10 International Cybersecurity Law

The preceding chapters focused primarily on the cybersecurity obligations that U.S. companies face within the United States. However, many U.S. companies must worry not only about U.S. laws and regulations but also about the laws and regulations of other nations. In this chapter, we review the primary cybersecurity and privacy laws of the five largest U.S. trading partners: the European Union, Canada, China, Mexico, and Japan.

As this chapter demonstrates, other jurisdictions have more clearly articulated a comprehensive data security and privacy legal framework than the United States has. The U.S. cybersecurity and privacy laws often vary by sector (and, in some cases, by state), whereas other large countries have adopted across‐the‐board laws that severely restrict the collection, storage, use, and disclosure of personal information.

At the outset, many of the other jurisdictions' laws, unlike many of those in the United States, focus on the terms “data controller” and “data processor.” This is a key distinction that, under many of these laws, affects the legal responsibilities of companies. The definitions vary by jurisdiction, but the easiest way to view this distinction generally is that data controllers help determine precisely how data is used, distributed, shared, collected, or otherwise processed, whereas data processors merely follow instructions from the data controllers. For instance, an employer that collects tax information ...
