With less than three weeks to go until the EU’s General Data Protection Regulation (GDPR) comes into effect on May 25th, many US companies still inhabit a world of wishful thinking about this far-reaching law.

The GDPR will impose strict data management and privacy protection requirements on any organisation, anywhere, that handles the data of EU citizens, or of anyone physically within the EU, or anyone of any citizenship inside or outside the EU whose data is processed within the EU.

US companies will be particularly implicated here, due to the preponderance of data-processing multinationals.

The US attitude has always been dismissive towards EU privacy and data protections. I’ve sat through countless sessions at events in the US where EU protections that were supposed to be observed already under the former principles of Safe Harbour data transfer, and later its current replacement Privacy Shield, were discussed with, at best, mild annoyance and too often, belittling contempt.


This is why I’ve always doubted that many US organisations took either seriously. And I know from talking to individuals who know the position at first hand that, in practice, many haven’t.

Panic

So it didn’t surprise me last week to see evidence that some US companies are going into a panic as the GDPR deadline approaches. Especially because the GDPR has serious penalties for non-compliance – up to 4 per cent of global revenue. Note: that’s revenue, not profit. And a lot of tech companies, including many of the social media giants, have billions in revenue, but little, if any, profit.

So, the contempt that used to be reserved for the EU’s “toothless” data protection has been replaced with focused action to comply. As well as by ignorant hysteria.


Last week, the chief risk officer of security company F-Secure, Mikko Hypponen, tweeted a list of companies that have decided they’ll avoid GDPR compliance by refusing to offer services anywhere in the EU, or blocking anyone in the EU from visiting their websites.

Among this list are: Brent Ozar Unlimited; Verve; Ragnarok; Super Monday Night Combat; Unroll.me; Tungle Services… you can see Hypponen’s whole thread here.

He also mentions gdpr-shield.io, a company that promises to enable businesses to “save thousands on GDPR compliance” by offering code to block anyone with an EU-based IP address.


The whole thread offers lots of GDPR-ignorance lols. For most of these companies, none of these things will relieve them of compliance obligations, and they are setting themselves up for possible fines. Not least because Europeans sometimes use VPNs – virtual private networks – or anonymising browsers like Tor, which hide the user’s real location, so an IP-address block cannot reliably tell who is in the EU.

But companies supposedly withdrawing from Europe could end up with EU data for any range of reasons, such as taking in data from US customers who happen to be passing through the EU, or from EU citizens travelling in the US and visiting their site or using their service.

US lawyer Alexander Stern thinks Silicon Valley companies, in particular, are grossly underestimating their GDPR obligations. He notes: “Companies that think they can just block EU IP addresses and avoid the GDPR are kidding themselves. There are plenty of legitimate reasons for an EU user’s IP address to appear as if it is from outside the EU. As soon as that happens, the company likely has GDPR obligations.”

Case searches

His startup, which offers intelligence-based case searches, recently conducted a survey of law professors for thoughts on GDPR and of case law for potential relevance. One intriguing conclusion is that US companies may be breaking US law by not offering US citizens the same data protection rights as EU citizens.

“The Civil Rights Act of 1964 prohibits national origin discrimination. Often that means banning policies that have a disproportionate advantage for people from certain countries. If the courts accept this line of reasoning here, that means companies are underestimating compliance obligations by orders of magnitude,” he says.

US courts could decide (as they have on disability grounds in the past) that websites are “public accommodation” and therefore must offer equal data protection to US citizens, he says.

Because of such regulatory and legal complexities, it will likely take years of practical application, court challenges and fines, to determine how the GDPR will actually work both in the EU and outside of it. But the logical outcome is that all boats will have to rise to the level of EU data protection, if only because it is easier and less risky.

That’s good news for individuals – we, the “data subjects” – whose personal data has been at the centre of a largely hidden and surreptitious, unregulated and underprotected global feeding frenzy for years.