Newcomer I

GDPR extraterritorial enforcement

Greetings to all, I am currently busy with the GDPR course presented by (ISC)². 

 

The company I work for does not deal with the EU or any EU citizens officially, but the possibility is always there that this kind of data might make its way onto our systems. I am also involved with a few other projects that could have this kind of potential compliance issue in the future. 

 

As information security professionals this kind of compliance is our responsibility and convincing executives to heed our warnings is vital.

 

I am fully aware of all the penalties and fines, and that is great. I have spoken to a few local (South African) legal professionals and none of them have been able to answer my question directly.

 

How will the EU be able to enforce this regulation in South Africa? If a South African company hypothetically causes an EU citizen material or immaterial damage, how will the EU hold that company accountable? How will they impose the fine?

 

If this South African company just says, "I'm not paying, to hell with the EU, this is Africa", how will the EU go about this? Is there an onus on the South African government to get involved? 

 

I am still doing research on this topic, but so far I have had little success. Yes, I know it affects companies outside the EU, but my question is how this is going to be enforced.

 

I cannot convince my superiors to invest in compliance if there isn't a real threat of "non-compliance" punitive measures. 

 

If anyone has any insight, I would greatly appreciate it. 

6 Replies
Contributor I

Re: GDPR extraterritorial enforcement

Everything I have read would indicate that they cannot enforce the fines, and frankly, they have no right to in another sovereign nation.  Privacy isn't covered (yet) in any international law that I am aware of, though I am not a lawyer.  That said, they can take actions against any assets or business in the EU.  If you are truly 100% not doing business in the EU, I would not be concerned with the specifics.  That is the caveat I would put to your leadership, and they have to own that. I would also make sure to look through the privacy community in South Africa, as it seems more and more countries are putting in privacy laws, and starting with a GDPR model may get you well ahead, if it is already on the agenda of the South African government, as GDPR is the model many of them are using.

Community Champion

Re: GDPR extraterritorial enforcement

@mgorman 

 


@mgorman wrote:

Everything I have read would indicate that they cannot enforce the fines, and frankly, they have no right to in another sovereign nation.  Privacy isn't covered (yet) in any international law that I am aware of, though I am not a lawyer.  That said, they can take actions against any assets or business in the EU.  If you are truly 100% not doing business in the EU, I would not be concerned with the specifics.  That is the caveat I would put to your leadership, and they have to own that. I would also make sure to look through the privacy community in South Africa, as it seems more and more countries are putting in privacy laws, and starting with a GDPR model may get you well ahead, if it is already on the agenda of the South African government, as GDPR is the model many of them are using.


Could not agree more with your statements. We are seeing more privacy laws coming at us that include many of the concepts in GDPR, especially around the use and care of personal data. The models differ slightly in the language or definitions, but basically most are saying the same things... we are now seeing States within the US legislating new laws around privacy (the CCPA, the NY SHIELD Act, etc.) that all state that if you have data from someone who lives in my State, you must do certain things whether or not you do business here.

 

Unless governments get together and form an alliance, I am not sure how the fines, etc. will or can be imposed. Of course, if you work for a global organization, one of your subsidiaries may bear the penalty for not complying with a law in a specific state or country.

Community Champion

Re: GDPR extraterritorial enforcement

> Armandt_R (Viewer) posted a new topic in GDPR on 11-07-2019 02:41 AM

 

> I have spoken to
> a few local (South African) legal professionals and none of them have been able
> to answer my question directly.

 

Not surprising: ask a lawyer *anything,* and the answer is usually "It depends."

 

>   How will the EU be able to enforce this
> regulation in South Africa? If a South African company hypothetically causes an
> EU citizen material or immaterial damage, how will the EU hold that company
> accountable? How will they impose the fine?   If this South African company just
> says, " I'm not paying, to hell with the EU, this is Africa", how will the EU go
> about this?

 

Extraterritoriality and jurisdictional issues are always messy. Yes, the South African company can probably get away with that, but, at some point, if they want to do (any) business in the EU, they are probably in for a world of hurt.


(And, in the meantime, you can ask Meng Wanzhou how things are working out.)


............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Newcomer I

Re: GDPR extraterritorial enforcement

I can't seem to find a "reply to all" button, but thanks to everyone's insight, I appreciate it greatly. It appears that my interpretation isn't that far off then. I spoke to some more legal experts this weekend and unless our government signs a treaty with the EU to enforce GDPR, then there would be no consequences for a South African company with no other interests in the EU.

 

We do have the POPI Act, the Protection of Personal Information Act, but nobody seems to care very much for it here. 

 

What I'll do from here is to complete the course and start drafting a plan of action for the future, just to be on the safe side. 

 

Once again, thank you to everyone that replied. Hopefully I may return some knowledge in the future. Cheers from Stellenbosch, South Africa. 

Community Champion

Re: GDPR extraterritorial enforcement


@Armandt_R wrote:

...no consequences for a South African company with no other interests in the EU....


As @rslade earlier mentioned, Google "Meng Wanzhou" and consider with whom the EU has extradition treaties. Admittedly, this is a long shot, but if you manage to poke the wrong bear, governments are pretty good at making life difficult.

Newcomer I

Re: GDPR extraterritorial enforcement

I agree; that is why I try to keep the governmental bears at bay and avoid poking where possible. Unfortunately, if you google "Al-Bashir", you'll notice that our government doesn't care much for international policy, or at least not when it suits them... Not that I want to get involved in politics. If our government wants to poke bears, that's way outside of my sphere of influence and there is little that I can legally do to stop them.

 

I am actually in favour of privacy laws and the enforcement thereof. 

 

Consider this scenario and see how easily one can be guilty of an offence (applicable to my country, and to my town, Stellenbosch, at least). 

 

A medium-sized tourism company, a guest house: about 10-15 employees. They cater mostly for foreign tourists and have a lot of German visitors. They have to capture the name, surname, ID no. and credit card details, as well as dietary information.

 

Being a guest house, they don't spend a lot on IT; they have two computers, still running Windows XP and Office 2007. 

 

A data breach occurs (as it will, since most businesses don't even bother segregating their local networks), and they are liable to pay a fine according to GDPR, since there is literally nothing in place. 

 

There are many such examples in Stellenbosch, not to mention the rest of the country. If I were to bring this to their attention, I had better have something concrete to convince them of the possible fines.