Can the EU Fine a US Company Under GDPR?

Yes. GDPR applies not only to organisations established in the EU but also, under Article 3(2), to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, so a US company within that scope can be fined if it is found to be in breach of the data protection rules. The General Data Protection Regulation (GDPR) gives national Data Protection Authorities (DPAs) a range of corrective powers. Where processing is merely likely to infringe the Regulation, a DPA may issue a warning. Where an infringement is established, DPAs can impose administrative fines of up to €20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher (a lower tier of €10 million or 2% applies to less serious infringements).

Fines can be imposed alongside other corrective measures such as reprimands, orders to bring processing into compliance, or temporary or permanent bans on processing. When setting the amount, a DPA weighs factors including the nature, gravity and duration of the infringement, the number of data subjects affected, whether the breach was intentional or negligent, any action taken to mitigate the harm, the organisation's degree of cooperation, and any previous infringements. The Regulation requires that fines be effective, proportionate and dissuasive.

For example, Uber was fined for failing to provide drivers with transparent information about how their personal data was handled. The French data protection authority, CNIL, received a complaint on behalf of more than 170 Uber drivers and worked with its Dutch counterpart, the Autoriteit Persoonsgegevens, which acted as lead supervisory authority because Uber's European headquarters is in the Netherlands.

The investigation found several breaches. Drivers' requests for access to their personal data were made needlessly difficult, with the access forms buried deep within the app, and Uber's privacy terms did not state how long data was retained or what security measures applied to transfers of data outside the European Economic Area (EEA). The Dutch Data Protection Authority imposed a €10 million fine on Uber for failing to disclose its data retention periods and the recipients of data transferred outside the EEA.
