Can anyone provide information about (or provide a link to) how GDPR will be enforced in the U.S.?
I work for a small company with one location in the U.S. Our customers are located in the U.S. only. Sales does not pursue prospects located outside of the U.S.
People from around the world visit our website and submit forms to access gated content.
Just to be clear - my question is not about compliance. It's about enforcement, especially given my company scenario.
I'm not a lawyer (nor do I want to be) but it appears to me that you are not affected by the scope of the legislation and there is therefore nothing to enforce.
But that's only prima facie based on that one paragraph you wrote. Maybe you have other factors that do require you to comply. That will require real advice from someone qualified to give advice.
It was explained to me in a GDPR training session that:
- If a non-E.U. data controller is managing personal data of a person from outside the E.U. who is outside the E.U. the moment the communication takes place, GDPR does not apply.
- If a non-E.U. data controller is managing personal data of a person from outside the E.U. who is in the E.U. the moment the communication takes place, GDPR does apply.
- If a non-E.U. data controller is managing personal data of a person from the E.U. who is outside the E.U. the moment the communication takes place, GDPR does not apply.
- If a non-E.U. data controller is managing personal data of a person from the E.U. who is in the E.U. the moment the communication takes place, GDPR does apply.
GDPR for data controllers managing personal data applies based on where the person IS, rather than where the person is from.
Please refer to the difference between data controller and data processor: https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-gu...
Hope this helps you!
Again, I would like information about how GDPR will be ENFORCED in the U.S. for companies that do not have a presence outside the U.S. nor sell to the E.U.
Is there or will there be any legal agreement between the E.U. and the U.S. where the U.S. government will impose penalties on behalf of the E.U.?
I understand who it applies to and what the criteria are.
As I mentioned, only if the person you are targeting (although not in the EU) is in the EU the moment you communicate with them will GDPR be applied.
There is currently no further impact or implication on US data controllers not targeting the EU.
Cross-border law enforcement and extraterritoriality are quite difficult to enforce. Two examples:
So, as long as you do not intend to do any business in the EU, you are quite safe. The problem will occur the day you start shipping goods to the EU or want to open an office there. That day, you might get into trouble for non-compliance from the past years (I do not know what the limitation period is for GDPR breaches).
Another consideration you might have is whether or not the US will in the future adopt a regulation similar to the EU's GDPR. Good question, and I do not have the answer, but one thing is sure: the companies that already comply with GDPR will have an easier life when and if that time comes.
GDPR doesn't distinguish between products or service providers. For example, we sell cloud/IT/digital services - we don't have a product - yet, GDPR applies to us fully.
Selling services or products does not make any difference with regards to the GDPR.
It's to whom you are selling that matters, and more precisely where these people are located.