8 Replies Latest reply on Mar 23, 2018 7:11 AM by Grégoire Michel

    GDPR Enforcement in the U.S. ?

    Betsy Landon

      Can anyone provide information about (or provide a link to) how GDPR will be enforced in the U.S.?

      I work for a small company with one location in the U.S. Our customers are located in the U.S. only. Sales does not pursue prospects located outside of the U.S.

      People from around the world visit our website and submit forms to access gated content.

      Just to be clear - my question is not about compliance. It's about enforcement, especially given my company scenario.

        • Re: GDPR Enforcement in the U.S. ?
          Nicholas Manojlovic

          I'm not a lawyer (nor do I want to be) but it appears to me that you are not affected by the scope of the legislation and there is therefore nothing to enforce.


          But that's only prima facie based on that one paragraph you wrote. Maybe you have other factors that do require you to comply. That will require real advice from someone qualified to give advice.

          • Re: GDPR Enforcement in the U.S. ?
            Macarena Mazzeo

            Hi Betsy,


            It was explained to me in a GDPR training session that:


            - If a non E.U. data controller is managing personal data of a person from outside the E.U. that is outside the E.U. the moment the communication takes place, GDPR does not apply.

            - If a non E.U. data controller is managing personal data of a person from outside the E.U. that is in the E.U. the moment the communication takes place, GDPR does apply.

            - If a non E.U. data controller is managing personal data of a person from the E.U. that is outside the E.U. the moment the communication takes place, GDPR does not apply.

            - If a non E.U. data controller is managing personal data of a person from the E.U. that is in the E.U. the moment the communication takes place, GDPR does apply.


            GDPR for data controllers managing personal data applies based on where the person IS, rather than where the person is from.

            Please refer to the difference between data controller and data processor: https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf


            Hope this helps you!

            4 of 5 people found this helpful
              • Re: GDPR Enforcement in the U.S. ?
                Betsy Landon

                Again, I would like information about how GDPR will be ENFORCED in the U.S. for companies that do not have a presence outside the U.S. nor sell to the E.U.

                Is there or will there be any legal agreement between the E.U. and the U.S. where the U.S. government will impose penalties on behalf of the E.U.?

                I understand who it applies to and what the criteria are.

                  • Re: GDPR Enforcement in the U.S. ?
                    Macarena Mazzeo

                    Hi Betsy,


                    As I mentioned, only if the person you are targeting (although not in the EU) is in the EU the moment you communicate with them will GDPR be applied.

                    There is currently no further impact or implication on US data controllers not targeting the EU.


                    Thanks.

                    • Re: GDPR Enforcement in the U.S. ?
                      Grégoire Michel

                      Hi Betsy,


                      Cross-border law enforcement and extraterritoriality are quite difficult to enforce. Two examples:

                      • US citizens who have been living outside of the US and who "forgot" to send their tax sheet to the IRS. Their real problems occur the day they decide to visit their family in the US.
                      • Large non-US banks being sued in the US, after the 2008 crisis or for doing business in forbidden countries. They have no choice but to come to a settlement with the US gov because they have some key activities (such as trading) in the US that would have been threatened otherwise.


                      So, as long as you do not intend to do any business in the EU, you are quite safe. The problem will occur the day you start shipping goods to the EU or want to open an office there. That day, you might get into trouble for non-compliance from the past years (I do not know what the limitation period is for GDPR breaches).


                      Another consideration you might have is about whether or not the US will in the future adopt a regulation similar to the EU's GDPR. Good question, and I do not have the answer, but one thing is sure: the companies that already comply with GDPR will have an easier life when and if that time comes.


                      -Greg

                      2 of 2 people found this helpful