For most of the internet’s commercial history, data privacy was largely a domestic concern. Companies collected what they could, stored it where it was convenient, and answered to whoever happened to be in charge locally. Cross-border commerce complicated that picture quietly at first, then rapidly. As online transactions became the default rather than the exception, the personal data of consumers began flowing across jurisdictions at a scale that national regulators had never anticipated and existing frameworks had no real tools to address.
The GDPR, which came into force in 2018, changed the terms of the conversation. By applying to any organisation processing data of EU residents regardless of where it was based, it established the principle that consumer data protection should follow the person, not the company. The financial consequences of getting it wrong became real very quickly. By early 2026, cumulative GDPR fines had surpassed €7.1 billion across more than 2,800 enforcement actions. TikTok received a €530 million penalty in 2025 for illegally routing European user data to China. Meta’s €1.2 billion fine, issued in 2023, remains the single largest on record. These are not edge cases: they reflect a sustained enforcement posture that shows no sign of softening.
Legislative activity outside Europe has accelerated in parallel. More than 170 countries now have some form of data privacy regulation. India’s Digital Personal Data Protection Act entered enforcement in late 2025. Vietnam’s comprehensive data law took effect in January 2026. In the United States, where no federal framework exists, over two dozen states have passed their own privacy statutes, each with different thresholds, rights, and enforcement mechanisms. For a business operating internationally, the compliance map has become genuinely difficult to read, and the cost of misreading it has grown considerably.
What this means at the consumer level is more concrete than it might appear. Every time someone in France streams content from a South Korean platform, a shopper in Brazil completes a purchase through a US marketplace, or a user in Germany deposits funds on a €1 deposit casino licensed in Malta, data crosses borders in real time. Whether those data flows are protected in transit depends entirely on the infrastructure decisions the platform made long before that transaction occurred, and on whether the jurisdiction where it is licensed actually enforces the standards it claims to apply. The difference between a regulated and an unregulated environment is invisible to the consumer in the moment of interaction, which is precisely why the pressure for common global standards has grown so urgent.
When harmonisation meets fragmentation
The difficulty is that different jurisdictions are pulling in different directions. China requires certain categories of data to be stored domestically and subjects outbound transfers to approval procedures that can effectively block them. The United States introduced its own outbound transfer restrictions in 2024, targeting data flows to countries it designates as adversaries. The EU’s adequacy framework, which permits transfers to countries deemed to offer equivalent protection, is subject to legal challenge and has already been revised once following the invalidation of the original Privacy Shield arrangement. A multinational operator trying to comply with all three simultaneously may find that the requirements are structurally incompatible, not merely inconvenient.
The response from the international community has been to build voluntary interoperability frameworks alongside the mandatory national ones. The Global Cross-Border Privacy Rules system, formally launched in June 2025 and building on the earlier APEC CBPR framework, allows organisations to certify against a common set of privacy principles that are recognised across participating jurisdictions. It does not replace national law, but it provides a portable credential that carries weight with regulators and counterparties alike. Certification signals that an organisation’s data practices meet an internationally recognised baseline, which increasingly matters in procurement decisions and cross-border partnership agreements.
Enforcement tightens and the industry adapts
In November 2025, the Council of the European Union adopted new rules to strengthen cooperation between national data protection authorities, specifically to address the delays and inconsistencies that had undermined the one-stop-shop mechanism. That mechanism, under which a single lead authority handles cases for organisations with EU main establishments, had produced uneven outcomes depending on which authority was involved. The new coordination rules introduce uniform admissibility standards and tighter procedural timelines, making enforcement more consistent and compliance planning more predictable for businesses operating across multiple member states.
For companies navigating this environment, the practical lesson is straightforward even if the implementation is not: data privacy compliance is no longer a back-office function that can be managed reactively. It has become a condition of market access in the most commercially significant jurisdictions in the world, and the standards those jurisdictions set are beginning to converge even as they diverge in the details.



