GDPR, the General Data Protection Regulation, goes live on May 25th and many have asked the question: If my company is located outside the EU, can GDPR actually be enforced against it? The short answer is: “Yes.” The long answer is “Yes, but the ‘how’ is murky.”
GDPR is straightforward in its layout and clear in its language, which is fitting since that’s what it requires companies to be as well. GDPR requires any company that collects data from or interacts with EU citizens to follow its regulations, and those that don’t will be hit with steep fines. 2% of global revenue is the “small” fine in GDPR, with the standard being 4% instead. The smallest punishment in GDPR is frequent audits by the governing body; the company will incur the costs of the audit, but those should be smaller than 2% of its global revenue. Before we explore “how will GDPR be enforced internationally?” we first need to answer “Do I need to care about GDPR?” Companies that use targeted ads, as well as other online and marketing businesses, need to be wary of running afoul of GDPR.
For example, a user from Germany uses Google and lands on the landing page of your (US-based) website. The website is entirely in English and isn’t specifically targeted at that user (there are no ads for German products or EU citizens); in this case, your company doesn’t have to comply with GDPR regulations because you’re not targeting the German user for being from the EU. If your ads and other services are all generic to anyone who accesses your website, you should be safe from GDPR regulations. Let’s consider a similar scenario: the same German user comes to your landing page, which auto-translates to German and shows a series of ads for German products or services found in the EU. Your company is now on the hook for violating GDPR by using the user’s personally identifiable information without their consent. If your German user got sent to a .DE domain, or your website accepted Euros as payment, then you must comply with GDPR regulations.
GDPR requires that all companies lay out how a user’s data will be used in a clear and easy-to-read format that requires the user to opt in rather than opt out. Additionally, if a user’s data will be used for multiple purposes, such as email marketing, targeted ads, and receiving a white paper, then that user must be given an opt-in for EACH of those uses. Users must also be given easy access to an opt-out at any time, which is the “right to be forgotten,” and current users must have their consent positively reaffirmed as if they were new users.
Assuming that your company has to be compliant with GDPR, can the EU really pursue damages against you for failing to follow the GDPR regulations? Yes, it can. GDPR doesn’t explicitly state how these punishments would be pursued; the language used is that “[the commission will] develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data,” which means that the EU will work through pre-existing channels or create new ones to enforce GDPR. If a company were found to be in violation of GDPR and a fine were placed on it, then an EU court would send the case over to the US, where the US-based court would decide whether or not to enforce the collection. The US and EU courts work together frequently, so there’s no reason to assume that a fine won’t be enforced just because it comes from the EU. Additionally, if the US blocked fines from the EU, it would set a precedent for the EU to do the same thing to US courts attempting to enforce damages against companies in the EU. Finally, GDPR requires any company that complies with GDPR regulations to have a representative in an EU member country, and this representative will be the one to receive the penalties. This is a way to avoid the possibility of another country’s court system declining to enforce a GDPR fine. Presumably, there are regulations already (or soon to be) in place that stop a company from having its representative declare bankruptcy to avoid paying the fine before being replaced by a new representative.
Max is a Legal Assistant and author residing in the Philadelphia area. He has been writing for AskCyberSecurity.com since early 2017.