No Domicile, No Law: The Imperative of a Global Treaty on the International Collection of Personal Data

Table of Abbreviations

| Abbreviation | Meaning | |---|---| | AI | Artificial Intelligence | | ANPD | National Data Protection Authority (Brazil) | | APD | Data Protection Authority (Spanish acronym) | | BCR | Binding Corporate Rules | | CJEU | Court of Justice of the European Union | | ETN | Transnational Enterprises | | FTC | Federal Trade Commission (United States) | | GDPR | General Data Protection Regulation (EU) | | GPA | Global Privacy Assembly | | ICO | Information Commissioner's Office (United Kingdom) | | LGPD | Lei Geral de Proteção de Dados (Brazil) | | OECD | Organisation for Economic Co-operation and Development | | RIPD | Ibero-American Data Protection Network | | SCC | Standard Contractual Clauses | | SIC | Superintendence of Industry and Commerce (Colombia) | | TIDP | International Transfer of Personal Data | | UN | United Nations | | URCDP | Regulatory and Control Unit for Personal Data (Uruguay) |

Abstract

The rapid evolution of the digital economy has shifted the axis of data governance from the traditional concept of "international transfer" to the emerging phenomenon of the "international collection of personal data" (ICPD). Whereas classic normative frameworks, such as Convention 108 and the General Data Protection Regulation (GDPR), are based on regulating flows between exporters and importers, ICPD enables the direct capture of information by foreign entities without a physical presence in the data subject's territory. This article analyzes the global regulatory deficit, the erosion of the strict territoriality principle, and the jurisdictional challenges posed by transnational enterprises (TNEs). Through a comparative study of the laws of the European Union, Brazil, and the administrative litigation in Colombia, it proposes the creation of a binding international treaty that harmonizes extraterritorial responsibility and guarantees the continuity of human rights protection in cyberspace.

I. Introduction

1.1 The Paradigm Shift: From Static Transfer to Massive and Ubiquitous Collection

For decades, international data protection law has been structured around the "continuity principle," designed for scenarios where a sender in country A exports information to a receiver in country B. Under this scheme, local authorities maintain control over the exporter located within their jurisdiction, ensuring that protection "travels" with the data. However, the global infrastructure of the internet has fostered a transition toward models of massive and direct collection.

Today, any entity with an internet connection can act as an international collector, extracting data from foreign citizens through invisible tools such as cookies, tracking pixels, and mobile applications. This paradigm shift implies that there is no longer necessarily a local "exporter" to supervise, leaving national authorities facing a control vacuum at the point of capture.

1.2 Statement of the Problem: The Erosion of Physical Borders by Informational Power

The cross-border and decentralized nature of cyberspace challenges the traditional political division based on nation-states and physical borders. TNEs have adopted business models in which they provide global services ubiquitously, processing data of millions of people without establishing a physical headquarters in each jurisdiction where they operate. This "technological presence" allows them to collect sensitive information — including browsing habits, geolocation, and preferences — under the claim that local laws do not apply to them due to lack of domicile.

This scenario generates a power asymmetry where the fundamental rights of data subjects may be violated in "data havens" — jurisdictions with weak or non-existent protection standards that attract entities seeking to evade legal responsibility. If the law limits itself to a strict understanding of territoriality, the internet risks becoming a zone of impunity for mass surveillance and the commodification of privacy.

1.3 Research Objectives and Delimitation of the Subject Matter

The primary objective of this research is to analyze the sufficiency of current normative frameworks in addressing the international collection of data and to propose a de lege ferenda response that harmonizes protection on a global scale. To this end, the study is limited to the analysis of personal data processing carried out in the context of commercial relationships between TNEs and consumers, where the data subject is the weaker party to the contractual relationship.

The analysis will focus on the case of Google LLC v. Superintendence of Industry and Commerce (SIC) in Colombia, as well as the extraterritorial application of Article 3 of the GDPR and Brazil's General Data Protection Law (LGPD). The research seeks to determine whether the tools of international transfers are replicable to direct collection and under which relevant connecting factors national courts may exercise jurisdiction over acts occurring in virtual space.

II. Conceptual Framework: The Dichotomy Between Collection and Transfer

2.1 International Transfer of Personal Data (TIDP): Export and the Continuity Principle

The International Transfer of Personal Data (TIDP) has historically been the pillar of cross-border regulation, defined by the OECD since 1980 as the "movements of personal data across national borders." This legal phenomenon presupposes a tripartite structure: a data exporter located in the jurisdiction of origin, an importer abroad, and the flow of data crossing the territorial boundary. The doctrinal foundation of TIDP is the continuity principle, which requires that the level of protection guaranteed by national law not diminish when information is sent to a third country.

Under the GDPR and similar laws in Ibero-America, the lawfulness of the transfer depends on the existence of an "adequate level of protection" in the destination country or, failing that, the implementation of "appropriate safeguards" such as standard contractual clauses (SCCs) or binding corporate rules (BCRs). In this model, responsibility falls primarily on the local sender, facilitating supervision by national control authorities over a subject physically present in their territory.

2.2 International Collection of Personal Data (ICPD): Direct Capture and "Technological Presence" Without a Physical Seat

Unlike transfer, ICPD constitutes a "direct capture" of information by a foreign entity without the intermediation of a local exporter. This phenomenon occurs when a collector located in country A gathers data from citizens located in country B through information systems and digital infrastructure. ICPD is characterized by a "technological presence" that ignores physical borders, allowing TNEs to operate ubiquitously without establishing a domicile or operating center in the data subject's territory.

The distinguishing features of ICPD are the following: First, absence of a local data handler or processor within the national territory to whom supervisory authority may address compliance orders or administrative sanctions. Second, the collection instruments — cookies, pixels, mobile application programming interfaces (APIs), and software development kits (SDKs) — are surreptitious, automated, and most of the time, unknown to the data subject. Third, the economic incentive structure of ICPD is fundamentally extractive: the more data collected from a jurisdiction without incurring the institutional cost of a local presence, the greater the margin of profit.

The emergence of ICPD has created a situation wherein the regulatory framework designed to control data transfers is rendered inoperative. The traditional tools — standard contractual clauses, binding corporate rules, and declarations of adequacy — presuppose the identification and accountability of a local exporter. In the absence of such an entity, these mechanisms collapse, creating a regulatory void that TNEs exploit.

III. Comparative Analysis of National Responses to ICPD

3.1 The European Union's Extraterritorial Application of the GDPR

The European Union has consistently adopted an expansionist interpretation of its territorial jurisdiction in matters of data protection. Article 3 of the GDPR establishes that the regulation applies to the processing of personal data of data subjects who are in the Union, regardless of the establishment of the processor in EU territory. This provision extends EU jurisdiction over any entity, irrespective of location, that offers goods or services to persons in the EU or monitors the behavior of such persons.

The case law of the Court of Justice of the European Union (CJEU) has reinforced this interpretation. In Schrems II, the Grand Chamber confirmed that when a controller established outside the EU processes personal data of EU residents through means localized in the territory (such as cookies placed on EU devices), the GDPR applies extraterritorially. The court held that the essence of the regulation is to protect the fundamental right to privacy of data subjects, not to shield controllers from enforcement merely because they lack physical domicile in EU territory.

However, this extraterritorial reach encounters significant practical limitations. The enforcement capacity of EU authorities over TNEs established in jurisdictions with weak data protection records — such as the United States, following the invalidation of the Privacy Shield and subsequent restrictions on adequacy determinations — remains a persistent challenge. The Schrems II decision did not resolve the broader question of how EU authorities can effectively impose sanctions on controllers located outside their enforcement reach.

3.2 Brazil's LGPD: A Middle Path Between Territoriality and Extraterritoriality

Brazil's General Data Protection Law (Lei Geral de Proteção de Dados — LGPD) adopts a more nuanced approach. Article 1 of the LGPD establishes that the law applies to the processing of personal data carried out by a natural person or legal entity, whether public or private, domiciled in Brazil or not, insofar as (1) the processing is carried out in the territory of Brazil, (2) the personal data is of individuals located in Brazil, or (3) the processing is in connection with the supply of goods or services or the conduct of commercial activities to data subjects located in Brazil.

This formulation is more explicit than the GDPR in recognizing direct collection without a local intermediary. The National Data Protection Authority (ANPD) has developed a doctrine of "practical effects" whereby a TNE located abroad incurs obligations under the LGPD if its conduct has material impact on Brazilian data subjects, even absent a physical presence.

Notwithstanding this legislative clarity, enforcement remains contingent on international cooperation mechanisms and the willingness of foreign states to recognize Brazilian jurisdictional claims. The ANPD has pursued administrative investigations against multinational technology companies, yet the actual capacity to impose meaningful sanctions remains limited by the territorial boundaries of sovereign enforcement.

3.3 Colombia's SIC and the "Technical Jurisdiction" Standard

The case of Google LLC v. Superintendence of Industry and Commerce (SIC) in Colombia exemplifies a middle-ground approach. In Resolution 53593 of 2020, the SIC found Google liable for alleged violations of Colombian data protection law (Statute Law 1581 of 2012) based on the principle of "technical jurisdiction." The SIC determined that Google's use of cookies and tracking technologies to collect data from individuals physically located in Colombia constituted a sufficient connection to Colombian territory to trigger the application of local law.

The SIC's reasoning relied on the notion that the "technological infrastructure" through which data collection occurs — specifically, the devices and internet connections located within Colombian territory — constitutes a relevant jurisdictional nexus. This doctrine does not require a physical presence of the TNE but instead focuses on the location of the technological means of collection.

Subsequently, Colombia's Constitutional Court reinforced this doctrine in Judgment T-256 of 2025, establishing what may be termed a "moderate country-of-destination" standard. The court held that while digital sovereignty cannot stop at the lack of physical domicile of platforms, the extraterritorial exercise of jurisdiction must be based on a clear and material connection between the challenged conduct and the fundamental rights of local residents. The use of tracking technologies targeting Colombian residents constitutes such a connection.

IV. The Regulatory Deficit: Why Current Frameworks Are Insufficient

4.1 The Obsolescence of the Continuity Principle

The continuity principle, which underpins international data protection law since the OECD Guidelines of 1980 and Convention 108, presupposes a dyadic relationship between an exporter and an importer. This model is predicated on the assumption that identification and supervision of the exporter — the party located within a jurisdiction — can serve as the mechanism to ensure ongoing protection of data.

However, ICPD dismantles this assumption. When a foreign entity collects data directly from a jurisdiction without establishing a local intermediary, the continuity principle offers no mechanism of enforcement. The principle fails because its foundational premise — that a local exporter can be held accountable — is negated.

4.2 The Jurisdictional Asymmetry and "Data Havens"

The absence of unified global standards has created what may be aptly termed "data havens" — jurisdictions with minimal or non-existent data protection laws that attract TNEs seeking to evade stricter regimes. Singapore, the United Arab Emirates, and certain jurisdictions within the Caribbean have become hubs for data-intensive businesses precisely because they offer weak regulatory frameworks.

This jurisdictional arbitrage creates a perverse incentive structure: TNEs establish their main processing centers in low-protection jurisdictions while collecting data globally. Since ICPD enables collection without local presence, TNEs can assert that the locus of processing — and therefore the applicable law — is determined by the location of their servers, not the residence of data subjects.

4.3 The Conflict Between Data Sovereignty and Digital Commerce

States have competing interests in the digital economy. On one hand, they wish to protect the privacy and data rights of their residents (data sovereignty). On the other hand, they seek to attract digital commerce and technological investment (economic interests). This tension has led to a fragmented regulatory landscape.

The GDPR represents the strictest application of data sovereignty. The United States, by contrast, privileges the free flow of data and has resisted multilateral binding data protection treaties, instead relying on sectoral and voluntary frameworks. China's approach subordinates individual privacy rights to state surveillance and control, asserting a novel conception of "digital sovereignty" that prioritizes state power over individual rights.

This fragmentation enables TNEs to "forum shop" — selecting the jurisdiction with the most lenient framework for their primary operations while arguing that local laws do not apply to their global collection activities.

V. Jurisprudential Developments: The Case of Colombia and the Google Precedent

5.1 The Factual Background of Google LLC v. SIC

In 2020, Colombia's Superintendence of Industry and Commerce initiated administrative proceedings against Google LLC based on allegations that the company had engaged in unlawful data collection from Colombian residents through the placement of cookies on their devices without adequate notice or consent.

The case presented a novel jurisdictional question: Could a Colombian administrative authority assert jurisdiction over a foreign legal entity that had never established a physical presence in Colombia, based solely on the fact that its technological infrastructure (cookies and tracking pixels) was operating on devices physically located within Colombian territory?

5.2 The SIC's Determination: Technological Presence as a Jurisdictional Nexus

The SIC ruled affirmatively. In Resolution 53593, the authority determined that Google's use of tracking technologies constituted an exercise of data collection activities within Colombian territory and therefore triggered the application of Colombian law. Significantly, the SIC rejected Google's argument that lack of physical domicile exempted the company from Colombian jurisdiction.

The SIC's reasoning established a doctrine whereby the "technological presence" — that is, the deployment of automated systems within a territory for the purpose of data collection — constitutes a sufficient basis for the assertion of national jurisdiction. This doctrine challenges the traditional understanding of territoriality, which has historically been premised on the physical location of persons or physical assets.

5.3 Constitutional Endorsement: Judgment T-256 of 2025

The Colombian Constitutional Court subsequently endorsed and refined the SIC's doctrine in Judgment T-256 of 2025. The court recognized that the digital economy had fundamentally altered the relationship between jurisdiction and territoriality. The traditional concept of sovereignty — rooted in control over a physical territory — could no longer adequately address the realities of cyberspace.

However, the court imposed a limiting principle: the assertion of jurisdiction over foreign actors must be based on a "clear and material effect" on the fundamental rights of local residents. The mere fact that a TNE's systems operate globally is insufficient. Rather, the TNE must be intentionally or knowingly targeting the local population or operating systems in such a manner that the local population is significantly affected.

The court's decision reflects a synthesis of two competing principles: deference to the traditional limitations of territorial jurisdiction and recognition of the need to protect fundamental rights in the digital sphere.

VI. The Digital Sovereignty Crisis: Conflicts of Law in Cyberspace

6.1 The Clash Between the GDPR and the U.S. CLOUD Act

A significant jurisprudential conflict has emerged between the European Union's data protection regime and the United States' national security and law enforcement interests. The U.S. CLOUD Act, enacted in 2018, requires technology companies to disclose personal data held on U.S. servers in response to lawful U.S. government demands, even if such disclosure would violate GDPR obligations.

The tension arises as follows: A U.S.-based company processes personal data of EU residents in compliance with GDPR. A U.S. federal court issues a demand for disclosure under the CLOUD Act. Compliance with the CLOUD Act would violate GDPR provisions prohibiting transfer of data to third countries without adequate safeguards. The TNE faces a direct legal conflict.

The CJEU addressed this question partially in Schrems II, holding that standard contractual clauses might remain valid even when transfers occur to jurisdictions with government surveillance regimes, provided the company implements supplementary technical safeguards. However, the decision left unresolved the question of whether supplementary safeguards can ever adequately protect against demands for mass surveillance.

6.2 The Deployment of Digital Sovereignty: A Crisis of Normative Interoperability

The conflict between the GDPR and the CLOUD Act is symptomatic of a broader crisis of "normative interoperability" among different power blocs. The European Union asserts data protection as a fundamental human right and applies its law extraterritorially. The United States asserts national security and law enforcement interests and applies its law extraterritorially. China asserts state surveillance as an instrument of social control and applies its law extraterritorially.

TNEs operating globally face contradictory legal obligations. The deployment of digital sovereignty currently faces a crisis of normative interoperability among different power blocs. The conflict of laws arises when states attempt to assert the extraterritorial application of their domestic regulations over data processed outside their physical borders. The tension between the "free flow of data" necessary for digital commerce and the "data sovereignty" of individuals remains an unresolved conflict that weakens the effectiveness of judicial remedies in the face of massive violations.

VII. Proposals De Lege Ferenda: Toward a Binding International Treaty

7.1 The Proposal of the UN Special Rapporteur: A Global Instrument for ICPD

The insufficiency of current legal frameworks to address ICPD has prompted a strong call from the UN Special Rapporteur on the right to privacy. According to Report A/HRC/61/48 (2024), presented by Dr. Ana Brian Nougrères, there is a critical regulatory gap: while international law governs the transfer of data between states, direct capture from abroad lacks effective accountability mechanisms.

Faced with this systemic vulnerability, the Special Rapporteur proposes the creation of a binding international treaty that transcends the principle of physical territoriality. This universal instrument should not only standardize minimum levels of protection but also redefine jurisdiction in cyberspace based on criteria of "technological presence" and clear effects in the data subject's territory. The proposal seeks to make human rights protection as "borderless" as the data it aims to safeguard.

7.2 The Role of the Ibero-American Data Protection Network (RIPD) in Regional Harmonization

On the path toward a global consensus, the RIPD emerges as an indispensable harmonization engine in the Global South. As an integrating forum, the RIPD has developed the "Data Protection Standards for Ibero-American States," which serve as a compass for local legislation to align with robust protection models similar to the European one. A substantial contribution of these standards is the inclusion of a territorial application criterion for controllers who, without domicile in the country, use digital means located in the territory to process information of local residents.

7.3 Toward a Regime of Strict Liability and Global Corporate Accountability

The consolidation of an international legal order requires moving from reactive supervision to a system of proactive accountability and global corporate accountability. Following the logic of Convention 108+, it is proposed that TNEs assume the obligation to carry out prior impact assessments for high-risk data processing, especially in contexts of AI and mass capture. This regime must be complemented by mechanisms of algorithmic transparency.

To give effect to these principles, the implementation of a regime of civil liability and effective remedies is suggested, enforceable regardless of the geographic location of the infringer. This would entail strengthening cooperation among control authorities to conduct joint cross-border investigations and imposing proportionate sanctions that disincentivize jurisdictional arbitrage.

VIII. Conclusions

This research has identified that international data protection law is undergoing a foundational crisis derived from the obsolescence of the physical territoriality criterion in the face of the ubiquity of cyberspace. The transition from a TIDP model — based on flows between an exporter and an importer — to an ICPD paradigm — characterized by direct and remote capture — has created a regulatory vacuum that TNEs exploit to evade state oversight.

It is concluded that the traditional tools of the "continuity principle," designed to control the local sender, are inoperative in the face of ICPD, where there is no national intermediary to hold accountable. This asymmetry has fostered the emergence of "data havens," where the absence of minimum privacy standards allows massive information processing without real accountability mechanisms.

Comparative jurisprudential analysis demonstrates that authorities such as Colombia's SIC and the CJEU have reacted by adopting criteria of "technical jurisdiction" and "technological presence." The use of cookies and other tracking devices is consolidated as a relevant connecting factor that allows the state to assert its competence over foreign agents, as long as the act of collection occurs on devices located within the national territory.

Likewise, Colombian constitutional jurisprudence (Judgment T-256 of 2025) has established a "moderate country-of-destination" standard, recognizing that digital sovereignty cannot stop at the lack of physical domicile of platforms. The constitutional judge has the duty to intervene when conduct in cyberspace produces clear and relevant effects on the fundamental rights of local residents.

However, extraterritorial application encounters significant limits, as evidenced by the collision between the GDPR and the U.S. CLOUD Act, only partially resolved by the Schrems II jurisprudence. Therefore, unilateral efforts are insufficient.

Finally, it is imperative to move toward the adoption of a binding international treaty that standardizes levels of protection, redefines the extraterritorial responsibility of TNEs, and resolves conflicts of laws through human rights prevalence clauses. Only through global harmonization that transcends regional blocs will it be possible to ensure that the internet is a space of freedom and not of impunity.

IX. Bibliography

Normative and International Sources

• Agencia Española de Protección de Datos [AEPD], Guía sobre el uso de las cookies (May 2024).
• Agência Nacional de Proteção de Dados [ANPD] (Brazil), Resolution CD/ANPD No. 19 of August 23, 2024 (Regulation on International Data Transfer).
• Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), January 28, 1981.
• Council of Europe, Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+), June 2018.
• Congress of the Republic of Colombia, Statutory Law 1581 of 2012, October 17, 2012.
• Global Privacy Assembly, Resolution on Data Free Flow with Trust and an effective regulatory framework, November 2024.
• European Parliament and Council of the European Union, Regulation (EU) 2016/679 (GDPR), April 27, 2016.
• Ibero-American Data Protection Network [RIPD], Data Protection Standards for Ibero-American States, 2017.

Jurisprudential Sources

• Constitutional Court of Colombia, Judgment C-1147/01.
• Constitutional Court of Colombia, Judgment C-748/11.
• Constitutional Court of Colombia, Judgment T-067 of 2025.
• Constitutional Court of Colombia, Judgment T-256 of 2025.
• Superintendence of Industry and Commerce [SIC] (Colombia), Resolution 53593 of 2020 (Google LLC Case).
• Court of Justice of the European Union [CJEU] (Grand Chamber), Judgment of October 1, 2019, Case C-673/17 (Planet49).
• Court of Justice of the European Union [CJEU] (Grand Chamber), Judgment of July 16, 2020, Case C-311/18 (Schrems II).

Doctrinal and Institutional Sources

• Banchio, P. R., Convention 108+ of the Council of Europe and Data Protection in the Digital Age, Zenodo (2024).
• Brian Nougrères, A. (UN Special Rapporteur), Report on the Right to Privacy: International Collection of Personal Data, Document A/HRC/61/48, January 12, 2026.
• Kuner, C., Transborder Data Flows and Data Privacy Law, Oxford University Press (2013).
• Remolina Angarita, N., International Data Collection: A Challenge of the Post-Internet World, Editorial Ibáñez / Universidad de los Andes, Bogotá (2015).
• Serna Molina, N. & Murillo Quiroz, I., Data Protection in Colombia with respect to Transnational Enterprises in light of the Google v. Superintendence of Industry and Commerce Case, Universidad EAFIT, Medellín (2025).