In accordance with Chapter 5 of the GDPR, non-EU enforcement is supposed to be the result of steps taken by the European Commission and supervisory authorities to:
- develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;
- provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;
- engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;
- promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.
While there are ways to enforce EU-judgements in the US, this depends on a number of factors, including the degree each member state enforces GDPR regulations that may have been violated, whether a US entity has EU presence or not, or whether reciprocity will allow US judges to enforce EU- judgments. Since this is an area that has not been tested yet, the sensible approach for website operators in the US and other countries outside the EU that target EU customers are to take their own legal advice and to keep that advice under review as the implementation of the directive progresses.