, the surveillance apparatus that PRISM revealed didn’t get dismantled. It mostly continued under revised authorities. What changed was the private sector equivalent grew far faster, far less accountably, and with none of the legal compulsion that at least made government surveillance theoretically subject to oversight.
Cambridge Analytica harvested psychographic profiles of millions of people using data they’d handed over voluntarily to a social media platform, and used it to target democratic elections. Palantir – founded in 2003 with early investment from In-Q-Tel, the CIA’s venture capital arm, now embedded across NHS, police, and defense infrastructure – is essentially a privatized intelligence capability available to whoever can afford the contract. The data broker industry operates in a regulatory grey zone that makes NSA bulk collection look positively accountable.
At least PRISM required a secret court order. Clearview AI just scraped the internet.
The people who were surveilled by the state in 2013 and briefly felt outraged about it got Cambridge Analytica instead. They traded a surveillance apparatus that needed a judge’s signature for one that needed a terms of service agreement.
That’s not a coincidence. It’s what happens when the framework that might have constrained private surveillance capitalism gets destroyed before it can do that work.
Ripples
Edward Snowden was 29 years old when he flew to Hong Kong with a hard drive.
I’ve believed since 2013 that what he did would have lasting, destabilizing consequences for the transatlantic relationship and that the people who would ultimately benefit were not the ordinary people whose data PRISM was harvesting. I didn’t know exactly what shape those consequences would take. I do now.
For what it’s worth, I don’t think he was evil, or anyone’s puppet. I think he was a very particular kind of American – the kind shaped by a founding mythology that says sunlight is always the best disinfectant, that transparency is inherently democratizing, that if people just knew, things would be different. (Like me, until I lived in the UK for a while.)
That’s not stupidity. It’s formation. It’s what America teaches its people to believe.
It just doesn’t work at the level of transatlantic intelligence frameworks.
He could have gone through legitimate channels. Yeah, they might (okay, probably would) have buried it. He would probably have been promoted. Instead, he made a choice – not naive, not unconsidered, but catastrophically miscalibrated about second and third order consequences – that detonated the one framework that was, imperfectly, doing the work of constraining what came next.
Now we all know what was left unsaid. Look at what it cost.
Snowden didn’t cause the oligarchy. But he gave the world a white elephant at a critical moment – and the oligarchy was the only party that could afford the upkeep.
The procurement regulation published in Brussels this week is what that looks like twelve years later.
A longer version – one with questions about who benefits from Western institutional collapse and what certain events have in common with the assassination of Archduke Ferdinand – is probably coming. I’m still just thinking out loud.