
I don't know why people were downvoting this.

GDPR outside of the EU (for purely non-EU entities) is a non sequitur; there are zero internal processes to make it work.

Let's take the most basic example: the GDPR does not apply in a vacuum, it's enforced and supported by Data Protection Agencies (DPAs) in each member state, which are responsible for ensuring that companies in those member states comply with EU regulation like the GDPR within the context of local laws and regulations.

The DPA is responsible for the application of the GDPR within its member state (and its power is limited to that member state only, but the GDPR does have a few venues for applying a local DPA directive across member state lines); it's also responsible for handling complaints in that state, and it provides directives and advice to both law makers and the industry.

If I'm a UK company and need to deal with the GDPR (till Brexit do us part), I work with the ICO, which is the UK Data Protection Agency. While other DPAs might affect me, the ICO is my primary source of both advice and enforcement, and any issues that might originate in another DPA would still pass through the ICO.

Now I am a company in, I don't know where, let's take Argentina. I want to sell to EU customers; which DPA do I answer to? Which DPA do I ask for advice? How do I arbitrate complaints filed against me, and to which DPA do I prove I handled data disclosure requests in a manner compliant with the GDPR? Which DPA would know my local laws to ensure that my application of the GDPR was compliant with local data retention and lawful access laws? In fact, other than going through my own state/trade department and organizations, what venue do I have as a non-EU resident and a non-EU entity to any EU services and resources?

The answer to all of this is none: as a non-EU company there is fuck all you can do even if you want to comply with the GDPR.




You use the legislation to guide your internal processes, systems and employee/user education. You ask your legal counsel for advice. Other than what you'd normally do anyway, you'd provide evidence of disclosure only to the DPA that asks. The DPA doesn't care about your local laws; seek local legal counsel instead.

To a developer used to systems thinking this should not be rocket science. Most of it is just good practice. Kim Cameron came up with the laws of identity many years ago, which the GDPR is surprisingly similar to.


DPAs care about local laws; the GDPR does not trump local EU legislation.

What court do you use to appeal a complaint or a fine?

There are no processes at all for a non-EU entity to function within the GDPR, and saying it’s not rocket science isn’t going to change that.


If the ICO (UK) issued a fine, you wouldn't appeal in Spain, would you? Because of course you respond to the DPA that issued the fine or complaint. Am I not understanding your question?


We’re not talking about EU companies or entities but non-EU ones.

In the case of the EU you have your own local DPA, other DPAs, local courts and high courts to appeal to and/or work with.

As a non-EU entity you get nothing.


The only entities that can enforce GDPR are the DPAs in various EU countries. So if some action is taken against a non-EU company, it's anyway done by one of the DPAs - e.g. if there's a complaint against some USA company by a German citizen, it would be the German DPA handling that.

Any decisions of German DPA can be contested just as any other administrative decisions in German courts, the German DPA is fully under their authority. Yes, you won't have your local courts, but it doesn't mean that you can't appeal - you simply have to file this appeal where the contested decision was made.


You get the courts that the person you're servicing uses. Like when you sell to someone in a particular country and have to abide by their sales and tax laws.


That’s not true on both counts: EU courts have no jurisdiction over non-EU entities, and there is no process for arbitrating a lawful retention requirement (which trumps GDPR) between EU and non-EU entities.

As for the taxation part of your comment, that is again an incorrect statement; in fact it’s categorically false.

If I, as say a Brazilian company, want to sell goods to an EU resident, I do not perform any tax collection other than the local taxes in my country.

In fact it likely means that I can forgo some local taxes like VAT or sales tax due to export.

You as the customer are obliged to pay all taxation related to this purchase, which is usually paid when the item clears customs as the customs duty.

The only cases when one would collect tax on behalf of another country is when there is an explicit tax agreement to do so and process to support it. This is extremely rare and usually only happens within shared customs unions.

As a non-EU entity I legally can not collect VAT on behalf of EU customers because I have no way of paying that tax on their behalf.


What, like US courts have no jurisdiction in the EU? I can pirate US movies, and as an EU bank, not report on US citizens in the EU to the US?

Those weird things aside, this isn't about collecting VAT. It's about remaining within the confines of the law of the country you're conducting your affairs in.

It's like if I, as a Russian, wanted to sell a car to someone in the US, I'd have to ensure that my car meets whatever requirements/standards the US sets out for vehicles. If my vehicle doesn't meet those standards, which court do you think I'd have to appeal in, as a Russian selling a car to an American?


Those copyright laws are enforced through local copyright holders and/or existing trade agreements, which again is something that is understood and established in international law, including WTO regulations.

The GDPR has no mandate under existing international law.

The level of strawmanning is getting ridiculous. When 2 countries sign a trade agreement you have 2 electorates which have a say in what is going to happen.

The GDPR's extra-territorial application isn't just extra-territorial, it's extra-judicial: you have a law forced on you that you have had no say in how it was passed, and you have no say in how it would be interpreted and/or enforced.

This is tyrannical and I'm an EU citizen.


> As a non-EU entity I legally can not collect VAT on behalf of EU customers because I have no way of paying that tax on their behalf.

That’s not how this works. You are required to collect VAT and use the MOSS system to pay it quarterly.


That's not correct; as a non-EU entity I'm under no obligation to register for MOSS or to collect VAT unless under TBES (which is nothing new, since it's an extension of the old VOES scheme), which applies to a limited number of services only: https://ec.europa.eu/taxation_customs/business/vat/telecommu...

Even if by some chance you are a small business that for an inexplicable reason does fall under this, you can get out of this scheme fairly easily (VAT exemption rules apply), and more importantly VAT can be handled by a proxy, e.g. a payment processor.

For businesses there is no VAT collection at all, and all businesses must pay reverse VAT when purchasing (or providing) services from (and to) outside of the EU, regardless of whether they fall under TBES or not.


If you sell non-physical goods, you are required to collect VAT when you cross a per-country threshold.


Again, only if the goods fall under the criteria set by TBES and if you are above the limit in a specific country, which in the UK for example is £85,000, and it's more or less similar across the EU.

This means that for most businesses it's not an issue, since you can have a turnover of a few 100,000 EUR spread across the EU without being required to register.

This is also solved via your payment processors, and what do you know, the EU also offers you the infrastructure to register. Where is the one stop shop for GDPR?


Double check the thresholds in the various EU member states. They differ considerably, and the UK is an outlier in that it is so high.


34,000 EUR on average; 31,000 without the UK, and 37,000 without the Nordic countries.

You also must provide a service that is qualified for VAT, since it doesn't cover all non-tangible goods, e.g. anything that is actually produced by a human but is delivered digitally, like professional services.


You should use more punctuation; your writing is very hard to read and understand (as a non-native speaker).


Yeah, sorry, writing on an iPhone makes it a bit hard.


> UK company and need to deal with the GDPR (till Brexit do us part)

Brexit will make little or no difference unless you refuse to deal with EU citizens in any way that involves you having access to their PII or storing any information about them (including traces of their activity in your product/app/site).

GDPR will be carried over post-Brexit, and even if it is later revoked by act of Parliament and not replaced by something equivalent, you'll still need to deal with it if you want to trade with EU citizens. If the UK refused to play ball and somehow blocked us from the punishments for non-compliance, we will face inconvenient sanction by other means.

GDPR isn't perfect (is any regulation?) and there are certainly significant questions to be answered from the PoV of people operating outside the EU, and even some issues that may still require more clarity for those entirely operating here, but I wholeheartedly welcome it (UK citizen here, FWIW) despite being a data specialist and therefore having a bad nervous-twitch reaction to any idea of a non-soft delete operation!


That was a joke; the ICO will continue post-Brexit, I have no problems from the UK.

The GDPR isn't perfect; it's just not workable for companies that are not in the EU.


I'm not a lawyer, but I would think your Argentina company can be in one of 2 states:

1. You have a subsidiary in the EU, in which case that is who will get fined or will have to deal with the DPA where it is registered.

2. You don't, in which case the EU can not fine you?


Well the GDPR doesn’t define that it applies to anyone who touches PII belonging to EU residents.

Logic dictates that it won’t apply to companies that simply don’t have any legal presence in the EU.

But that is not defined because again there are no exceptions.

However PayPal might enforce it on you in fear of the EU going after PayPal because it’s expected that all EU companies would require GDPR compliance from their business partners overseas that perform any data processing for them or are exposed to EU PII.

However, how this compliance is to be achieved, validated and arbitrated isn’t defined either.


Article 3 is clear about the scope of the regulation when an entity is outside the EU. It states that it will apply where that entity is offering goods/services or is monitoring data subjects in the EU. Enforcement is a separate matter but the underlying law is clear. Art 2 then contains general exceptions to the application of the regulation also.


It’s not clear at all. By this definition, if I sell guitar picks on my personal store and I’m located in, say, Zimbabwe, I’m either forbidden from selling them to the EU or will have to comply with the GDPR, which can be prohibitive to me due to local laws.

The GDPR isn’t clear on anything; it rewrites agreeable concepts of localization which have much more severe applications than simply the GDPR.

It also provides zero channels and infrastructure for non-EU entities to comply with the GDPR in the manner which is offered to local EU companies.

If the GDPR defines its scope as "if I can buy from you, you must comply", what stops the EU from mandating that I must collect VAT on their behalf?


Laws are not always crystal clear in each case because to do so risks making them capable of being worked around (and of course in some cases they are just badly drafted - but I don't see this so much with GDPR). Laws are then subject to interpretation by the courts and by lawyers. If you're having issues with understanding laws, then you may need an expert to guide you, as in many areas of life.

Recital 23 of GDPR will give you insight into how your Zimbabwean guitar pick seller would be treated. If they are consciously offering picks to data subjects in the EU, either through specifically referencing EU data subjects, or through offering picks in EU currencies or tailoring the site for different European languages, then they are likely in scope.

Conflict of laws provisions are a separate point, however in various areas, the GDPR expressly states that legal obligations override GDPR obligations in various areas.

Whenever any company considers that a law may apply to them (whether as a result of operating in the country or because of the extra-territorial implications of certain laws, like GDPR) they generally take advice from local lawyers as to the implications or do independent research.

The regulation is obviously available and there is a host of interpretative guidelines issued by the Article 29 Working Party which will enable anyone with enough time and desire to understand the implications of compliance. I'm not sure what kind of assistance you're looking for here? It's incumbent on the party who wants to operate in a country/provide services to users in that country to understand the relevant laws.

If you disagree with the extra-territorial application of the GDPR then that's a separate issue. Bringing international tax treatment into the discussion is also not of relevance.


Yes, laws are not crystal clear, but you don't understand the problem: when laws are unclear in your country/union there is a clear channel to debate it, which is the regulator and the courts; these channels are not available to extra-territorial parties.

Add to that the fact that you now have laws enforced on you that you have no control over how they were written or are enforced, because you are not part of the electorate that passed them.

International law is applied when 2 countries agree on a common set of rules in which case you have 2 representative electorates which are mediating an agreement.

The GDPR has no legal basis of application; it's not part of any trade agreement or any other international agreement between the EU and other countries.

The claim that it is somehow applicable is essentially tyrannical; despite the intent of the law, the means through which it is applied, and the fact that people support its universal application, is terrifying.

What is even more terrifying is the likely means of enforcement which will be through the multinationals.

>The regulation is obviously available and there is a host of interpretative guidelines issued by the Article 29 Working Party which will enable anyone with enough time and desire to understand the implications of compliance. I'm not sure what kind of assistance you're looking for here? It's incumbent on the party who wants to operate in a country/provide services to users in that country to understand the relevant laws.

What are you even trying to say here? If I don't live in the EU and have no legal presence in the EU, I have no means through which I must comply with the GDPR.

Mandating that I would create a local legal entity to serve as a proxy in a member state is a violation of existing trade agreements and WTO rules.

Enforcement of extra-territorial laws must be done through a process which is agreeable and understood by all parties.

>If you disagree with the extra-territorial application of the GDPR then that's a separate issue. Bringing international tax treatment into the discussion is also not of relevance.

This entire debate is about the extra-territorial application of the GDPR; bringing in international tax treatment is super relevant because it's an established framework, and it already establishes things like localization, which are critical for extra-territorial application and which the GDPR must follow.

People really need to wake up and understand that the GDPR isn't about Facebook or eBay, Amazon or the like; it applies to them equally as it applies to your local dry cleaner or hairdresser, which collect and process Personal Information as defined under the GDPR and are subject to the full extent of its regulatory requirements.

What is more frightening is that through commerce of either tangible goods or services this regulation can be applied to non-EU entities in not only an extra-territorial fashion but also an extra-judicial one.

The reality is that many small businesses, or businesses regardless of size for which the volume of trade they have with the EU is less than the cost of compliance, would likely be forced to stop offering services to EU consumers or switch to a proxy like, well, eBay or Amazon.

The scope of regulation like FATCA or SOX, which were mentioned here as examples, applies to institutions that can afford it and can handle it.

The GDPR applies to everyone equally. Actually, that isn't true: if it applies to non-EU entities it doesn't apply equally, it's much more costly to them. If nothing else, then just take your ridiculous example, "consult a lawyer": a GDPR lawyer in Belgium or the UK would be fairly cheap since it's an established local law; to get the same level of advice and to get arbitration with a DPA in, say, Bolivia you can't go to an ambulance chaser, you'll be limited to an international law firm. Not to mention that legal advice for such services can be obtained for free in the EU through the local DPA and/or various organizations like Citizens Advice which provide legal assistance.


> What are you even trying to say here? If I don't live in the EU, have no legal presence in the EU I have no means through which I must comply with the GDPR.

I was responding to your point that there were zero channels to help non-EU companies to comply.

I’m really not sure what resources you think are available to EU companies that are not available to non-EU companies. You would definitely not get GDPR advice at the Citizens Advice as they have more important matters to deal with. To the extent a local regulator would provide guidance to an EU company, I am certain they would also provide it to a non-EU company looking to comply. You present it as a clear distinction between EU vs non-EU companies but that simply is not the case!

We can agree to disagree on the pros and cons of an extra-territorial law but don’t misrepresent the position in terms of help available to EU vs non-EU companies.

Also your point about hairdressers is nonsense. A non-EU based hairdresser is very much out of scope of GDPR!


Local DPA, local courts, local MPs, industry unions, EU MPs, EU high courts.

And please tell me how, say, I as a small merchant in any country outside of the EU can get in touch with them and get services from any of them.

Better yet please tell me how a lawyer in Mexico or the Philippines would be able to advise me on GDPR unless they are part of a top tier international law firm which operates in the EU and has experience with GDPR.

Please let me know which non-EU bar associations were provided with materials and guidance by a DPA or any other EU regulatory agency, and have conducted workshops and seminars, in order to ensure that they would be able to provide legal advice on this matter.

>You would definitely not get GDPR advice at the Citizens Advice as they have more important matters to deal with.

Wanna bet? The Citizens Information Board (CA in Ireland) already offers such a service (so does Citizens Advice Edinburgh); in the UK the ACF provides GDPR-related legal counsel to foundations, and a lot of other industry organizations offer similar services.

> I am certain they would also provide to a non-EU company looking to comply. You present it as a clear distinction between EU vs non-EU companies but that simply

They will not provide any service or information to you; in fact they are forbidden from doing so. Try contacting an MP who isn't yours or an agency outside of your member state.

>We can agree to disagree on the pros and cons of an extra-territorial law but don’t misrepresent the position in terms of help available to EU vs non-EU companies.

There isn't anything to disagree about; this isn't about extra-territorial law, this is about extra-judicial application of it, which is tyranny since you are applying laws and regulation outside of the scope of international law and frameworks. The fact that you accept this as something good makes me think that the Brexiters might have had a point.

>Also your point about hairdressers is nonsense. A non-EU based hairdresser is very muh out of scope of GDPR!

I think you should practice your reading comprehension. I'm in the EU; on the 25th of May I am submitting a data access request letter to my dry cleaner (I like my hairdresser), Pristine Dry Cleaners, just for the lolz and to show just how ridiculous it can be.

I know for a fact that they have my name, address and phone number, since it was required during registration, and I also know that their branch in East Finchley shares the same database as the one in Lancaster Gate, since I've used both despite them being different franchises, so I really want to know who they shared those with.


Ok, my apologies for not picking up on the fact you are in the EU. Is it the cost that is stopping you from making a subject access request today under existing laws?

Apologies also - I took Citizens' Advice in the narrow sense of the Citizens Advice Bureau (I used to work there so it's in my subconscious) who generally deal with benefits, employment and housing law queries. I took a look at the citizensinformation.ie and did a search for GDPR - I can't see much in the way of materials unfortunately. ACF makes materials available which can be read by anyone regardless of location. Sure, they might make advice available to local entities, but this would be a small benefit to EU orgs vs non-EU orgs.

However, I still don't really follow your point about how organisations will approach GDPR compliance in general and the idea that there is a massive gap between what is available to EU entities versus non-EU entities.

For lots of organisations, GDPR will not be on their radar, and life will go on as normal post May 25th.

For organisations aware of GDPR, their route to compliance will be through reading the source materials and supporting materials available on the Art 29 Working Party website. That is the case regardless of whether the organisation is in or out the EU. They can consult materials from third parties like ACF but the core materials are as above.

I don't really think contacting your MP or actually contacting a regulator is something which many entities have actually done because actually the base regulation and the interpretation notes are sufficient to understand what an organisation has to do to comply (again available to anyone who cares to read). In terms of court access

In terms of access to legal advice, then I don't quite think it's as bad as you paint it out here! I've instructed local counsel in multiple countries direct and it's a straightforward process, and those firms were not part of a top tier international law firm network. Often smaller local firms have firms of similar sizes in other countries that they can refer work to. If other peoples' implementations of GDPR are anything like my company's then the extent of legal advice sought will have been limited.

I think overall I take your point that resources on offer to non-EU companies may be more limited, but overall the core resources are the same. Lots of non-EU entities have been working very hard on looking to comply with GDPR using the above resources and taking local legal advice where relevant. I agree that for smaller organisations this is more problematic, but this is the case regardless of location to an extent.

I do take your point about the extra-judicial nature though. We will have to see how things work out. My instinct is that for lots of companies it will be business as usual and the local regulators will have bigger targets that they want to go after.


The company I work for has been working on GDPR compliance for the better part of 3 years.

We also maintain compliance in the financial sector and we have both very good in house and external counsel which works with both the ICO and political institutions to ensure we meet our compliance.

The fact is that as an EU citizen you have a say about how the GDPR is applied and you have a say in how it will be enforced and interpreted.

As a non-EU entity you have no voice.

You also cannot ask for assistance from any EU or member state body.

You also don’t have access to DPA run events for example: https://ico.org.uk/about-the-ico/news-and-events/speaking-en...

Now if you want a good comparison, as you have worked for a legal aid organization before, you can likely estimate the hourly billable of a lawyer in the UK to provide you counsel on UK or EU law vs say FATCA or SOX.

My bet is that it would likely be at least 3 zeros in difference.

The fear isn’t that a DPA would go after you, but rather that they’ll force service providers to compel you to comply.

Under the GDPR, for PayPal to remain compliant it needs to ensure that all merchants that use it to receive payments from EU residents are also compliant, because you share your Personal Information with PayPal, who then shares it with the merchant (name, email, address, phone number etc.).

This is going to be the likely channel of enforcement not them dragging you to court.


I don't think any of this is entirely clear, but from my understanding it seems like the EU wants to apply GDPR even if you don't have an EU presence.

In practice, I doubt that they'd get the US to enforce judgements. But it might mean that I can never risk going to Europe again lest I risk having a default judgement enforced against me for one of my businesses.


If your store front is accessible to EU based citizens then you have an EU presence.


The threshold for determining establishment is a low threshold; however, there will still be various factors taken into account in determining whether that establishment is there (for Art 3(1)), and indeed whether goods and services are being offered to data subjects in the EU (for Art 3(2)).

The mere availability of a website is not sufficient however to satisfy the above. Recital 23 below gives more details about those factors:

> Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.


Yes, I should have better specified "accessible". If you ship to those customers, and make that publicly known, that appears to satisfy the intent to provide service to that country?

Add on language and currency, basics of accessibility, and you're meeting the definition AFAICT.


No, if you aren’t a legal entity in the EU you have no presence in the EU.

If you would push for this the only thing that would happen is that companies would stop accepting orders from the EU.

If this is going to be the definition, expect a lot of store fronts to be closed to EU residents following May 25th, or more likely the first time this precedent is set in court.


It seems a direct parallel of being tried for copyright infringement in USA when you have an offshore website - like O'Dwyer who had to bribe himself out of being extradited from UK to face charges of copyright infringement in USA. He'd never been there, didn't have servers there, and was acting legally in his jurisdiction of residence.

Similar things happened with USA's actions on Silk Road, KAT, with Kim Dotcom, and I'm sure many other legal situations I'm not aware of.

The EU is seemingly extending logical contact to be equivalent to entry to a jurisdiction, as the USA appears to have established is desirable as a facet of international application of law in the internet age.

I much prefer the extension of jurisdiction in protection of member states citizens rights than in the service of media conglomerates.


Copyright is enforced via local copyright holders / representatives, trade agreements and WTO rules AKA local or international law.

In no way, shape or form does US law have a direct mandate outside of the US.

All the examples you've given were those of actions performed through established legal channels in which all parties had and have a say.

Extra-territorial application of the GDPR under existing frameworks (or the lack thereof) is tyrannical because you apply it to people that have had no say in the establishment of the regulation and have no control over the interpretation and/or the enforcement of it.


So, given that there's no DPA in the US (as far as I'm aware, there are also none in China, India, Australia, etc), how would the GDPR be enforced against an entity with no physical presence in the EU?


On paper it can’t. In practice, since the EU expects EU entities to essentially mandate GDPR compliance from their non-EU partners in order to be compliant, it’s pretty simple, at least for ecommerce.

PayPal could tell you that you must comply to accept payments from the EU, and likely in the same manner they handle everything, which means no guidance, benchmarks or clear directions, and it would be up to you to figure it out.

By PayPal I don’t mean just PayPal but any other payment processor or service provider which you are dependent on.


Yup. It's crazy to me that this law is going into effect without even such basic questions being answered.
