Fines under EU GDPR in non-EU jurisdictions: Enforceable or Mere Reputation Risk?

Mostafa Al Khonaizi
Vol. 40 Executive Editor

It has been five months since the European Union’s General Data Protection Regulation (“GDPR”) took effect in May 2018.[1] It is the most recent technology law regulation worldwide, and it pushes aside its predecessor, the EU Data Protection Directive (“DPR”), enacted in 1995 before the contemporary proliferation of social media and data transfers.[2] The DPR was a directive, under which EU member states had wide discretion in policy-making strategies and decisions.[3] The GDPR, on the other hand, is highly substantive and provides Data Protection Authorities (“DPAs”) with the authority to impose hefty fines for non-compliance or violations by data controllers or processors, such as tech companies or governmental agencies.[4] The fines go up to 20 million euros or 4% of revenue, whichever is higher.[5] The GDPR provides comprehensive guidance to EU member states on how to impose regulations, monitor entities, track complaints, conduct investigations, and impose fines or warnings, and it requires justification for deviations from such guidance.[6] It seeks to provide consistent ground and an optimal balance between the private rights of EU citizens and the ability to conduct business within the EU.[7] Yet, since the GDPR’s implementation, not a single DPA has issued a fine against any entity, despite the rapid increase in complaints received.[8] DPAs have, however, issued several notices to data controllers notifying them of violations and requesting a prompt response and a timeline, to avoid escalation to a fine.[9] This is consistent with the EU’s approach to regulation, as it fulfills the objective of ensuring the highest rate of compliance and resorts to fines only as punitive measures. Or perhaps the European Data Protection Board, the EU body responsible for GDPR oversight,[10] is reserving its resources to regulate behemoths like Facebook and Google.[11] No doubt the risk of incurring a fine is imminent and enforceable for EU entities or foreign businesses with EU representation.
The question remains open whether such fines are enforceable in non-EU jurisdictions against actors that have no presence in the EU but deal with EU citizens’ data. GDPR enforcement, like that of similar regulations (national regulations with international scope), turns to international law to enforce its provisions and penalties against violators.[12] Principles of jurisdiction under international law determine how the EU can exercise jurisdiction and whether such authority is lawful.[13] Enforcing the GDPR in non-EU jurisdictions falls under the effects doctrine, which considers the assertion of jurisdiction “with regard to the conduct of a foreign national occurring outside the territory a State which has a substantial effect within that territory,” while not requiring any element of the conduct to take place in the State.[14] This is the most controversial basis for asserting jurisdiction in international law, but it has been used to regulate inherently ubiquitous and cross-jurisdictional subject matter such as the internet.[15] Unlike other regulations that target industries with a comprehensive national regulatory framework, enforcement of GDPR fines and penalties may prove difficult in jurisdictions where technology and data protection regulations are virtually non-existent, let alone in agreement with the EU’s approach to data protection. In all cases, the EU needs to rely on other jurisdictions’ authorities to enforce its fines and judgements against entities outside the EU. Several non-EU jurisdictions, Canada and Israel for example, are deemed by the European Commission to have adequate data protection laws, so that, for compliance purposes, data processors and controllers can transfer data freely from the EU to them.[16] These jurisdictions, whose data protection measures are adequate for compliance with the GDPR, can also be said to be in agreement with EU privacy laws and to have an interest in enforcing fines where applicable.
The issue, however, gets more complicated when a non-EU jurisdiction (like the United States) has various technology businesses that deal with cross-jurisdictional data transfers but lacks comprehensive data protection laws comparable to the GDPR.[17] The European Commission recognized the role of the U.S. market in data analytics and technology innovation and established the EU-US Privacy Shield agreement (the “Privacy Shield”) initiatives in collaboration with the Federal Trade Commission and the U.S. Department of Commerce.[18] The Privacy Shield, as a regulatory framework, sets ground rules for data transfers between the EU and the United States and binds businesses voluntarily registered in the Privacy Shield to EU enforcement actions under the GDPR, including fines and injunctions.[19] If, on the other hand, a U.S. business is not registered in the Privacy Shield, a court will enforce an international judgement only if the GDPR judgement does not implicate constitutional rights, rights established under federal or state law, or public policy considerations.[20] An illustrative example would be a U.S. media company asserting First Amendment rights against a GDPR fine or judgement issued by a DPA. If the U.S. courts side with the media company, the GDPR fine is effectively unenforceable. The media company might nonetheless still comply for the sake of its reputation, as other businesses might, after the GDPR judgement, see its data protection compliance as subpar to normative international standards. The company might also lose significant business prospects by failing to comply with the GDPR, as other U.S. businesses registered under the Privacy Shield are pressured to avoid conducting business with it, since doing so exposes them to the risk of non-compliance with the GDPR. Prospects of GDPR enforcement are diminished significantly in a non-EU jurisdiction with no comparable data protection regulations and no agreement with the European Commission such as the Privacy Shield.
The question then becomes whether extraterritorial regulations are enforced in such a jurisdiction by local courts, which consider idiosyncratic public policy concerns, analogous local data protection regulations, and any relevant agreement with the EU (e.g. a Memorandum of Understanding).[21] In conclusion, no fines have been issued yet, and it is highly unlikely that fines will be issued against non-EU entities lacking EU representation. Issuing fines against potentially unreachable entities might undermine the severity of the message the EU is sending to data controllers and processors by implementing legislation such as the GDPR. Rather, the more predictable event, and the one that follows sound policy, is the imposition of fines against internationally known and massive actors who are conclusively under EU jurisdiction, to strengthen enforcement efforts and the GDPR’s perceived reach. The unpredictability of GDPR enforcement underscores the role this regulation plays internationally: not a comprehensive framework that can regulate data privacy internationally, but a state-of-the-art standard that should be seriously considered and followed by non-EU jurisdictions to ensure consistent enforcement worldwide.

[1] Kurt Wimmer, The Long Arm of the European Privacy Regulator: Does the New EU GDPR Reach U.S. Media Companies?, Comm. Law., Summer 2017, at 16.

[2] Council Directive 95/46, 1995 O.J. (L 281) 31. See generally Paul M. Schwartz, European Data Protection Law and Restrictions on International Data Flows, 80 Iowa L. Rev. 471, 480 (1995).

[3] Jan Philipp Albrecht, How the GDPR Will Change the World, 2 Eur. Data Prot. L. Rev. 287 (2016).

[4] Council Directive 2016/679, arts. 24, 28, 83, 2016 O.J. (L 119) 1; see also Charlie Osborne, UK Issues First-ever GDPR Notice in Connection to Facebook Data Scandal, ZDNet (Sep. 25, 2018).

[5] Id.

[6] Albrecht, supra note 3.

[7] Id. at 288.

[8] Robin Kurzer, GDPR Complaints Stack Up Across the EU as Regulators Prepare to Issue Fines, Martech (Oct. 10, 2018).

[9] See, e.g., id.; Osborne, supra note 4.

[10] Council Directive 2016/679, art. 70, 2016 O.J. (L 119) 1.

[11] See Case C-131/12, Google Spain v. AEDP, 2014 E.C.R. 317 (May 13, 2014); Case C-362/14, Schrems v. Data Prot. Comm’r, 2015 E.C.R. 650 (Oct. 6, 2015) (the European Court of Justice invalidated the Safe Harbor Decision on which Facebook relied to execute its cross-jurisdictional data transfers). See also Vivienne Walt, Europe’s Top Court Just Gave U.S. Tech Firms a Huge Headache, Fortune (Oct. 6, 2015).

[12] Wimmer, supra note 1.

[13] Int’l Law Comm’n, Rep. on the Work of Its Fifty-Eighth Session, U.N. Doc. A/61/10, at 520–523 (2016).

[14] Id. at 523.

[15] Id. at 525 n.29.

[16] General Data Protection Regulation (GDPR), Third Countries, GDPR (Oct. 30, 2018).

[17] Id.

[18] Paul M. Schwartz & Karl-Nikolaus Peifer, Transatlantic Data Privacy Law, 106 Geo. L.J. 115, 163 (2017). See also Patrick Nohe, The GDPR and Privacy Shield – Compliance for US Businesses, Hashed Out (Mar. 30, 2018).

[19] U.S. Dep’t of Com., EU–U.S. Privacy Shield Framework Principles 7 (2016).

[20] See Matusevitch v. Telnikoff, 877 F. Supp. 1, 2 (D.D.C. 1995) (summary judgement granted against libel cause of action since it is “repugnant to the public policies of the State of Maryland and the United States”); Mata v. Am. Life Ins. Co., 771 F. Supp. 1375, 1384 (D. Del. 1991) (court declined to recognize foreign judgment as the process failed to comport with the due process clause of the Fourteenth Amendment); Abdullah v. Sheridan Square Press, Inc., No. 93CIV.2515 (LLS), 1994 WL 419847, at *1 (S.D.N.Y. May 4, 1994) (defamation cause of action under British law dismissed since it opposed First Amendment case law).

[21] See generally RV Anuradha, India: What the European Union’s Data Protection Rules Mean for Your Business, Mondaq (Sep. 18, 2018).

The views expressed in this post represent the views of the post’s author only.