5

The GDPR is a law the EU passed requiring businesses, even foreign businesses, to protect the privacy of EU citizens.

Now of course, the EU's jurisdiction is not global, but the EU does have treaties with other countries they may permit it to enforce the GDPR in those countries or requires those countries to enforce it on the EU's behalf. For example, this answer implies the U.S. is one of those countries.

In which jurisdictions outside the EU can the GDPR be enforced?

Note that I am assuming that the whoever is violating the GDPR does not live nor has any assets in the EU that the EU could seize.

Christopher King
  • 1,724
  • 2
  • 15
  • 21

1 Answers1

1

The GDPR applies to anyone anywhere who is collecting data on people in the EU, including visitors.

As far as enforcement goes, it would depend on the circumstances. Ultimately the directors of whatever company was involved could be extradited, or if they ever visited the EU they could be arrested.

Paul Johnson
  • 13,533
  • 2
  • 38
  • 60
  • 1
    "Ultimately the directors of whatever company was involved could be extradited" do you know which jurisdictions would respect a request to extradite someone based on a GDPR violation? In particular, which jurisdictions recognize the GDPR as applying to within them. – Christopher King Jan 29 '19 at 00:34
  • Citizenship has nothing to do with the GDPR. It applies to data subjects who are in the EU, regardless of their citizenship, and does not apply to data subjects outside the EU when the data controller and processor are outside the EU, even if the data subject is an EU citizen. Your link shows this by virtue of its reference to "data subjects who are in the Union." – phoog Jan 29 '19 at 02:26
  • @phoog Good point. Answer edited. – Paul Johnson Jan 29 '19 at 09:48
  • @PyRulez No I don't. Descriptions of enforcement stop with financial penalties assessed against companies, and presumably these are thought to be sufficient. However I would expect that once a penalty has been charged there are going to be broader legal mechanisms for enforcing it against the recalcitrant. Exactly how that would play out in reality is going to depend on lots of political, legal and economic factors that I'm not going to even try to explore. https://en.wikipedia.org/wiki/Data_haven – Paul Johnson Jan 29 '19 at 09:52
  • @PaulJohnson okay. Is there a simple answer to if there are any large jurisdictions (i.e. the size of a large country) that formally reject the applicability of the GDPR within it's boundaries? Or is that more involved than I think as well? – Christopher King Jan 29 '19 at 13:08
  • 1
    @PyRulez, as described in the linked answer, several nations, including the US, have treaties by which they should enforce the judgments of courts o nations within the EU. If a judgment is first obtained in an EU country, there can then be an application to enforce it in the country where the person or entity subject to the judgment is located. Until there are more actual cases available, we can't say if the GDPR will be treated differently from other laws under this process. – David Siegel Jan 29 '19 at 13:37
  • 3
    In the US, my understanding is that we won't extradite anybody for a crime which we recognize as a constitutional right (free speech, which parts of the GDPR infringes on). I'm not sure a court would enforce fees, either. – Ask About Monica Jan 29 '19 at 18:01