Armandt_R
Newcomer I

GDPR extraterritorial enforcement

Greetings to all, I am currently busy with the GDPR course presented by (ISC)². 

 

The company I work for does not deal with the EU or any EU citizens officially, but the possibility is always there that this kind of data might make its way onto our systems. I also am involved with a few other projects that also have this kind of potential compliance issues in the future. 

 

As information security professionals this kind of compliance is our responsibility and convincing executives to heed our warnings is vital.

 

I am fully aware of all the penalties and fines, and that is great. I have spoken to a few local (South African) legal professionals and none of them have been able to answer my question directly.

 

How will the EU be able to enforce this regulation in South Africa? If a South African company hypothetically causes an EU citizen material or immaterial damage, how will the EU hold that company accountable? How will they impose the fine?

 

If this South African company just says, "I'm not paying, to hell with the EU, this is Africa", how will the EU go about this? Is there an onus on the South African government to get involved?

 

I am still doing research on this topic, but so far I have had little success. Yes, I know it affects companies outside the EU, but my question is how this is going to be enforced.

 

I cannot convince my superiors to invest in compliance if there isn't a real threat of "non-compliance" punitive measures. 

 

If anyone has any insight, I would greatly appreciate it. 

10 Replies
mgorman
Contributor II

Everything I have read would indicate that they cannot enforce the fines, and frankly, they have no right to in another sovereign nation.  Privacy isn't covered (yet) in any international law that I am aware of, though I am not a lawyer.  That said, they can take actions against any assets or business in the EU.  If you are truly 100% not doing business in the EU, I would not be concerned with the specifics.  That is the caveat I would put to your leadership, and they have to own that. I would also make sure to look through the privacy community in South Africa, as it seems more and more countries are putting in privacy laws, and starting with a GDPR model may get you well ahead, if it is already on the agenda of the South African government, as GDPR is the model many of them are using.

dcontesti
Community Champion

@mgorman 

 


@mgorman wrote:

Everything I have read would indicate that they cannot enforce the fines, and frankly, they have no right to in another sovereign nation.  Privacy isn't covered (yet) in any international law that I am aware of, though I am not a lawyer.  That said, they can take actions against any assets or business in the EU.  If you are truly 100% not doing business in the EU, I would not be concerned with the specifics.  That is the caveat I would put to your leadership, and they have to own that. I would also make sure to look through the privacy community in South Africa, as it seems more and more countries are putting in privacy laws, and starting with a GDPR model may get you well ahead, if it is already on the agenda of the South African government, as GDPR is the model many of them are using.


Could not agree more with your statements. We are seeing more privacy laws coming at us that include many of the concepts in GDPR, especially around the use and care of personal data. The models differ slightly in the language or definitions, but basically most are saying the same things. We are now seeing States within the US legislating new laws around privacy (the CCPA, the NY SHIELD Act, etc.) that all state that if you have data from someone who lives in my State, you must do certain things, whether or not you do business here.

 

Unless Governments get together and form an alliance, I am not sure how the fines, etc. will or can be imposed. Of course, if you work for a Global organization, one of your subsidiaries may bear the penalty for not complying with a law in a specific state or country.

rslade
Influencer II

> Armandt_R (Viewer) posted a new topic in GDPR on 11-07-2019 02:41 AM

 

> I have spoken to
> a few local (South African) legal professionals and none of them have been able
> to answer my question directly.

 

Not surprising: ask a lawyer *anything,* and the answer is usually "It depends."

 

>   How will the EU be able to enforce this
> regulation in South Africa? If a South African company hypothetically causes an
> EU citizen material or immaterial damage, how will the EU hold that company
> accountable? How will they impose the fine?   If this South African company just
> says, " I'm not paying, to hell with the EU, this is Africa", how will the EU go
> about this?

 

Extraterritoriality and jurisdictional issues are always messy. Yes, the South African company can probably get away with that, but, at some point, if they want to do (any) business in the EU, they are probably in for a world of hurt.


(And, in the meantime, you can ask Meng Wanzhou how things are working out.)


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Armandt_R
Newcomer I

I can't seem to find a "reply to all" button, but thanks to everyone's insight, I appreciate it greatly. It appears that my interpretation isn't that far off then. I spoke to some more legal experts this weekend and unless our government signs a treaty with the EU to enforce GDPR, then there would be no consequences for a South African company with no other interests in the EU.

 

We do have the POPI Act, the Protection of Personal Information Act, but nobody seems to care very much for it here.

 

What I'll do from here is to complete the course and start drafting a plan of action for the future, just to be on the safe side. 

 

Once again, thank you to everyone that replied. Hopefully I may return some knowledge in the future. Cheers from Stellenbosch, South Africa.

denbesten
Community Champion


@Armandt_R wrote:

...no consequences for a South African company with no other interests in the EU....


As @rslade earlier mentioned, Google "Meng Wanzhou" and consider with whom the EU has extradition treaties. Admittedly, this is a long shot, but if you manage to poke the wrong bear, governments are pretty good at making life difficult.

Armandt_R
Newcomer I

I agree, that is why I try to keep the governmental bears at bay and avoid poking where possible. Unfortunately, if you google "Al-Bashir", you'll notice that our government doesn't care much for international policy, or at least not when it suits them... Not that I want to get involved in politics. If our government wants to poke bears, that's way outside of my sphere of influence and there is little that I can legally do to stop them.

 

I am actually in favour of privacy laws and the enforcement thereof. 

 

Consider this scenario and see how easily one can be guilty of an offence (applicable to my country, in my town, Stellenbosch at least). 

 

A medium-sized tourism company, a guest house: about 10 - 15 employees. They cater mostly for foreign tourists and have a lot of German visitors. They have to capture the name, surname, ID number and credit card details, as well as dietary information.

 

Being a guesthouse, they don't spend a lot on IT; they have two computers, still running Windows XP and Office 2007.

 

A data breach occurs (as it will, since most businesses don't even bother segregating their local networks), and they are liable to pay a fine according to GDPR, since there is literally nothing in place.

 

There are many such examples in Stellenbosch, not to mention the rest of the country. If I were to bring this to their attention, I had better have something concrete to convince them of the possible fines.

JLVigouroux
Viewer II

GDPR Article 3 and particularly 3-3 "Territorial Scope of the GDPR" answers your question. 

If I understand correctly, your group (let's define it as your company and all of its affiliates) is not established in the EU, is not offering any service to EU data subjects (even from abroad), is not processing any EU data subject's personal data and is not monitoring EU data subjects' behaviour.

And your group has no affiliates inside a country where international agreements with the EU exist.

If so, then your company should not be concerned by GDPR.

To be sure about the agreements, you should ask a specialized lawyer, giving them the list of countries in which your group operates.

Another reflection could be to consider and compare POPIA (South Africa's Protection of Personal Information Act 2013) to GDPR, so that you can evaluate the difference in investment needed to cover one and the other. This could help your answer.

Last but not least, do not forget your group's medium-term development strategy...

Remark:

Note that GDPR applies not only to EU citizens but also to EU residents or visitors... In fact, it applies to anyone who is on EU territory. Professional contact data is also personal data.

Note as well that you should consider the amount of EU personal data you could be processing and the risk for these data subjects concerning their personal data. Is it a high risk?

 

iluom
Contributor II


In your case, the data controller (could be the data processor as well) is not established in the EU, the data subject does not reside or stay in the EU and the data subject is not travelling in the EU, so GDPR does not apply. As simple as that.
However, you need to consider your country's privacy laws and regulations, if there are any, to be compliant with...

 

 

Does the processing relate to the offering of goods or services of any kind, as given below?
Does the controller pay a search engine operator for access to the site by consumers in the EU?
Is there marketing or advertising in the EU?
Are there dedicated addresses or phone numbers in the EU?
Is there use of a language or a currency of an EU state?
Is there delivery of goods in the EU?


Does the processing relate to the monitoring of behaviour in the EU?
Is there behavioural advertisement?
Are there geo-localization activities?
Is there online tracking through cookies?
Are there market surveys or other behavioural studies?
Is there monitoring or regular reporting on an individual's health status?

 

If the answer is NO for these questions, then GDPR is not applicable.

Chandra Mouli, CISSP, CCSP, CSSLP
Caute_cautim
Community Champion

Hi All

 

I work for a global organisation, which spans the world in multiple countries and centres. GDPR is taken very seriously indeed, as we tend to work across borders in Europe, the USA, Japan, Australia and many others.

 

We have been well prepared internally via the dedicated Privacy team, with various assessments, and every time we engage, GDPR is part of that. It involves every part of the business.

 

A lot of the problems are cross-border information and interactions: where does the data reside, does it belong to a European entity, and will they request, as they can, "what information are you holding on me", etc.

 

From a penalties perspective, we have fully adopted GDPR, and those privacy legislations, wherever they reside.

 

Penalties mean bad PR, loss of reputation and trust. So we take it very seriously indeed.

 

So I come from the opposite position, i.e. paranoia, and in fact it is inherently part of our Business Conduct Guidelines (BCGs).

 

Regards

 

Caute_Cautim