Why does the GDPR matter to me, a US citizen with no property in Europe?

Question

I run a Web site. I am a natural-born US citizen. I own no property outside the US. Why does my Web site have to be GDPR compliant? Even if a European court convicts me of a crime, does it really affect me?

Answer 1

As of 2024, there are no legal precedents where:

1. A website was operating outside the EU, with no EU legal entity established and no payments accepted from EU users
2. An EU court ruled that they must still comply with GDPR because they happen to have visitors living in the EU
3. Said website ignored the EU court ruling entirely, refusing to comply
4. The EU managed to convince the authorities of the country where the website is located to enforce the judgement on their behalf

See As of 2020, have any GDPR-related court judgements been successfully enforced on companies without presence in the EU? for a prior discussion of this question.

So as of today, you're likely fine not complying with GDPR as long as you don't take any payments from users in the EU and don't have a legal entity there. Things might change in the future if a successful foreign enforcement occurs, but until then it's highly likely you'll be just fine. While EU authorities would love to force the whole world to comply with their laws, in reality its unclear if this is possible, as otherwise every single website would face a huge headache trying to comply with laws from Turkmenistan or Iran despite not taking any payments from these nations.

Answer 2

As stated by GDPR article 3 you are required to follow it under the following circumstance:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

• the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
• the monitoring of their behaviour as far as their behaviour takes place within the Union.

You can read the recourse better at What is the legal mechanism by which the GDPR might apply to a business with no presence in the EU?, but in short the US will allow the EU court to press it's rulings due to wanting to keep its trades, treaties and other similar things in place.

Answer 3

This is a partial answer to only some part of the question.

I run a Web site. I am a natural-born US citizen. I own no property outside the US. Why does my Web site have to be GDPR compliant?

People and firms are routinely held liable for civil wrongs and breaches of contract in countries where they have no physical presence and own no property. Often (honestly, usually) a money judgment entered against someone in another country can be enforced against someone in the U.S. against their U.S. assets, if it has a Western-style legal system, under general U.S. law comity principles.

The assumption that a lack of a physical presence in GDPR countries and a lack of assets in those countries is sufficient to protect you from liability in those countries that can be enforced against your U.S. assets is clearly and obviously wrong.

You may be subject to GDPR enforcement actions in a country that has adopted the GDPR, even if you are not present in that country and have no assets there, if your online activities are sufficiently connected to that country to give it what is called "long arm jurisdiction" in the interstate domestic context. I am not familiar enough with the GDPR (or the relevant technologies, for that matter) to know what exactly that kind of sufficient connection looks like.

A new treaty may formalize the foreign judgment enforcement process in the U.S., its political prospects are unclear.

A treaty for the enforcement of foreign judgments in the U.S. was signed by President Biden and sent to the U.S. Senate for ratification about two years ago:

On 2 March 2022, the United States signed the Convention of 2 July 2019 on the Recognition and Enforcement of Foreign Judgments in Civil or Commercial Matters (the “Hague Judgments Convention” or the “Convention”). The Hague Judgments Convention seeks to enhance access to justice and facilitate international trade and investment by encouraging the free flow of judgments across national borders. It does so by providing a set of clear, predictable rules under which civil and commercial judgments rendered by the courts of one Contracting State are recognized and enforced in other Contracting States. While not yet in force, the Hague Judgments Convention could provide an important complement to the widely adopted 1958 New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards (the “New York Convention”) (which provides for the recognition and enforcement of arbitral awards), as well as its sister treaty, the 2005 Hague Choice of Court Convention.

The full text of the treaty is here.

The treaty entered into force on 1 September 2023 for the European Union (applicable in all 27 Member States, except Denmark) and Ukraine. The U.K. plans to agree to the convention as soon as possible. In the U.S., the treaty was signed by the President two years ago, but has not yet been ratified by the required two-thirds majority of the U.S. Senate. Russia has likewise only partially completed the process of ratifying the treaty, despite agreeing to it on a preliminary basis that sets the stage of ratifying it.

How are judgments in civil cases against non-resident's entered and enforced?

The way that GDPR concerns would typically manifest for a U.S. based person would be for there to be some kind of civil proceeding, either administrative or in court in a country subject to the GDPR alleging that it applies to you and that you violated it (I am not knowledgable enough about the GDPR to answer that part of the question). This would then lead to a civil money judgment against you in the foreign country.

The foreign court would typically have jurisdiction over you if you are within the class of persons covered by GDPR article 3 (discussed in another answer) and you have been personally served with court process by a process server.

Then, the person entitled to money under the money judgment would go to a U.S. court that has jurisdiction over you and ask it to enforce that money judgment under general U.S. law comity principles.

The details of how this is done and when it is possible are beyond the scope of this limited answer. But, in broad outline, usually, money judgments from another country entered in a lawsuit over which the other country's court has jurisdiction over you under both its own laws, and U.S. constitutional requirements for jurisdiction in a civil case, will be honored in the U.S. if the judgment is for something that is not contrary to a strong U.S. public policy.

You usually can't re-litigate the issues that could have been litigated in the foreign country in the U.S. court when enforcement is sought from a U.S. court pursuant to legal principles like collateral estoppel and res judicata. Once the foreign money judgment is "domesticated" in the U.S. court, it can be enforced just like any U.S. money judgment against your U.S. assets.

Since some U.S. states have laws similar to the GDPR, it is unlikely that the U.S. courts would find that a money judgment entered in connection with the GDPR was contrary to U.S. public policy.

A lack of GDPR specific precedents isn't all that meaningful, because there are lots of precedents involving the only slightly broader topic of international enforcement of foreign money judgments.

Even if a European court convicts me of a crime, does it really affect me?

Most things which are illegal are not crimes.

GDPR violations are seldom, if ever, crimes. Thinking along these lines represents the common fallacy that everything that is illegal is a crime. In fact, lots of things that are illegal are not crimes and only have civil remedies.

How do transnational criminal prosecutions work if there are foreign criminal charges against you?

There are few, if any, crimes in the countries to which the GDPR applies, that try people for crimes in abstentia. If you commit a crime over which a European country has jurisdiction and you are not physically present in that country, that country must seek to have your arrested and extradited by the country where you are located. Generally speaking, a country has jurisdiction over crimes committed in its territory and crimes directed at the country or its citizens.

The U.S. has extradition treaties with all or most of the countries that are subject to the GDPR. Extradition is usually available when (1) the crime is serious, (2) the U.S. has a crime similar to the one for which the country is seeking extradition that is punishable by a similar or less serious punishment than the comparable U.S. crime, and (3) the foreign country has jurisdiction over that crime under the standard summarized above.

After you are arrested pursuant to the other country's request, you would be entitled to a court hearing in a U.S. court to determine if you really are the person for whom extradition is sought and if the conditions necessary to extradite you to the foreign country have been met. Your actual guilt or innocence would not be an issue, but the extradition hearing could probe whether the request to arrest and extradite you is supported by probable cause that you committed a crime in the foreign country.

If you lose in your extradition hearing, you are then transported to the country that wants to try you for the crime in their country. If you are convicted, that country incarcerates you or otherwise punishes you pursuant to its laws.

Again, the likelihood of some sort of GDPR related criminal offense existing is probably remote, but if it does exist, this would be the process.