Part II — Surveillance, Democracy, and the Architecture of Control

Published on Dec 9, 2025

Introduction

Europe and the United States are both democracies, yet they approach digital identity, privacy, and surveillance in opposite ways. Europe builds strong legal protections while centralizing identity infrastructure. The U.S. decentralizes identity but allows intelligence agencies and corporations unprecedented surveillance power.

Each model reveals a different philosophy of freedom — and exposes different vulnerabilities. From a humanist personalist perspective, these systems must prioritize human dignity and autonomy, treating individuals not as data points but as relational beings whose privacy underpins meaningful participation in society. Building on Part I's exploration of emerging frameworks like the EU's eIDAS 2.0 and U.S. state-level innovations, this installment delves into the surveillance risks inherent in these models. By grounding our analysis in 2025 developments, we uncover how abstract risks manifest in real policy shifts, highlighting the need for vigilant safeguards — and foreshadowing the decentralized tools of resistance we'll examine in Part III.

What surveillance risks have you encountered in your own digital life? Share in the comments below.

1. Europe: Rights-Based Privacy, Infrastructure-Based Risk

Europeans often assume they are better protected from surveillance than Americans, and in many ways they are. The European Union enshrines data protection as a fundamental right. Citizens benefit from:

  • Comprehensive privacy laws
  • Regulatory oversight
  • Data minimization requirements
  • A culture of transparency

However, Europe is also building some of the world's most centralized digital identity systems.

The Digital ID Paradox

Countries like Estonia, Denmark, Belgium, and Sweden have embraced national digital IDs that permeate daily life. These systems streamline bureaucracy and reduce fraud, but they also create:

  • Unified identity numbers
  • Central identity registries
  • Interoperable authentication across sectors

The EU's incoming European Digital Identity Wallet (EUDI) will integrate digital IDs, credentials, and signatures across all member states. Its cryptographic design includes privacy protections — but the wider ecosystem increases the potential for political or bureaucratic overreach.

For instance, in October 2025, the European Commission announced nine grant calls worth a combined €204 million under the Digital Europe Work Programme 2025–2027, including €15 million specifically to support mobile driving licenses (mDLs) and expand EUDI Wallet consortia. This funding boost aims to accelerate rollout and testing, with full implementation required by the end of 2026 in every member state. While this enhances efficiency — such as seamless cross-border authentication — it centralizes sensitive data flows, raising concerns about repurposing under geopolitical pressures or regime changes. A future populist government could, in theory, use this infrastructure in ways its creators never intended, echoing historical abuses of centralized registries.

From a humanist viewpoint, this paradox erodes personal autonomy by embedding identity verification into everyday interactions, potentially reducing individuals to verifiable nodes in a network rather than free agents.

Europe's Strength: The Law

Europe has the world's strongest privacy laws. GDPR imposes strict obligations on companies and governments alike, offering real protections.

Enforcement in 2025 has been particularly robust, with fines totaling over €3 billion by mid-year, including the largest in GDPR history: a €1.2 billion penalty against Meta (Facebook) enforced at the start of the year by the Irish Data Protection Commission for systemic data transfer violations. Other major cases include a €530 million fine against TikTok for child data mishandling and a €479 million fine against Meta for behavioral advertising breaches. These actions demonstrate GDPR's teeth: purpose limitation, consent requirements, and independent oversight prevent unchecked surveillance, fostering a culture where data is handled with respect for human dignity.

Europe's Weakness: The Architecture

Even the best laws can be undone by crisis or political shift. Infrastructure, once built, can be repurposed. The danger is abstract today but structural in nature.

GDPR enforcement also varies significantly across member states, creating uneven protections. Spain has been aggressive, issuing 932 fines by mid-2025, while smaller or Eastern states lag in resources and case volume. In response, the Council of the European Union adopted new rules on November 17, 2025, to speed up cross-border handling of complaints, introducing uniform admissibility criteria and enhanced cooperation among Data Protection Authorities (DPAs). This addresses disparities but highlights how decentralized enforcement can undermine the model's uniformity, potentially leaving citizens in less proactive states more vulnerable.

Such variations underscore the need for decentralized alternatives, like self-sovereign identity systems, which we'll explore in Part III as tools to empower individuals beyond state architectures.

How do you think varying enforcement affects trust in systems like GDPR? Let me know your thoughts.

2. The United States: Suspicion of Government, Blindness to Corporations

In the U.S., proposals for a national ID face swift bipartisan resistance. Americans are deeply skeptical of centralized government systems, and this cultural distrust has prevented the development of unified digital identity.

A Patchwork Instead of a System

Instead of a national ID, Americans rely on:

  • State driver's licenses
  • Hundreds of fragmented government logins
  • The overused and insecure Social Security Number
  • Private-sector login systems (Google, Apple, Meta)

This "accidental decentralization" prevents the federal government from tracking identity usage easily, but it creates a different problem: inconsistent safeguards that expose users to fragmented risks.

State-level innovations do provide notable strengths. California's Consumer Privacy Act (CCPA) saw significant updates in 2025, with the California Privacy Protection Agency (CPPA) adopting regulations on July 24, 2025, that implement cybersecurity audits, risk assessments for automated decision-making technology (ADMT), and updates to existing rules, effective January 1, 2026. These enhancements require businesses to conduct annual audits for high-risk processing and provide opt-out rights for ADMT, offering pockets of robust protection absent at the federal level.

Corporate Identity Power

Tech giants have effectively become identity authorities. Millions rely on:

  • "Sign in with Apple"
  • "Sign in with Google"
  • Bank-based login systems

These companies track user behavior across apps, collect location history, analyze purchasing patterns, build psychological profiles, and share data with third parties.

Corporations thus become surveillance intermediaries — largely unregulated. The withdrawal of federal oversight exacerbates this: in May 2025, the Consumer Financial Protection Bureau (CFPB) withdrew a proposed rule aimed at regulating data brokers under the Fair Credit Reporting Act (FCRA), citing it as "unnecessary or inappropriate" amid industry pushback. This leaves sensitive data — like location and financial histories — vulnerable to sale without stringent controls, turning corporate power into a de facto surveillance state.

In humanist terms, this commodifies personal relationships and behaviors, reducing human interactions to profitable data streams.

The Intelligence Apparatus

The U.S. government wields extraordinary surveillance capabilities through NSA data collection, FISA courts, Section 702 warrantless surveillance, mass metadata gathering, telecommunication access, and cooperation with private companies.

While Americans resist national IDs, they often underestimate the scope of intelligence surveillance already in place. In 2025, the Foreign Intelligence Surveillance Court (FISC) approved the government's renewal certifications under Section 702 in a March opinion released publicly in September, enabling continued collection of foreign intelligence that incidentally sweeps up U.S. persons' data. The Annual Statistical Transparency Report for Calendar Year 2024, published in May 2025, detailed disseminations of U.S. person information under Section 702, highlighting ongoing warrantless access amid calls for reform before the program's April 2026 sunset.

This apparatus, empowered by post-9/11 laws, collaborates with corporations, creating a hybrid surveillance ecosystem that bypasses traditional checks.

3. Opposite Models, Opposite Dangers

Europe's model risks state overreach through centralized architecture, mitigated by strong laws but vulnerable to political shifts and enforcement gaps. The U.S. model risks corporate and intelligence overreach via fragmentation and weak federal oversight, though state innovations like CCPA provide counterbalances.

Both systems expose citizens to vulnerabilities — just different ones. And both must evolve. Ironically, Europe's legal strengths could inspire U.S. reforms, while America's anti-centralization ethos highlights the perils of unchecked private power. From a humanist lens, neither fully safeguards relational dignity; surveillance in both erodes trust, turning democratic participation into monitored compliance.

In Part III, we explore what a democratic, secure, privacy-preserving digital identity system could look like — through decentralized protocols like end-to-end encryption and self-sovereign identity — and how citizens can evaluate if a system is safe, empowering resistance against these risks.

— Pedro Murinelo