Large American flags hanging from the arched entrance of a neoclassical government building in Washington DC

TL;DR: On February 18, 2026, Secretary of State Marco Rubio signed an internal cable ordering US diplomats worldwide to actively lobby against data sovereignty and data localization laws. The cable explicitly names the EU's GDPR as "unnecessarily burdensome" and promotes the US-led Global Cross-Border Privacy Rules Forum as the alternative. This isn't Rubio's first such cable: he previously ordered diplomats to fight the EU's Digital Services Act, and the administration banned former EU Commissioner Thierry Breton's visa for authoring the DSA. The US is simultaneously running a Section 301 trade investigation against Brazil over digital sovereignty. The pattern is clear: the State Department is systematically pressuring governments worldwide to keep American tech companies' access to foreign citizens' data unrestricted.

What the Cable Says

Reuters broke the story on February 25, 2026.[1] The cable, dated February 18, went to US diplomatic missions worldwide. Its instructions are explicit:

  • Challenge data sovereignty and data localization laws wherever they emerge
  • Monitor new regulatory initiatives before they gain momentum
  • Promote the Global Cross-Border Privacy Rules Forum as the US-preferred privacy framework
  • Counter what the cable calls "unnecessarily burdensome regulations, such as data localization mandates"

The cable frames data sovereignty laws as threats to American interests. They "disrupt global data flows, increase costs and cybersecurity risks, limit Artificial Intelligence (AI) and cloud services, and expand government control in ways that can undermine civil liberties and enable censorship."[2]

Read that again. The US government (which runs the NSA, which conducts warrantless surveillance under Section 702, which buys Americans' data from brokers without warrants) is lecturing the world about data privacy undermining civil liberties.

GDPR Is Named as a Target

The cable doesn't speak in abstractions. It names the EU's General Data Protection Regulation (the world's most influential privacy law) as an example of the kind of regulation diplomats should push back against.[2]

GDPR gives EU citizens the right to know what data companies collect, the right to deletion, the right to data portability, and restrictions on cross-border data transfers to countries without adequate privacy protections. It went into effect in 2018 and has become the global gold standard that dozens of countries have modeled their own laws after.

The US doesn't have a federal privacy law. The cable's alternative? The Global Cross-Border Privacy Rules (CBPR) Forum, a voluntary, self-certification framework with nine members: the US, Australia, Canada, Japan, Mexico, the Philippines, South Korea, Singapore, and Taiwan.[3] Notably absent: the EU, which has called the CBPR system "not essentially equivalent" to GDPR standards.

Translation: the State Department is telling diplomats to push countries away from strong, enforceable privacy protections and toward a voluntary framework the US controls.

This Is a Pattern, Not an Incident

The February 18 data sovereignty cable didn't come out of nowhere. Here's the timeline:

  • May 2025: State Department announces a new "visa restriction policy" targeting foreign nationals deemed responsible for restricting American speech online[4]
  • July 2025: USTR launches a Section 301 trade investigation against Brazil, triggered by Brazil's Supreme Court ruling requiring digital platforms to take responsibility for harmful content. Google, Meta, X, and Microsoft all submitted positions opposing Brazil's digital sovereignty.[5]
  • August 2025: Rubio signs an internal dispatch ordering US diplomats in Europe to fight the EU's Digital Services Act (DSA) and collect examples of alleged "censorship" against American companies[4]
  • December 2025: The administration bans visas for five Europeans, including former EU Commissioner Thierry Breton, calling him the "mastermind" behind the DSA. Breton responded on X: "Is McCarthy's witch hunt back?" He noted 90% of the European Parliament voted for the DSA.[4]
  • February 18, 2026: The data sovereignty cable goes out to all diplomatic missions worldwide

This isn't ad hoc. Policy analyst James Gorgen, writing in TechPolicy.Press, called it "a coordinated, wide-ranging strategy to prevent sovereign nations from regulating how American platforms treat data."[6]

The Hypocrisy Is Breathtaking

The US doesn't just fight other countries' data protections. It maintains its own:

CLOUD Act (2018)

Lets US law enforcement compel American tech companies to hand over data stored anywhere in the world. The exact kind of "extraterritorial data access" the cable warns other countries against.

Executive Order 14086

Biden's order restricting intelligence collection on allies, the foundation of the EU-US Data Privacy Framework. Project 2025 explicitly flagged it for revocation. The Trump v. Slaughter Supreme Court case (expected June/July 2026) could gut it.[7]

TikTok Ban

The US forced TikTok's sale over data sovereignty concerns: Chinese access to American data. The same principle other countries apply to American companies.

Section 702 FISA

The warrantless surveillance authority that collects communications from foreign targets, and "incidentally" sweeps up millions of non-Americans' data in the process.

As Techdirt's headline put it: "Rubio to World: Stop Doing the Exact Same Thing the US Just Did."[8]

What's Actually at Stake

Data sovereignty isn't an abstract policy debate. When a country like France or Brazil says "our citizens' data must stay on servers within our borders," they're trying to ensure:

  • Local courts can enforce privacy rulings
  • Intelligence agencies from other countries can't easily access the data
  • Their own privacy laws actually apply
  • Citizens have meaningful legal recourse for data misuse

The US position, that data should flow freely across borders under voluntary frameworks, benefits exactly one group of companies: American tech giants. Google, Meta, Microsoft, Amazon, and Apple all depend on the ability to move data across borders for their cloud, advertising, and AI operations.

The cable frames this as "innovation" and "economic growth." Countries on the receiving end see it as losing control over their citizens' data to companies accountable primarily to US law, and to US surveillance authorities.

Europe Isn't Backing Down

When the Breton visa ban hit in December, the European Commission called it "an attack on European regulatory autonomy." French President Macron called it "coercion aimed at undermining Europe's digital sovereignty" and hinted at reciprocal measures.[4]

The EU-US Data Privacy Framework (the legal mechanism allowing US companies to transfer European data) already survived one court challenge in September 2025. But a new challenge is pending at the European Court of Justice, filed October 31, 2025.[7] Privacy campaigner Max Schrems has advocated limiting data transfers to US providers entirely, calling the framework a fragile "house of cards."

If the ECJ strikes it down (Schrems has killed two previous frameworks), the diplomatic cable's strategy backfires spectacularly. Aggressive US pressure on European data privacy makes it more likely European courts will find US data protections inadequate, not less.

What This Means for You

If you're in the EU: your data protections are under direct diplomatic pressure from the US government. Support organizations defending GDPR, like EDRi, Access Now, and noyb (Schrems' organization).

If you're in the US: your government is fighting privacy protections globally while refusing to pass a federal privacy law at home. The same administration fighting GDPR abroad is fighting warrant requirements for surveillance domestically.

If you're anywhere: use privacy tools. Encrypted messaging. VPNs in countries with strong privacy laws. The less data available for cross-border transfer, the less the diplomatic cables matter.

The State Department is betting that most people won't notice an internal cable about "data sovereignty." Now you know.

References

  1. Reuters/US News: Exclusive: US Orders Diplomats to Fight Data Sovereignty Initiatives (February 25, 2026)
  2. TechCrunch: US Tells Diplomats to Lobby Against Foreign Data Sovereignty Laws (February 25, 2026)
  3. Global Cross-Border Privacy Rules Forum: Official Website
  4. CNBC: 'Witch Hunt': Ex-EU Commissioner Breton Denounces US Visa Ban (December 24, 2025)
  5. USTR: Section 301 Investigation: Brazil's Digital Trade Practices (July 2025)
  6. TechPolicy.Press: How Trump's Data Regulation Crackdown Undermines Digital Sovereignty
  7. noyb: EU-US Transfers: A House of Cards (December 2025)
  8. Techdirt: Rubio to World: Stop Doing the Exact Same Thing the US Just Did (March 3, 2026)