The preceding chapters focused primarily on the cybersecurity obligations that U.S. companies face within the United States. However, many U.S. companies must worry not only about U.S. laws and regulations but about the laws and regulations of other nations. In this chapter, we review the primary cybersecurity laws of the five largest U.S. trading partners: the European Union, Canada, China, Mexico, and Japan.
As this chapter demonstrates, other jurisdictions have more clearly articulated a comprehensive data security and privacy legal framework than the United States has done. The U.S. cybersecurity and privacy laws often vary by sector (and, in some cases, by state), while other large countries have adopted across-the-board laws that severely restrict the collection, storage, use, and disclosure of personal information.
At the outset, many of the other jurisdictions' laws, unlike many of those in the United States, focus on the terms “data controller” and “data processor.” This is a key distinction that, under many of these laws, affects the legal responsibilities of companies. The definitions vary by jurisdiction, but the easiest way to generally view this distinction is that data controllers help determine precisely how data is used, distributed, shared, collected, or otherwise processed, while data processors merely follow instructions from the data controllers. For instance, ...