One word, use tax havens in the Caribbean. Who doesn't do that?
If a company says that what you do is public, there is no recourse. As long as what they are sharing is clearly stated (how it's used, I'm not so sure). If a company says blatantly that certain information is public, then it can be so.
For a while I worked for a US-based international insurance company, with several years on an underwriting project (medical record images and data). The project didn't involve business in the US; there was already a system for that. We kept UK data in our UK servers. European data was stored in Canada (latency is a bitch). The Asian/Australian data was in Australia, Malaysia, and Hong Kong. South African and Indian data were in South Africa.
One day the Indian office was told that keeping the personal records (medical info) in South Africa wasn't good enough for Indian records. Data privacy. We had to move personal data to the UK.
The distributed service design I put together allowed us to move personally identifying data to the UK (database moves), and a simple endpoint update to the client configuration was all that was needed on the code side. The latency increase was substantial (> 1 second per request for personal info) but the regulatory requirements were met.
International data can be complicated, but if it is made clear that things are public, the situation is much simpler.