GDPR outside Europe, was Whois vs GDPR, latest news

K. Scott Helms kscott.helms at gmail.com
Fri May 25 12:47:06 UTC 2018


*"PS: For anyone who came into the middle of this argument, my point
is that if you have no EU nexus, the realistic chances of the EU
taking action against you round to zero.  If you do have EU nexus, you
better behave."*

I'd say this is accurate with a few caveats and most of those won't apply
to NANOG folks.  One, if you or your company is involved in direct
marketing then you'd better pay attention now even if you don't
intentionally market to people in the EU.  Two, if you work on sensitive
PII (by the GDPR definitions) and you may have EU data subjects' PII.
Three, if you or your company are making public statements about GDPR not
applying to you or making false statements publicly about how your opt out
set up is GDPR compliant (when it can't be).

When I first was involved with international contracts we had a series of
meetings with our executives and legal.  The first thing we heard from
legal were things like, "your contracts aren't enforceable in Europe or
Asia".  When we dived into those statements what we found was that was
practically true, because enforcing them required us to go down one of two
(both expensive) pathways.  Establish a corporate identity in all the
places we wanted to do business and then we could more easily sue in the
local court system where our customers were located _or_ we could sue in US
court and then (provided we won) take that US ruling to the local courts
with jurisdiction over the customer in question.  Both were entirely
possible from a legal standpoint, but neither were practical since the cost
of taking either path would greatly exceed the value of the contract in
question.  Instead of doing that we simply set things up so that we can
quickly turn off services and we billed a month in advance rather than post
billing the way we did in North America.

What I'm getting at is that international enforcement of decisions is
expensive and while the EU has a lot of resources, lawyers, and money
they're still going to be prioritizing their "target" selection.  They're
definitely (as we see from the Facebook fine) going after the big, and in
their minds, egregious abusers of privacy.  Unless you or your company is
very large, international in nature, or doing something they'd consider
very abusive then you're not likely to be at the top of that list.  Having
said that, once things shake out and the big fish are all either compliant
or in court then the regulators will start looking down list.

In fairness, the regulators I spoke with emphasized that they're not "head
hunting" (their words) and that they don't want to harm companies that might
inadvertently be violating GDPR in small ways.  I expect that many more
warning letters will be sent than actual fines or regulatory actions this
year.


On Thu, May 24, 2018 at 6:31 PM John Levine <johnl at iecc.com> wrote:

> In article <0BB31BBB-388D-4832-85DD-30C01C187BA1 at jeffmurphy.org> you
> write:
> >There’s speculation that enforcement could occur via the FTC Privacy
> Shield program.
>
> Privacy Shield is entirely optional. Joining it requires a lot of
> paperwork and a substantial administrative fee.  If you don't do all
> that, it doesn't apply to you.  Please see my previous comment about
> people who think they understand the GDPR vs. people who actually do.
>
> https://www.privacyshield.gov/welcome
>
> Also, Privacy Shield is a retread of the Safe Harbour deal which EU
> courts invalidated in 2015.  Max Schrems, the guy who filed the case
> against Safe Harbour, has filed a similar suit against Privacy Shield,
> with Facebook as the defendant.  I wouldn't bet a lot on Privacy
> Shield lasting any better than Safe Harbour did.
>
>
> https://techcrunch.com/2018/04/13/privacy-shield-now-facing-questions-via-legal-challenge-to-facebook-data-flows/
>
> R's,
> John
>
> PS: For anyone who came into the middle of this argument, my point is
> that if you have no EU nexus, the realistic chances of the EU taking
> action against you round to zero.  If you do have EU nexus, you better
> behave.
>