GDPR Enforcement in the U.S. ?

Betsy_Landon1
Level 2

Can anyone provide information about (or provide a link to) how GDPR will be enforced in the U.S.?

I work for a small company with one location in the U.S. Our customers are located in the U.S. only. Sales does not pursue prospects located outside of the U.S.

People from around the world visit our website and submit forms to access gated content.

Just to be clear - my question is not about compliance. It's about enforcement, especially given my company scenario.

Nicholas_Manojl
Level 9

Re: GDPR Enforcement in the U.S. ?

I'm not a lawyer (nor do I want to be) but it appears to me that you are not affected by the scope of the legislation and there is therefore nothing to enforce.

But that's only prima facie based on that one paragraph you wrote. Maybe you have other factors that do require you to comply. That will require real advice from someone qualified to give advice.

Anonymous
Not applicable

Re: GDPR Enforcement in the U.S. ?

Hi Betsy,

It was explained to me in a GDPR training session that:

- If a non-E.U. data controller is managing personal data of a person from outside the E.U. who is outside the E.U. at the moment the communication takes place, GDPR does not apply.

- If a non-E.U. data controller is managing personal data of a person from outside the E.U. who is in the E.U. at the moment the communication takes place, GDPR does apply.

- If a non-E.U. data controller is managing personal data of a person from the E.U. who is outside the E.U. at the moment the communication takes place, GDPR does not apply.

- If a non-E.U. data controller is managing personal data of a person from the E.U. who is in the E.U. at the moment the communication takes place, GDPR does apply.

GDPR for data controllers managing personal data applies based on where the person IS, rather than where the person is from.

Please refer to the difference between data controller and data processor: https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-gu...

Hope this helps you!

Betsy_Landon1
Level 2

Re: GDPR Enforcement in the U.S. ?

Again, I would like information about how GDPR will be ENFORCED in the U.S. for companies that do not have a presence outside the U.S. nor sell to the E.U.

Is there or will there be any legal agreement between the E.U. and the U.S. where the U.S. government will impose penalties on behalf of the E.U.?

I understand who it applies to and what the criteria are.

Anonymous
Not applicable

Re: GDPR Enforcement in the U.S. ?

Hi Betsy,

As I mentioned, only if the person you are targeting (although not in the EU) is in the EU at the moment you communicate with them will GDPR be applied.

There is currently no further impact or implication on US data controllers not targeting the EU.

Thanks.

Grégoire_Miche2
Level 10

Re: GDPR Enforcement in the U.S. ?

Hi Betsy,

Cross-border law enforcement and extraterritoriality are quite difficult to enforce. Two examples:

  • US citizens who have been living outside of the US and who "forgot" to send their tax sheet to the IRS. Their real problems occur the day they decide to visit their family in the US.
  • Large non-US banks being sued in the US, after the 2008 crisis or for doing business in forbidden countries. They have no choice but to come to a settlement with the US gov because they have some key activities (such as trading) in the US that would have been threatened otherwise.

So, as long as you do not intend to do any business in the EU, you are quite safe. The problem will occur the day you start shipping goods to the EU or want to open an office there. That day, you might get into trouble for non-compliance from the past years (I do not know what the limitation period is for GDPR breaches).

Another consideration you might have is about whether or not the US will in the future adopt a regulation similar to the EU's GDPR. Good question, and I do not have the answer, but one thing is sure: the companies that already comply with GDPR will have an easier life when and if that time comes.

-Greg

Betsy_Landon1
Level 2

Re: GDPR Enforcement in the U.S. ?

We sell services only and will never sell products. I think we are safe for now. Greg, your reply is helpful.

Dan_Stevens_
Level 10 - Champion Alumni

Re: GDPR Enforcement in the U.S. ?

GDPR doesn't distinguish between products or service providers. For example, we sell cloud/IT/digital services - we don't have a product - yet, GDPR applies to us fully.

Grégoire_Miche2
Level 10

Re: GDPR Enforcement in the U.S. ?

Hi Betsy,

Selling services or products does not make any difference with regard to the GDPR.

It's to whom you are selling that matters, and more precisely where these people are located.

-Greg