Complying with data protection law is increasingly complex. In addition to federal, state and local law, international data protection law extends beyond traditional jurisdictional norms. Companies with minimal – even tangential – international connections may fall within the strictures of foreign law or at least be affected by it. As markets flatten in the global economy so do the laws that aim to regulate them, particularly those laws that target inherently borderless actions. It is seemingly inevitable that laws dealing with digital data are extra-jurisdictional. Digital data travels via circuitous and transnational routes from origin to terminus – if an end exists at all. As data flows without regard to territorial borders, so does legislation aimed at regulating it.
Properly presenting the full compliance measures required under international data protection law is a tall task, and one that is beyond the scope of this article. This article instead identifies those companies that must comply with international data protection laws by explicating the extra-jurisdictional provisions of those laws. The article then outlines several legal means of complying with international data privacy law.
McKay Cunningham, Complying with International Data Protection Law, 84 U. Cin. L. Rev. 421, 450 (2016)