You’re going to get downvoted for that comment, but you do raise a legitimate question of enforceability. Sure, the EU can say any company in the world that has EU residents’ data should comply with GDPR. But... or what exactly? The EU doesn’t have the power to fine companies outside of its jurisdiction. I mean, they can try. But as far as I know there is no enforceability to ensure that the company actually pays the fine.
For larger companies with offices in the EU (especially the ones headquartered there for tax purposes), they obviously have no choice but to comply. But what about a small startup, with its only domicile and employees in the US?
What exactly could the EU do to punish a startup in that case? Unless they have some enforceability treaty with the US, I don’t see how they have any legal ground to extract fines for arbitrary laws defined in their jurisdiction. The worst they could do is ask EU ISPs and/or payment networks to block the offending sites, right?
Corporate counsel, who actually went to many of the lead-up conferences for GDPR, said the data authorities from many member countries didn’t even hesitate before saying they would file civil lawsuits against non-EU companies.
Such a suit could be ignored too, but it would certainly be a PITA for vacationing executives who get locked up in Italy for an outstanding summary judgement.
I won't DV anyone. I use an addon that hides the down arrows. [0]
I suppose when I asked the question, I was assuming internet businesses for the most part don't isolate themselves to a specific region, so their reply probably makes more sense for the businesses that operate in a small locality. Perhaps they have such a business. I should have considered that prior to asking.
Where this might start to get interesting is if people use infrastructure that is in multiple regions and that infrastructure provider has an agreement to block companies that do not comply. So if AWS, for example, had such an agreement, then non-compliant companies could find their sites broken, even if they are only hosted in the U.S. Not that this would ever happen, but it could.
If they have significant business in the EU then they can be fined regardless of size but the rules indicate that working towards compliance can go a long way to reducing the size or even existence of fines. Plus to get to that stage you have to ignore someone's request to remove their personal data.
It applies to companies that do business in the EU. They could at least seize any assets that you have in the EU, including future profits there. If you don't do any business in the EU to disrupt then this doesn't apply to you anyway.