We have to follow the law everywhere we operate, and the law is different in different countries.
I was in our Singapore office recently and we were discussing, specifically, how you regulate privacy law in Singapore, but in that case, it was a Canadian business going there. The jurisdictional rules around privacy law are such that where the operation takes place, where the information is collected, must always correspond to the laws of the country where it is collected.
However, there are different laws for cross-border. There are countries that do not allow the cross-border transfer of personal information from their citizens, except with very tight rules, conditions, and so on. There are other countries that are mainly requiring due diligence, saying you can go cross-border but make sure that through the transfer you protect the information at the same level as, say, Canadian law requires you to. They do that by, first, choosing very trustworthy contractors, and second, by having contractual clauses that specify that the contractor will protect the information at the level they, the customer who's using the contractor to transfer the information, are held to and that they will audit and inspect the contractor. There are compliance measures like that.
Yes, it is definitely a conflict of laws challenge, but one that is governed by rules of conflicts of laws.