So you store customer data in an offshore location and the host then sells this information to marketers. An obvious privacy breach. No drama, your contractual clauses will relieve you of any liability, right? Maybe not. You could soon be up for a $1.1m fine.