Cross-Border Data Breach Lawsuits: Courts Are Coming for You

Scott Dooley
6 min read · Mar 11, 2026

An Estonian crypto company with no office in the US just got dragged into a California courtroom. A facial recognition firm with no UK presence just lost its appeal against a £7.5m ICO fine. The message from courts on both sides of the Atlantic is the same: if you collect data from a jurisdiction’s residents, you can be held accountable there.

For years, foreign tech companies have treated geographical distance as a legal shield. Two recent rulings show that shield is crumbling. Whether you operate under US law or UK GDPR, regulators and courts are reaching further than ever to hold data controllers responsible.

The Ninth Circuit’s Freeman v. 3Commas Ruling

In March 2026, the US Ninth Circuit Court of Appeals reversed a lower court decision that had let an Estonian crypto platform off the hook. The case, Freeman v. 3Commas Technologies OU, No. 24-6158 (9th Cir., 2 March 2026), arose from a late 2022 breach in which an attacker stole approximately 100,000 API keys from 3Commas, an automated crypto trading platform. Users lost roughly $22 million. 3Commas initially denied the breach and delayed disclosure.

The district court dismissed the case on jurisdictional grounds. 3Commas was an Estonian company with no US offices, employees, or servers. Case closed, surely.

The Ninth Circuit disagreed. Applying the three-part specific jurisdiction test, the court found three factors that connected 3Commas to California.

Vendor Contracts as Jurisdictional Hooks

3Commas had contracted with Cloudflare, a California-based infrastructure provider, and that contract included a California choice-of-law clause. The court treated this as evidence of purposeful direction toward the state. Your vendor relationships create legal connections, whether you intend them to or not.

Privacy Policies as Targeting Evidence

3Commas included California-specific privacy disclosures in its privacy policy, referencing CCPA rights, while mentioning no other jurisdiction by name. The court read this as an intentional decision to target California users. If you single out a jurisdiction in your privacy policy, you are telling courts you knowingly operate there.

Data Collection Creates Constructive Knowledge

3Commas collected IP addresses and billing data from users. The court held this gave the company “constructive knowledge” that it was serving California residents. You may not know exactly where each user sits, but if you collect location-revealing data, courts will hold you to that knowledge.

This ruling built on Briskin v. Shopify, 135 F.4th 739 (9th Cir. en banc, April 2025), which rejected the older requirement that a company must “differentially target” a state’s residents. Simply operating a platform accessible to those residents, combined with the factors above, is now enough.

The UK’s Clearview AI Ruling

On the other side of the Atlantic, the UK Upper Tribunal confirmed in October 2025 that UK GDPR can reach a company with no UK establishment whatsoever.

The ICO originally fined Clearview AI £7,552,800 on 23 May 2022 for scraping facial images of UK individuals from the internet to build a facial recognition database. Clearview had no UK office, no UK employees, and no UK customers. The First-Tier Tribunal overturned the fine in October 2023, accepting Clearview’s argument that a law enforcement exemption applied.

The Upper Tribunal reversed that decision in October 2025, making two findings with broad implications. First, scraping the faces of UK individuals from publicly available photos constitutes “monitoring behaviour” under UK GDPR Article 3(2)(b). That alone triggers the extraterritorial application of UK data protection law. Second, the law enforcement exemption does not apply to private companies. Clearview is not a “competent authority” under the relevant legislation, regardless of whether its clients are police forces.

The Enforcement Gap

There is a significant caveat. Clearview has been fined a combined EUR 90.5 million across the EU: EUR 20 million each from Italy, Greece, and France, and EUR 30.5 million from the Netherlands. None of these fines has been enforced against a company with no EU or UK establishment. Clearview was also granted permission to appeal the UK ruling to the Court of Appeal in December 2025.

The legal principle is established. The enforcement mechanism is still catching up. But for organisations that do have assets, customers, or business relationships within these jurisdictions, the principle alone carries real teeth.

How Organisations Create Jurisdictional Exposure

These rulings show that jurisdiction is not about where your headquarters sit. It is about the trail your operations leave. Three common business decisions can pull you into foreign courts or under foreign regulators.

Your Privacy Policy

Including jurisdiction-specific disclosures, such as a CCPA section or UK GDPR section, signals intentional targeting. The 3Commas court treated California privacy disclosures as direct evidence that the company purposefully directed its activities toward that state. If you mention a jurisdiction’s laws, expect that jurisdiction’s courts to take notice.

Your Vendor Contracts

Contracting with service providers in a jurisdiction, particularly with local choice-of-law clauses, creates a connection that courts can use to establish jurisdiction. The 3Commas-Cloudflare contract was a key piece of evidence. Review where your vendors are based and what your contracts say about governing law.

Your Data Collection Practices

Collecting IP addresses, billing addresses, or location data gives you constructive knowledge of where your users are based. Under GDPR Article 3(2), monitoring the behaviour of individuals in the EU or UK triggers extraterritorial application regardless of where you are established. Under the Ninth Circuit’s approach, that same data collection establishes a factual connection to the jurisdiction.

What Organisations Should Do

If you operate a platform or service accessible to users in multiple countries, these rulings require a practical reassessment.

  • Audit your privacy policy for jurisdiction-specific disclosures. Every jurisdiction you mention is a jurisdiction whose courts may claim authority over you. That does not mean you should remove those disclosures. You likely need them. But you should understand the legal exposure they create.
  • Review vendor contracts for forum selection and choice-of-law clauses. A contract with a California vendor governed by California law is evidence of purposeful direction toward California. The same logic applies to contracts governed by English law or any EU member state’s law.
  • Recognise that data collection creates a compliance trail. If you collect IP addresses, billing data, or any other location-revealing information, courts and regulators will hold you to the knowledge that data implies. You cannot claim ignorance of where your users are while actively collecting data that reveals exactly that.
  • Plan compliance around where your users are, not where your servers sit. Both the US and GDPR approaches are converging on the same principle: if you collect data from a jurisdiction’s residents, that jurisdiction can hold you accountable.

Conclusion

The gap between “we have no presence in your country” and “you cannot touch us” is closing quickly. Two different legal systems, approaching the question from different angles, have reached the same conclusion in recent months: data collection creates accountability.

For organisations handling personal data across borders, the practical takeaway is straightforward. Build your compliance programme around where your users are, not where your company is registered. The courts and regulators have made clear they will do the same.
