European data and Artificial Intelligence regulations are increasingly reaching beyond the continent and creating compliance obligations for US-based companies that lack a substantial connection to the European Union. The issue gained recent attention after testimony in Washington DC highlighting concerns about sovereignty and free speech, and it focuses on the General Data Protection Regulation and the EU Artificial Intelligence Act. Both regimes can expose companies to heavy sanctions, with the GDPR providing fines up to 4 percent of global annual turnover and the EU Artificial Intelligence Act up to 7 percent.
The article explains how the GDPR achieves broad territorial reach through Article 3, which captures processing tied to an EU establishment and, under Article 3(2), non-EU controllers or processors that offer goods or services to EU residents or monitor behavior. Practical consequences include the requirement in Article 27 to appoint an EU representative, the duty to adopt lawful transfer mechanisms and to apply standards from Court of Justice of the European Union jurisprudence such as Schrems II, and exposure to investigations and fines by EU supervisory authorities. The EU Artificial Intelligence Act likewise has wide scope under Article 2, covering providers and deployers whose outputs are used in the Union, and can require classification under risk tiers, conformity assessments, technical documentation, post-market monitoring, and human oversight. The piece illustrates how even a US vendor of an AI-driven resume-screening tool could be brought within the law by a single EU customer.
For US companies seeking to resist extraterritorial application, the authors set out several legal pathways available within the European system. A national court confronted with enforcement can refer questions to the Court of Justice of the European Union via the preliminary ruling procedure. Companies or trade associations might seek an administrative exemption, provoking a challenge to a national decision that can trigger a preliminary reference. Member state implementing or delegated acts can be contested and, where applicable, the direct action mechanism under Article 263 of the Treaty on the Functioning of the European Union permits annulment claims against delegated or implementing measures. While some direct challenges are time-limited or unavailable for older regulations, the multi-level EU governance framework offers multiple points of entry to contest perceived overreach when claims are framed in alignment with constitutional principles.