8

This question is inspired by this other question, which asks about how a (fictional) Small Town News USA Inc could prepare for GDPR.

Although opportunistic lawsuits against US-based businesses on their handling of EU residents' data might be possible, I find it doubtful that the EU would audit businesses outside their jurisdiction for GDPR compliance.

This is why I wanted to ask:

  1. Is it actually necessary for businesses (such as a Small Town News USA Inc) that do not reside in the EU to care about GDPR?
  2. If it is, then how (and by whom) would compliance be audited and/or enforced?
Dee

2 Answers

9

Is it actually necessary for businesses (such as a Small Town News USA Inc) that do not reside in the EU to care about GDPR?

Only if they offer goods/services to or monitor behavior of people in the EU (Art. 3(2)).

Note that:

having a commerce-oriented website that is accessible to EU residents does not by itself constitute offering goods or services in the EU. Rather, a business must show intent to draw EU customers, for example, by using a local language or currency.


If it is, then how (and by whom) would compliance be audited and/or enforced?

Supervisory Authorities will take care of it.

Greendrake
0

Greendrake has some great points about what businesses are considered to be operating in the EU. It should of course be noted that the US is not part of the EU and is thus not part of the EU's jurisdiction.

Which brings us to the question of how the GDPR is enforced in this case:

This answer in Politics suggests that there isn't really a way to enforce outside of the EU.

Basically, their method of non-EU enforcement seems to be "we'll figure it out". Depending on what 'appropriate steps to develop international cooperation mechanisms' means, it appears like treaties or other agreements will be the mechanism for enforcing the GDPR outside the member states.

This article (updated Jan 2019) also suggests that there is little actual enforcement:

The UK ICO issued a warning to the Washington Post over how it was obtaining consent for cookies. The ICO concluded that consent was not freely given under GDPR Article 7 because the paper did not offer a free alternative to accepting cookies. However, the ICO noted that there was little that it could do if the Washington Post decided not to change its practices. This comment by the ICO leaves its ability and likelihood to bring enforcement actions in doubt.

Greendrake suggests in the comments of his answer that the EU may cause issues for the owners/directors of Small Town News Inc if they ever visit or pass through the EU, but that needs a source still.

Mars