I don't think, in general the DPAs need to use lawsuits. If they discover (by their own, or by means of a customer claim) that a company (never mind is from the EU or outside) is not following the GDPR, they will just fine it and the corresponding government authorities are the responsible to cash the fine, even with "bank account embargos". If the company is outside the EU, but there are agreements with that country, they can proceed to that via the third country authorities. Same as when you don't pay a traffic fine in the EU and you are from non-EU countries (some allow the embargo, others not). This has been happening, in most of the EU countries for a while. In recent months, the Spanish DPA has ordered fines of 600.000 euros (with the previous law, LOPD), to companies such as Facebook, Google, Whatsapp, and many others ... Regards, Jordi -----Mensaje original----- De: NANOG <nanog-bounces@nanog.org> en nombre de Nick Hilliard <nick@foobar.org> Fecha: sábado, 26 de mayo de 2018, 11:29 Para: Seth Mattinen <sethm@rollernet.us> CC: <nanog@nanog.org> Asunto: Re: Whois vs GDPR, latest news Seth Mattinen wrote on 26/05/2018 08:41: > Good luck getting multiple millions worth of fines out of small > businesses that never even touch a million a year in revenue, let alone > the added expenses of trying to do all the crap GDPR thinks everyone can > suddenly afford out of nowhere. You can put the straw man away - Europe isn't the US. No Data Protection Authority in Europe is going to sue a mom & pop business in the US for millions because they haven't clarified their cookies policy. The upper limits of the fines are aimed at the robber barons of the world. The DPAs in Europe are for the most part lawsuit-averse and engage with companies to build alignment rather than taking the punitive approach and liberally dishing out lawsuits and fines. The emphasis on GDPR compliance is aiming at reasonable steps rather than pretending that every organisation is going to end up redesigning their entire existence around GDPR on may 25. Nick ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.consulintel.es The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.