*"PS: For anyone who came into the middle of this argument, my point is that if you have no EU nexus, the realistic chances of the EU taking action against you round to zero. If you do have EU nexus, you better behave."*

I'd say this is accurate with a few caveats, and most of those won't apply to NANOG folks. One, if you or your company is involved in direct marketing, then you'd better pay attention now even if you don't intentionally market to people in the EU. Two, if you work on sensitive PII (by the GDPR definitions) and you may have EU data subjects' PII. Three, if you or your company are making public statements about GDPR not applying to you, or making false statements publicly about how your opt-out setup is GDPR compliant (when it can't be).

When I first was involved with international contracts, we had a series of meetings with our executives and legal. The first thing we heard from legal were things like, "your contracts aren't enforceable in Europe or Asia". When we dived into those statements, what we found was that that was practically true, because enforcing them required us to go down one of two (both expensive) pathways: establish a corporate identity in all the places we wanted to do business, and then we could more easily sue in the local court system where our customers were located, _or_ we could sue in US court and then (provided we won) take that US ruling to the local courts with jurisdiction over the customer in question. Both were entirely possible from a legal standpoint, but neither was practical, since the cost of taking either path would greatly exceed the value of the contract in question. Instead of doing that, we simply set things up so that we can quickly turn off services, and we billed a month in advance rather than post-billing the way we did in North America.
What I'm getting at is that international enforcement of decisions is expensive, and while the EU has a lot of resources, lawyers, and money, they're still going to be prioritizing their "target" selection. They're definitely (as we see from the Facebook fine) going after the big, and in their minds egregious, abusers of privacy. Unless you or your company is very large, international in nature, or doing something they'd consider very abusive, then you're not likely to be at the top of that list. Having said that, once things shake out and the big fish are all either compliant or in court, then the regulators will start looking down the list. In fairness, the regulators I spoke with emphasized that they're not "head hunting" (their words) and that they don't want to harm companies that might inadvertently be violating GDPR in small ways. I expect that many more warning letters will be sent than actual fines or regulatory actions this year.

On Thu, May 24, 2018 at 6:31 PM John Levine <johnl@iecc.com> wrote:
In article <0BB31BBB-388D-4832-85DD-30C01C187BA1@jeffmurphy.org> you write:
There’s speculation that enforcement could occur via the FTC Privacy Shield program.
Privacy Shield is entirely optional. Joining it requires a lot of paperwork and a substantial administrative fee. If you don't do all that, it doesn't apply to you. Please see my previous comment about people who think they understand the GDPR vs. people who actually do.
https://www.privacyshield.gov/welcome
Also, Privacy Shield is a retread of the Safe Harbour deal which EU courts invalidated in 2015. Max Schrems, the guy who filed the case against Safe Harbour, has filed a similar suit against Privacy Shield, with Facebook as the defendant. I wouldn't bet a lot on Privacy Shield lasting any better than Safe Harbour did.
https://techcrunch.com/2018/04/13/privacy-shield-now-facing-questions-via-le...
R's, John
PS: For anyone who came into the middle of this argument, my point is that if you have no EU nexus, the realistic chances of the EU taking action against you round to zero. If you do have EU nexus, you better behave.