In terms of harmonizing rules and considering how rules are done in different places, it's tremendously important but also tremendously difficult. Ideas about privacy and the appropriate limits of the private sphere, as well as how your personal information should be handled, vary tremendously from place to place, so it's very difficult to come up with a common standard on issues like privacy or data protection.
I do think, though, that you hit on something that I absolutely agree with, which is that the opacity of these data flows is a huge problem. Rather than focusing on the location where information is specifically being stored, to me it's the identity of the players that is a bigger concern and the fact that you can make an agreement with Google or Facebook and you can read their terms of service—difficult to understand as they are, at least you have it in front of you—and then Google or Facebook can pass your information on to a third party data broker and from there it's just a black box.
There is a huge need for transparency on where this information is going after it's been collected by the person you're contracting it with, and generally more information about how information is being processed behind the scenes.