GDPR has been in effect for 5 years now and theoretically applies to any company worldwide that processes personal data belonging to EU residents. The EU claims extraterritorial jurisdiction by virtue of Regulation (EU) 2016/679, Article 3, which states:

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Here's a scenario that would satisfy the requirements of this question:

  1. A website is operated by a non-EU company without any EU subsidiaries, significant revenue from EU customers, or other assets under EU jurisdiction.
  2. An EU Data Protection Authority (DPA) or court issued enforcement actions requiring the company to comply with GDPR because it targets EU users or processes large amounts of EU citizens' data.
  3. The company completely disregarded the regulatory orders, refusing to comply with any enforcement actions. [Added] Example from 2024: Clearview.ai refused to comply with decisions from multiple national DPAs and has consistently refused to pay administrative fines imposed for GDPR violations.
  4. The EU successfully convinced authorities in the company's home country to enforce the administrative penalties.

I'm interested in any country outside of the EU, EEA, or the UK where this has occurred. If Clearview.ai is eventually forced to comply by a U.S. court, this would constitute a successful case of extraterritorial enforcement.

JonathanReez

1 Answer

EU Member State Data Protection Authorities ("DPAs") have fined foreign legal entities (pursuant to Articles 58(2)(i) and 83 GDPR and further national provisions); however, it is not publicly documented whether the specific situation you described has occurred. Even if such a situation were to arise, I would think it unlikely that DPAs imposing administrative fines could enforce their (fine-imposing) decisions outside the EU, even if the decision in question was confirmed by a court. For instance, in the Netherlands there is not a strong legal basis for the (mutual) recognition and enforcement of foreign administrative decisions. I could imagine that the same applies to other EU Member States.

However, please note the (possible) civil liability

Your question seems to refer to enforcement of the GDPR under instruments of administrative / public law. Please note, however, that the GDPR can also be enforced by private individuals and organizations, e.g. through tortious liability claims. See for example Amsterdam District Court, 2 September 2019, ECLI:NL:RBAMS:2019:6490, for a situation (albeit purely national) in which the Court awarded damages for a GDPR breach to a data subject. Possibly, a similar case could be brought against an entity outside the EU that processes data of EU data subjects, contingent upon the outcome of certain questions of private international law. With regard to civil damages, there is an extensive international legal framework that covers the cross-border enforcement of awards of civil damages. Such awards of damages could likely be enforced more easily outside the EU. However, I must note that such (private) cross-border enforcement of the GDPR has not happened in practice (yet) either (as far as I know).

(Please note that this answer assumes (per the question) that the GDPR is applicable and only deals with the territorial aspects of subsequent enforcement. On the territorial scope of the GDPR, see: What is the legal mechanism by which the GDPR might apply to a business with no presence in the EU?)

ln e