(UIA Congress – Data Privacy Panel, Guadalajara)
At the 69th Congress of the International Association of Lawyers (UIA) in Guadalajara, Anna Klein spoke in the panel entitled “Data Without Borders: A Comparative Look at Cross-Border Data Transfer Laws and Their Impacts on Litigation.”
Her core message was clear: in cross-border data transfers, compliance is never “one size fits all.” Even within supposedly harmonized systems, divergences remain and can have a decisive impact in litigation.
Comparative Data Protection: Apparent Harmonization, Real Differences
Any international strategy must begin with a simple observation: each jurisdiction has its own legal framework.
In the United States, data protection is not federalized. State laws play a major role, creating a fragmented landscape.
By contrast, the European Union relies on the GDPR, a regulation with direct effect that provides a higher level of harmonization than the former directive model. Yet this harmonization is not absolute.
Two factors explain why “GDPR compliance” may still differ across Member States:
First, national legislation may supplement the GDPR with additional rights or requirements, generally in favor of stronger data protection. In France, for example, individuals may set post-mortem instructions regarding their personal data.
Second, the GDPR establishes a general framework. Concepts such as “legitimate interest,” “legal obligation,” or “contractual necessity” require interpretation. National supervisory authorities therefore play a central role through guidelines and enforcement practice. Even as soft law, their positions carry significant weight given their sanctioning powers.
Data Transfers in Litigation: Lawful Basis and Clean Compliance Chain
In cross-border disputes, international data transfers are frequent: production of documents, responses to court orders, or disclosure of evidence.
Under the GDPR, any transfer of personal data must rely on a valid legal basis.
In litigation, two legal grounds commonly apply:
– legitimate interest, where a party voluntarily discloses personal data, including third-party data, to defend its interests;
– legal obligation, where disclosure is required by a court order or equivalent binding requirement.
One critical aspect is often overlooked: the lawfulness of the initial data collection. If the data was not lawfully collected, that defect may contaminate the entire processing chain, including any subsequent international transfer.
Why “Compliant in One Country” Does Not Mean “Compliant Elsewhere”
Even within the European Union, differences may have practical consequences.
Some divergences stem from national legislation. Age of consent is a clear example: while the GDPR sets a default threshold of 16 for parental consent, it allows Member States to choose between 13 and 16. France has set the age at 15; other countries maintain 16; Spain applies 13.
Beyond the text itself, supervisory authorities may interpret the same legal basis differently. A common example concerns promotional emails sent to existing customers without prior consent. In France, this practice may rely on legitimate interest under strict conditions (recent customer relationship, similar products, simple opt-out mechanism). In other Member States, additional or different requirements may apply.
As a result, processing that is lawful in one Member State may not be lawful under the same conditions in another.
A Methodical and Coordinated Approach
The practical implication is clear: local counsel remains essential, even within the European Union.
For international projects, a structured methodology is required: mapping jurisdiction-specific requirements, defining a common baseline, validating local specificities, and harmonizing practices—often by applying the most stringent standard.
International professional networks such as the UIA can significantly facilitate this coordination, helping identify trusted local counsel and align compliance and litigation strategies across jurisdictions.
In a world where data flows without borders but laws remain territorial, the ability to integrate data protection compliance with international litigation strategy has become a decisive strategic advantage.
