So if I’m an American company and have no offices in Europe and ignore GDPR for my free customers, what happens? Will I get arrested by the Polizei when I land in Berlin? Will the US force me to pay these fines?
My suspicion is that only companies with significant business interests in the EU are targeted, investigated and fined. Otherwise they could just ignore it.
No, they will not. If you're a company with a substantial enough userbase in their country to be investigated under their regulations, then failing to follow them and/or ignoring fines will most likely result in them preventing your services from being accessed in their country.
Why would European countries extradite American criminals to the US? Because we established a trust in each other and want to keep it that way for both sides' benefits.
This is a poor comparison. Extradition treaties exist and contain specific legal obligations. It is not based on trust and there are several pairs of countries that do not have specific extradition treaties.
How are these treaties enforced? All international treaties are ultimately based on trust. There is no higher authority, only elective councils of and voluntary commitment to procedures (a.k.a. promises) by sovereign states.
Specifically not even these formal promises have been given by e.g. the United States of America which to this day has signed but never ratified either the VCLT[1] or the VCLTIO[2], so is figuratively giving a lukewarm "let's see about the convenience of that when it comes up".
I think, de facto, nothing will happen. But if you start to evade taxes on your foreign paying customers, and you avoid local regulations, then you expose yourself to a risk.
Probably nothing happens. I doubt they're going to spend time investigating a company that doesn't do any business in Europe, when there's a very long list of bigger companies that do operate here and break our privacy and sell our data.
No. GDPR isn't tied to citizenship. EU citizens & residents are not covered by GDPR when they are outside of the EU unless a member state's law applies by virtue of public international law (https://gdpr-info.eu/art-3-gdpr/).
A somewhat more unclear situation is if a non-resident is visiting the EU and uses services from their home country.
Like most EU law it's badly written, but it states "to such data subjects in the Union"
Given "within the Union" is used separately in the next sub-article to mean physically located within, it's arguable that "in the Union" could mean citizen of
My question as well. Can a non-EU company simply refuse to pay, and also refuse to block users from the EU? I wonder if the EU would decide to block access to the foreign service as a result. It would at least force them to be honest about the fact that they're effectively turning the internet into a legal-regional network rather than a global one.
> It would at least force them to be honest about the fact that they're effectively turning the internet into a legal-regional network rather than a global one.
This happened a long time ago. And it was started by the US, I'm quite sure.
More than that, the American way to manage the "global network" is basically to impose US laws everywhere in the world.
You can receive DMCA notices outside the US, for example.
> The case raised some concerns of civil rights and legal process in the United States, and ended in the charges against Sklyarov dropped and Elcomsoft ruled not guilty under the applicable jurisdiction.
So it's an example of "law enforcement can and sometimes do illegally arrest / cause other issues unfairly", but not really a good example of a law being imposed outside the country which made that law.
That's just an egregious example, but there were also literal international trade treaties where the US basically imposed adoption of the DMCA as a condition.
Also the fact that many major tech companies are American means that US laws are basically enforced on all of their users, which is super crazy.
> The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.
This includes foreign based subsidiaries!
So if the US Gov decides that Facebook needs to give something over, everything and everyone owned by Facebook, everywhere around the world, needs to comply. So Facebook Zambia needs to hand over the data to Facebook US. On paper there are some protections, but I'd really, really want to see how well they're enforced (I doubt it).
Where they basically say: "yeah, it's true, we'll fight in a court of law on your behalf, because otherwise a huge chunk of you in other countries would never use us".