[slamdance]

eh. Maybe. If they copy the data to a 3rd party in America (i.e. sell the data a marketing company, for "research" purposes), then the EU can't really go after the marketing company. I'm not saying it's right. I don't see why they couldn't anonymize the data (morally or ethically). But, I don't own a marketing company.

[vidarh]

If a company based in the EU is transferring the data to a 3rd party in America without appropriate safeguards to ensure said data is treated in a way that complies with EU law, then the transfer itself is unlawful, and the EU can go after the company for that.

[stordoff]

They don't need to. By selling the data on without ensuring the requirements continue to be met, the original company can be taken to court.

[rmc]

> If they copy the data to a 3rd party in America (i.e. sell the data a marketing company, for "research" purposes), then the EU can't really go after the marketing company.

No, but they can go after the original company who transfered the data. Remember, under EU law, companies don't own that personal data. It's not theirs to give away.

[kuschku]

Actually, the EU wrote into the GDPR that they can do exactly that. Any company with data on EU citizen is liable, no matter where they got it from.