I agree, but they aren’t completely powerless, either. A CEO of a company that has been convicted won’t be able to visit a conference in London, go on holiday to Paris, etc. for example. Also, any assets on accounts in the EU could be frozen or confiscated.
Not just assets: they have ISPs block access to fb, sure you can get around that but 99% of the population won't bother. Even worse: they can have central banks block payments to fb.
Unless they are willing to go to war they can't do shit to people outside their jurisdiction by definition, if they had power over that place it would be part of their jurisdiction.
What they can do however is turn off access to any resources being acquired in the EU. As the EU is the largest economic bloc in the world atm, and with the massive connectedness of the modern global economy, there's no way for a major internatial to flaunt the EUs laws without losing money unless the EU decides to allow it
> Unless they are willing to go to war they can't do shit to people outside their jurisdiction by definition, if they had power over that place it would be part of their jurisdiction.
True, but effective jurisdiction can be much bigger than you might think, especially in civil matters.
Suppose X is in country Cx, and Y is in country Cy.
X travels to Cy, and while there sells some item to Y, and then goes home to Cx. X ends up getting sued in Cy over this transaction, and loses, and the court in Cy awards a civil judgment to Y.
In many countries Cx, Y can bring that judgment he got in Cy to a court in Cx, and that court will decide if the court in Cy had jurisdiction. In this example, there is a good chance they will say that it did. They will say it had personal jurisdiction over X because X was in Cy for the transaction. They also will look at how the courts work in Cy to ensure that they meet similar standards for fairness as the courts in Cx. If they do the court in Cx might issue a civil judgment good in Cx to enforce Cy's judgment.
(If X did not defend himself in the Cy court, the Cx court might hold its own trial to allow a defense, applying Cx procedure but using Cy substantive law).
In the above example, X was actually in Cy when the transaction happened that led to a civil action in Cy. I think most countries would agree that gives Cy personal jurisdiction.
If X is not actually in Cy, but conducts business with people in Cy by mail, phone, or internet it would be less clear. If you were specifically targeting Cy people with ads and shipping goods to there, there is probably a good chance Cx would decide that is sufficient. If you were not shipping physical goods and not doing anything specifically to target Cy, then Cy might not have personal jurisdiction.
Anyway, the bottom line is that if you are actually doing business with people in another jurisdiction, even if you have no physical presence in that jurisdiction and no assets in that jurisdiction, it is not wise to just assume that a civil judgment against you in that jurisdiction will not be enforceable. You really need to look at exactly how your jurisdiction deals with foreign judgments.
1. The primary mechanism for enforcing GDPR is via regulators, not legislation. This is something of an EU/USA culture clash, but the person _complains to a regulator_ rather than lawyering up, so the courts would only be involved in extreme case
2. The jurisdiction is geographical; GDPR applies to persons physically located in the EU irrespective of nationality
In addition to what 'claranmcnulty said, that just means that your local government is willing to enforce their allies laws because your society has decided that's valuable to them. You're not going to see north Korea and the us supporting each other's citizens for instance. If your government doesn't want to support EU decisions then the EU still can't do anything to you beyond limiting what you can take in and out of the EU
For instance, if a UK citizen is concerned how their data is being processed by a USA company:
* They complain to the UK's Information Commissioner's Office (ICO)
* ICO talks to their US equivalent (I want to say it's somehow the Treasury's job), on the basis of international treaties (Data Shield legislation)
* That US regulator deals with the US company and imposes fines / process changes as appropriate
