@Tony, thanks for starting a new thread. I was about to do so, realizing I had hijacked a perfectly good dump-scrubbing thread.

There was a lot of "how are they going to enforce it on us?" at the SHARE sessions. My reply was "if you have deep pockets, I'm sure there is a team of lawyers that would be happy to help you be a test case." I'm not a lawyer, but my daughter is (albeit not an international justice lawyer) and might have some experience in this area. I am with her next week and will ask her.

The borderline examples are myriad. Here was mine. You are a bank. A customer checks off US citizen on the account form and gives a US address. But she also is an EU National and has an EU residence. You would have no way of knowing that. And pity the poor Brits! Brexit comes *after* the effective date of GDPR, so they have to make all the preparations for a law that will soon not affect them.

There was discussion about how you would erase every trace of someone's existence if you have DB2 volume backup tapes buried deep in Iron Mountain. And what if the lawyers were also telling you "you can't erase that -- we have an open discovery action going on that"?

I thought the most interesting observation came from two different companies that said "we have to implement this -- so we might just as well do it for all of our customers."

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tony Thigpen
Sent: Saturday, August 12, 2017 12:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: GDPR for US companies (Was: Scrubbing sensitive data in dumps)

Charles,

Even if the regulation says: "Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU." What legal recourse does the EU have to go after a US company that does not "appoint a representative in the EU"?

I think the trick here is that should a company "appoint a representative in the EU" thinking that it's something simple to appease the EU, then they have a business presence in the UA. Once they have "a representative in the EU", then the EU has a legal entity to go after for non-compliance.

The company I work for has determined that under no circumstance will we "appoint a representative in the EU". And, if the EU attempts legal action, our defense is that EU do not apply to a US business that only does work in the US. Just because an EU citizen chooses to use our services while in the US, that does not constitute an EU business presence. (No matter what the GDPR is trying to claim.)

Take a simple example. An EU person stays at a Florida-based Bed & Breakfast. And, the guest supplies his address and phone number. The GDPR 'claims' that the GDPR now applies. But, such a claim violates the sovereignty of the USA. And, since the Bed & Breakfast does not have a presence in the EU, that sovereignty protects it.

In other words, the GDPR can claim to reach into other countries, but legally, it can not. It's just trying to scare people into compliance.