American companies and GDPR – Can one take “GDPR compliance” at face value?

This is an interesting article, for anyone concerned about Privacy, from Reuters. Basically, Facebook members outside the United States and Canada currently fall under terms of service agreed with the company’s international headquarters in Ireland – inside the EU, so GDPR applies. Next month, that will only apply to European users, so less onerous US privacy laws will apply to everyone else.

I am not a lawyer, but I’m not sure that will always work. What about EU citizens living and working in India, say, who sign up with Indian Facebook?

In any case, it underlines the fact that many US companies see GDPR simply as a restriction of trade, to be avoided at all costs. Could they sometimes be adhering to the letter of GDPR law whilst evading its spirit whenever possible?

I think that there is simply a cultural difference – Europeans think that people override corporations in issues of personal data privacy, Americans don’t – but it’s obviously not as black-and-white as that. Simply stated, I think that any emerging Mutable Business with a global reach needs to do some due diligence, not only on its own data processing but also on its non-European partners – it can’t simply rely on assurances that “we are entirely GDPR compliant”.

Check out Salesforce’s GDPR site, which – on the face of it – seems a lot more thorough than most, and decide for yourself on the small print. There is great play made of Binding Corporate Rules and Standard Contractual Clauses but my Bloor colleague Peter Howes reminds me that these may include references to other documentation that is subject to change. As an example, Salesforce’s lists of these Rules and Clauses and sub-processors, etc., are full of links to the Salesforce website “for the latest version”. Note also that Safe Harbour and Privacy Shield are quoted, and that the EC authorities are not wildly enthusiastic about either of these – Safe Harbour has been overthrown and Privacy Shield is being challenged (one challenge has been dismissed but there are others).

The bottom line, I think, is that (regardless of GDPR and its jurisdiction) a mutable company can’t afford to have a breakdown of trust with its customers and other stakeholders – as Facebook is discovering. GDPR may simply be a catalyst for bringing data-related trust issues to the surface.

David Norfolk

My current main client is Bloor Research International, where I am Practice Leader with responsibility for Development and Governance. I am also Executive Editor (on a freelance basis) for Croner's IT Policy and Procedures (a part-work on IT policies). I am also on the committee of the BCS Configuration Management Specialist Group (BCS-CMSG). I became Associate Editor with The Register online magazine – a courtesy title as I write on a freelance basis – in 2005. Register Developer, a spin-off title, started at the end of 2005, and I was launch editor for this (with Martin Banks). I helped plan, document and photograph the CMMI Made Practical conference at the IoD, London in 2005. I have also written many research reports including one on IT Governance for Thorogood. I was freelance Co-Editor (and part owner) of Application Development Advisor (a magazine, now defunct) for several years. Before I became a journalist in 1992, I worked for Swiss Bank Corporation (SBC). At various times I was responsible for Systems Development Method for the London operation, the Technical Risk Management framework in Internal Control, and was Network Manager for Corporate group. I carried out a major risk evaluation for PC systems connecting across the Bank’s perimeter to external systems and prioritised major security issues for resolution by the Bank’s top management in London. I also formulated a Security Policy for London Branch and designed a secure NetWare network for the Personnel Dept. Before 1988 I was an Advisory Systems Engineer in Bank of America, Croydon in database administration (DBA) on COBOL-based IMS business systems. Before 1982, I worked in the Australian Public Service, first as a DBA in the Dept of Health (responsible for IMS mainframe systems) and latterly as a Senior Research Officer 2 in the Bureau of Transport Economics.
Specialties: I have the ability to extract the essence of significant technical developments and present it for general consumption, at various levels, without compromising the underlying technical truth.
