GDPR’s Legal Reach, the long arm of EU regulations

Is your company US-based and assuming that GDPR doesn't have an impact since you don't have offices in the EU? Wrong!

Kristina Podnar
April 26, 2018

There are 29 days and counting  until the EU’s General Data Protection Regulation (GDPR) comes into effect.  How are you feeling?  You might be feeling good about how your organization communicates and markets to EU prospects and customers. Or you might be closing your eyes really hard, like when you were three and afraid of the monster in the closet, hoping GDPR will be gone by the time you open them. Then again, you might fall into a third category of digital managers and directors who are ignoring GDPR completely and repeating the mantra “It is an EU thing and I am in the US. What can they do to me?”


If you are continuing on your GDPR journey, congratulations and best of luck for continued progress! If you haven’t started yet or are holding out because you think the EU’s arm of the law can’t reach you in one of the 50 US states, let me help you.  While I am not a lawyer, here is some useful legal information from a  digital policy perspective:


1.     Not worried about EU citizens suing you because they aren’t US citizens? In America, the right to  make legal claims is not affected by citizenship. This means that a foreign citizen can sue your US-based company for violation of their privacy rights. While many have argued that a US court would not enforce an EU-law, there are similar privacy violations (think Children’s Online Privacy Protection Act, or COPPA) that apply in the US and can form the basis of a suit. Just because someone is a foreign citizen does not mean they cannot  file a complaint in the US.

2.     Not concerned about being taken to court for violating a single person’s privacy? You might want to speak with your legal representative about the potential of a class action suit, as the requirements to file one in the US are far lower than a criminal or civil complaint. For example, if you were to collect the names, email addresses, mailing addresses, and phone numbers of 40 tourists who are taking a summer excursion to the US and continue to market and target them once they return to the EU, the group could file a civil lawsuit in the US.

3.     Not troubled because it is far-fetched that any EU subject would take up a case in the US given that it is costly and a potential challenge? Note that someone in an EU country could sue you under their country law and look for enforcement of the judgement in the US. While the US is not required to enforce foreign court judgements, there are conventions in place that support US court enforcement of arbitration awards (see the New York Convention and the Panama Convention). This means that if an EU subject sought foreign arbitration with a complaint under GDPR, awards issued in alignment with the New York and Panama Conventions could be enforced.


The legal ramification of GDPR and its reach in the US is just another incentive for your organization to come to terms with the mandate and ensure prospect and customer privacy. If you get it right, not only do you protect yourself legally, but your organization could see profitable spin-offs in areas such as data governance and customer trust. And that seems like a legal, and financial, win!

Image Credit: NASA

Related industries:
Related functions: