Does using overseas hosting break GDPR?

That’s the question though. If a company is solely a US company, and they break GDPR by leaking an EU citizen’s data, how would the EU penalize / fine them since they don’t have jurisdiction in the US?

Here’s one opinion:

How the EU Will Fine US Companies for GDPR Compliance Violations (spiceworks.com)


Yeah, especially as you cannot visit them.


I don't understand the problem?
There are international rules and contracts that take care of a functioning international law system.
At least between more or less civilized countries…

I find it fascinating how all of it seems to be speculation at this point, with the only fines levied so far being against US companies that basically have EU subsidiaries / divisions.

This is an interesting note though (https://www.clarip.com/data-privacy/gdpr-united-states/)

The first insight into the approach that may be taken to GDPR enforcement by a DPA in cases of US companies came out of the United Kingdom in November 2018. The UK ICO issued a warning to the Washington Post over how it was obtaining consent for cookies. The ICO concluded that consent was not freely given under GDPR Article 7 because the paper did not offer a free alternative to accepting cookies. However, the ICO noted that there was little that it could do if the Washington Post decided not to change its practices. This comment by the ICO leaves its ability and likelihood to bring enforcement actions in doubt.

Even with treaties and such, I would think that US courts would be very sketchy on participating in enforcement on any organization that wasn’t already pretty much de facto a major international player.

Dream on!
It is a long tradition that the US and Europe work hand in hand on most issues regarding law enforcement.
If a US court rules against a European person/company, it could be enforced within Europe, and vice versa.

If you think US companies can store information about EU citizens without being vulnerable to GDPR, I think you have a very different risk tolerance than we do at my consultancy, but that tracks. We mostly work with government agencies, including some with data that are considered “high value targets”.
Naturally, that means that we will advise our customers to be very restrictive.

I think any EU court you wished to try that interpretation in would find against you, though, so I’m going to give you some unpaid advice: have that interpretation backed up by someone else before you give it to someone in a professional capacity - cover your ass :)
