Don't conflate people's privacy and random laws that say they are about privacy.
With prevalent encryption on-the-wire, fibre tapping is less useful. So the way people get their privacy leaked is via hacking or other compromises. Saving to disks in a person's country of origin is probably rather far down on threats to their privacy. (Yeah, I know, if you host it all on disks in the US, then the FBI can come steal those disks. But that's less a risk than a hacking group dumping your DB on pastebin.) And a compromise to the company will compromise the data no matter where the disks are.
If countries were really concerned, they'd mandate strong security for personal info. Not like PCI where technical details are spec'd, but somehow offload it so that companies must take reasonable steps. Then have enforcement to fine companies that misbehave. Perhaps make it something where companies will want to get insurance.
That way, a startup, instead of grabbing everything, they'll ask themselves: "Hey, do we really wanna capture this info?" Just like PCI shot a lot of plans to store card numbers and CVV, a strong law could make companies think twice and plan around handling private info.
Location of storage devices might end up on the list of requirements, somewhere. Like once you store info on more than X people, you're required to address how you handle differing jurisdictions or something.
The two are not incompatible; EU countries are already fining companies that leak private data, and talking about increasing those fines (the EP suggests a max of 5% of global revenue or €100M, whichever is higher).