On 21 Nov 2018, at 9:03, Rupert Gallagher wrote:
On Wed, Nov 21, 2018 at 03:41, John Hardin <jhar...@impsec.org> wrote:
[...]
The US is not a signatory to the GDPR as far as I am aware, and I have
*no* legal presence outside the US.
The US signed a bilateral agreement with the EU:
https://www.privacyshield.gov/
It's widely misunderstood how hard it is for the US government to
enforce the laws of other countries on US people and companies.
Participation in Privacy Shield is an entirely voluntary program and the
only punishment for a self-certifying entity that claims to be complying
is that if the FTC determines that they persist in non-compliance, they
are removed from the list of complying entities and added to a list of
persistent non-compliers. Beyond that, the only punishment would be if
they continue to claim participation in Privacy Shield (i.e. simple
fraud.)
There is no reason for anyone without a commercial presence in the EU or
CH to be concerned with GDPR.