This question is inspired by this other question, which asks how a (fictional) Small Town News USA Inc could prepare for GDPR.

Although opportunistic lawsuits against US-based businesses over their handling of EU residents' data might be possible, I find it doubtful that the EU would audit businesses outside its jurisdiction for GDPR compliance.

This is why I wanted to ask:

  1. Is it actually necessary for businesses (such as a Small Town News USA Inc) that do not reside in the EU to care about GDPR?
  2. If it is, then how (and by whom) would compliance be audited and/or enforced?
Dee
  • In an edit to the other question I added this link which may yield some insight as to enforcement: https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr – Paul Apr 28 '18 at 03:37

2 Answers

Is it actually necessary for businesses (such as a Small Town News USA Inc) that do not reside in EU to care about GDPR?

Only if they offer goods/services to or monitor behavior of people in the EU (Art. 3(2)).

Note that:

having a commerce-oriented website that is accessible to EU residents does not by itself constitute offering goods or services in the EU. Rather, a business must show intent to draw EU customers, for example, by using a local language or currency.


If it is then how (and by whom) would compliance be audited and/or enforced?

Supervisory Authorities will take care of it.

Greendrake
  • So it would be enough to have a site in English? (A local language in still-in-EU GB) –  May 25 '18 at 11:25
  • @9ilsdx9rvj0lo English is way too global a language to hint at the applicable territory. Using currency (e.g. dollars vs pounds) would be way more effective. Or just explicitly say in which countries the business is done. – Greendrake May 25 '18 at 11:35
  • What is the supervisory authority in the US? This article seems to suggest that at present time, GDPR has been unenforceable against the Washington Post. The "Supervisory Authorities" can audit all they want, but if I understand correctly, it would still take US intervention to actually enforce... – Mars Jan 08 '20 at 05:45
  • This answer also suggests that the details of enforcement are not yet there – Mars Jan 08 '20 at 05:49
  • @Mars GDPR matters won't be tried or enforced in the US. Rather, a US company serving customers in the EU has to either comply or go home. – Greendrake Jan 08 '20 at 06:10
  • @Greendrake Meaning what? Say Small Town News has their website and allows EU subscriptions. They're based in Small Town, they operate via the web. They don't block EU subscriptions. What can the EU do? – Mars Jan 08 '20 at 06:13
  • @Mars The EU can fine Small Town News. It can seize its EU assets, if any. Google got fined. – Greendrake Jan 08 '20 at 06:18
  • Google exists as a legal entity in the EU. Small Town News doesn't, and it has no EU assets. From what I linked, it seems they cannot actually fine someone outside of their jurisdiction – Mars Jan 08 '20 at 06:20
  • @Mars Yes, if the owners/directors of Small Town News never travel to or transact with the EU they're safe. – Greendrake Jan 08 '20 at 06:25
  • Are you implying that owners/directors of companies in violation of GDPR are subject to travel restrictions by the EU? That seems like an answer! But it needs a source – Mars Jan 08 '20 at 06:27
  • Or alternatively, if the EU cannot do anything in such a situation, that is also an answer – Mars Jan 08 '20 at 06:28
  • @Mars I only mean that if an EU court issues a judgement that Small Town News has to pay a fine, EU authorities will be watching out for opportunities to collect the fine and may create trouble for Small Town News people visiting the EU. – Greendrake Jan 08 '20 at 06:30
  • @Greendrake Interesting. I'm not familiar with that aspect at all, but it seems like that is the answer to question 2, "How is compliance enforced?". And the answer to question 1 (in addition to what you already have) is "They only need to care if the owners/directors intend to travel to/through the EU" – Mars Jan 08 '20 at 06:47
  • @Mars My answer assumes that the OP aims to stay legitimate in all jurisdictions (versus not minding breaking EU law provided that he can get away with it). Feel free to post your answer under the latter angle. – Greendrake Jan 08 '20 at 07:36
  • @Greendrake But part of the question is asking if it's even necessary to be legitimate in a jurisdiction of which the company is not even a part (hence zero or indirect enforceability) – Mars Jan 08 '20 at 07:42
  • @Mars You may indeed interpret "is it ... necessary ... to care about ... ?" as "will I get caught?". But I prefer to take it as "will I break the law?". – Greendrake Jan 08 '20 at 08:06
  • @Greendrake I'm not interpreting it as "will I get caught", I'm interpreting it as "do I need to follow Country X's super strict laws even though I've never been there and never will?" – Mars Jan 08 '20 at 08:09
  • @Mars Whether you "need to follow" depends on whether you only care about not being caught, or about not breaking the law. – Greendrake Jan 08 '20 at 08:11
  • related? As far as the US is concerned, Small Town News has broken no laws – Mars Jan 08 '20 at 08:15
  • In principle the EU could try to enforce a fine via the banking system: that is, they could try to block or intercept funds flowing from EU consumers to US suppliers. That's unlikely to happen against Small Town News, but I could see it happening for example against an off-shore gambling site that's blatantly ignoring local laws. – Michael Kay Jan 08 '20 at 09:41
Greendrake has some great points about what businesses are considered to be operating in the EU. It should of course be noted that the US is not part of the EU and is thus not part of the EU's jurisdiction.

Which brings us to the question of how is the GDPR enforced in this case:

This answer in Politics suggests that there isn't really a way to enforce outside of the EU

Basically, their method of non-EU enforcement seems to be "we'll figure it out". Depending on what 'appropriate steps to develop international cooperation mechanisms' means, it appears that treaties or other agreements will be the mechanism for enforcing the GDPR outside the member states.

This article (updated Jan 2019) also suggests that there is little actual enforcement:

The UK ICO issued a warning to the Washington Post over how it was obtaining consent for cookies. The ICO concluded that consent was not freely given under GDPR Article 7 because the paper did not offer a free alternative to accepting cookies. However, the ICO noted that there was little that it could do if the Washington Post decided not to change its practices. This comment by the ICO leaves its ability and likelihood to bring enforcement actions in doubt.

Greendrake suggests in the comments on his answer that the EU may cause issues for the owners/directors of Small Town News inc if they ever visit or pass through the EU, but that still needs a source.

Mars
  • Well, if the company is receiving payments from customers in the EU, the EU can stop these payments. – Josef Jan 08 '20 at 09:40
  • @JosefsaysReinstateMonica Citation needed? – Mars Jan 08 '20 at 14:13
  • In short, the EU can do the same to a US company that the US does to European companies when they do not comply with US laws. Sample: FATCA. If European banks don't collect and send (at their cost) all bank data of their US customers living in Europe to the IRS, then any funds sent to that bank from the US can be blocked and transferred to the IRS. https://www.investopedia.com/articles/personal-finance/102915/tax-implications-opening-foreign-bank-account.asp – Mark Johnson Jan 08 '20 at 19:55
  • @MarkJohnson That sounds like a fairly specific agreement and is also at a bank level, rather than consumer level. Is there any evidence, even anecdotal, that GDPR can do anything similar? – Mars Jan 09 '20 at 00:24
  • It is doubtful that the Foreign Account Tax Compliance Act (FATCA) would ever pass as a law in the European Union. And if it did, it would probably be stopped by some high court. Of the hoped-for $8.7 billion, about $2.5 billion is believed to have been achieved. Implementation costs in the EU (which the banks have to pay) are estimated at $10 billion. A completely ineffective law for all participants. – Mark Johnson Jan 09 '20 at 01:37
  • @MarkJohnson Interesting! But I think that then brings us back to the point that (at least currently) the EU/GDPR is not enforceable outside the EU – Mars Jan 09 '20 at 02:28
  • Yes, the only way would be through court rulings in each individual case. That could, if the Court deemed it severe enough, affect entry into the Schengen Area or other financial measures. The infrastructure needed to prevent subscription to a newspaper that does not apply the GDPR would be just as ineffective as FATCA. That bad sample should (possibly its only positive aspect) serve as a lesson that should not be repeated. – Mark Johnson Jan 09 '20 at 02:44
  • @Mars why are you so pissed? One thing the EU can do is cause your service to be hindered or blocked for non-encrypted data transfer. Say, block the access of Small Town News in the EU. Done. Very simple. – kisspuska Jul 06 '21 at 02:09
  • @kisspuska What makes me sound pissed? I thought Mark and I had a productive conversation. As for your suggestion, if you know of any specific thing that the EU can actually do in that case, it would make for a good answer. – Mars Jul 06 '21 at 04:51
  • @Mars I beg your pardon, dear sir, ma'am [insert any appropriate respectful addressing]! My suggestion is: the EU can block non-encrypted internet traffic of internet users accessing domains affiliated with a service provider non-compliant with GDPR. That can be devastating for some businesses and a proportionate measure – kisspuska Jul 06 '21 at 05:10
  • @kisspuska I understood what you said, but as far as I know, the GDPR does not have that power. From what I've seen in the past, websites block themselves in order to avoid non-compliance. But if you have sources that say otherwise, I'd be very interested in seeing them! – Mars Jul 06 '21 at 09:00