Even if the regulation says:

"Non-Eu businesses processing the data of EU citizens will also have to appoint a representative in the EU."

What legal recourse does the EU have to go after a US company that does not "appoint a representative in the EU"?

I think the trick here is that should a company "appoint a representative in the EU" thinking that it's something simple to appease the EU, then they have a business presence in the UA. Once they have "a representative in the EU", then the EU has a legal entity to go after for non-compliance.

The company I work for has determined that under no circumstance will we "appoint a representative in the EU". And, if the EU attempts legal action, our defense is that EU do not apply to a US business that only does work in the US. Just because a EU citizen chooses to use our services while in the US, that does not constitute a EU business presence. (No matter what the GDPR is trying to claim.)

Take a simple example. A EU person stays at a Florida based Bed & Breakfast. And, the guest supplies his address and phone number. The GDPR 'claims' that the GDPR now applies. But, such a claim violates the the sovereignty of the USA. And, since the Bed & Breakfast does not have a presence in the EU, that sovereignty protects it.

In other words, the GDPR can claim to reach into other countries, but legally, it can not. It's just trying to scare people into compliance.

Tony Thigpen

Charles Mills wrote on 08/12/2017 10:05 AM:
My understanding is that the XBridge product was successful at this technically. CA has a new 
product in this area that is successful technically. (By "technically" I mean that the 
technology is successful in recognizing credit card numbers, SSNs, and so forth. There is more 
pattern to a credit card number than just "16 numeric digits.")

These products address files and datasets, but the same pattern recognition 
would apply to dumps.

The problem as I see it -- after taking several sessions at SHARE on data privacy -- is that the 
definition of "personal information" is endlessly elastic. Read "What constitutes 
personal data?" on

And by the way, if you are in the US and think that the GDPR is a Europe-only thing, read "Who 
does the GDPR affect?" and "What are the penalties for non-compliance?" on the same 
page. Also note the countdown clock on their home page!


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Friday, August 11, 2017 11:23 PM
Subject: Re: Scrubbing sensitive data in dumps

On Fri, 11 Aug 2017 17:09:10 -0400, Jim Mulder wrote:

  We did have a meeting in z/OS development quite a few years ago to
discuss someone's wish for this type of function for z/OS dumps.  We
concluded that in general, identifying the sensitive data to be
modified would be so problematic that it was not worth pursuing.

This is reminiscent of a question posed (here?) (years?) ago concerning 
detecting credit card numbers in data sets, with the objective of obfuscating 

OK.  Any 16 numeric digits, or packed, or 64-bit binary in range, or ...
Validate check digit?

Same answer.

Or SSNs.

For IBM-MAIN subscribe / signoff / archive access instructions,
send email to with the message: INFO IBM-MAIN

For IBM-MAIN subscribe / signoff / archive access instructions,
send email to with the message: INFO IBM-MAIN

Reply via email to