• bamboo@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    11 months ago

    That’s a really interesting point, has it been tested in court? The article is about US companies and US websites so I figured EU law was irrelevant, but I am curious to see if the EU can claim jurisdiction for actions foreign companies take outside the EU, regardless of if they have any official EU presence.

    • hoshikarakitaridia@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      11 months ago

      Well I can not give you a specific case for that, but it widely accepted that online actions against users from the EU that violate laws in the EU can get persued.

      Do you remember seeing some US websites saying “we don’t service EU users at the moment”? That’s because they didn’t want to get a lawyer so they can comply with the EU GDPR back then. I assume this is because they knew there was some precedent.

      If you are keen on it I can go digging for case law though.

      EDIT: Nevermind I literally only had to do one Google search and here’s an official link: https://gdpr.eu/compliance-checklist-us-companies/

      Note that one of the headings literally says “Why US companies must comply with the GDPR” and the answer is “because it is extra-territorial in scope”.

      • bamboo@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 months ago

        On that page you linked, they say “So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis.” So it hasn’t really been tested yet it seems. It’s true that there are extradition treaties and interpol that aid in cross-border prosecution, but that tends to be used primarily when the alleged crime happened in the prosecuting country’s jurisdiction, or the alleged crime is handled similarly in both countries. A GDPR violation by a US company wouldn’t be considered a crime at all in the US, so it’s entirely possible that they might decline to assist in prosecution.

        • hoshikarakitaridia@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          11 months ago

          Ok you wound me up now so I had a little scouring of the internet.

          Yes, I can not find case law of extradition of US based companies through US entities.

          What I can find is a couple of cases against bigger companies that also act in the realm of the EU. Google has been fined in the Netherlands for global violations if I understand correctly. Meta has been fined even a few times for global violations, enforced in Ireland.

          So yes, technically enforcement in the US is not guaranteed, but they basically can’t build up their company in the EU anymore unless they deal with it. It’s not perfect, but violations can still suck for business expansion, and that is good. and then I do have to look into the new EU data privacy laws if they changed enforcement or anything else important.

          • bamboo@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            ·
            11 months ago

            That makes sense. Companies with no presence in the EU can likely skirt the rules, but any large company with an EU presence will be compelled to follow them.