> I am hopeful that the US will pass legislation exempting US firms from enforcement of fines under GDPR on US soil, but I am not optimistic. Under current law, it is likely that they can be enforced.
What would be the mechanics of enforcing the GDPR against a US company with no EU presence? I'd understood the opposite, and that the EU's best options to enforce were probably indirect (via customers, vendors, etc. with EU presence).
That and privacy shield (or equivalent). The EU courts could simply go the the US courts and tell them that under privacy shield, the company violated the EU law. Then the US court could decide that, yes, the company did indeed violate EU privacy law and enforce the fine on their side.
If the US court doesn't decide that, the EU will have to resort to indirect measures (Google AdSense will probably stop working since Google doesn't want the EU courts on their butts for making business with someone who violates the EU law and other measures)
> While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law.
So how does that affect companies that don't elect to join Privacy Shield?
Agreed that AdSense will probably start indirectly enforcing the GDPR at some point. Someone will probably make a lot of money picking up the traffic they lose, in exchange for never changing planes in Frankfurt again...
Without privacy shield, I guess the EU might still try to go through the US court system to have a foreign claim enforced in the US.
I guess we'll have to wait and see what happens in that case, if the US court system is willing to enforce GDPR fines on their side, that would be a win for the EU (the US has been doing this for ages)
Apparently, existing treaties that the US has allow for the domestication of EU civil judgments in US courts. The prevailing logic right now is that nothing new would need to be passed to allow for that to include judgments issued under the GDPR. Here is one article, there are many more:
> "While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years."
That sounds pretty murky to me, more a statement that she expects regulators to cooperate than one that current law provides a clear path. Not that I can find a more confident article in the other direction, of course...
What would be the mechanics of enforcing the GDPR against a US company with no EU presence? I'd understood the opposite, and that the EU's best options to enforce were probably indirect (via customers, vendors, etc. with EU presence).