You are an American company. While you sell product or otherwise interact with Europe, and thereby collect personal information about European residents, you have no assets or facilities on that continent. Nonetheless, you are concerned about the reach of the European Union’s General Data Privacy Regulations (GDPR), whether you must comply with its requirements, and potential liabilities set out in those regulations.
Moreover, in the last two years since the GDPR became effective on May 25, 2018, you have been inundated with addenda to your contracts from your vendors, customers, and just about everyone else with whom you do business, even those who themselves are located in the United States, intended to respond to the privacy requirements of the GDPR, further complicated by the more recent January 1, 2020, effective date of the California Consumer Privacy Act (CCPA). The various privacy addenda that you have received reference such things as “standard contractual clauses” and similarly purposed documents such as “binding corporate rules.” You wonder whether these are just forms that everyone is using, what risks they entail, and whether you should just sign them.
The answer, it turns out, may well be “no.” The reason is the Uniform Foreign Country Money Judgments Recognition Act (UFCMJRA).
Liability Exposures Under the GDPR
So much has been written by so many about the GDPR that one can easily find dozens of articles about its requirements. For present purposes, our focus is on the monetary consequences of failing to meet those requirements. It should be kept in mind, however, that Article 58(2) makes a wide range of nonmonetary, injunctive remedies available to European Union (EU) tribunals, including banning further data processing and suspending data transfers, which can have significant monetary implications for a company’s revenue, even if the remedy is not itself financial in nature.
Most articles discussing financial remedies for “infringement” of the GDPR highlight the attention-getting maximum of “administrative fines” provided in Article 83, up to €20 million, or 4 percent of total worldwide annual turnover, whichever is higher. These fines, when levied, are issued by an EU “supervisory authority” as established by each Member State. While the odds of an administrative fine reaching that high are remote in most circumstances, and Article 83(2) provides a list of factors (including failure to comply with an order for injunctive relief issued pursuant to Article 58) to be used by the supervisory authority in assessing the amount of any particular administrative fine, it remains true that one of the liability exposures for a GDPR violation is an administrative fine.
Less discussed is the potential for claims by data subjects themselves, as set out in Articles 79, 80, and 82. Article 79 establishes the right “of each data subject… to an effective judicial remedy,” and further, it states that the proceedings may be brought either “where the controller or processor has an establishment” (and recall that under our hypothetical, we posit that there is no such establishment in the EU), or alternatively, “before the courts of the Member State where the data subject has his or her habitual residence.” Thus, the GDPR contemplates that American companies that collect or process EU personal data may face proceedings in whichever nation the data subject resides.
Article 80 potentially broadens this exposure, because it permits the data subject to “mandate” a not-for-profit organization to make the claim on the data subject’s behalf and “to exercise the right to receive compensation referred to in Article 82 on his or her behalf.” This broadening potentially allows for collective actions, perhaps not in the American class action sense, but it creates the risk that such an organization could bundle together groups of similar individual claims.
Article 82, titled “Right to compensation and liability,” provides: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” Article 82(4) further establishes the joint and several liability of each controller or processor, while Article 82(5) allows contribution claims against other controllers and processors “corresponding to their part of responsibility for the damage.” And while the administrative fines established in Article 83 are capped, even though that cap is massively high, there is no cap on damages for data subjects.
So, faced with such exposures, both monetary and nonmonetary, should an American company, with no EU-based assets against which an EU judgment can be enforced, find and hire an EU attorney in the forum state to defend against a complaint filed by either a supervisory authority or a data subject (or its mandated not-for-profit organization)?
The Uniform Foreign Country Money Judgments Recognition Act
Suppose that either an administrative fine or a damages judgment is entered by an EU tribunal against an American company with no assets based in the EU against which to enforce the judgment. The only way, then, to recover the amount of that judgment would be for the complainant, whether the supervisory authority or the data subject, to seek recognition of the EU judgment in a U.S. court, and then seek enforcement of that judgment against the U.S.-based assets of the American company.
The United States is not a party to any international treaty on the subject of recognition of foreign country judgments. Congress has, to date, enacted no federal statute on this subject. The only body of U.S. law is that applied by various states.
State law is determined by either legislation or common law. In 1962, the Uniform Law Commission (ULC) proposed—and thirty-two states enacted—the Uniform Foreign Money Judgments Recognition Act. That proposed legislation primarily involved enforcement of judgments entered in one state by courts in another state, to implement the Full Faith and Credit Clause of the U.S. Constitution. But that clause does not apply to judgments entered by other countries; and while the 1962 version of the Uniform Law Commission’s proposed act included some sparse provisions pertaining to foreign country judgments, the ULC deemed it necessary to propose a more comprehensive scheme in 2005: the UFCMJRA. According to the ULC’s website, twenty-four states plus the District of Columbia have enacted the 2005 version, and it is pending in three additional state legislatures as of this writing.
As for those states that have not enacted the 2005 version, the common law is likely to vary, but it will generally follow the principles set out in the UFCMJRA.
The UFCMJRA first provides that the act does not apply at all to, among other things, “a fine or other penalty.” Section 3(b)(2). Thus, without any other mechanism, a strong argument can be made that EU-entered administrative fines will not be recognized—and therefore cannot be enforced—in the United States.
Note, however, a possible—and unpredictable—exception: as ULC’s comments to section 3 indicate, “[u]nder Section 11, however, courts remain free to consider whether such judgments should be recognized and enforced under comity or other principles.” Therefore, while the general rule appears to be that administrative fines will not be recognized, the rule is not absolute.
Section 4 provides that a state court “shall” recognize a foreign country money judgment unless one of the exceptions applies. It then sets out exceptions where a court “may not” recognize a judgment and where a court “need not” do so—the first being mandatory and the second being discretionary.
In the “may not” category are situations where (1) the judicial system rendering the judgment does not have impartial tribunals or procedures compatible with the requirements of due process of law; (2) the foreign court did not have personal jurisdiction over the defendant; and (3) the foreign court did not have jurisdiction over the subject matter. While it is possible that disputes and defenses may arise out of any of these three situations, the most likely one—and the one most important for present purposes—is the second situation, dealing with personal jurisdiction.
The “need not” provisions include eight exceptions, including that the specific proceeding (as distinct from the court system itself) lacked due process, that the claim on which the judgment is based “is repugnant to the public policy of this state or of the United States,” and (most important for present purposes), “in the case of jurisdiction based solely on personal service, the foreign court was a seriously inconvenient forum for the trial of the action.”
It is difficult to imagine a more “seriously inconvenient forum” for an American company with limited to zero EU-based assets or presence than a forum separated by an ocean. But note the mystery of the introductory phrase (“… jurisdiction based solely on personal service….”). Why this proviso? ULC’s comments to section 4 shed no light on the reason why this phrase was included. Should the foreign judgment be more recognizable if service was based on, say, service by publication? One would think not, but perhaps the explanation can be found in section 5 of the UFCMJRA, which defines the grounds for personal jurisdiction.
Section 5 does not contemplate that a foreign court may acquire personal jurisdiction over an American company by publication or other non-personal service. It is a negative prohibition; subsection (a) states: “A foreign-country judgment may not be refused recognition for lack of jurisdiction if….” It next lists the grounds on which recognition may not be refused. The list includes where “the defendant was served with process personally in the foreign country.” It does not list any form of non-personal service, with the caveat that section 5(b) says that the list “is not exclusive” and that courts “may recognize bases of personal jurisdiction other than those listed in subsection (a) as sufficient to support a foreign-country judgment.”
Thus, unless a representative of the American company happens to be in the Member State and happens to be served with process while there, the American company is likely not subject to jurisdiction of the EU tribunal; therefore, a foreign money judgment against that company would likely not be recognizable by a U.S. court applying the standards established by the UFCMJRA, except where the company has performed specific other actions specified in section 5. This is where the intersection with the “standard contractual clauses” and “binding corporate rules,” mentioned above, occurs.
The actions that submit a defendant to personal jurisdiction are similar to those applied by U.S. courts. Three sections are equivalent to general U.S. law on general jurisdiction, specific jurisdiction, and long-arm jurisdiction: section 5(a)(4) (domiciled or principal place of business in the foreign country); section 5(a)(5) (proceeding arises out of business done by the defendant through its business office in the foreign country); and section 5(a)(6) (action arises out of defendant’s operation of a motor vehicle or airplane in the foreign country).
But more interesting for the current discussion are two others: section 5(a)(2) (defendant voluntarily appeared other than to protect seized property or to contest jurisdiction) and section 5(a)(3) (defendant agreed to submit to jurisdiction before commencement of the proceeding).
Section 5(a)(2) presents a partial answer to whether an American company without EU-based assets should hire an EU attorney and contest the merits of a GDPR claim. There may be good reasons to do so under certain circumstances, but companies should only do so recognizing that they have likely waived some important potential defenses to recognition of any judgment rendered by the EU tribunal by U.S. courts.
Section 5(a)(3), however, is more insidious. Unsuspecting companies may waive jurisdictional defenses to U.S. recognition of EU judgments without even realizing it until it is too late.
Potential Effect of Standard Contractual Clauses on UFCMJRA Defenses
A full discussion of standard contractual clauses, binding corporate rules, and other similar GDPR-contemplated documents is beyond the scope of this article. The purpose of these documents is to comply with the GDPR requirements for cross-border transfers of personal data, to ensure that proper security measures are in place in countries (such as the United States) that have not been certified by the European Union as “adequate jurisdictions.”
As the name implies, standard contractual clauses are “standard”: they are not subject to negotiation. One either accepts them as-is, or one does not sign the agreement. The same is true for binding corporate rules: to be acceptable for cross-border transfers, certain provisions are mandatory.
The mandatory provisions relevant to the current discussion are those that relate to jurisdiction, because section 5(a)(3) of the UFCMJRA waives personal jurisdiction defenses, thereby potentially rendering a foreign country money judgment enforceable in the United States if “the defendant, before commencement of the proceeding, had agreed to submit to the jurisdiction of the foreign court with respect to the subject matter.”
Both standard contractual clauses and binding corporate rules include provisions that expressly allow data subjects to enforce the GDPR against data exporters. They include provisions by which the data exporter agrees that persons who suffer damages are “entitled to receive compensation from the data exporter,” and the data exporter agrees to the jurisdiction of a tribunal of the Member State where the data exporter “is established,” governed by the laws of the Member State.
Thus, an American company that is not otherwise subject to EU personal jurisdiction and therefore has potential grounds for contesting recognition of an EU judgment by a U.S. court risks losing that defense if it agrees to standard contractual clauses or binding corporate rules.
Many small to mid-sized American businesses sell only within the United States, but nonetheless, they communicate with (and thereby collect personal information about) foreign individuals, including suppliers, in professional associations, and in a myriad of other contexts. Websites know no borders, and persons in the European Union who interact with such websites may leave digital footprints that could be considered personal information by some. Many other U.S.-based companies deliberately interact with EU counterparts even as they have no EU-based assets.
And even if an American company does not itself have any contacts with EU individuals, many of the companies with whom it does business, such as vendors or customers, may themselves have EU connections.
It is in this context that digital privacy addenda and similarly named contract documents are being received daily by most companies from vendors, customers, and others whose own inside or outside counsel have devised contract forms designed to meet GDPR (and now, CCPA) requirements. Wisdom suggests, however, that companies should think twice before agreeing to these contract provisions.
It may be, in the end, that the better business choice is to take the risk that comes with accepting the requirements of such proposed contracts. But in many instances, the better choice is to say “no” and to negotiate provisions that preserve a company’s ability to assert defenses to attempts to recognize and enforce GDPR judgments in U.S. courts, against U.S.-based assets.
Such choices can only be made, however, if one is aware that a choice exists in the first place.
Note, a version of this article was published in the Summer 2020 edition of DRI’s “In-House Defense Quarterly.” All rights retained by author David Levitt.