US Companies within the EU
If you collect an IP address, you are collecting personal data, so the collection falls under EU law and therefore under GDPR. GDPR covers “any information relating to an identified or identifiable natural person”, meaning information that can be used to directly or indirectly identify someone.
Therefore, any US business that collects EU data, directly or indirectly, is subject to GDPR.
US Companies outside the EU
GDPR is requesting that companies without an establishment in the EU, but actively conducting business in the EU, designate a ‘representative’ located in the EU.
EU courts will then have the discretionary ability to determine if a US company was purposely collecting EU resident data and ignoring GDPR. Companies will be fined if the EU finds the collection of personal data “likely to result in a risk to the rights and freedoms of natural persons.”
Written into GDPR itself is a clause stating that any action against a company from outside the EU must be issued in accordance with international law. This means that EU regulators can, with the help of the US authorities, fine US companies for violating GDPR.
In March 2017, the UK Government announced its intention to leave the EU within a two-year timeframe, although this may take longer. GDPR will therefore be in place before the UK is out of the EU, so GDPR will still apply.
In August 2017, the UK Government put forward a new Data Protection Bill replicating the requirements of GDPR in UK legislation, so those compliant with GDPR should be compliant with the new UK data protection law.
The UK intends to ensure that uninterrupted data flows continue between the UK, the EU and other countries.