On 5/23/18, 12:10 PM, "NANOG on behalf of Anne P. Mitchell Esq." <nanog-bounces@nanog.org on behalf of amitchell@isipp.com> wrote: > On May 23, 2018, at 9:59 AM, Owen DeLong <owen@delong.com> wrote: > > > >> On May 23, 2018, at 08:53, John Levine <johnl@iecc.com> wrote: >> >> In article <CAE-M_OBdDv1+DFto=h1O-ghLbs2TQ_x_P9kuw4LS24mSBaw9Ww@mail.gmail.com> you write: >>> I asked one of the EU regulators at RSA how they intended to enforce GDPR >>> violations on businesses that don't operate in their jurisdiction and >>> without hesitation he told me they'd use civil courts to sue the offending >>> companies. >> >> He probably thought you meant if he's in France and the business is in >> Ireland, since they're both in the EU. Outside the EU, on the other >> hand, ... >> >> If they try to sue in, say, US courts, the US court will ask them to >> explain why a US court should try a suit under foreign law. There is >> a very short list of reasons to do that, and this isn't on it. > > Actually, due to treaty, it is. At least according to some lawyers that have been advising ICANN stakeholder group(s). >
Also, don't forget the private right of action. Anyone can file anything in the U.S. courts... you may get it dismissed (although then again you may not) but either way, it's going to be time and money out of your pocket fighting it. MUCH better to just get compliant than to end up a test case.
Isn't "better" a factor of how much it costs to become compliant with GPDR? I'm no expert, but some of the things I've heard sounded not trivial to implement (read potentially BIG investment). -dan