At this point, it is no secret that many US companies will be subject to the GDPR. Under the GDPR, EU regulators will have the authority to punish noncompliance by imposing hefty fines, issuing injunctions, assessing bans on processing, and suspending international data transfers.

In practice, such enforcement measures could devastate a product, service, or business.

Many US companies may still be wondering:

How can regulators enforce the GDPR on companies in the United States?

The answer, at this point, depends on principles of jurisdiction and international law. In general, international law distinguishes between the ability to apply law and the ability to enforce it extraterritorially. As such, even if the GDPR is applicable to certain conduct, penalties for violating the law may or may not reach beyond EU member states.

  • While a US-EU civil enforcement mechanism for the GDPR doesn't yet exist, a cooperation agreement is possible in the future.
  • Without such an agreement, through the doctrine of comity, US courts will grant extraterritorial effect to the valid judgments of foreign courts. However, the US court must first be satisfied that the foreign court properly had jurisdiction over the matter and that the judgment was not contrary to public policy.
  • Only time will tell whether the GDPR satisfies these requirements.

This analysis relates to enforcement for GDPR noncompliance in general. However, some violations of the GDPR may also be violations of the EU-US Privacy Shield Framework for the transfer of personal information from the EU to the US. In those instances, the FTC has indicated that it will enforce the Privacy Shield against US companies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.