In the summer of 2013, Edward Snowden sparked an uproar by leaking top secret documents about U.S. government surveillance to the media. Snowden’s disclosures showed how the National Security Agency was exploiting the dominance of the United States in internet services to spy on the world’s citizens. From Berlin to San Francisco, demonstrators rallied behind Snowden, carrying signs demanding an end to mass surveillance.

When Snowden began working for the intelligence community in 2006, I left my job as a lawyer for the American Civil Liberties Union to work as a privacy official in the intelligence community and later at the White House. As surprised as I was by the breadth of modern surveillance, I was just as surprised by how seriously everyone in government took the rules that governed it. As a privacy official inside America’s growing surveillance state, it was my job to enforce these rules. While I am proud of the work we did to keep the NSA and other agencies in bounds, it is fair to say my success in protecting privacy was limited.

So what did we miss? In a word, the internet – and the transforming impact the internet has had on the global marketplace in digital services, and on all of our lives.

The internet had made it far more difficult to protect the privacy of Americans while leaving the rest of the world’s data unprotected. Official assurances that “we don’t spy on Americans” did not reassure a public who knew the NSA had masses of domestic data. Despite Snowden’s theft of top-secret documents and his decision to seek asylum in Russia, most Americans had mixed views of him. Many saw him more as a whistleblower than a traitor.

In the rest of the world, Snowden is even more popular. The internet gave American companies a reason to care about what foreigners in other countries thought about U.S. government spying. Snowden’s decision to leak details about the NSA’s surveillance programs had major implications for American business.

Foreign competitors argued that U.S. companies could not be trusted to store personal data because they were in bed with the NSA. The constant talk by U.S. officials of protecting “U.S. persons” was not helping. Initial estimates of lost business from the “Snowden effect” ranged from $35 billion to $180 billion. The nervous giants of Silicon Valley demanded surveillance reforms that go beyond protecting the privacy of Americans. Obama responded with a directive requiring intelligence agencies to have rules to protect the privacy of everyone whose data is collected in mass surveillance programs.

In 2015 the European Court of Justice struck down a vital agreement allowing business to transfer personal data to the United States, citing fears of U.S. government surveillance. By 2016, officials from the United States and the European Union had negotiated a new deal on personal data, the US-EU Privacy Shield. The deal was based in part on assurances from U.S. intelligence officials that they were serious about privacy. As evidence, they pointed to the new rules protecting the personal data of foreigners required by Obama’s presidential directive. While EU officials went along, the deal is being challenged in European courts because U.S. law still permits very broad surveillance.

Despite the “America First” rhetoric of Donald Trump, Obama’s directive protecting foreign privacy has survived. Trump’s director of national intelligence, Dan Coats, has said he agrees that Obama’s post-Snowden reforms are necessary to ensure a smooth transatlantic flow of personal data.

Congress must decide by the end of this year whether to renew the NSA’s power to engage in surveillance of communications that transit switches and servers inside the United States using a secret court order. The intelligence community has revealed that over 100,000 targets were under such surveillance in 2016, for reasons well beyond terrorism. While the government may not single out Americans as targets, it may search the database for information about Americans who may be communicating with foreigners. It did so more than 30,000 times last year.

While Congress should reform this “backdoor search” practice, it should not make the same mistake I made by focusing only on protecting the privacy of Americans. If it does, businesses may face a rude awakening when European courts again strike down transfers of personal data to the United States, threatening a half-trillion dollar transatlantic trading relationship. Reforming the NSA’s mass surveillance programs to focus more narrowly on terrorism and other security threats would do much to address these concerns.

Protecting the privacy of foreign users of American internet services is not just good for business, it is good for everyone’s privacy – including Americans. The digital data, communications, and personal lives of Americans now transcend national boundaries. It turns out we are all in this together. In the digital age, the only way to protect the privacy of Americans is to protect the privacy of everyone.