How do regulators cooperate internationally?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Email doesn't respect national borders, and regulators increasingly work across them. Here's how that cooperation actually functions.
Formal frameworks: GDPR includes a one-stop-shop mechanism where EU-based businesses primarily answer to the regulator in the country where they're headquartered, but other national Data Protection Authorities can still investigate. The European Data Protection Board coordinates positions across member states.
Cross-border investigation requests: Under GDPR Article 60, supervisory authorities in different EU countries can request each other's assistance on cases involving senders in other jurisdictions. If a UK-based company emails German residents, the German DPA can cooperate with the UK ICO on an investigation.
Informal networks: M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group) provides an industry forum where ISPs, ESPs, and regulators across countries share intelligence about spam operations. It's not enforcement, but it informs what regulators and technical operators do about cross-border spam.
Bilateral cooperation: The US FTC has cooperation agreements with several countries' consumer protection agencies. CASL enforcement includes provisions for international cooperation with agencies like the FTC.
For email senders, the practical implication is simple: the jurisdiction of your recipients matters, not just where you're based. If you send to EU residents, GDPR applies regardless of where your server sits. Check which laws apply based on your audience geography and understand CASL enforcement if you reach Canadian recipients.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.