12

I run a Web site. I am a natural-born US citizen. I own no property outside the US. Why does my Web site have to be GDPR compliant? Even if a European court convicts me of a crime, does it really affect me?

15
  • 5
    Who says your website has to be compliant? Just cut your EU audience off (by both Geo IP and by terms explicitly excluding anyone in the EU using non-EU VPNs).
    – Greendrake
    Commented Jun 30, 2022 at 9:05
  • 1
    @Greendrake - depends who you ask, I suppose, but no harm in considering every possibility. But if you only consider "the EU" you will definitely miss at least three places that are likely to bite you for Data Protection legislation. Commented Jun 30, 2022 at 10:13
  • 7
    And then there are the other countries that have laws similar to (often based on) the GDPR: 17 Countries with GDPR-like Data Privacy Laws: Australia, Brazil, Canada, Chile, China, Egypt, India, Israel, Japan, New Zealand, Nigeria, South Africa, South Korea, Switzerland, Thailand, Turkey and some US states such as California. Commented Jun 30, 2022 at 10:41
  • 2
    Interesting read, though copyright-related, not GDPR related: American project Gutenberg had to geoblock Germany from access because they hosted several books in German, which were out of copyright in the US but still copyrighted in Germany, which a German court ruled as targeting a German audience. teleread.org/2018/03/03/… So yes, EU laws and court rulings can and do affect American web sites as long as those websites target EU citizens. Commented Jun 30, 2022 at 14:48
  • 1
    Are you asking what the law is or arguing what the law should be?
    – o.m.
    Commented Jun 30, 2022 at 16:07
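Greendrake's comment suggests simply cutting EU visitors off by Geo IP. The following is an added example of what that check looks like in practice; it is not code from the question or from any of the answers. It assumes a hypothetical prefix-to-country table (built here from RFC 5737 / RFC 3849 documentation ranges, standing in for a real GeoIP database), hypothetical helper names (`country_for`, `client_ip`, `geo_decision`), and a `trusted_proxies` list describing the reverse proxies you actually run. Two points a practitioner wants beyond the comment itself: the GDPR also applies in the EEA states Iceland, Liechtenstein and Norway, so an "EU only" list misses them; and `X-Forwarded-For` is attacker-controlled unless a proxy you control appended it, so the geolocated address must be the rightmost hop that is not one of your own proxies.

```python
"""Geo-block EU/EEA visitors by source address (added example, not the page's own code).

The prefix table below is constructed from documentation address ranges and is
NOT a real allocation; a deployment would load a maintained GeoIP database.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The 27 EU member states (ISO 3166-1 alpha-2), plus the three EEA states the
# GDPR also covers. Forgetting the EEA is the classic gap in "EU only" lists.
EU_27 = frozenset(
    "AT BE BG CY CZ DE DK EE ES FI FR GR HR HU IE IT LT LU LV MT NL PL PT RO SE SI SK".split()
)
EEA_EXTRA = frozenset({"IS", "LI", "NO"})
GDPR_COUNTRIES = EU_27 | EEA_EXTRA

# Constructed stand-in for a GeoIP database: (network, country code).
CONSTRUCTED_GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.128/25"), "US"),  # more specific, must win
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "NO"),       # EEA, not EU
    (ipaddress.ip_network("2001:db8:1::/48"), "FR"),
    (ipaddress.ip_network("2001:db8:2::/48"), "CA"),
]


def country_for(ip: str, table=CONSTRUCTED_GEO_TABLE) -> Optional[str]:
    """Longest-prefix match of ip against the table; None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


def client_ip(remote_addr: str, xff: Optional[str], trusted_proxies) -> str:
    """Choose the address to geolocate.

    X-Forwarded-For is only meaningful for the hops appended by proxies you run,
    so walk it from the right and return the first hop that is not a trusted
    proxy. A direct connection (remote_addr not a trusted proxy) ignores the
    header entirely, since the client could have set it to anything.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        a = ipaddress.ip_address(ip)
        return any(a.version == n.version and a in n for n in trusted)

    if not trusted or not is_trusted(remote_addr) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return remote_addr  # every hop was one of our proxies; fall back


@dataclass
class Decision:
    allowed: bool
    status: int           # 451 = Unavailable For Legal Reasons
    country: Optional[str]
    reason: str


def geo_decision(remote_addr: str, xff: Optional[str] = None,
                 trusted_proxies=(), fail_closed: bool = False) -> Decision:
    """Return the block/allow decision for one request."""
    try:
        ip = client_ip(remote_addr, xff, trusted_proxies)
        cc = country_for(ip)
    except ValueError:
        return Decision(False, 400, None, "unparseable client address")
    if cc in GDPR_COUNTRIES:
        return Decision(False, 451, cc, "EU/EEA address blocked by policy")
    if cc is None and fail_closed:
        return Decision(False, 451, None, "unknown origin, policy is fail-closed")
    return Decision(True, 200, cc, "allowed")
```

Whether to fail closed on addresses the database does not cover is a policy choice; the example exposes it as a flag rather than deciding it. Note that address-based blocking is only as good as the database and is defeated by VPNs, which is why the comment pairs it with terms of service that exclude EU users rather than relying on it alone.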

3 Answers

13

As of 2024, there are no legal precedents where:

  1. A website was operating outside the EU, with no EU legal entity established and no payments accepted from EU users
  2. An EU court ruled that they must still comply with GDPR because they happen to have visitors living in the EU
  3. Said website ignored the EU court ruling entirely, refusing to comply
  4. The EU managed to convince the authorities of the country where the website is located to enforce the judgement on their behalf

See As of 2020, have any GDPR-related court judgements been successfully enforced on companies without presence in the EU? for a prior discussion of this question.

So as of today, you're likely fine not complying with GDPR as long as you don't take any payments from users in the EU and don't have a legal entity there. Things might change in the future if a successful foreign enforcement occurs, but until then it's highly likely you'll be just fine. While EU authorities would love to force the whole world to comply with their laws, in reality it's unclear if this is possible, as otherwise every single website would face a huge headache trying to comply with laws from Turkmenistan or Iran despite not taking any payments from these nations.

13
  • 7
    Are you suggesting that you wouldn't want to abide by Iran's Global Data Extraction Resolution requiring that all personal data from everyone on your server be handed over for personal review by the Grand Ayatollah unless you've specifically geofenced Iranians from accessing your website? :)
    – reirab
    Commented Jun 30, 2022 at 19:12
  • 6
    @reirab or the Turkmenistani law requiring you to pay 10 manat to the government for every 1000 visitors that you get :-) Commented Jun 30, 2022 at 19:24
  • 2
    @Someone I don't know but it shows the absurdity of expecting websites to comply with the laws of 200+ nations just because they happen to be accessible from those countries via the Internet. If you're taking payments from the EU, then sure, it makes sense to follow their laws, but otherwise you shouldn't bother. Commented Jun 30, 2022 at 21:21
  • 3
    @Someone No, it was a parody (and reductio ad absurdum argument) poking fun at the idea of claiming extraterritorial jurisdiction over websites that aren't even conducting actual business in the legitimate jurisdiction of the government body in question. It's a terrible precedent to set, even if it were to get upheld, with extreme potential for abuse. Clearly, MEPs didn't think that one through very well.
    – reirab
    Commented Jun 30, 2022 at 22:07
  • 2
    Yeah, if countries had to enforce each other's court rulings, I would just find some deserted island, start a micronation, put myself on the Supreme Court of Iwanttofinemegacorporationsland, rule that Amazon violated my (ex post facto, but that doesn't matter because I don't have a constitution forbidding it) privacy laws, and fine them for $1,000,000,000.
    – Someone
    Commented Jun 30, 2022 at 22:19
9

As stated by GDPR article 3, you are required to follow it under the following circumstances:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • the monitoring of their behaviour as far as their behaviour takes place within the Union.

You can read the recourse better at What is the legal mechanism by which the GDPR might apply to a business with no presence in the EU?, but in short the US will allow the EU court to press its rulings due to wanting to keep its trades, treaties and other similar things in place.

3
  • This conversation has been moved to chat.
    – Pat W.
    Commented Jun 30, 2022 at 20:15
  • 5
    The reality is, unless you're Google or Amazon, just ignore the GDPR and nothing will happen. The EU will have a difficult time trying to enforce their laws against your small time ecommerce website or whatever.
    – SnakeDoc
    Commented Jun 30, 2022 at 23:54
  • 1
    @SnakeDoc and especially given the risk of failing to enforce the GDPR on a foreign entity, resulting in humiliation for the EU. Commented Jul 1, 2022 at 20:22
3
+100

This is a partial answer to only some part of the question.

I run a Web site. I am a natural-born US citizen. I own no property outside the US. Why does my Web site have to be GDPR compliant?

People and firms are routinely held liable for civil wrongs and breaches of contract in countries where they have no physical presence and own no property. Often (honestly, usually) a money judgment entered against someone in another country can be enforced against someone in the U.S. against their U.S. assets, if it has a Western-style legal system, under general U.S. law comity principles.

The assumption that a lack of a physical presence in GDPR countries and a lack of assets in those countries is sufficient to protect you from liability in those countries that can be enforced against your U.S. assets is clearly and obviously wrong.

You may be subject to GDPR enforcement actions in a country that has adopted the GDPR, even if you are not present in that country and have no assets there, if your online activities are sufficiently connected to that country to give it what is called "long arm jurisdiction" in the interstate domestic context. I am not familiar enough with the GDPR (or the relevant technologies, for that matter) to know what exactly that kind of sufficient connection looks like.

A new treaty may formalize the foreign judgment enforcement process in the U.S., but its political prospects are unclear.

A treaty for the enforcement of foreign judgments in the U.S. was signed by President Biden and sent to the U.S. Senate for ratification about two years ago:

On 2 March 2022, the United States signed the Convention of 2 July 2019 on the Recognition and Enforcement of Foreign Judgments in Civil or Commercial Matters (the “Hague Judgments Convention” or the “Convention”). The Hague Judgments Convention seeks to enhance access to justice and facilitate international trade and investment by encouraging the free flow of judgments across national borders. It does so by providing a set of clear, predictable rules under which civil and commercial judgments rendered by the courts of one Contracting State are recognized and enforced in other Contracting States. While not yet in force, the Hague Judgments Convention could provide an important complement to the widely adopted 1958 New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards (the “New York Convention”) (which provides for the recognition and enforcement of arbitral awards), as well as its sister treaty, the 2005 Hague Choice of Court Convention.

The full text of the treaty is here.

The treaty entered into force on 1 September 2023 for the European Union (applicable in all 27 Member States, except Denmark) and Ukraine. The U.K. plans to agree to the convention as soon as possible. In the U.S., the treaty was signed by the President two years ago, but has not yet been ratified by the required two-thirds majority of the U.S. Senate. Russia has likewise only partially completed the process of ratifying the treaty, despite agreeing to it on a preliminary basis that sets the stage of ratifying it.

How are judgments in civil cases against non-residents entered and enforced?

The way that GDPR concerns would typically manifest for a U.S. based person would be for there to be some kind of civil proceeding, either administrative or in court in a country subject to the GDPR alleging that it applies to you and that you violated it (I am not knowledgeable enough about the GDPR to answer that part of the question). This would then lead to a civil money judgment against you in the foreign country.

The foreign court would typically have jurisdiction over you if you are within the class of persons covered by GDPR article 3 (discussed in another answer) and you have been personally served with court process by a process server.

Then, the person entitled to money under the money judgment would go to a U.S. court that has jurisdiction over you and ask it to enforce that money judgment under general U.S. law comity principles.

The details of how this is done and when it is possible are beyond the scope of this limited answer. But, in broad outline, usually, money judgments from another country entered in a lawsuit over which the other country's court has jurisdiction over you under both its own laws, and U.S. constitutional requirements for jurisdiction in a civil case, will be honored in the U.S. if the judgment is for something that is not contrary to a strong U.S. public policy.

You usually can't re-litigate the issues that could have been litigated in the foreign country in the U.S. court when enforcement is sought from a U.S. court pursuant to legal principles like collateral estoppel and res judicata. Once the foreign money judgment is "domesticated" in the U.S. court, it can be enforced just like any U.S. money judgment against your U.S. assets.

Since some U.S. states have laws similar to the GDPR, it is unlikely that the U.S. courts would find that a money judgment entered in connection with the GDPR was contrary to U.S. public policy.

A lack of GDPR specific precedents isn't all that meaningful, because there are lots of precedents involving the only slightly broader topic of international enforcement of foreign money judgments.

Even if a European court convicts me of a crime, does it really affect me?

Most things which are illegal are not crimes.

GDPR violations are seldom, if ever, crimes. Thinking along these lines represents the common fallacy that everything that is illegal is a crime. In fact, lots of things that are illegal are not crimes and only have civil remedies.

How do transnational criminal prosecutions work if there are foreign criminal charges against you?

There are few, if any, crimes in the countries to which the GDPR applies, that try people for crimes in absentia. If you commit a crime over which a European country has jurisdiction and you are not physically present in that country, that country must seek to have you arrested and extradited by the country where you are located. Generally speaking, a country has jurisdiction over crimes committed in its territory and crimes directed at the country or its citizens.

The U.S. has extradition treaties with all or most of the countries that are subject to the GDPR. Extradition is usually available when (1) the crime is serious, (2) the U.S. has a crime similar to the one for which the country is seeking extradition that is punishable by a similar or less serious punishment than the comparable U.S. crime, and (3) the foreign country has jurisdiction over that crime under the standard summarized above.

After you are arrested pursuant to the other country's request, you would be entitled to a court hearing in a U.S. court to determine if you really are the person for whom extradition is sought and if the conditions necessary to extradite you to the foreign country have been met. Your actual guilt or innocence would not be an issue, but the extradition hearing could probe whether the request to arrest and extradite you is supported by probable cause that you committed a crime in the foreign country.

If you lose in your extradition hearing, you are then transported to the country that wants to try you for the crime in their country. If you are convicted, that country incarcerates you or otherwise punishes you pursuant to its laws.

Again, the likelihood of some sort of GDPR related criminal offense existing is probably remote, but if it does exist, this would be the process.

6
  • 1
    I'd note that any enforcement action faces a large frictional barrier: someone has to notice you're in violation, then they have to report it, then it has to get through the pile of complaints, then a government authority has to send out a warning letter. If the offending website refuses to comply in any shape or form things get even more difficult: the government authority has to file for court proceedings, get a judgement, then transfer it to the US for processing, etc. This is why de facto only large commercial websites see any real enforcement. Commented Mar 28 at 16:35
  • 1
    And note that since GDPR violations are not a criminal offense, a business might choose to just treat the potential costs of GDPR non-compliance as a cost of doing business. This is how Uber grew from nothing to a $160b company: ignoring (some) regulations can pay off handsomely in the long run. Commented Mar 28 at 16:36
  • 1
    @JonathanReez I don't disagree with either of your comments. The risk of actually suffering an economically important loss of property for a GDPR violation by a small U.S. based website with no non-U.S. property is modest even though there is a genuine risk of legal exposure which is material if you are a large enterprise against which the effort would be proportional for the government enforcing the law. Of course, sometimes, governments act in economically irrational ways to prove a point or for political reasons. They have ample resources to pursue it if they wish to use those resources.
    – ohwilleke
    Commented Mar 28 at 16:43
  • 1
    @JonathanReez For example, if the GDPR complaint is lodged by a politician or a celebrity, or has gotten attention in the mass media, a government might pursue an otherwise trivial claim that it would usually ignore to the fullest possible extent.
    – ohwilleke
    Commented Mar 28 at 16:46
  • 1
    There's risk in the other direction: if a complaint is lodged but then a US court refuses to enforce it (which is not out of the question), the EU would immediately 'lose face' and this might cause diplomatic repercussions between the two countries. So I suspect in practice the EU would rather not waste their time on small time violators, though I agree anything is possible if a celebrity or politician puts some weight behind it. Commented Mar 28 at 16:51
