May 25 - GDPR..its here!

Come hell or high water, the EU will be enforcing GDPR and what say you?

1 Like

Bring it on! (what choice do we have anyway) California is voting on their version in November. Will that prompt companies to go all in across the US? Probably. Segregating them may be IT painful.

1 Like

Thanks for the heads up re California.

My 2 cents:

It will be very interesting to see if it is upheld in US district court if an American company is sued in the states by the EU for a GDPR violation. GDPR doesn’t really mesh well with the American legal tradition, and may not even be constitutional in the USA. Without testing it in American courts, it’s all completely theoretical at this point.

I suspect that if the fines end up being as harsh as they say (which remains to be seen) there would be a lot of internet companies fleeing for countries that don’t respect the GDPR rules.

Businesses who rely on Advertising and Data Sales for their revenue (like most internet companies) will see a big hit to their profits if GDPR ends up being upheld in US courts. I suspect that seeing an outpouring of those kinds of companies for countries that don’t uphold GDPR will make US legislators hesitant to write GDPR into our own privacy laws.

Similarly, if California passes their own version of a GDPR-like law, expect to see it fought in the Senate immediately, since congress has the right under the commerce clause to regulate interstate trade.

My perspective: Wait and see. There are a lot of consultants and vendors out there drumming up fears around GDPR so they can make sales. It’s best to act cautiously until we see GDPR upheld in court, and taking real damages.


Disclaimer: Opinions are my own, and should not be considered legal counsel.

Richard, I am eager to see this play out soon. It is not making the news in my neck of the woods at this time. I’ve been keeping abreast of its development through various information management forums such as this

I don’t think there is much of a legal issue. US companies have paid EU fines like price fixing and advertising claims. You sell to their citizen and collect information, you will have an issue. Fines are rarely the maximum as you have to have been pretty stupid to tick them off that much. Where to flee to? Latin American and Asian countries are reviewing GDPR like laws. Running out of places.

Regardless of hype, many companies have been working towards these types of laws for nearly fours years now. We knew what was coming and figure it will continue to spread. Some will use what they have designed as a selling point to consumers. There may/may not be a DC battle over Ca law if passed. It will not help those who are headquartered in CA.

US companies have paid EU fines, but there must be one of several tests passed to give the foreign government jurisdiction over a US company:

  1. Territoriality Principle-- If you’re physically committing a crime within a country’s borders, it doesn’t matter if you’re incorporated overseas. In this case, GDPR would not have teeth unless the US company was physically storing the illegal data on servers located within the EU. I don’t see many US companies keeping the illegal data in the EU now that GDPR is live.

  2. Nationality Principle – The EU could fine EU citizens living in the US breaking the GDPR laws, but this wouldn’t allow them to fine US nationals in the US.

  3. The Protective Principle – The EU could fine US companies if GDPR was determined by a US court to be a national security concern for the EU state. This is unlikely to happen.

  4. The Passive Personality Principle – In a couple cases, US courts have held that violence perpetrated against foreign citizens overseas meant that US citizens could be taken to US courts over it, but this is only ever really used in terrorism cases. Like number 3, GDPR doesn’t seem to satisfy this principle.

The US lawyers defending the US Company in US Courts against EU government will say something along the lines of:
“Can a foreign government fine me for not throwing out a business card of a foreign national? Can a foreign government fine me for writing down names of foreign citizens that I discover during standard business operations? Why does it matter if it’s in a computer vs. written down?”

There’s also the First Amendment implications of not allowing people to write down information that they discovered legally.

Chances are, GDPR will collapse under those arguments in the US, since the US’s Common Law system means that our judges would be extremely hesitant to provide precedence for the idea that a foreign government could fine you for writing things down.

Here’s a good argument article about it from the legal perspective:

Disclaimer: Opinions are my own, and should not be considered legal counsel.

Hi Richard, thanks for sharing this perspective.

Have you all noticed the increase in emails related to privacy policy and consent especially last week just prior to 25 May? It was hilarious!

1 Like

Too often a main legal argument is about the right to be forgotten. That will be one of the least used in companies selling products to people. US Courts have already shielded Google from a Canadian de-listing ruling. Companies will have issues regarding consent, data processing and security. It will stand a test as others do. Our FCPA applies if you list on the stock exchange. You don’t need an employee here or anything else. The UK version is even broader. Then there is the myriad of treaties that exist between countries whether in law (US Tax Treaties) or agreement in standing (may not be the right term) forged by a company and other countries.

In the vast majority of cases, these laws stick. Companies rarely fight them as the cost to do so is not worth the amount in question or risking further goodwill. For the next couple of years, this topic will recede into the background as most Privacy officials do not yet know how it will be enforced without further discussion. A number of countries have not even come up with the needed funding for their Privacy officials for the work involved.