Since the EU General Data Protection Regulation became effective May 25, 2018, most American companies have been inundated with contract addenda from vendors, customers and just about everyone else with whom they do business, intended to respond to the privacy requirements of the GDPR. Many proposed addenda include requirements to include standard contractual clauses or similarly purposed documents, such as binding corporate rules. Should American companies without significant EU-based assets sign these addenda?

The answer may well be “no.” The reason is the Uniform Foreign Country Money Judgments Recognition Act. 

Liability exposures under GDPR

Most discussion of financial remedies for “infringement” of the GDPR highlights the attention-getting maximum of “administrative fines” provided in Article 83. These fines, when levied, are issued by an EU supervisory authority, as established by each member state.

Less discussed is the potential for claims by data subjects themselves as set out in Articles 79, 80 and 82. These articles contemplate proceedings in whichever nation the data subject resides, as well as potentially allowing for collective actions, bundling of groups of similar individual claims. And while the administrative fines established in Article 83 are capped (even though that cap is massively high), there is no cap on damages for data subjects.

So, faced with such exposures, should an American company with no EU-based assets nevertheless hire an EU attorney in the forum state to defend against a complaint filed by either a supervisory authority or data subject?

UFCMJRA

If either an administrative fine or a damages judgment is entered by an EU tribunal against an American company with no assets based in the EU, the complainant would have to seek recognition of the EU judgment in a U.S. court and then enforcement of that judgment against the U.S.-based assets of the American company.

The U.S. is not a party to any international treaty on the subject of recognition of foreign country judgments. Congress has, to date, enacted no federal statute on this subject. The only applicable body of U.S. law is that applied by U.S. states.

The Uniform Law Commission proposed a comprehensive scheme in 2005, the UFCMJRA, including specific provisions for recognition of foreign country judgments. Per the ULC’s website, 24 states plus the District of Columbia, have enacted the 2005 version, and it is pending in three additional state legislatures as of this writing. As to those states that have not enacted the 2005 version, the common law is likely to vary but will generally follow the principles set out in the UFCMJRA.

The UFCMJRA provides that the act does not apply at all to, among other things, “a fine or other penalty.”  Thus, a strong argument can be made that EU-entered administrative fines will not be recognized — and therefore cannot be enforced — in the U.S.

Section 4 sets out exceptions in which a court “may not” recognize a judgment and where a court “need not” do so — the first being mandatory and the second being discretionary.

In the “may not” category are lack of due process of law, lack of personal jurisdiction over the defendant and lack of jurisdiction over the subject matter. Most disputes will most likely arise under dealing with personal jurisdiction.

The “need not” provisions include eight categories. Most important for present purposes is “in the case of jurisdiction based solely on personal service, the foreign court was a seriously inconvenient forum for the trial of the action.” It is difficult to imagine a more “seriously inconvenient forum” for an American company than a forum separated by an ocean.

Unless a representative of an American company happens to be in the member state and served with process while there, the American company is likely not subject to personal jurisdiction of the EU tribunal — and therefore a foreign money judgment against that company would likely not be recognizable by a U.S. court under the UFCMJRA — unless it has performed specific other actions specified in Section 5. And this is where the intersection with SCCs and BCRs occurs.

While the UFCMJRA describes actions that submit to personal jurisdiction similar to those applied by U.S. courts for general or specific jurisdiction, more relevant to the current discussion are Sections 5(a)(2) (defendant voluntarily appeared other than to protect seized property or to contest jurisdiction) and 5(a)(3) (defendant agreed to submit to jurisdiction before commencement of the proceeding).

Section 5(a)(2) presents a partial answer to the question of whether an American company without EU-based assets should hire an EU attorney and contest the merits of a GDPR claim. There may be good reasons to do so under certain circumstances, but companies should only do so in recognition that by voluntarily appearing, they have likely waived some important potential defenses to the recognition of any judgment rendered by the EU tribunal by U.S. courts.

Section 5(a)(3), however, is more insidious. Unsuspecting companies may waive jurisdictional defenses to U.S. recognition of EU judgments without even realizing it until it is too late.

Potential impact of SCCs on UFCMJRA defenses

The purpose of SCCs, BCRs and other similar GDPR-contemplated documents is to comply with the GDPR requirements for cross-border transfers of personal data, for countries (like the U.S.) that have not been certified by the EU as “adequate jurisdictions.”

As the name implies, SCCs are “standard” — not subject to negotiation and must be accepted as is. The same is true for BCRs.

Both SCCs and BCRs include provisions that expressly allow data subjects to enforce GDPR against data exporters. They include provisions by which the data exporter agrees that persons who suffer damages are “entitled to receive compensation from the data exporter” and agree to the jurisdiction of a tribunal of the member state where the data exporter “is established,” governed by the laws of the member state.

Thus, an American company that is not otherwise subject to EU personal jurisdiction and therefore has potential grounds for contesting recognition of an EU judgment by a U.S. court risks losing that defense under Section 5(a)(3) of the UFCMJRA if it agrees to SCCs or BCRs, thereby agreeing to jurisdiction of the EU tribunal.

Many small- to mid-sized American businesses sell only within the U.S. but nonetheless communicate with (and thereby collect personal information about) foreign individuals in a myriad of contexts. Websites know no borders, and many U.S.-based companies interact with EU counterparts even as they have no EU-based assets.

And even if an American company does not itself have any contacts with EU individuals, many of the companies with which it does business may themselves have EU connections.

It is in this context that digital privacy addenda and similarly named contract documents are being received daily by most companies from vendors, customers and others whose own inside or outside counsel have devised contract forms designed to meet GDPR (and now, California Consumer Privacy Act) requirements. Wisdom suggests, however, that companies should think twice before agreeing to these contract provisions.

Photo by Leon Seibert on Unsplash