Internet-based commerce knows few boundaries, spanning continents with ease. It does know, however, multi-pronged data privacy regimes that cross cultural and linguistic borders. Does a company have to learn the privacy laws of every individual country that its operations touches? Luckily, the general answer is “no,” as explored below.

First, let’s not make the common mistake of conflating the fields of data privacy and data security. The latter is really about preventing access to information and security breaches, and the former is the separate task of affirmatively regulating to whom access is granted.

Perhaps 240 countries have individual privacy frameworks. Among them: India; Hong Kong; Brazil; and Mexico. Doing business via Internet there makes it necessary to do some digging on the particulars of each country’s compliance regime. Two major regions, though, have systemic privacy regulations that are reasoned, collaborative efforts. They are, respectively, the European Union (“EU”) and an Asia-Pacific Economic Cooperation (“APEC”) conglomerate.

The U.S. and the EU have had a Privacy Safe Harbor agreement in place since 2000 that makes compliance and trade easier for the parties. There are even some model contracts containing provisions authorized by the EU. On the U.S. end, one of the Safe Harbor requirements is that an officer of the subject enterprise certify to the U.S. Department of Commerce that an internal privacy measures audit has been conducted and the entity meets the specifications of the Safe Harbor’s checklist.

The APEC regulations are viewed as superior in some circles, as they cover a number of major economies not part of the Safe Harbor rubric. Some geographic outliers like New Zealand and the U.S. are also APEC-participating economies. APEC has a very exact and systematic 51-question survey checklist. Some U.S. general counsel believe that the APEC framework covers the most bases for an enterprise attempting to comply with numerous scattered privacy rules. Get it right according to APEC, and you may be sufficiently compliant in many other places. The APEC privacy regulations are actually not in effect quite yet, but many general counsel are tuning up for them now.

U.S. businesses can find some additional guidance on these international privacy matters at

Comment now!