The Internet of Things is the latest paradigm that encompasses the potential of connecting a physical object to the Internet and then utilizing cloud services to collect, store and process data generated by these connected devices. To reduce the service latency of computation, processing, and storage at distant Cloud nodes, the Fog paradigm was born, which brings data management closer to the end user or to the edge of a provider's network. Fog nodes can be not only geographically distributed but also more dynamic in nature than cloud nodes; it is therefore even more difficult to ensure data protection. The operation of such complex systems thus raises legal issues, such as who owns or processes the data and who is liable in the event of a possible security breach. In this paper we aim to discuss the latest advances of corresponding legislation in the European Union and in the United States of America that affect these technology developments. First, we investigate IoT and Fog characteristics and identify different use cases of IoT-Fog-Cloud environments, which are then used to discuss possible legal issues. We conclude the paper with role mappings for the identified cases, and by proposing recommendations on how to govern data management in these complex systems to ensure data protection as mandated by current legislation across these two regions. Our investigations imply that as we broaden the scope and complexity of the managed systems, user control of the sensed private data weakens, and the responsibility for data protection shifts towards fog, cloud and service providers.