@Tony, thanks for starting a new thread. I was about to do so, realizing I had 
hijacked a perfectly good dump-scrubbing thread.

There was a lot of "how are they going to enforce it on us?" at the SHARE 
sessions. My reply was "if you have deep pockets, I'm sure there is a team of 
lawyers that would be happy to help you be a test case." I'm not a lawyer, but 
my daughter is (albeit not an international justice lawyer) and might have some 
experience in this area. I am with her next week and will ask her.

The borderline examples are myriad. Here was mine. You are a bank. A customer 
checks off US citizen on the account form and gives a US address. But she also 
is an EU National and has an EU residence. You would have no way of knowing 

And pity the poor Brits! Brexit comes *after* the effective date of GDPR, so 
they have to make all the preparations for a law that will soon not affect them.

There was discussion about how you would erase every trace of someone's 
existence if you have DB2 volume backup tapes buried deep in Iron Mountain. And 
what if the lawyers were also telling you "you can't erase that -- we have an 
open discovery action going on that"?

I thought the most interesting observation came from two different companies 
that said "we have to implement this -- so we might just as well do it for all 
of our customers."


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tony Thigpen
Sent: Saturday, August 12, 2017 12:21 PM
Subject: GDPR for US companies (Was: Scrubbing sensitive data in dumps)


Even if the regulation says:

"Non-Eu businesses processing the data of EU citizens will also have to appoint 
a representative in the EU."

What legal recourse does the EU have to go after a US company that does not 
"appoint a representative in the EU"?

I think the trick here is that should a company "appoint a representative in 
the EU" thinking that it's something simple to appease the EU, then they have a 
business presence in the UA. Once they have "a representative in the EU", then 
the EU has a legal entity to go after for non-compliance.

The company I work for has determined that under no circumstance will we 
"appoint a representative in the EU". And, if the EU attempts legal action, our 
defense is that EU do not apply to a US business that only does work in the US. 
Just because a EU citizen chooses to use our services while in the US, that 
does not constitute a EU business presence. (No matter what the GDPR is trying 
to claim.)

Take a simple example. A EU person stays at a Florida based Bed & Breakfast. 
And, the guest supplies his address and phone number. The GDPR 'claims' that 
the GDPR now applies. But, such a claim violates the the sovereignty of the 
USA. And, since the Bed & Breakfast does not have a presence in the EU, that 
sovereignty protects it.

In other words, the GDPR can claim to reach into other countries, but legally, 
it can not. It's just trying to scare people into compliance.

For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Reply via email to