November 05, 2025

Legal Grounds for Challenging the Overreach of European Regulations on US-Based Companies

As European data and artificial intelligence (AI) regulations increasingly reach across borders, American companies find themselves ensnared in a web of foreign compliance obligations, which raises questions about sovereignty and the future of global digital governance. This issue recently came to the forefront when UK Member of Parliament Nigel Farage spoke before a US congressional committee in Washington DC, urging the US Government to use “diplomacy and trade” to defend American free-speech values from the perceived encroachment of European law.

While Mr. Farage’s testimony was raised within the context of his criticism of UK rules regarding freedom of speech, it sheds light on European regulations, particularly the General Data Protection Regulation (GDPR) in the United Kingdom and European Union and the recently passed EU Artificial Intelligence Act (EU AI Act), which are also capable of affecting innovation and business efficiency in the United States. His testimony may resonate with US-based enterprises that have no brick-and-mortar footprint in Europe, yet find themselves subjected to complex compliance obligations and exposed to severe penalties imposed by foreign regulators (up to 4% and 7% annual global turnover under the GDPR and EU AI Act, respectively). The crux of the concern being put forward is not merely cost; it is an objection in principle to the increasingly expansive European theory of jurisdiction, which risks undermining the United States’s sovereign prerogatives in regulating its own commercial and technological ecosystem.

The GDPR entered into force on May 25, 2018, as a sweeping overhaul of Europe’s data-protection regulations, anchoring individual privacy as a fundamental right. Its global footprint is codified in Article 3, the GDPR’s territorial-scope provision. Article 3(1) applies the GDPR to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the Union or not.” While that clause focuses on entities with at least one EU establishment, Article 3(2) extends the GDPR further by capturing any non-EU controller or processor that merely offers goods or services to EU residents or monitors their behavior within the EU. Article 3(3) also broadens the GDPR’s jurisdictional scope by covering controllers situated outside the European Union but operating “in a place where Member State law applies by virtue of public international law.” Together, these provisions may extend the GDPR’s geographic reach to, for example, a US company headquartered in Idaho that hosts its servers in California and merely has trackers on its website capable of monitoring EU residents, or engages in some innocuous targeting of the EU market (e.g., advertising that uses EU languages or currency). Following Brexit, a separate version of the GDPR applies in the United Kingdom, raising similar issues.

The practical consequences for American enterprises, particularly small and medium-sized businesses, are significant. First, Article 27 obliges a non-EU controller or processor that falls under Article 3(2) to appoint a representative established in an EU Member State. Identifying, contracting, and continuously supervising an appropriate representative imposes recurring fees and logistical strain that may be disproportionate to a de minimis European revenue stream. Second, data exporters must navigate the GDPR’s cross-border transfer regime. Even if a US company merely happens to process minimal personal data pertaining to EU residents, it must rely on a lawful transfer mechanism (e.g., standard contractual clauses, binding corporate rules, or an adequacy decision) and perform risk assessments modeled on Court of Justice of the European Union decisions, such as Schrems II. This requires US entities to scrutinize US surveillance law to demonstrate to EU regulators that exported data will enjoy equivalent safeguards. Third, once within the GDPR’s scope, an American company may become answerable to an EU supervisory authority empowered to investigate, audit, and impose fines of up to 4% of global annual turnover. The company may need to maintain EU-style records of processing activities, designate data protection officers, respond to data subject privacy rights requests, and adopt breach notification procedures consistent with EU standards.

Like the GDPR, Article 2 of the EU AI Act also has a broad territorial reach. Under Article 2(1)(a), the EU AI Act applies to “providers” that place AI systems or general-purpose AI models on the market or put them into service in the European Union “irrespective of whether those providers are established or located within the Union or in a third country.” Article 2(1)(c) includes within the scope of the law providers and deployers in a third country, such as the United States, “where the output produced by the AI system is used in the Union.” In effect, a software company in Texas that sells an AI-driven resume-screening tool to a single French employer may now need to, among other things, classify its AI system under the EU AI Act’s risk tiers, conduct conformity assessments, maintain technical documentation, conduct post-market monitoring, and implement human oversight consistent with EU-defined standards. Moreover, US companies may potentially face recourse from European national competent authorities if, for example, a US employer’s AI-assisted screening system rejected a European job applicant.

Proponents of the GDPR and the EU AI Act argue that data flows and AI outputs do not recognize national borders and, thus, that effective protection requires rules that are country-agnostic. However, this position should be balanced against the fact that the European Union is asserting authority to dictate compliance requirements on entities that lack any substantive connection to the European Union other than the incidental accessibility of their products or services. Moreover, for American companies, the proliferation of global privacy and AI frameworks compounds the already complex patchwork of data privacy and AI regulations, likewise intended to protect individuals, with which they must comply in the US. This includes twenty different state-by-state comprehensive privacy laws; state and federal sector-specific laws applicable to children’s, financial, health, biometric, and employment data; comprehensive and context-specific AI laws; and broad consumer protection, employment, and unfair competition laws.

Notably, this burden may cause US start-ups to abandon European expansion due to GDPR compliance costs that are higher than projected revenues. Indeed, venture capital term sheets now incorporate line items for EU representative services, data protection officer staffing, and legal opinions on standard contractual clauses—capital that could otherwise fund research and development. For AI ventures, the impending comprehensive and horizontal EU AI Act regime likewise threatens to divert talent from innovation toward paperwork.

In the coming years, the friction between Brussels and Washington DC over data and AI governance may intensify as each new technological leap makes territoriality less meaningful. With this backdrop, what can purely US-based companies do to challenge the extraterritorial reach of EU regulations? In our analysis below, we provide some of the legal mechanisms they can leverage to challenge potential overreach.

The most conventional—yet effective—way to challenge the extraterritorial reach of EU regulations is through the preliminary ruling procedure. This key mechanism of EU law allows courts and tribunals of EU Member States, before which a dispute arises, to refer questions to the Court of Justice of the EU (CJEU) regarding either the interpretation or the validity of EU law.

In practice, a company could challenge national enforcement measures taken against it for an alleged breach of an EU legislative act (e.g., the EU AI Act). During such proceedings, the company may invite the national judge to request a preliminary ruling from the CJEU on the validity of the act at issue. However, this route is only available when the company is already subject to an enforcement action, which significantly limits the opportunities to bring a challenge before the CJEU.

To overcome this limitation, one could envisage a scenario in which the company—or a trade association acting on behalf of its members—proactively requests the competent national authority to grant it an exemption from the application of the EU act at issue, on the ground that the legislation should not apply extraterritorially. A refusal from the authority would generate an administrative decision that could be challenged before the courts of that particular EU Member State. Again, the courts could, in turn, refer questions to the CJEU concerning the validity of the extraterritorial application of the act.

Similarly, interested companies or trade associations could also challenge measures adopted by EU Member States that implement or give effect to provisions of an EU act (e.g., executive orders, decrees or other instruments). These measures could also be referred by national courts to the CJEU for preliminary references.

Lastly, the extraterritorial reach of EU regulations could also be challenged via the direct action mechanism of Article 263 of the Treaty on the Functioning of the European Union (TFEU). Many EU legislative acts empower the European Commission to supplement or adapt the legal framework through delegated or implementing acts—17 such acts are envisaged in the EU AI Act—which could be subject to an action for annulment before the CJEU (provided the action is submitted to it within the applicable timeline). In the course of these proceedings, the company could raise a plea of illegality—i.e., challenge incidentally the validity of the overarching act, which constitutes the legal basis of the contested measure—on the basis of, e.g., an ultra vires intervention by the European Union due to the extraterritorial scope of the act at issue.

These legal strategies and the multi-level governance structure of the European Union offer a few points of entry to challenge the extraterritorial scope of certain overly burdensome EU regulations. Each approach, provided that the relevant conditions are met, has the potential to trigger a meaningful review by the CJEU. While direct actions against regulations that are already several years old are now off-limits, opportunities remain to contest the European Union’s regulatory reach through careful legal strategy and by framing claims in alignment with broader “constitutional” principles.
