International Privacy Law

International Privacy Law & AI Supply Chains

Definition: The complex ecosystem of regulations governing data sovereignty and individual rights, now increasingly focused on the friction between rapid AI adoption and established principles of data minimization and access control.

The Common Threads (The OECD Lineage)

Despite the fragmented global landscape, nearly all modern privacy frameworks—from the EU’s GDPR to Australia’s Privacy Act—derive their core logic from the 1980 OECD Guidelines. These create a universal “grammar” for privacy compliance:

• Lawfulness & Fairness: Data must be acquired legally and used in ways a user would reasonably expect.
• Purpose Limitation: Data collected for “Reason A” cannot be quietly used for “Reason B” without new consent.
• Data Minimization: Collect only what is strictly necessary, not what might be useful later.
• Accountability: The organization holding the data is responsible for its safety, regardless of where it is processed.

Divergence in Execution

While the principles are shared, the mechanism of enforcement creates friction for international organizations:

1. The European Model (GDPR): Focuses on Fundamental Rights. It prohibits cross-border data transfer unless the recipient country offers “adequate” protection. It is the gold standard for extra-territorial reach.
2. The Australian Model (APPs): Focuses on Accountability. Under APP 8, an organization can send data overseas but remains legally liable for any mishandling by the recipient. It relies on “reasonable steps” rather than strict adequacy lists.
3. The Chinese Model (PIPL): Focuses on National Security and Localization. Unlike the western focus on individual commerce, the Personal Information Protection Law (PIPL) emphasizes strict data localization and security assessments for cross-border transfer.

The AI Disruption: Two Vectors of Risk

The rise of Generative AI and “Agentic” workflows has destabilized this legal equilibrium, introducing two distinct threat vectors:

1. The “Permissiveness” Paradox (Privacy Risk)

Platforms prioritize “first-to-market” dominance, often training models on data in ways that violate Purpose Limitation.

• Example: Sales Engagement Platforms scraping LinkedIn public profiles to train outreach bots.
• The Conflict: Data posted for professional networking is repurposed for commercial AI training without consent, creating a “Black Box” where organizations cannot explain how an individual’s data was processed.

2. The Supply Chain Vector (Security Risk)

To function, AI Agents require deep integration into core systems (CRMs, Email, Slack). This creates a massive attack surface where “non-human” identities hold administrative privileges.

Case Study: The Salesloft / Drift Compromise (August 2025) In August 2025, a threat actor (tracked as UNC6395) compromised OAuth tokens associated with the AI-powered sales tool Salesloft Drift.

• The Mechanism: Instead of hacking Salesforce directly, the attacker used the valid, over-privileged OAuth tokens granted to the Drift integration.
• The Impact: The actor systematically exported massive datasets (Users, Accounts, Opportunities) from victim Salesforce instances and searched this data for further secrets (AWS keys, Snowflake credentials).
• The Lesson: This highlights the failure of Data Minimization. AI tools are often granted “Full Access” scopes by default, meaning a breach of a tertiary marketing tool becomes a breach of the organization’s “Crown Jewels.”

References

• Google Cloud Threat Intelligence: Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
• GDPR Article 5: Principles relating to processing of personal data
• OAIC: Cross-border disclosure of personal information (APP 8)