Default privacy rules and regulations in the U.S. ... the EU?
Posted by: Jeffrey Neu on Feb 10, 2009
After reading this post by Brendon Lynch, Microsoft's director of privacy, I began to think about the rules that companies can look to in order to ensure they are complying with privacy laws and minimize their risk of exposure, without following every country's laws on a daily basis. To do that, you would have to be Google or Microsoft.
The Article 29 Working Group has put together several rules and regulations with regard to privacy laws, and is by far one of the most "progressive" groups in the world when it comes to digital privacy. (Progressive should be interpreted loosely here: it is not meant to establish positive or negative so much as to note that they are one of the few groups actively pursuing regulation.)
It appears that most search engines and other groups are following suit by adhering to the Article 29 rules and regulations as their default privacy guidelines. The group has defined how to transfer data internally and externally between companies located both inside and outside the EU.
However, there is a current trend of states passing more and more privacy rules, regulations and disclosure requirements (most recently Massachusetts and New Jersey), which is making privacy compliance an increasingly large minefield for corporations. The requirements cover everything from anonymizing data (as with search engines), to encrypting customer information (as for companies located in Massachusetts), to disclosing whether your dating website does criminal background checks (in New Jersey).
All of this calls for some sort of standardization across state borders, at the risk of federalization of privacy standards. But if companies are all adopting EU Article 29 standards anyway, aren't we leaning towards federalization/globalization of legal standards?