It is a well established principle in private international law that
The driving force behind development of ordre public externe is the same as that which motivates public policy: no country can afford to open its tribunals to the legislatures of the world without reserving for its judges the power to reject foreign law that is harmful to the forum. 1
This principle affects directly the power of local EU jurisdictions to impose fines on non-EU countries, notwithstanding what the GDPR says.
So far, none of the EU Data Protection Authorities fines and orders issued against non-EU companies located abroad have been challenged in Court or, at least, there are no public information about.
In the known cases – starting from Google Spain / Costeja – the local jurisdiction has been affirmed adopting a highly questionable interpretative trick so to issue a decision against the local subsidiary rather than the holding located elsewhere.
So far, and understandably, (big) companies avoided a full-frontal legal attack against the GDPR, resorting to a less threatening, skirmish-based strategy, nonetheless the problem remains.
Time will tell.
- Kent Murphy, The Traditional View of Public Policy and Ordre Public in Private International Law, 11 Ga. J. Int’l & Comp. L. 591 (1981). ↩