wyrick.com

Could Data Subjects or EU Supervisory Authorities Use the US Court System to Enforce GDPR?

United States companies without a presence in Europe often ask us whether they need to comply with GDPR.  Often the answer (as with most things GDPR) is that it’s complicated. 

Under Article 3 of GDPR, the law applies to an organization without an “establishment” in Europe if that organization processes the personal data of individuals in the EU in connection with either (i) “the offering of goods or services” to those individuals, or (ii) the “monitoring of their behavior” within the EU. 

The law makes clear that merely operating a website accessible to individuals in the EU is not enough to trigger those criteria.  But according to the European Data Protection Board (EDPB), it may not take too much more: late last year the EDPB issued Guidelines that take an expansive view of GDPR’s territorial scope under Article 3.  They suggest, for example, that a US cloud storage provider that does not itself direct any activities toward the EU can still fall within GDPR’s territorial scope if its customers use the provider’s services as part of an app targeted toward individuals in the EU.

The broad language used in Article 3, combined with the EDPB’s expansive interpretation of its scope, suggest a desire by EU authorities to apply and enforce GDPR beyond the EU’s borders.  But can that desire translate into successful enforcement of GDPR against US companies that don’t have a presence in Europe?  

Last week, the Sedona Conference Working Group Eleven on Data Security and Privacy Liability (WG11) published a paper for public comment that looks at that question.  In its Commentary on the Enforceability in US Courts of Orders and Judgments Entered under GDPR, WG11 explores whether and how an individual or supervisory authority who obtains an order or judgment in the EU against a US organization for violating GDPR can then enforce that order or judgment in a US court.[1] 

This post summarizes some key takeaways from the Sedona Conference Commentary, and their implications for US organizations without an establishment in the EU who are seeking to understand the risks that GDPR might pose to their business.

Data Subject Claims and Judgments for Compensatory Damages under GDPR Article 82

GDPR gives individuals who suffer damages as a result of a controller or processor’s violation of GDPR the right to recover compensation through proceedings in an EU member country court.  That aspect of GDPR has already led to US-style data breach class actions in the UK, including most recently one against EasyJet that seeks up to £18 billion ($22 billion) in damages.

Could an enterprising EU plaintiff in one of these class actions obtain a judgment in an EU court against a US company and then enforce that judgment through a lawsuit in a US court?

WG11’s analysis in the Commentary suggests it’s possible.  As the Commentary explains, there is an established body of US law that sets out the rules for the recognition and enforcement of foreign judgments by US courts.  Rooted in the principles of international comity, those rules will generally permit a US court to enforce a foreign judgment that grants or denies a sum of money and is final, conclusive, and enforceable in the rendering country.  Data subject compensation claims that have been adjudicated by an EU court could meet those criteria.  Thus, a prevailing plaintiff in the EU could potentially enforce a resulting judgment against a US defendant through the US court system—even if the US defendant doesn’t have an establishment in Europe.    

GDPR Administrative Fines and the Rule Against Recognizing Foreign Fines and Penal Judgments

According to the Commentary’s analysis, the same is likely not true for the massive administrative fines that supervisory authorities in the EU can issue against GDPR violators.  That’s because the rules on the recognition and enforcement of foreign judgments by US courts generally exclude foreign judgments for the collection of taxes, fines, or penalties. 

As the Commentary explains, the test for applying this exception is whether the judgment is in favor of a foreign state and is “primarily punitive rather than compensatory in character.”  Administrative fines under GDPR would appear to fit that bill: as the Article 29 Working Party recognized in its Guidelines on the Application and Setting of Administrative Fines, one of the key goals of such fines is to “punish unlawful behavior.”    

This rule against enforcing foreign fines and penal judgments is not, however, always mandatory.  The Commentary notes that a US court could, in theory, choose to recognize and enforce a judgment imposing an administrative fine against a US company and in favor of an EU supervisory authority under common law principles.  But as the Commentary also observes, such a move would be unprecedented: no US court appears ever to have enforced a foreign judgment or order that would require payment of a fine to a foreign government body—at least without an applicable international treaty.

In short, under the Commentary’s analysis, while an EU supervisory authority could issue an order imposing an administrative fine against a US company without an EU establishment, that supervisory authority would not likely be able to use the US court system to collect if the company doesn’t pay.

Other Corrective Orders

Along with data subject compensation claims and administrative fines, GDPR also contemplates that EU supervisory authorities can issue various other orders as part of their “corrective powers” under GDPR Article 58.  Those can include orders requiring a controller or processor to bring their personal data processing into compliance with GDPR, and orders imposing bans or limitations on processing, or on the transfer of personal data to countries outside the EU.

According to the Commentary, these orders are also unlikely to be enforceable through the US court system, for three reasons:

  • US law generally only recognizes foreign “judgments” that are final and conclusive, and would be unlikely to extend to administrative orders;
  • US law generally only recognizes foreign judgments that grant or deny recovery of a sum of money; and  
  • Nonmonetary corrective orders, if they are meant to punish the GDPR violator, could conflict with the above-mentioned rule against recognizing foreign penal judgments.

Defenses Available to US Organizations

Even if an EU plaintiff or supervisory authority can establish that a particular GDPR judgment or order issued in the EU can be recognized in a US court, as the Commentary notes, a US defendant would still have several potential defenses in any enforcement action.   

The US defendant can argue, for example, that the EU forum in which the judgment was rendered lacked personal jurisdiction over it.  If the defendant can make that showing, the US court is prohibited from recognizing the judgment entered against that defendant.  But a defendant can waive that jurisdictional defense in several ways, including, the Commentary predicts, by appointing a representative in the EU under GDPR Article 27, or a Data Protection Officer in the EU under GDPR Article 37. 

Another potential defense is that the foreign judgment is “repugnant to the public policy” of the United States.  As the Commentary observes, that defense could be useful in cases involving GDPR’s much-touted “right to be forgotten,” which could in some cases conflict with the First Amendment to the US Constitution. 

Looking Ahead

The EDPB’s aggressive interpretation of GDPR’s extraterritorial scope under GDPR Article 3 suggests that EU supervisory authorities may have more of an appetite for extraterritorial enforcement than the brief history of the law would otherwise suggest.  The Sedona Conference’s Commentary offers answers to some key questions about how that enforcement might work in practice here in the US.  It’s worth a read for any US-based organization seeking to understand its GDPR exposure.  And if you’re so inclined, the Sedona Conference is seeking comments from the public on the Commentary through August 31. 
[1] Full disclosure: the author is a WG11 member and was the Editor-in-Chief for the Commentary.