Practical self-defence for anyone who processes data. Not legal advice. Not a political statement. Just the framework, the tools, and the records that matter if questions ever arise.
Global coverage
This guide covers ~24 data-protection regimes in detail and another 11 briefly, shown on the map below. Countries are coloured by the regulatory family their primary law belongs to. Uncovered countries are shown in muted slate — the methodology in this guide still applies, but you'll need to substitute your local law for the worked GDPR examples.
[Map: four orthographic views (Americas; Europe/Africa/Middle East; South + East Asia; Asia-Pacific/Oceania) that together show every jurisdiction on Earth. Base geography: Natural Earth 1:110m (public domain); each country is rendered as <path id="{ISO3}"> for reproducible highlighting via tools/generate-globe-views.py. Legend: highlighted = covered in this guide (60 countries: 24 in detail, 36 briefly or via EU/EEA membership); muted slate = not yet covered in detail, where the methodology still applies and you swap your local law for the GDPR examples.]
Microstates (Malta, Liechtenstein, Singapore) are too small to appear at 1:110m resolution but are covered through EU/EEA membership or national law.
Who this guide is for
You process data. Maybe client notes, collaborator emails, interview transcripts, a dataset of survey responses, your own coding history in an AI assistant — any information that could identify a specific person, including yourself. You're not a Fortune-500 corporation with a dedicated legal department. You're one person, or a small team, trying to understand what laws apply to what you're doing.
This guide exists because the structural question faced by solo developers is identical to the one faced by enterprises: which of my providers could be compelled to produce my data under a law other than the one that's supposed to protect it, and what do I do about that?
What this guide is not
Not legal advice. It summarises public law and regulator guidance. When your situation matters — contracts, litigation, enforcement — talk to qualified counsel.
Not a political statement. Every jurisdiction's laws exist for reasons its elected representatives considered legitimate. The goal here is factual clarity about how those laws interact, not judgment about which ones are "good" or "bad".
Not alarmist. The probability that any specific individual's data will be the subject of an extraterritorial production order is low. The probability that you should understand the framework anyway is high — because the understanding is what allows you to respond calmly if ever asked.
The core observation
Most people's data is protected by the data protection law of their jurisdiction. In the EU it's the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). It grants specific rights (Arts. 12-22), places obligations on anyone processing data (Arts. 24-43), and, critically for this guide, restricts when an order from a court or authority outside the EU can be a lawful ground for disclosing personal data (Art. 48).
At the same time, some providers that solo developers and small teams use every day — cloud APIs, code-hosting services, ML services — are incorporated in jurisdictions whose laws can compel them to produce data regardless of where the data physically sits. The US CLOUD Act (18 U.S.C. §2713) and the UK Investigatory Powers Act 2016 are the most commonly cited examples.
When data protected by one framework reaches a provider governed by another, the two frameworks interact. GDPR Art. 48 is written precisely for this interaction.
This guide uses GDPR as the primary example — but the methodology is global. Most major economies now have their own data protection regime: India's DPDPA (2023), China's PIPL + DSL (2021), Brazil's LGPD (2018), Russia's Federal Law 152-FZ (2006, heavily amended since 2015), Canada's PIPEDA, Australia's Privacy Act, Japan's APPI, South Korea's PIPA, and many more. The structural question is the same in every jurisdiction: which of my providers are subject to a foreign legal framework with extraterritorial reach, and what protective mechanism does my local law offer? Substitute your local law for "GDPR," your local supervisory authority for "EDPB/national DPAs," and the methodology — map your providers, minimise your data flow, document your actions — transfers directly.
Your jurisdiction shapes the analysis
The methodology of this guide — map your providers, minimise the data flow, document your actions — is universal. The specific protective mechanism you can invoke depends on which data-protection law you live under. Below is a deliberately concrete description of the jurisdictions covered in detail, with the citations a lawyer would want.
European Union / EEA — GDPR
Primary law: Regulation (EU) 2016/679 ("GDPR"). Effective 25 May 2018. Applies in all EU and EEA states.
Lawful bases for processing — Art. 6: consent, contract, legal obligation, vital interests, public task, legitimate interests (six total).
Cross-border transfers — Chapter V (Arts. 44-50): adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, derogations.
Extraterritorial-order shield — Art. 48: foreign court/administrative orders are not lawful grounds for transfer unless based on an MLAT or other international agreement.
Breach notification — Art. 33(1): supervisory authority within 72h of awareness; Art. 34: data subjects when high-risk.
United States — sectoral + state-level + extraterritorial reach
The US has no comprehensive federal data-protection law. The framework is a patchwork:
Sectoral federal: HIPAA (health), GLBA (finance), COPPA (children under 13), FCRA (credit), FERPA (education).
State comprehensive laws: CCPA + CPRA (California), CDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), and ~20 more enacted since 2023.
US CLOUD Act 2018 (18 U.S.C. §2713) — extraterritorial: compels US-incorporated providers to produce data regardless of storage location.
Enforcement: FTC + state Attorneys General. No federal DPA.
India — Digital Personal Data Protection Act 2023 (DPDPA)
Primary law: Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023). Replaces the prior Sec. 43A regime under the IT Act. Implementing rules were notified in 2025, with most obligations phased in over a transition period, so check which provisions are in force before relying on them.
Extraterritorial scope — Sec. 3(b): applies to processing of digital personal data outside India if in connection with offering goods or services to Data Principals within India.
Lawful processing: consent (Sec. 6) OR "certain legitimate uses" (Sec. 7 — limited closed list, narrower than GDPR's legitimate interests).
Cross-border transfers — Sec. 16(1): permitted by default, except to countries restricted by Central Government notification. The default is permissive — opposite of the GDPR default of "restricted unless adequacy/SCCs/derogations."
Significant Data Fiduciaries — Sec. 10: Government may designate organisations with extra obligations (DPO, DPIA, audits).
Enforcement: Data Protection Board of India (DPBI). Penalties up to ₹250 crore per instance.
Children's data — Sec. 9: verifiable parental consent required for under-18s.
China — PIPL + DSL + CSL
Primary laws: Personal Information Protection Law (PIPL, 2021), Data Security Law (DSL, 2021), Cybersecurity Law (CSL, 2017). Applied together by the Cyberspace Administration of China (CAC).
Extraterritorial scope — PIPL Art. 3: applies to processing of personal information of natural persons in China outside Chinese territory when (i) for offering products or services to such persons, (ii) for analysing or assessing their activities, or (iii) other circumstances provided by laws.
Cross-border transfer mechanisms — PIPL Arts. 38-43: one of three required:
CAC security assessment (mandatory for "important data," CIIOs, large-volume processors)
Standard Contract (CAC SCCs, effective 2023, easier path for small/medium volume)
Personal information protection certification (third-party certification body)
Data localisation — PIPL Art. 40 + CSL Art. 37: Critical Information Infrastructure Operators (CIIOs) and processors handling "important data" must store such data in China; cross-border transfer requires security assessment.
DSL classifications: "general data," "important data," "core data." "Core data" near-impossible to transfer abroad. "Important data" catalogues being defined sector-by-sector.
Brazil — LGPD
Primary law: Lei Geral de Proteção de Dados Pessoais (LGPD) — Law No. 13.709/2018. In force since 18 September 2020 (administrative sanctions applicable from August 2021). Highly aligned with GDPR but with important divergences.
Lawful bases — Art. 7: ten bases (vs. GDPR's six): consent, legal or regulatory obligation, public administration, research bodies, contract, exercise of rights in judicial/administrative/arbitral proceedings, protection of life, health protection, legitimate interests, and credit protection.
Subject rights — Art. 18: confirmation, access, correction, anonymisation, portability, deletion, information about sharing, revocation.
International transfers — Arts. 33-35: adequacy decision by ANPD, SCCs, BCRs, specific authorisation, or derogations (consent + a few others).
Extraterritorial scope — Art. 3: applies when processing occurs in Brazil, when offering services to people in Brazil, or when data was collected in Brazil.
Enforcement: Autoridade Nacional de Proteção de Dados (ANPD). Penalties up to 2% of revenue capped at R$50 million per infraction.
Russian Federation — Federal Law 152-FZ + State Duma amendments
Primary law: Federal Law No. 152-FZ "On Personal Data" (2006), heavily amended by the State Duma. Key amendments: FZ-242 (2014, data-localisation), Yarovaya laws (2016, telecom data retention), FZ-266 (2022, breach notification + scope).
Data-localisation — Art. 18(5) (FZ-242, 2014, effective 2015): when collecting personal data of Russian citizens, the operator must ensure recording, systematisation, accumulation, storage, modification, retrieval are performed using databases located on the territory of the Russian Federation.
Breach notification — FZ-266 (2022): notify Roskomnadzor within 24 hours of breach awareness, with follow-up within 72 hours.
Extraterritorial scope — Art. 1.1: applies to processing of personal data of Russian citizens by foreign operators offering goods/services in Russia or analysing/profiling such individuals.
Subject rights — Arts. 14-17: access, correction, blocking/deletion of unlawful processing, right to object.
Yarovaya Laws — Federal Laws 374-FZ + 375-FZ (2016): require telecom operators and ISPs to store metadata for 3 years and content for 6 months; require providers of "information dissemination services" to provide decryption keys to FSB.
Enforcement: Roskomnadzor (Federal Service for Supervision of Communications, Information Technology and Mass Media). Administrative fines under Code of Administrative Offences Art. 13.11: up to ₽18 million for repeat data-localisation violations; turnover-based fines for personal-data leaks were added in 2024.
Canada — PIPEDA + provincial laws
Primary law: Personal Information Protection and Electronic Documents Act (PIPEDA, 2000). Provincial laws apply in BC (PIPA), Alberta (PIPA), and Quebec (Law 25 / Act 64).
Consent-based with reasonable-purposes carve-outs.
Quebec Law 25 (phased in 2022-2024) significantly tightened obligations: privacy-by-default settings, mandatory privacy impact assessments (including before transferring personal information outside Quebec), a data-portability right, and prompt breach notification to the Commission d'accès à l'information (CAI) for incidents presenting a risk of serious injury.
Reform attempt: Bill C-27 (Consumer Privacy Protection Act + Artificial Intelligence and Data Act), introduced 2022, died on the Order Paper when Parliament was prorogued in January 2025; PIPEDA remains the federal law.
Enforcement: Office of the Privacy Commissioner of Canada (federal); provincial commissioners for BC/AB/QC.
Australia — Privacy Act 1988
Thirteen Australian Privacy Principles (APPs) under Schedule 1, governing collection, use, disclosure, accuracy, security, access.
Notifiable Data Breaches scheme (Part IIIC, since 2018): notify OAIC + affected individuals "as soon as practicable" after assessing likely serious harm.
2024 Privacy Act Reform (first tranche enacted Dec 2024 as Privacy and Other Legislation Amendment Act 2024): introduces children's online privacy code, statutory tort for serious privacy invasions, automated decision-making transparency, increased penalties.
Cross-border: APP 8. The disclosing entity remains accountable for the overseas recipient's handling unless one of the APP 8.2 exceptions applies (for example, a reasonable belief that the recipient is bound by a substantially similar law, or the individual's informed consent).
Enforcement: Office of the Australian Information Commissioner (OAIC). Penalties up to A$50M / 30% of adjusted turnover / 3× benefit (whichever greater).
New Zealand — Privacy Act 2020
Cross-border — IPP 12: must take reasonable steps to ensure overseas recipient has comparable safeguards. Standard wording mechanism via OPC-issued model clauses.
Privacy Commissioner has compliance-notice and access-direction powers; criminal penalties for some offences.
Enforcement: Office of the Privacy Commissioner (OPC).
Japan — APPI (Act on the Protection of Personal Information)
Cross-border transfer — Art. 28: requires consent OR transfer to a country recognised by PPC as having adequate protection (e.g., EU, UK) OR contractual safeguards equivalent to APPI.
Pseudonymously processed information (kamei kakō jōhō) — reduced obligations vs. personal information; distinct from anonymously processed information (tokumei kakō jōhō), which falls outside most obligations.
Enforcement: Personal Information Protection Commission (PPC). Criminal penalties for severe violations.
Singapore — Personal Data Protection Act 2012 (PDPA)
2020 amendments: mandatory breach notification (within 3 calendar days to PDPC if significant harm OR ≥500 individuals affected); data portability; new offences for egregious mishandling.
Cross-border: transferring organisation must take steps to ensure recipient is bound to comparable standards.
Enforcement: Personal Data Protection Commission (PDPC). Penalties up to S$1M or 10% of annual turnover (whichever higher) post-2022.
Thailand — Personal Data Protection Act B.E. 2562 (2019)
Extraterritorial scope — Sec. 5: applies to processing outside Thailand offering goods/services to data subjects in Thailand or monitoring their behaviour.
Breach notification — Sec. 37(4): to the Office of the PDPC within 72 hours of awareness.
Cross-border: requires adequate protection in destination OR appropriate safeguards (BCRs, contractual clauses).
Enforcement: Personal Data Protection Committee (PDPC, under MDES — Ministry of Digital Economy and Society).
Vietnam — Decree 13/2023 on Personal Data Protection
Effective 1 July 2023. First comprehensive PDP regulation in Vietnam; superseded by the Law on Personal Data Protection passed in June 2025, effective 1 January 2026, which retains the decree's core consent, transfer and notification mechanics.
Strict consent requirements — written or electronic, separate from other consents.
Data Localisation: Decree 53/2022 + Cybersecurity Law 2018 — required for certain categories of data + offshore providers offering services in Vietnam.
Cross-border transfer — Art. 25: requires Transfer Impact Assessment (TIA) and notification to MPS Cybersecurity Department.
Breach notification: within 72 hours to MPS Cybersecurity Department.
Enforcement: Ministry of Public Security (MPS), specifically the Cybersecurity and High-Tech Crime Prevention Department (A05).
South Africa — POPIA (Protection of Personal Information Act 4 of 2013)
Enacted 2013, fully effective 1 July 2021.
Eight conditions for lawful processing (similar to GDPR principles).
Cross-border — Sec. 72: transfer permitted if recipient subject to similar law / binding corporate rules / consent / contract performance / benefit of data subject.
Mandatory breach notification — Sec. 22: notify Information Regulator + data subjects "as soon as reasonably possible."
Enforcement: Information Regulator (South Africa). Penalties up to R10 million OR 10 years imprisonment.
Chile — Law 21.719 (2024)
Original Law 19.628 (1999) was outdated. Law 21.719 enacted Dec 2024 (effective Dec 2026 after 24-month vacatio legis): comprehensive GDPR-style reform.
Establishes new Personal Data Protection Agency (Agencia de Protección de Datos Personales).
Six lawful bases, comprehensive subject rights, mandatory DPIAs for high-risk processing.
Turkey — Law No. 6698 on the Protection of Personal Data (KVKK)
Effective April 2016, modeled partly on EU Directive 95/46/EC (pre-GDPR).
Six lawful bases similar to GDPR.
Cross-border transfer (Art. 9): transfer requires (i) explicit consent OR (ii) adequate protection in destination (very few countries declared adequate by KVKK Board) OR (iii) written undertaking with KVKK Board approval. 2024 amendment (Law 7499): introduced standard contractual clauses + BCRs as new mechanisms.
Mandatory breach notification — Art. 12(5): to the KVKK Board "as soon as possible"; Board Decision 2019/10 fixes this at 72 hours from awareness.
Enforcement: Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — KVKK). Fines + imprisonment for some offences.
Israel — Privacy Protection Law 1981 + 2024 Amendment 13
Original Privacy Protection Law 5741-1981. Amendment 13 enacted Aug 2024, effective Aug 2025: substantial GDPR-alignment update.
EU adequacy decision since 2011 (under reassessment post-Amendment 13).
Amendment 13 introduces: mandatory breach notification, expanded subject rights (access, correction, deletion, restriction, portability), DPO requirement for certain controllers, increased penalties (up to ₪5M).
Cross-border transfer — Privacy Protection Regulations (Transfer of Data Abroad) 2001: permitted only to recipients ensuring no less protection than Israeli law OR with explicit consent OR for specific purposes.
Enforcement: Privacy Protection Authority (PPA, under Ministry of Justice).
Saudi Arabia — PDPL (Personal Data Protection Law, Royal Decree M/19, 2021)
Royal Decree M/19 of 9/2/1443H (Sep 2021). Initial enforcement deferred multiple times; Implementing Regulations issued Sep 2023; PDPL fully enforceable from 14 Sep 2024.
Hybrid GDPR/region-specific framework. Six lawful bases.
Cross-border transfer — Art. 29 + Regulations on Personal Data Transfer outside the Kingdom (2023, amended 2024): permitted to countries SDAIA deems to have an adequate level of protection, or with appropriate safeguards (BCRs, standard contractual clauses, certification) plus a risk assessment; otherwise only narrow exceptions. Considerably more permissive than the pre-regulation position, which effectively required case-by-case approval.
Mandatory breach notification: within 72 hours.
Enforcement: Saudi Data and AI Authority (SDAIA). Penalties up to SAR 5M + criminal penalties for severe violations.
United Arab Emirates — PDPL (Federal Decree-Law No. 45 of 2021)
Federal Decree-Law No. 45 of 2021 on Personal Data Protection. Effective Jan 2022; Executive Regulations expected.
Sectoral overlay: DIFC has its own DP law (DIFC Data Protection Law 2020); ADGM has separate law (ADGM Data Protection Regulations 2021); Healthcare-specific (Federal Law 2 of 2019).
Six lawful bases. Subject rights: access, correction, deletion, restriction, portability.
Cross-border transfer — Art. 22: requires adequate level of protection / contractual safeguards / BCRs / consent / specific exemptions.
Mandatory breach notification: to UAE Data Office "without delay."
Covered briefly
Mexico — LFPDPPP (a new Federal Law on Protection of Personal Data Held by Private Parties published March 2025 replaced the 2010 law) + LGPDPPSO (public sector, 2017). INAI was dissolved in 2025; enforcement moved to the Secretaría Anticorrupción y Buen Gobierno.
Egypt — Law 151 of 2020 on Personal Data Protection. Pending Implementing Regulations.
Indonesia — UU 27/2022 (PDP Law). Effective Oct 2024 after 2-year transition.
Philippines — Data Privacy Act 2012 (RA 10173). NPC enforces.
Malaysia — Personal Data Protection Act 2010 (PDPA). Major amendments enacted 2024 (PDPA Amendment Act 2024).
Pakistan — Personal Data Protection Bill (under consideration since 2018; not yet enacted as of 2026).
Bangladesh — Draft Personal Data Protection Act under consideration.
Sri Lanka — Personal Data Protection Act No. 9 of 2022.
EU Member States — national supplementary laws: each Member State has a Data Protection Act supplementing GDPR (e.g., DE: BDSG, FR: Loi Informatique et Libertés, IT: Codice in materia di protezione dei dati personali, ES: LOPDGDD, NL: UAVG, PT: Lei 58/2019, SE: Dataskyddslagen). Member State laws typically address employment data, special categories, derogations.
The pattern is now clear: most major economies have a comprehensive data-protection law, and the global trend is toward GDPR-influenced rights-based regimes with mandatory breach notification, cross-border transfer controls, and dedicated supervisory authorities. The substantive differences are in (i) cross-border transfer mechanisms — some jurisdictions are restrictive, others permissive-by-default; (ii) data localisation — some jurisdictions impose hard residency rules; (iii) extraterritorial reach — most modern regimes apply to processors outside the jurisdiction offering services to local data subjects.
For your specific situation, the only authoritative source is qualified counsel in your jurisdiction. This guide gives you the structural language and the citations to start the conversation.
GDPR Article 48, in plain language
"Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter."
— Regulation (EU) 2016/679, Art. 48
In plain English:
If a non-EU government or its authority asks a GDPR controller to hand over personal data, the request by itself is not a lawful basis to comply.
A Mutual Legal Assistance Treaty (MLAT) between the requesting country and the EU (or a Member State) is. The US has an MLA agreement with the EU (signed 2003, in force 2010) plus bilateral MLATs with most Member States; the EU and the UK have law-enforcement cooperation provisions under the Trade and Cooperation Agreement.
The provision explicitly says "without prejudice to other grounds for transfer" — other Chapter V mechanisms (SCCs, adequacy decisions, binding corporate rules) can still apply if their own conditions are met.
Article 48 does not make the US CLOUD Act or UK IPA invisible. It says: these laws do not, by themselves, create a lawful basis for a GDPR controller to release data. The proper channel is the MLAT.
What this means for individuals
If you are the data controller — the person who decides what to do with data — and you are in an EU Member State, Article 48 gives you a concrete, textual basis to:
Decline to respond to a direct extraterritorial request without legal assistance channels.
Require the requesting authority to route through the MLAT.
Document your position factually, without escalation.
None of this requires confrontation. It requires understanding the framework and having the records to show you operated within it.
The practical steps
1. Know your dependencies
Use the jurisdiction registry specification (on foundation-protocols-spec) — a JSON file where you list every provider you send data to, their incorporation country, and what extraterritorial laws apply. The schema and tools are distributed with IAS. For most individuals, populating this file takes 30 minutes and clarifies more about your posture than hours of reading articles would.
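The check such a registry makes possible, as an added example that is not the IAS project's audit.py and does not use its schema: a small Python audit over a constructed registry that flags every provider outside the controller's framework, and flags harder when the provider's home country has one of the extraterritorial laws this guide names. The registry field names (`controller.jurisdiction`, `incorporated_in`, `dpa_signed`, `zero_retention`, `no_training`) and the provider names are assumptions for illustration; map them onto schemas/dependency-jurisdiction-v1.0.json when you adapt it.

```python
"""Added example, not the IAS project's tools/jurisdiction-audit/audit.py.

Walks a provider registry and flags every dependency whose incorporation
country is outside the controller's legal framework, with a sharper flag when
that country has a law the guide cites as reaching data stored anywhere
(US CLOUD Act, UK IPA 2016). Registry field names are assumptions for this
example, not the fields of schemas/dependency-jurisdiction-v1.0.json.
"""
import json
from dataclasses import dataclass

# EU/EEA member states, ISO 3166-1 alpha-2. Data staying inside this set does
# not leave the GDPR framework, so no Chapter V transfer question arises.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# Laws this guide names as compelling production regardless of storage location.
EXTRATERRITORIAL = {
    "US": "US CLOUD Act (18 U.S.C. §2713)",
    "GB": "UK Investigatory Powers Act 2016",
}

# Mitigations the guide recommends documenting for such providers (step 3).
MITIGATIONS = ("dpa_signed", "zero_retention", "no_training")

# Constructed sample registry; provider names and field names are hypothetical.
SAMPLE_REGISTRY = json.loads("""
{
  "controller": {"jurisdiction": "DE", "framework": "GDPR"},
  "dependencies": [
    {"name": "example-llm-api", "incorporated_in": "US",
     "data_categories": ["prompts", "client-notes"],
     "dpa_signed": true, "zero_retention": true, "no_training": true},
    {"name": "example-de-cloud", "incorporated_in": "DE",
     "data_categories": ["backups"], "dpa_signed": true},
    {"name": "example-uk-git", "incorporated_in": "GB",
     "data_categories": ["source", "collaborator-emails"], "dpa_signed": false}
  ]
}
""")


@dataclass(frozen=True)
class Finding:
    provider: str
    severity: str  # "info" < "review" < "action"
    reason: str


def same_framework(home: str, country: str) -> bool:
    """True when both sides sit under one data-protection law."""
    return country == home or (home in EEA and country in EEA)


def audit(registry: dict) -> list[Finding]:
    home = registry["controller"]["jurisdiction"]
    findings = []
    for dep in registry["dependencies"]:
        name, country = dep["name"], dep["incorporated_in"]
        if same_framework(home, country):
            findings.append(Finding(name, "info", "same legal framework; no crossing"))
            continue
        law = EXTRATERRITORIAL.get(country)
        if law is None:
            findings.append(Finding(name, "review",
                f"third-country provider ({country}); record the Chapter V "
                "transfer mechanism (adequacy, SCCs, BCRs) you rely on"))
            continue
        # A foreign production regime applies. Documented mitigations lower the
        # severity but never remove the crossing itself.
        missing = [m for m in MITIGATIONS if not dep.get(m)]
        if missing:
            findings.append(Finding(name, "action",
                f"{law}; undocumented mitigations: {', '.join(missing)}"))
        else:
            findings.append(Finding(name, "review",
                f"{law}; mitigations documented, re-check the DPA periodically"))
    return findings


def crossings(findings: list[Finding]) -> int:
    """How many providers take data across a legal-framework boundary."""
    return sum(1 for f in findings if f.severity != "info")


def report(findings: list[Finding]) -> str:
    width = max(len(f.provider) for f in findings)
    lines = [f"{f.severity.upper():6} {f.provider:<{width}}  {f.reason}" for f in findings]
    lines.append(f"crossings: {crossings(findings)} of {len(findings)} providers")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_REGISTRY)))
```

The severity is deliberately a three-step ladder: "info" is a provider you can ignore for Chapter V purposes, "review" means the crossing exists and you should be able to point at the mechanism covering it, "action" means a provider with a foreign production regime and nothing on file about it. The last category is the one a regulator or client will ask about first.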
2. Minimise the data flow
The simplest mitigation is sending less data. If an AI API accepts "a prompt to summarise a document," you often don't need to send the document — you can send a derived question. If a service lets you pass identifiers instead of names, use identifiers. If you can run a model locally for the sensitive part and call the API for the generic part, do that.
Data that never left your control cannot be produced by anyone.
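The "identifiers instead of names" step, as an added example that is not IAS project code: keyed pseudonymisation of a note before it goes to a remote API, with the reverse map kept locally so only you can re-identify the response. The sample note, the names, the key and the token format are constructed for this example; recognising names from a supplied list is a deliberate simplification (a real pipeline would need entity recognition or structured input), and the point being shown is that tokens are HMAC-based, not plain hashes, so the provider cannot reverse them by hashing a list of candidate names.

```python
"""Added example, not IAS project code: keyed pseudonymisation of free text
before it leaves your control, with re-identification kept local.

Tokens are HMAC-SHA256 over the value under a secret key, so a provider (or
anyone who later obtains the tokens) cannot reverse them by hashing candidate
names, while the same person yields the same token across calls so the remote
model can still reason about "the same person".
"""
import hashlib
import hmac
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample input; names and address are fictitious.
SAMPLE_NOTE = (
    "Call with Anna Schmidt (anna.schmidt@example.org) about the survey. "
    "Anna Schmidt will send the dataset; cc Jonas Weber."
)
SAMPLE_NAMES = ["Anna Schmidt", "Jonas Weber"]


class Pseudonymiser:
    def __init__(self, key: bytes, known_names: list[str]):
        if len(key) < 32:
            raise ValueError("use at least 32 bytes of key material")
        self._key = key
        # Longest names first so "Anna Schmidt-Berg" wins over "Anna Schmidt".
        self._names = sorted(set(known_names), key=len, reverse=True)
        self._reverse: dict[str, str] = {}  # token -> original; never leaves this process

    def _token(self, kind: str, value: str) -> str:
        tag = hmac.new(self._key, value.casefold().encode(), hashlib.sha256).hexdigest()[:12]
        tok = f"[{kind}:{tag}]"
        self._reverse.setdefault(tok, value)
        return tok

    def redact(self, text: str) -> str:
        """Replace e-mail addresses and known names with stable tokens."""
        text = EMAIL_RE.sub(lambda m: self._token("EMAIL", m.group(0)), text)
        for name in self._names:
            pattern = r"(?<!\w)" + re.escape(name) + r"(?!\w)"
            text = re.sub(pattern, lambda m, n=name: self._token("PERSON", n),
                          text, flags=re.IGNORECASE)
        return text

    def restore(self, text: str) -> str:
        """Put the originals back into a response that quotes tokens."""
        return re.sub(r"\[(?:PERSON|EMAIL):[0-9a-f]{12}\]",
                      lambda m: self._reverse.get(m.group(0), m.group(0)), text)


def round_trip(key: bytes, note: str, names: list[str]) -> tuple[str, str]:
    """What the API would see, and what you read back after local restoration."""
    p = Pseudonymiser(key, names)
    outbound = p.redact(note)
    reply = "Summary: " + outbound  # simulated provider reply echoing the tokens
    return outbound, p.restore(reply)


if __name__ == "__main__":
    out, back = round_trip(b"\x01" * 32, SAMPLE_NOTE, SAMPLE_NAMES)
    print(out)
    print(back)
```

Keep the key out of the prompt pipeline entirely (a secrets store or an environment variable loaded once); with the key gone, the token map is the only way back, which is exactly the property you want if the provider's copy is ever produced to someone else.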
3. Prefer matching-jurisdiction providers where practical
A German individual processing German collaborator data who uses a German-incorporated cloud provider is in a simpler compliance posture than one using a US-incorporated provider. This is not a moral judgement about providers — it's a statement about how many legal frameworks the data flow passes through. Fewer crossings = fewer interaction questions.
For AI services: at the time of writing, the major frontier AI APIs are US-incorporated. Mitigations (DPAs with zero-retention clauses, no-training commitments, data minimisation) are the practical path. Document them. Store the DPA. Re-check its terms periodically, as EDPB Recommendations 01/2020 (step 6) call for re-evaluating transfer safeguards at appropriate intervals.
4. Know the deadlines
72 hours from awareness to notify the supervisory authority — GDPR Art. 33(1).
24 hours early warning for significant security incidents — NIS2 Art. 23(4)(a), if NIS2 applies to you.
Progressive warnings at T+6h, T+12h, T+18h, T+22h, T+23h so you have time to prepare, not to panic.
Install the deadline tracker. You don't need an incident to use it — run it in test mode once to see the flow. When an incident actually happens, you start the tracker and have a timestamped record of everything that followed.
5. Keep the records
If questions ever arise about your compliance — from a regulator, a client, an auditor, a court — the evidence that matters is timestamped records showing what you knew, when, and what you did about it.
GDPR Art. 83(2)(c) and (f) explicitly tell supervisory authorities to consider mitigating factors when calibrating administrative fines. A complete record trail from awareness → progressive warnings → dispatched notification is exactly the kind of evidence those factors contemplate.
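Steps 4 and 5 together, as an added example that is not the IAS compliance-deadline-tracker: from one awareness timestamp it derives the GDPR and (optional) NIS2 deadlines and the progressive warnings listed above, and it keeps an append-only, timestamped record of every step so the awareness → warnings → notification trail exists when someone asks. The JSON-lines record layout and the `dry_run` "test mode" are assumptions for this example, not the tracker's own format.

```python
"""Added example, not tools/compliance-deadline-tracker/track.py from IAS.

From one awareness timestamp it derives the notification deadlines and the
progressive warnings this guide lists, and keeps an append-only, timestamped
record of every step. The JSON-lines record layout is an assumption here.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

GDPR_ART33_HOURS = 72          # GDPR Art. 33(1): supervisory authority within 72h
NIS2_EARLY_WARNING_HOURS = 24  # NIS2 Art. 23(4)(a): early warning within 24h
WARNING_HOURS = (6, 12, 18, 22, 23)  # progressive warnings listed in this guide


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and normalise it to UTC.

    A naive (zone-less) value is rejected: an ambiguous awareness time would
    make every deadline derived from it ambiguous too.
    """
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("awareness timestamp must carry a timezone")
    return dt.astimezone(timezone.utc)


def schedule(awareness: str, nis2: bool = False) -> list[tuple[datetime, str]]:
    """All warnings and deadlines, earliest first."""
    t0 = parse_utc(awareness)
    events = [(t0 + timedelta(hours=h), f"warning T+{h}h") for h in WARNING_HOURS]
    if nis2:
        events.append((t0 + timedelta(hours=NIS2_EARLY_WARNING_HOURS),
                       "NIS2 Art. 23(4)(a) early warning due"))
    events.append((t0 + timedelta(hours=GDPR_ART33_HOURS),
                   "GDPR Art. 33(1) notification due"))
    return sorted(events)


def next_due(events: list[tuple[datetime, str]], now: datetime):
    """First event still ahead of `now`, or None once everything has passed."""
    for when, label in events:
        if when > now:
            return when, label
    return None


class Record:
    """Append-only JSON-lines trail; every entry carries its own UTC timestamp."""

    def __init__(self):
        self.entries: list[dict] = []

    def add(self, kind: str, note: str, at: datetime | None = None) -> dict:
        entry = {"at": (at or datetime.now(timezone.utc)).isoformat(),
                 "kind": kind, "note": note}
        self.entries.append(entry)  # never edited or reordered after this point
        return entry

    def dumps(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def dry_run(awareness: str, nis2: bool = False) -> Record:
    """Test mode: replay the whole schedule without waiting, logging each step
    in time order, with a simulated notification dispatched at T+70h."""
    t0 = parse_utc(awareness)
    steps = [(t0, "awareness", "incident awareness recorded"),
             (t0 + timedelta(hours=70), "notification",
              "Art. 33 notification dispatched (simulated)")]
    steps += [(when, "deadline" if label.endswith("due") else "warning", label)
              for when, label in schedule(awareness, nis2)]
    rec = Record()
    for when, kind, note in sorted(steps):
        rec.add(kind, note, at=when)
    return rec


if __name__ == "__main__":
    print(dry_run("2026-01-10T09:00:00Z", nis2=True).dumps())
```

Two design points matter more than the arithmetic: the awareness time must be zone-qualified, because every deadline is derived from it, and the record is append-only, so what you have to show later is the sequence as it happened rather than a tidied-up reconstruction.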
6. If you are asked
If you ever receive a direct extraterritorial request — through a provider, directly to you, or by any other channel — you do not have to answer that day. You have options:
Consult qualified counsel immediately.
Respond factually, noting GDPR Art. 48 and requesting the request be routed through the MLAT if one exists between the requesting country and your Member State.
Do not destroy records.
Do not confront.
The goal is to use the legal framework that exists, calmly.
What this guide will not do for you
It will not tell you which country's laws are better, or worse. Those questions have answers, but they're political and context-dependent, not technical.
It will not make legal risk zero. Legal risk isn't zero for anyone; the goal is to understand it and respond proportionately.
It will not replace counsel. When the stakes become real — contracts with significant liability, regulatory enforcement, disputes — get counsel involved early. The records you kept will make that lawyer's job much easier.
Starter kit
Everything you need to follow this guide is Apache-2.0 and sits in the IAS repository. All items below ship in IAS v1.1:
Component | What it does | Status
schemas/dependency-jurisdiction-v1.0.json | JSON Schema for your populated jurisdiction file | ✓
schemas/compliance-record-v1.0.json | JSON Schema for incident + periodic-compliance records | ✓
templates/dependency-jurisdiction.example.json | Populated example file to adapt (generic providers) | ✓
templates/confidentiality-denylist.example.json | Template for Gate 7.5.1 denylist | ✓
templates/incident-response-playbook.md | Fill-in-the-blanks GDPR Art. 33(3) template | ✓
tools/jurisdiction-audit/audit.py | Produce human-readable + JSON report from your config | ✓ MVP
tools/compliance-deadline-tracker/track.py | Progressive pre-deadline warnings from awareness timestamp | ✓ MVP
tools/check-versions.sh | Gate 6.1 — verify dependency versions exist before bump |
MVP notes: the audit + deadline-tracker are functional first cuts. Planned enhancements (PagerDuty adapter, daemon mode, snapshot-diff for the audit) are tracked as TODOs in each tool's README.
None of these require Matrix, a bot, AGPL code, or any particular infrastructure. A JSON file, Python, and a cron job are enough.
Clone and start:
git clone https://codeberg.org/openearth/ias.git
cd ias/docs
cat individual-protection.md # this guide
Further reading
Authoritative sources for the frameworks referenced above:
For anything beyond understanding, talk to a lawyer qualified in your jurisdiction.
Glossary — acronyms & deep-dive links
Every term used above, with a one-line plain-English meaning and an authoritative source you can read directly. Not a substitute for legal advice — these links are the source texts lawyers cite.
Laws & frameworks
Term | Meaning
GDPR | General Data Protection Regulation — the EU's comprehensive data-protection law. Applies to controllers and processors established in the EU, and to those outside it that offer goods or services to, or monitor, people in the EU (Art. 3).
CLOUD Act | Clarifying Lawful Overseas Use of Data Act (US, 2018) — allows US authorities to compel US-incorporated providers to produce data, regardless of where data physically sits.
EUDR | EU Deforestation Regulation (2023/1115) — places due-diligence obligations on operators placing commodities like cocoa, coffee, palm oil on the EU market.
DPA (authority) | Data Protection Authority — the national supervisory authority under GDPR (Arts. 51-59); "EDPB/national DPAs" above refers to these.
DPA (agreement) | Data Processing Agreement — a contract between a controller and a processor setting out how personal data will be handled. Required by GDPR Art. 28. Distinct from "DPA" meaning Data Protection Authority (see above).
GDPR Art. 33 | GDPR requirement: personal-data breach notification to the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware."
GDPR Art. 48 | GDPR: foreign court/administrative orders are only recognisable if based on an international agreement (e.g., MLAT). Core protection against extraterritorial access.
GDPR Art. 83(2) | Factors the supervisory authority must consider when calibrating administrative fines, aggravating or mitigating — includes measures taken to mitigate damage (c) and degree of cooperation (f).
This guide is part of the IAS protocol suite and is released under the Apache License, Version 2.0. It is not legal advice. Glossary entries summarise publicly available material and link to the original authoritative sources.