14

My family has a small side business selling some things through the internet. As far as I know, we aren't likely to have any customers who are EU citizens, but it's certainly not outside the realm of possibility, and I wouldn't be opposed to shipping to the EU if I got an order from someone in an EU country.

However, in reading about the GDPR, I have mostly seen what appears to me to be bare assertion of the GDPR's global applicability to any business, anywhere, who transacts with an EU citizen.

My business only has a presence in the US. I am not a citizen of the EU, I'm not represented in any legislative body in an EU nation, neither am I represented in the European Parliament. I am not a subject of the EU in any way, shape or form. Why would the EU expect that any of its laws would apply to my business?

More importantly, regardless of what the EU regulators think, how could they possibly enforce any of it against me?

4
  • 1
    I found this on Politics SE: politics.stackexchange.com/q/30509/2008 and it seems to me the answer is really that the applicability and/or enforceability of the GDPR outside the EU is primarily a political question, not a legal one. Commented May 21, 2018 at 17:51
  • 1
    I was about to post an answer but your main question is how it is enforced. I don't think for your store you'll need to worry about it if you use English / $US on your site and don't especially target EU users as per here if you read the last paragraph carefully: privacy-regulation.eu/en/recital-23-GDPR.htm.
    – PeterJ
    Commented May 22, 2018 at 14:01
  • 1
    @PeterJ actually I’m pretty interested in theories of applicability too because I just can’t see how the European Parliament has any authority whatsoever over people or activities that occur entirely outside of Europe. Commented May 22, 2018 at 14:20
  • @PeterJ how is the use of English relevant? There are tens of millions of native English speakers in the EU and probably several times more who speak it non-natively at least well enough to navigate a retail site.
    – phoog
    Commented May 23, 2018 at 6:01

4 Answers

7

Why would the EU expect that any of its laws would apply to my business?

It doesn't.

Unless you choose to do business in the EU (which is possible, thanks to the wonders of the World Wide Web).

Then, and only then, do you have to comply with EU law, including the GDPR.

From a comment by @BenCollins:

I'm talking about non-EU online retail that does allow Europeans (particularly those not actually in the EU at the time of the transaction) to place orders.

Basically, GDPR Article 3 says that the GDPR

applies to the processing of personal data of data subjects who are in the Union

The phrase "in the union" is clearly open to interpretation, but according to the website Security Now, Dr. Michèle Finck says this:

Most people seem to agree that the relevant criterion is whether you're based in the EU at the moment data is collected - citizen or not (my emphasis).

While Michèle Finck is a well-respected legal scholar, she is not an authoritative legal source, so we need to wait for case law to nail this down. For what it is worth (not much, I am afraid), I think it would be against common sense to define the territorial scope so broadly that brick-and-mortar stores in the USA risk being prosecuted in Europe if they sold goods or services to European tourists.

However, what most US-based businesses that choose to be open for orders placed by natural persons who are in the [European] Union need to know is this: according to European law, the GDPR does apply to them when they conduct such business.

From a comment by @BenCollins:

I question the notions that (a) there is a basis by which the law would apply

The legal basis is European law, in particular GDPR Article 3.

and (b) that it has any enforcement mechanisms outside the EU.

As for enforcement, I think a good answer has already been provided by Dale M. but for completeness: The USA has treaties with EU that mean that after a legal case has been decided in a court of law in the EU, it can request that the USA enforce the judgement (typically by collecting the fine the USA-based business incurred when conducting business in Europe).


To make this answer more general, here is a breakdown of the regulation of the territorial scope of the GDPR for businesses that are not located in the EU:

The scope is clearly spelled out in Article 3, and if you're not "a controller or a processor in the Union", you are only subject to the GDPR if your processing activities are related to:

a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

US-based companies that engage in business practices that are illegal in Europe know about this, and have already taken steps to protect themselves from being prosecuted in Europe under the GDPR by using firewalls to block access to their services from the EU.

The bottom line is that if you:

  1. have no presence in Europe, and
  2. don't offer goods or services to people who are in the Union, and
  3. you don't collect personal data about European natural persons,

then the GDPR does not apply to you. If at least one of the above applies then you need to follow the GDPR if you do not want to be prosecuted in the EU.

18
  • 3
    Wait, what? Are we even reading the same text on the screen? I'm talking about non-EU online retail that does allow Europeans (particularly those not actually in the EU at the time of the transaction) to place orders, and I'm questioning the assertion that the GDPR applies to such businesses who otherwise have no connection to the EU. Specifically, I question the notions that (a) there is a basis by which the law would apply and (b) that it has any enforcement mechanisms outside the EU. Commented May 21, 2018 at 16:26
  • 2
    @BenCollins an EU citizen who is outside the EU is not covered by GDPR when doing business with a company outside the EU. GDPR applies if any party is "in the Union" (Article 3), without regard to any person's nationality. The situation that is most interesting to your question, therefore, would be an online business that is outside the EU and a customer inside the EU.
    – phoog
    Commented May 21, 2018 at 17:39
  • 3
    +1 for improving your answer, but I still feel as though the real question hasn’t been answered. It seems to me that European Law is an invalid basis because of the simple fact that I am not European, nor am I doing anything in Europe. Commented May 22, 2018 at 4:12
  • 2
    ... Let us assume some US-based business a lot nastier than yours compiled massive amounts of personal data about Europeans, and sold that information to all takers, including murderers (this is unfortunately not a fictional example - in October 1999 Liam Youens bought personal data about Amy Boyer from Docusearch and used the personal data to locate her and kill her). Even if such a business was based in the US and had no European presence, I think the EU should stop such a nasty business from profiling European citizens, and the GDPR gives the EU that power. Commented May 22, 2018 at 6:49
  • 3
    I did read the answer; I just don't see any clear distinction between selling something to someone from the EU who takes it home with them, and selling something to someone from the EU and then mailing it to them. They're probably using the same credit card, the info you collect is likely to be the same, lots of brick-and-mortar stores will even help you ship merchandise to your home. Why does how the customer found you (walked by your store vs found your non-EU website) make such a difference?
    – 1006a
    Commented May 23, 2018 at 3:09
3

Regarding the question of whether your particular small business will need to comply with the GDPR, depending on a few things, I think the answer may be no. I was recently reading an Australian government document, Australian businesses and the EU General Data Protection Regulation, that describes how it affects Australian entities. It contains the following examples of businesses that need to comply, and I'm sure the same would apply to the US:

  • an Australian business with an office in the EU

  • an Australian business whose website targets EU customers for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros

  • an Australian business whose website mentions customers or users in the EU

  • an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes

That section references Recital 12 that includes the following paragraph:

In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.

Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

This seems to back up the Australian government's interpretation that if you just use your local currency / language rather than specifically targeting the EU by means of currency, language or mentioning the area specifically, you shouldn't need to comply. You would have to be careful of the last point about analyzing and predicting personal preferences if you are using some sort of web store that shows "products you may like" pages that are based on a user's past behavior.

I imagine the exemption has been put in place to handle the millions of businesses on the Internet that have a fairly inconsequential number of customers in the EU who might otherwise simply stop selling goods and services to the EU.

3
  • 1
    I certainly don't expect the EU to dispatch its storm troopers to destroy any company operating from outside the EU without displaying a privacy policy (as required by the GDPR), so I think this is pretty good practical advice. However, from a legal perspective Recital 23 only tells you about indicators that may "make it apparent" that you are doing business in the Union. It does not tell you when you're exempt (provided you do sell to Europeans). Commented May 23, 2018 at 9:45
  • Does it count as "mentioning the area specifically" if EU countries show up as options in a drop-down list of all countries on the shipping address form? Commented Oct 31, 2023 at 18:51
  • @Damian it's hard to know for sure, but because most e-commerce software does have a list of all countries, there'd be a fair argument it didn't target them specifically, especially if you don't get the list until you check out.
    – PeterJ
    Commented Oct 31, 2023 at 23:15
1

If your business breaches the law in, say, France, the French government can prosecute it in a French court. Assuming they win (which is likely if you don’t defend the prosecution), the US has treaties with France that mean (with some exceptions) the French government can seek enforcement in a US court.

That’s how.

6
  • 3
    By that logic, then wouldn't pretty much any non-French business be breaching some sort of French law? For example - I don't have any kind of French business licenses. Why couldn't the French government simply prosecute all American businesses, assess a fine, and then ask the US government to enforce it and collect lots of money? Commented May 21, 2018 at 5:40
  • 1
    @BenCollins There are specific laws and regulations for foreign businesses etc. in France. Or pretty much any country in the world, as this is an almost completely unavoidable situation in the modern world. One of the reasons small businesses often do not conduct business outside of their country is because they cannot afford the legal (such as a lawyer specializing in this area) and technical necessities of the endeavor. Big companies can afford these things. The US has various agencies meant to help small businesses with these things, though, as might other countries. Commented May 21, 2018 at 7:02
  • @BenCollins Because most American businesses do no business in France - your doctor for example.
    – Dale M
    Commented May 21, 2018 at 7:42
  • 1
    There are things considered when determining doing business in a country. For example, using a language or currency accepted in that country are among the valid considerations. None of them alone are enough to say a company is doing business in or targeting a place, but rather a determination is made on the overall nature and operation of the business. Also, France wouldn’t do that because almost certainly their licensing requirements explicitly apply to French companies.
    – A.fm.
    Commented May 21, 2018 at 13:34
  • 2
    I don't think France will get too far. I will gladly file a motion to vacate in the US court on the grounds my constitutionally protected right to a jury trial would otherwise be violated.
    – Joshua
    Commented Apr 22, 2019 at 16:08
1

I'm not a lawyer, I'm thinking of norms of international law (which are above treaties), and allowing that treaties can create some kinds of exceptions, but this looks like a case of overclaiming legal rights by the EU. The EU might be allowed to claim jurisdiction because of the use of euros, which in a sense are property of the EU (much as the US has the right to forbid money laundering using dollars), but not because of language, because, e.g., France does not own French, no one does, even though France through L'Académie française sets standards for proper French. The EU can forbid its citizens from buying from US businesses but cannot bar US businesses from selling to EU citizens. From the above posts, it appears litigation in and out of the EU will have to set boundaries on the GDPR's applicability. While treaties apparently provide for international enforcement, the US put an end to libel tourism in the US after someone won a case in the UK against a book with sales of about 27 copies due to concession and then tried to stop book sales in the US where sales were large. So a domestication treaty may be subject to a similar limit, and I suspect the US Congress or states will legislate a limit on the GDPR's reach, setting the ground for litigation. The notion that foreign monitoring of someone's public activity can be banned by the EU means that US citizens reading about the heads of state of EU nations would be violating the law; you can imagine how far an effort to enforce that ban would get in the US. Imagine the EU suing CBS-TV or the NY Times for monitoring EU public figures or private citizens, such as by interviewing a Berlin shopkeeper. So, to answer the original question, if the poster has no additional connection to the EU, he probably is not under EU jurisdiction even for sales to Europeans, but he should stay in touch with news reports of litigation to see how things shake out.
