Europe's General Data Protection Regulation Makes Privacy Global

This is not a question about whether privacy and data protection are good. They are.

This is a question of whether the EU has the right to enforce laws on US companies that are not under their jurisdiction.

Apple and Google do business and even have incorporated businesses in those countries. If they want to keep doing business in those countries they must follow the laws of those countries.

This is just like taxes. Ohio can’t even force a small business in Virginia to collect taxes and pay them across state lines. Only Ohio or a federal law can force that.

The EU can claim all they want that they have jurisdiction over every company in the whole world, but unless the USA decides to enforce their law, it simply doesn’t apply to businesses that are solely in the US.

Has the USA made clear in their trade or tax laws that this kind of law will be enforced? I have no idea, but I doubt it. And I wouldn’t want to be the test case.

But let’s be entirely clear on one thing. The EU cannot claim jurisdiction outside its borders. And advocating that they do so simply because they claim to on a law we like is asking for serious problems.

What if the law said that anybody in possession of personal data of an EU citizen had to be armed with a gun during the duration of the possession for the protection of the data? You’d laugh at them. Why? Because they don’t have jurisdiction.

You’re right…but it really depends on the definition of “under their jurisdiction”. If a company has a business presence in the EU…then I can see a valid court case to allow a decision as to whether the EU privacy laws apply…but even then will other countries in the world enforce their decision?

It’s also a political issue…google and MS and whoever else has agreed to pay fines may have simply decided that it was easier, cheaper, and more politically expedient to just pay the fine than it was to either fight it or change their business practices…and again, eventually it comes down to whether the US would enforce an EU court decision.

For a small company based in the US with no presence in the EU…then I would argue that the EU shouldn’t have jurisdiction…if EU citizens choose to do business with that company then does the company really have a legal requirement to do what the EU says…or have the EU citizens granted permission by doing business with the company.

The EU will continue to claim they have jurisdiction…and large multinationals will likely abide because they have business interests in the EU…but as I see it…I’m not a lawyer, but it seems like common sense to me…then the EU has no jurisdiction in the US…just like we have no jurisdiction to state that drugs or prostitution which are legal in certain areas of the EU are against the law if a US citizen partakes.


Yep, except Apple and Google etc. all have business presences or enough income in that country that they don’t want to be prevented from doing business there.

That’s the main recourse for the EU. They can say, “Fine. You don’t want to follow our laws regarding data? Then you can’t send physical products into our country.” I’m having a hard time figuring out any recourse for them with digital products except for making it against the law for their consumers to purchase from you. (Or convincing the original court of jurisdiction to take action.)

It is an open question whether EU data authorities or individuals will attempt to bring a suit against US-based organizations over the GDPR: if it happens, it’s almost certainly going to be a “big data” case, not a mom-and-pop operation using cookies to identify forum users. In big data cases, the legal foundation for action would be granted by the (contested) US-EU Privacy Shield. The Privacy Shield has a complicated background (it’s the replacement for a “Safe Harbor” agreement that was nullified by the European Court of Justice in 2015), but requires that the United States cooperate with European data authorities. So, at a very basic level, the US has entered into a treaty with the European Union regarding data privacy, and some of the terms are transparency and redress of complaints brought by EU individuals or data authorities.

The US-EU Privacy Shield (and a corresponding agreement with Switzerland, and probably a corresponding agreement with the UK once Brexit happens) basically requires companies to self-certify that they meet the regulatory requirements; if they’re found not to be complying, the FTC can bring action against them in the United States. Again, whether or not that will actually happen is an open question.

Also, size does matter (a bit). The GDPR requires data controllers outside the EU selling goods or services to consumers in the EU (or profiling them) to designate a representative in the EU to respond to any privacy inquiries or complaints from data protection authorities or individuals. (It’s in Article 25 if anyone wants to look.) There are three notable categories of exception: firms with fewer than 250 people, firms which “only occasionally” offer goods or services to EU residents, or countries deemed to offer “adequate” levels of legal protection for personal data. The United States’ current protections do not qualify as “adequate” under the terms of EU law. The UK says it’s aiming for better-than-adequate in its final data protection agreement with the EU.


That’s great info. Thanks.

I think these issues of who has jurisdiction are a bit more complicated in a digital world. Sure, in dealing with traditional goods that have to actually cross a border the EU can have their customs enforce their laws as @jtbayly pointed out. They can seize goods, they can refuse entry, etc. Along those lines it’s easy to think of jurisdiction as being solely based on territory. In that world it’s no surprise you would expect jurisdiction to stop at the border and hence the US doesn’t get to enforce its prostitution laws for US citizens in the EU as @neil1 points out. (*)

However, this is no longer the world of 1880 where trade consists of actual goods that cross actual borders. In today’s digital economy goods can be personal data (e.g. Facebook mining your data to sell to their advertisers). Now where do you block those goods from crossing which border? How do you enforce your laws, especially those designed to protect your citizens from bad market actors?

Sure, the EU could attempt to set up their digital “customs” like the Chinese do with the Great Firewall. Sniff all IP traffic, block IPs and ports, all that nonsense. But who wants that? The only reason China gets away with it is because the Communist Party of China is running an unopposed brutal dictatorship that we in the western world have simply chosen to do business with, human rights be damned. No sane person would want to have the physical border and customs of the 1880s economy implemented in this technical fashion in today’s global economy.

Another approach would be that the US simply tells the EU to get lost with their GDPR. Then how would the EU deal with that if they wish to enforce their citizens’ protection through the GDPR? Well, they can do what the US does in such cases. Seize all assets, have managers arrested as soon as they travel abroad into countries with extradition treaties, shutter any local business presence, start prosecuting any other businesses who have business relations with the extraterritorial entity in question, etc. Sound familiar? Yeah, that’s how the US enforces its laws in other countries (if you’re still having trouble remembering, try these cues: Cuba, Swiss bankers and Nazi gold, VW). The EU could take a page from that same playbook and make life as difficult as possible for any US company that does business with EU citizens but doesn’t want to abide by laws protecting said EU citizens. Sure, you can say, “So what, I’m not in the EU.” Doesn’t matter. Your business partners are. Sure, that’s extreme. But it has all been done before, by the US itself actually. So would you really want Google fined in the EU because they do business with you and you chose to give the EU the finger? How long do you think Google will keep your Gmail account open then? Or do you want to get arrested next time you fly to Cabo? Do you want your IPs blocked in all of the EU? Probably not. Probably it’s better to either stick to the GDPR when doing business with EU citizens, or simply choose not to do business with EU citizens. US companies always have this choice regardless of how the US decides to react to GDPR.

That all said, it will be interesting to see how the US reacts when the EU decides to go after a US company that has violated GDPR while doing business with EU citizens. Because of the above concerns, the US will definitely not choose to just say “jurisdiction” and act as if it can ignore the issue. There is far too much trade involved for any kind of knee-jerk simplifications and it will be interesting to see what solution the government comes up with.

*) This by the way is not such a clear cut issue. There are countries that do indeed prosecute their citizens for things illegal in their own country that these citizens have committed abroad - even when it was legal in the country the citizen was in at the time. A recent example is Sweden convicting a Swedish citizen for solicitation for an act committed while on vacation in Thailand. Prostitution is illegal in Sweden, but perfectly fine in Thailand. On return to Sweden the citizen was charged and convicted.


I agree with much of what you said above, but this is untrue. Read the “Can you avoid GDPR Compliance by blocking EU visitors from your website?” Section on this page. Some salient quotes:

it covers any and all personal data, even that which you collected prior to GDPR going into effect

under the language of GDPR, if Joe Smith who is a U.S. citizen is signing up for your U.S.-based service, or placing an order through your U.S.-based website - while on an airplane flying over an EU country - by the language of GDPR, the data that Joe provides to you is covered by GDPR.


Interesting issues.

But in that case, you could terminate business relations with EU citizens and discard their old data.

This I simply don’t believe is correct. And I don’t imagine the EU is going to battle the US over something which involves somebody who isn’t even an EU citizen doing business in no relationship with the EU. But just to play devil’s advocate, fine then. You refuse to do business with EU citizens and then in your ToS you require of your customers (those from outside the EU who you are doing business with) to confirm that they will not do business with you from within the EU. If they still do so (let’s say on a plane over the EU) they have violated the terms of contract, you stop doing business with them, you delete their data.

In these cases I would assume you’d only be getting yourself into trouble if you refused to delete their data. But why would you do that? You already ended your business relationship. And with no data, no GDPR issues, right?

I have to admit, I’m a bit skeptical of the doom & gloom coming from “compliance specialists”. Compliance lawyers need business. This is a business opportunity. What can actually happen to you legally as a small time business in Godknowswhere, USA is not necessarily the same as the big black picture some of these people now paint. Not saying they’re wrong, I’m just a bit cautious when things sound super urgent and super dangerous.


You’re right…but it really depends on the definition of “under their jurisdiction”. If a company has a business presence in the EU…then I can see a valid court case to allow a decision as to whether the EU privacy laws apply…but even then will other countries in the world enforce their decision?

If a website based in the EU wants to collect data from a visitor in a non-EU country they have to give that person the right to approve or not approve. If they do approve, they also have the right to opt out and have the data that was accumulated deleted, and while people remain in the system they must have the ability to easily review any information that was collected. If they don’t approve, the site can block access to the site, or they can allow the visitor to access the site without being tracked. Sites are also required to report any security breaches to the EU within either 2 or 3 days.

It doesn’t matter if the site is selling anything or not. The US Courts ruled that if a US based company used information collected in the US to serve targeted information in the EU or vice versa, the US gets to collect on the sale of the data. I do wish the US went the extra miles the EU did to ensure privacy, data security and the ability to determine and make decisions about what can be sold about me.

It’s also a political issue…google and MS and whoever else has agreed to pay fines may have simply decided that it was easier, cheaper, and more politically expedient to just pay the fine than it was to either fight it or change their business practices

Nope, Google and Facebook fought tooth and nail all the way to the US Supreme Court over the tax issue and spent fortunes in attorneys. And Apple fought tooth and nail and probably even made a little dent in their big cash pile to protect its privacy policy. I think MS currently has a privacy case before the Supreme Court, but the one I was referring to was the Netscape monopoly case.

It’s not the way the corporate world works. If a big corporation doesn’t fight a particular battle of this magnitude and settles instead, it is most likely to cause an epidemic of suits that would either bankrupt the company or eventually end up in the Supreme Court anyway.

and again, eventually it comes down to whether the US would enforce an EU court decision.

The EU can enforce rules in the US the same way the US enforces litigation in other countries. They garnish the revenues they collect, or the holdings companies have, within their boundaries. If I remember correctly, the new EU law requires a % of annual income. They can freeze bank accounts and assets while in litigation.

For a small company based in the US with no presence in the EU…then I would argue that the EU shouldn’t have jurisdiction

Whether or not they do or don’t, the government is unlikely to go after some sweet little grandma’s site about knitting and crocheting. But if millions of grandmas and grandpas are signed up with a second or third party ad network, then the network could possibly be sued. If they lost, grannies and grampies might not collect the few dollars from ads served on their site. But Facebook and Google would have to pay up.

Marilyn

The problem is with the persistence of data. Unless it can be confirmed that data was actually deleted and will remain deleted, it can, and probably will be sold and sold and sold ad infinitum.

Marilyn

And there is no way to confirm that every copy of a piece of data has been deleted.

It is absolutely not absurd. The law applies to any company that holds data on/for/about EU citizens, regardless of where that company is. Sure, some Chinese company might ignore it, but if it’s anything of any consequence the EU has a large array of tools for dealing with it, including blacklisting the company’s Internet addresses.

As for whether the EU has the right to enforce its laws outside the EU, that ship has sailed long ago with the US having a multi-decade track record of doing this exact thing. The EU routinely, and successfully, claims jurisdiction over its citizens regardless of where they physically are.

If you do business with the EU in any way (even if you don’t know it), you better comply with GDPR.

And it’s honestly pretty easy to comply and the regulations are surprisingly sensible for something that came out of a committee.


Of course not. Persistent data is when data is passed on to other parties, and at the moment there is no solution I know of for this problem.

Marilyn


Practical reality for most companies? Comply. Simply the easier and simpler thing to do. And the public, no matter where, benefit.

It’s easy? Really?!

Are you aware that this very forum is running on software that is not compliant?

Go ahead, go read that post and tell me again how easy it is.


I’d love for somebody to explain how I can easily and simply keep backups for a website that will allow me to recover from a disaster by restoring to a previous state, and at the same time guarantee that if somebody asks to be “forgotten” that none of their data remains in my backups.

Uh. Yeah. It’s um… deleted.

If that’s what everybody means by “comply” then I guess I’d agree that the EU has “jurisdiction.”
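An added example, not part of any post in this thread, showing one standard engineering answer to the backup question raised above and to the earlier point that you can never confirm every copy of a piece of data has been deleted: crypto-shredding. Each user's records are encrypted under a per-user key before they are stored, so backups contain only ciphertext; the keys live in a small, separately managed vault that is never part of the backup set. An erasure request deletes the key, which renders that user's records in every backup copy unreadable without rewriting any backup media, while a disaster restore of everyone else still works. The user records, the store layout and the scenario are constructed for the demo; for portability it uses a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 as a counter-mode PRF, HMAC tag) in place of AES-GCM, which is what you would use in production.

```python
"""
Crypto-shredding demo (constructed example): back up only ciphertext,
keep per-user keys in a separate vault, and "forget" a user by deleting
the key. Stdlib only: encrypt-then-MAC with an HMAC-SHA256 counter-mode
keystream stands in for AES-GCM, which a real deployment should use.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the per-user key."""
    enc = hashlib.sha256(b"enc|" + key).digest()
    mac = hashlib.sha256(b"mac|" + key).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: concatenate PRF(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag under a fresh random nonce."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampering raises, never leaks."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class UserStore:
    """Ciphertext records (what gets backed up) and a key vault (kept out of backups)."""

    def __init__(self) -> None:
        self.vault: dict[str, bytes] = {}    # hypothetical key vault, not in backup set
        self.records: dict[str, bytes] = {}  # per-user ciphertext blobs

    def put(self, user: str, data: bytes) -> None:
        key = self.vault.setdefault(user, secrets.token_bytes(32))
        self.records[user] = encrypt(key, data)

    def get(self, user: str) -> bytes:
        return decrypt(self.vault[user], self.records[user])

    def backup(self) -> dict[str, bytes]:
        """Snapshot of ciphertext only; the vault is never included."""
        return dict(self.records)

    def forget(self, user: str) -> None:
        """Erasure request: shred the key; the live record goes with it."""
        self.vault.pop(user, None)
        self.records.pop(user, None)

    def restore(self, snapshot: dict[str, bytes]) -> tuple[dict[str, bytes], list[str]]:
        """Disaster recovery from a backup taken before an erasure.
        Records whose key has been shredded cannot be decrypted and are dropped."""
        recovered: dict[str, bytes] = {}
        shredded: list[str] = []
        for user, blob in snapshot.items():
            if user in self.vault:
                recovered[user] = decrypt(self.vault[user], blob)
            else:
                shredded.append(user)
        self.records = {u: snapshot[u] for u in recovered}
        return recovered, sorted(shredded)


def demo() -> tuple[dict[str, bytes], list[str], bool]:
    """Constructed scenario: back up, forget one user, restore the old backup."""
    store = UserStore()
    store.put("alice", b"alice@example.org, newsletter=yes")
    store.put("bob", b"bob@example.org, newsletter=no")
    old_backup = store.backup()                              # bob's ciphertext stays in here
    store.forget("bob")                                      # erasure request: key deleted
    store.put("alice", b"alice@example.org, newsletter=no")  # later edit, lost on restore
    recovered, shredded = store.restore(old_backup)
    try:                                                     # holding the blob does not help
        decrypt(secrets.token_bytes(32), old_backup["bob"])
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return recovered, shredded, wrong_key_rejected


if __name__ == "__main__":
    rec, gone, rejected = demo()
    print("recovered:", {u: d.decode() for u, d in rec.items()})
    print("in backup but unreadable (key shredded):", gone)
    print("wrong key rejected:", rejected)
```

The caveat a practitioner would want: this only moves the problem to the vault. The vault must be backed up too, and an erasure has to remove the key from the vault's backups as well; that is tractable because the vault is tiny and can be rewritten on every erasure, whereas the bulk data backups never need to be touched. Key deletion also has to be real (not a soft delete), and any plaintext copies outside the encrypted store, such as logs or search indexes, still need their own erasure path.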

All change is hard, without question. And we’ll be looking at all the stuff TidBITS does to see if it’s compliant, or how we’d deal with the possible requests. Luckily, things like Discourse will likely just solve some of those problems with updates.

That said, many businesses have long understood the need to abide by foreign regulations. For instance, when we owned Take Control, one of the reasons we worked with eSellerate on the sales was because eSellerate had an entire team of people who dealt with collecting and remitting VAT to European countries. Ebooks are subject to VAT in the EU and a number of other countries around the world. It was a cost of doing business.

Would anything bad have happened to us had we ignored the need to remit VAT for sales into those countries? We had no way of knowing, but the potential cost of being dragged into court as a result of ignoring VAT, or worrying if we wanted to travel to one of those countries, or even the effect on authors who lived in those countries, was enough to ensure that we collected and paid the taxes.


Didn’t say it was easy… easier than court, that was all.

I was responding to this comment:

Anyway, I agree that it’s easier than being a test case in court. What I think is going to happen is the same thing that happened with PCI compliance. A lot of small business will make a couple of changes and claim that they are compliant, when they aren’t really, because nobody really knows what it looks like to truly be compliant. But with PCI, you had to at least claim you were compliant to do any credit card business. My guess is that greater than 50% of the businesses in the US do nothing to become compliant because the risk/reward tradeoff is too unbalanced, and nobody is forcing them to do anything to keep accepting money online.

In other words, the chances are so small that you’ll be a test case in court that a lot of people will just cross their fingers and proceed with business as usual.

The solution is the massive fines the EU will impose if you’re caught not complying. They are based on revenue (not profits) and a maximum fine would severely impact any company. This is no case of a corporation deciding it is cheaper to deal with lawsuits than fix the exploding products.