How can the EU enforce GDPR requirements on a US company?
April 23, 2022 4:55 PM Subscribe
Imagine the case of a US-based company that has no business presence in the EU. And this company has a website that is clearly intended to sell goods and services to EU residents following the criteria of GDPR. According to the EU's rules, this company must comply with GDPR. But how would the EU enforce this?
My question is based on the premise of "who must comply" as described by the EU -
It seems that since a solely US-based company has no presence in the EU, it wouldn't be in a jurisdiction where the law could be enforced.
Maybe there is some treaty with the EU that requires the US to enforce GDPR?
Or is the EU stating a requirement that has no real consequences if it isn't followed? They may hope that companies just go along with it to be safe.
Or possibly the EU has ways of penalizing companies for not following GDPR that don't involve legal action against the violator. For example, banning violators from domain name hosts, banks, and payment processors.
Of course, it's wise to seek legal counsel to figure out what is needed for a specific company. But I am asking this question in a general way to learn about situations where countries can extend their legal influence into other countries.
My question is based on the premise of "who must comply" as described by the EU -
It seems that since a solely US-based company has no presence in the EU, it wouldn't be in a jurisdiction where the law could be enforced.
Maybe there is some treaty with the EU that requires the US to enforce GDPR?
Or is the EU stating a requirement that has no real consequences if it isn't followed? They may hope that companies just go along with it to be safe.
Or possibly the EU has ways of penalizing companies for not following GDPR that don't involve legal action against the violator. For example, banning violators from domain name hosts, banks, and payment processors.
Of course, it's wise to seek legal counsel to figure out what is needed for a specific company. But I am asking this question in a general way to learn about situations where countries can extend their legal influence into other countries.
Best answer: I can tell you what the answer would be if the situation were reversed. Purposefully advertising goods and services for sale in the U.S. would be sufficient under U.S. law to establish legal jurisdiction over a foreign entity for acts in connection with those transactions. That means a state or regulator or other enforcer could sue in the appropriate U.S. court and win a judgment. The foreign country in which the entity is resident would have its own standards for recognizing and enforcing a judgment in a court in another country, which the U.S. judgment creditor would need to meet in order to reach the foreign entity's assets in the foreign country. (A new multilateral convention for the enforcement of foreign civil judgments is in the works, but has not yet taken effect.) However, in order for the foreign entity to get paid by U.S. residents, money is almost certainly flowing through certain U.S. banks and processors, so a determined and sophisticated U.S. judgment creditor would seek to identify them and seize funds (via court order) to satisfy the judgments from them.
As you can see, it's a messy process with a number of potential gaps, but something roughly equivalent would happen in a case like the one you mention.
posted by praemunire at 5:55 PM on April 23, 2022 [5 favorites]
As you can see, it's a messy process with a number of potential gaps, but something roughly equivalent would happen in a case like the one you mention.
posted by praemunire at 5:55 PM on April 23, 2022 [5 favorites]
« Older Expected symptoms / when to be concerned | what is this person's service that makes decisions... Newer »
This thread is closed to new comments.
I am no EU compliance officer but that seems like a good enforcement vector.
posted by Sauce Trough at 5:17 PM on April 23, 2022 [3 favorites]