Europe's General Data Protection Regulation Makes Privacy Global

I think these issues of who has jurisdiction are a bit more complicated in a digital world. Sure, in dealing with traditional goods that have to actually cross a border the EU can have their customs enforce their laws as @jtbayly pointed out. They can seize goods, the can refuse entry, etc. Along those lines it’s easy to think of jurisdiction as being solely based on territory. In that world it’s no surprise you would expect jurisdiction to stop at the border and hence the US doesn’t get to enforce its prostitution laws for US citizens in the EU as @neil1 points out. (*)

However, this is no longer the world of 1880 where trade consists of actual goods that cross actual borders. In today’s digital economy goods can be personal data (eg. Facebook mining your data to sell to their advertisers). Now where do you block those goods from crossing which border? How do you enforce your laws, especially those designed to protect your citizens from bad market actors?

Sure, the EU could attempt to set up their digital “customs” like the Chinese do with the Great Firewall. Sniff all IP traffic, block IPs and ports, all that nonsense. But who wants that? The only reason China gets away with it is because the Communist Party of China is running an unopposed brutal dictatorship that we in the western world have simply chosen to do business with, human rights be damned. No sane person would want to have the physical border and customs of the 1880s economy implemented in this technical fashion in today’s global economy.

Another approach would be that the US simply tells the EU to get lost with their GDPR. Then how would the EU deal with that if they wish to enforce their citizens’ protection through the GDPR? Well they can do what the US does in such cases. Seize all assets, have managers arrested as soon as they travel abroad into countries with extradition treaties, shutter any local business presence, start prosecuting any other businesses who have business relations with the extraterritorial entity in question, etc. Sounds familiar? Yeah, that’s how the US enforces its laws in other countries (if you’re still having trouble remembering, try these cues: Cuba, Swiss bankers and Nazi gold, VW). The EU could take a page from that same playbook and make life as difficult as possible for any US company that does business with EU citizens but doesn’t want to abide by laws protecting said EU citizens. Sure you can say, so what I’m not in the EU. Doesn’t matter. Your business partners are. Sure, that’s extreme. But it has all been done before, by the US itself actually. So would you really want Google fined in the EU because they do business with you and you chose to give the EU the finger? How long do you think Google will keep your gmail account open then? Or do you want to get arrested next time you fly to Cabo? Do you want your IPs blocked in all of the EU? Probably not. Probably its better to either stick to the GDPR when doing business with EU citizens, or simply chose not to do business with EU citizens. US companies always have this choice regardless of how the US decides to react to GDPR.

That all said, it will be interesting to see how the US reacts when the EU decides to go after a US company that has violated GPDR while doing business with EU citizens. Because of the above concerns, the US will definitely not chose to just say “jurisdiction” and act as if can ignore the issue. There is far too much trade involved for any kind of knee-jerk simplifications and it will be interesting to see what solution the government comes up with.

*) This by the way is not such a clear cut issue. There are countries that do indeed prosecute their citizens for things illegal in country that these citizens have committed abroad - even when it was legal in the country the citizen was at the time. A recent example is Sweden convicting a Swedish citizen for solicitation for an act committed while on vacation in Thailand. Prostitution is illegal in Sweden, but perfectly fine in Thailand. On return to country the citizen was charged and convicted.

1 Like