The advent of the commercial Internet has introduced novel challenges to global governance because of the transnational nature of shared data flows, creating interdependence that may result in inter-state cooperation or competition. Data protection laws that are designed to ensure citizens’ right to privacy are one of the primary tool used by states to extend control over data flows. The European Union’s (EU) General Data Protection Regulation (2016) is widely regarded as the strongest data protection law in the world, and therefore may serve as a barrier to the openness of the Internet. The GDPR is both an instance of regulatory competition between the EU and US, but also heightens the need for cooperation to ensure the smooth functioning of online commerce. This paper shows that the EU is exporting the GDPR to jurisdictions such as the US via extraterritorial effects, even though the US has adopted an alternative legal approach to data protection. This paper seeks to explain the influence and limitations of the GDPR by considering factors such as the relative regulatory capabilities of the EU and the US as the result of their institutional and legal histories. It demonstrates that the EU has relied on complex interdependence to design a regulation like the GDPR, and it uses this regulatory competitive advantage alongside its soft power to promote its model of data protection, allowing the EU to obtain favorable outcomes in cooperation with the US.