GDPR, the new data protection law – strategies for protecting yourself against requirements and sanctions

On the 25th May the law that has enraged online entrepreneurs was passed, the GDPR.

Behind these four letters hides the name ‘the EU General Data Protection Regulation, which was approved 2 years ago, but which was legally came into force on the 25th May 2018.

The reality is that even after the initial wave of hysteria, during which many companies tried to adapt their processes and websites, very few business owners are really prepared for the GDPR.

Faced with this situation, the only ones who are happy are those who make up the industry of lawyers dedicated to sending requests and threats for this type of infraction.

Of course, there are many articles which explain how this new data protection law works and what you need to do to comply with it.  However, the aim of this guide isn’t to explain how to correctly apply the GDPR, but what to do to avoid being sanctioned, which I call regulatory arbitrage.

Regulatory arbitrage consists in finding and capitalising on loopholes in laws and regulations.

Every regulation has a weak point, a point that is usually removed by another additional regulation. Of course, no regulator understands that this creates a never-ending regulatory spiral that as it ends with a weak spot calls life to a new one.

Regulations themselves don’t have to be bad.  What sometimes needs to be questioned in regulations is not the ‘what’ but the ‘who’.  Who regulates regulators and ensures they act in the public interest?

The GDPR, as well as most EU initiatives, gives the impression that there are hidden interests (yes, I know this sounds like a conspiracy theory but I can’t think of another way to describe it).

It seems as if this law was driven by uneconomic socialist powers, written by the online lawyers sector and then watered down so that it doesn’t harm big American corporations too much. As if the EU wanted to cash in on the many fines that lay ahead.

It is custom in our jurisdiction that laws be the same for all. But do we really want to force small and medium business owners (as well as the self-employed) to abide by the same laws intended for big American companies?

Where the regulator fails, it is in my legitimate opinion to opt for regulatory arbitrage.

With reference to the GDPR, the main aim of regulatory arbitrage is the minimise risk and avoid the draconian penalties announced in the event of non-compliance with the GDPR.

It’s obvious that these extortionate fines, of between 10 and 20 million euros and 2 to 4% of the previous year’s turnover, do not make sense for ‘normal’ online business owners.

It should logically only be possible to apply them to companies like Google, Amazon, Apple and the like. On the other hand, these companies have the least to worry about.

Minimising the risk posed by the General Data Protection Regulation comprises several factors. The typical flags in Flag Theory play a crucial role here.

Although GDPR also affects companies outside the EU, they are much more protected than EU businesses. Furthermore, there are big differences in how GDPR is applied even within the EU, as we can see in the most recent example of Austria, a country that has opted to relax the law.

Partial compliance with GDPR

If your personal residence and the company’s head office are located in an EU country, you won’t be able to avoid complying with the data protection regulation at least partially.

Minimising the risks here is aimed at becoming a less visible and difficult prey in case someone is thinking of ‘hunting’ you and cashing in on you.

In general terms, the threat comes from 5 different sources:

• Lawyers specialised in data protection
• Consumer protection associations with lawyers specialised in data protection
• Your competition
• Your customers
• The state or the EU itself

In principle, as a small online entrepreneur you will probably never be caught in the spotlight of the EU data protection authorities.

This group isn’t going to waste resources going after small business owners. Moreover, a high sanction that could jeopardise the existence of the business (or even the personal economy) would cause a lot of negative publicity.

Ultimately, the danger comes not so much from public bodies, but rather from the private sector. The solution here therefore consists of becoming a bad prey, such that it’s not worth the effort. This can be achieved relatively easily.

By partially complying with GDPR you will have armed yourself effectively against your competition and lawyers.

We shouldn’t forget our own customers here either, who could be a source of scares and problems. This isn’t simply because they can sue us, but because they could decide that they don’t want anything to do with a company that doesn’t respect their privacy in the slightest.

Some of the important point of partial compliance are things that can be identified superficially on a web page:

• Email address confirmation when you sign up to a newsletter or something similar (also called a double opt-in)
• Clear and voluntary registration to the newsletter (without hiding the box to unsubscribe or without using the trick of the pre-ticked box).
• Getting the email using some kind of gift-like hook (lead magnet or freebie)
• Information on cookies policy
• Tracking pixels
• Updating privacy policy

Many online business owners rightly wish to avoid just a few of these points (especially that of the freebie).

By following the strategies we talk about in this article this is also possible. However, in these cases you’ll have to have created a structure that makes it difficult to find the offender and costly to take him to court.

As well as complying with the above points, companies must create internal process protocols and fact sheets, documents that they may need in the event of controls by data protection authorities.

It is important to bear this in mind because it should complement the strategies we explain in this article.  However much you have a holding company for your websites and domains, the company not only exists on the Internet, but also in real life. The law also obliges you in this case to take care of the way you collect and store data (from customers, suppliers and employees, for example).

Every business owner must draw up a document that serves as a guide to processes and can be shown to any authority, employee or customer who requests it.  This guide is not difficult to create; two or three hours should be enough.  What data protection authorities ultimately what to know, especially in the case of small companies, is that time has been taken to reflect on how they are processing other people’s data.

I don’t want to go into specifics on the processing directory to be prepared with the so-called control measures (technical-administrative measures).

There are plenty of examples of this in numerous online sources. Or you can hire a specialist lawyer to ensure greater legal certainty.

As I’ve been saying, what I want to demonstrate in this article is how you can minimise the risk of GDPR becoming a problem for you, not how to comply with it.

We’ll reach our goal by following four fundamental principles that a good perpetual tourist always bears in mind:

• Flag Theory (‘Go where you’re treated best’)
• Asset protection (‘Own nothing, control everything’)
• Regulatory arbitrage (‘With each additional regulation, new gaps are created’)
• Concealment (‘Eyes that don’t see, heart that doesn’t feel’)

Regulatory arbitrage in GDPR

One of the key points of regulatory arbitrage in terms of GDPR has to do with the market, i.e. the place where the customers are.

Regulators have found that it was really clever that the new data protection regulations not only apply to EU companies, but to all companies all over the world that have customers in the EU.

This means that, almost without exception, all Swiss companies, for example, will be affected by GDPR, because as well as having Swiss customers, they also have Austrian, German, Italian or French customers.

However, GDPR won’t apply if the company (Swiss or not) only sells to Swiss customers.  Here we could fall within the scope of Switzerland’s much more lax data protection law, which barely applies to foreign companies.

So, in terms of GDPR, what would happen if we only sold in Switzerland?

Of course, no company will decide to exclude important markets to avoid GDPR. However, it may be worth putting on your website that Switzerland is your target market and not Germany or Austria. Or the US instead of England. Or Argentina instead of Spain.

Just by using a suitable domain, showing prices in dollars, mentioning Canadians or Australians in your articles or even putting a legal notice just for American customers, it gives the superficial impression that the GDPR is not relevant for you because your customers do not seem to be in the EU.

With just this you could escape the first superficial glance of lawyers on the hunt for easy prey, who would have to demonstrate the opposite by investigating your business in depth (which, again, is not worth it given the amount of easy prey they undoubtedly have).

Even if your customers are within the EU, not all countries apply the rule equally. Ultimately, GDPR gives local state authorities ample room for manoeuvre in interpreting and applying GDPR. Many countries, including recently Austria, have relaxed regulation on quite a few points.

Some EU countries doubt whether it’s really in their interest to comply with GDPR.  In this case, we can talk about Ireland, a country where many large American corporations have their head office and whose data protection enforcement authorities already have more than enough on their plate with them.

These big businesses are not there by chance. As well as for tax reasons, they also do it due to local regulation.  The laxity of data protection legislation there is also an advantage.

As a small business there you’ll undoubtedly be invisible next to such a data devouring giant. Therefore, appearing to target only Irish customers (if you’re in the English-speaking market) can be an excellent option if you’ve also registered an Irish Foundation Limited (which we’ll talk about later).

Authorities in Eastern European countries won’t cause much trouble for their entrepreneurs either.

In any case, in countries like Spain, France, or Germany, things work differently. Below I explain how you can minimise risks using strategies for those who do not meet the requirements.

Non-compliance with GDPR

Those who do not wish to adhere to General Data Protection Regulation, or who just want to do so partially, must turn to a complete anonymisation of their website’s infrastructure.

As we’ve said, GDPR also applies to non-EU countries with customers in the EU. However, the scope for action against non-EU companies is clearly more limited.

Thus, by anonymising the owners or separating the operational business from the online part by interposing a company with registered domains in its name and hosting can help a lot.

If you decide not to comply with GDPR, you’ll have to pay special attention to a few points.

• This is not possible for website owners whose business is linked to a personal brand or where the person behind it is clearly identified (trainers, coaches, influencers, etc.). In these cases there will always be the risk of the so-called piercing the corporate veil, i.e., the separate legal entity is repealed and the owner is charged.  If you use your name on the website but you want to minimise risks you’ll have to live outside the EU. However, even in this case you could have problems entering the EU depending on the crimes you are accused of.  In cases where it is not possible to find the person, requirements are often communicated at EU entry or exit controls. The strategy to follow here is thus not being the owner of a domain or website that does not comply with data protection regulation.  In order to avoid problems, a foundation, an association or a third party could be used as an owner.  Piercing the corporate veil is impossible here because there is not an owner (or it is a third party).

 

• Some business models will not work with the strategy of separating website infrastructure from the operational business.  This particularly applies to many platforms for digital products and affiliate marketing, where the affiliated company must comply with certain rules to be accepted as an affiliate (legal notices, data protection…). Of course, depending on the intensity of the inspection, you can ‘cheat’ (change the legal notices again once you have already registered as an affiliate). However, you have to be clear that you’re violating the terms and conditions and that if someone complains and is reviewed you could be blocked.

 

• It is not absolutely necessary to separate website infrastructure from the operational business, but it is generally recommended for Spanish, German, French, Portuguese, Austrian and Swiss people due to the strict rules that make controlling foreign companies more difficult. Anonymity can be guaranteed through the use of trustees.

 

• The safest way of leaving the Inland Revenue behind in the country of origin is to create substance abroad.  If you operate in the EU, if you want achieve greater anonymity it is advisable to look for a location for the company outside Europe, as in the EU the tendency is to create a common register of beneficiaries.  Fiscally speaking, there should be a double taxation agreement for this location to be recognised. Typical countries for this are the United Arab Emirates, Singapore, Hong Kong and the US.

 

• Anyone who resides in a low or zero-tax country can generally act with anonymous offshore companies that do not comply with GDPR, as long as the person behind the brand is not openly named (personal brand) In this case, we recommend at least a partial compliance and a foundation (see above).

 

• It should be noted that many service providers and platforms require or at least expect their customers to comply with GDPR so that non-compliance could lead to such providers not wanting to work with companies that do not comply (especially if customers complain). It is therefore advisable to comply with the data protection laws at least on the uppermost surface.

The safest variant, wherever possible, is the creation of a holding company outside the EU.  We’re talking about creating a company that acts as a holding company and the entire infrastructure of the website.  A holding that has no revenue and, therefore, won’t have problems with CFC rules or with effective management even if it is a mere shell company.

You have to be careful with 2 important aspects for the holding company:

• Achieving the greatest level of anonymity possible for the structure of the company
• Achieving the greatest level of anonymity possible for the structure of the website

Separating the website and operational business using a holding company

We explain below the most advisable variant, where possible:  Separating websites from the operational business with the relocation of domains into a ‘dedicated holding’.

Billing would continue to be done through the original company, a company which is practically ‘non-existent’ on the internet and, therefore, is going to be a very difficult target. It only has to comply with the internal regulations of the data protection law, in case there is an inspection (we refer here to the compilation of the register).

The safest holding companies are in the framework of an offshore company or foundation in the Marshall Islands. The Marshall Islands is a US territory under special administration in the Pacific.  It’s an extremely inconvenient location for anyone looking to sue their local businesses, as the journey there is really long.

The Marshall Islands are under US protectorate (as you may know, GDPR in the US has not been particularly warmly received), but are in legal terms totally autonomous and do not recognise sentences from other countries.

For the Administration in the Marshall Islands to decide to identify the owner of a local company, a conviction by a local judge is necessary.

In any case, you won’t even discover what kind of company is behind the website (unless, of course, if you report the company name in the legal notice) until you have gone through the protection afforded by anonymous hosting platforms (this is explained below).  Either way, if the company in the Marshall Islands is properly structured, the plaintiff hasn’t got a chance.

Properly structured means being made up of mobile bearer shares. This type of bearer share was widespread in its day, but are now only possible  in their fullest sense in the Marshall Islands.  Companies founded with bearer shares are not registered anywhere.  No registry or employee of the same knows the company or its owners.  No leak in the world can reveal the owner of an anonymous corporation to the bearer.  And each owner can declare under oath that they do not own such a company.

Bearer shares mean that the owner of a company is the owner of the ‘share’.  As a result, the company can change ownership any time by issuing the ‘share certificate’. If the shares are well deposited, it is impossible to find out who the owners are.

In addition to the Marshall Islands, there are many other jurisdictions in the world that still offer bearer shares. However, the problem is that they are immobilised. This means that the bearer share must be kept in a bank safe so that the bank knows who the real owner of the company is.

In this case we no longer have absolute anonymity, but in exchange we have a company that can open bank accounts (currently no bank will open a bank account to a company with mobile bearer shares).

Be that as it may, out holding company has no operational income and therefore does not require a bank account.  You just have to pay for your domains and servers, which can be done using cryptocurrency, especially if you choose one of the recommended anonymous hosting platforms.

In conclusion, the company in the Marshall Islands would be the best way of protecting you website from lawsuits, injunctions and sanctions.

A company in the Marshall Islands isn’t very expensive and can be set up using bearer shares with a founding cost of €1900 and a payment of €900 from the second year onwards. Passport, utility bill and bank reference are required only for reasons of compliance with international standards of KYC procedures (customer verification).

Of course, you don’t necessarily have to go to the optimal option. Any offshore jurisdiction without public business records will offer you a high level of security, especially if you use front men. The plaintiff must therefore first obtain access to the non-public register and then to the real owners behind the front men.

Practically no state, company, individual or lawyer will invest that much time and money for a mere breach of GDPR.

If you want to have a cheaper company than the Marshall Islands, you can found an LLC in New Mexico for around $400.   New Mexico is the state that offers the greatest anonymity in the US and does not share information on the company’s owners.

Prominent offshore jurisdictions such as Nevis or the Cook Islands, which are known for their asset protection, are also recommended. They do not offer bearer shares, but, in exchange, equally advantageous legislation when it comes to lawsuits from abroad.

For example, in order to file a lawsuit in Nevis you’ll have to deposit $100,000 in cash in court, pay the lawyers from the outset (which is also very expensive) and bear all the costs of the court and the other party’s lawyers in the likely case of failure.

Another strategy you could follow consists of separating the business from yourself. In theory, you won’t even need a company.  You can get the domain or server directly using a foundation or an association. The three structures (offshore company, foundation or association) are great options for protecting yourself.

As soon as there is a minimum of two owners, it may be attractive to create an unregistered Swiss association (nicht eingetragenen Schweizer Verein) as a holding company. This is almost free. All you need is a physical address in Switzerland to register the association.  Instead of letting the association have the domains themselves, you can also, of course, have the association participate in offshore companies.

Another alternative is to create a family foundation, but even in the cheapest country, which is Panama, it costs more than $2,500.  Even cheaper are the typical trusts in common law countries (the UK and its former colonies).

However, you have to bear in mind that a trust is not an independent legal entity, but a contract by which assets, such as companies, are transferred to a third party. This often provides tax and legal protection to the original owner, and causes the trustee to fail to comply with GDPR. However, since trustees usually live in tax havens, the likelihood of successfully suing them is minimal.

Options when it is not possible to have a holding for domains and websites.

We have so far talked about the strict separation of a website management company and the operational business.  For commercial reasons, this won’t always be possible, so other strategies will have to be used. For example, many affiliate marketing or product sales platforms require the company to appear with the same information on the website as on its invoices, bank account and so on.

A separation may be attempted, although you run the risk of violating the conditions of use.  In many offshore jurisdictions where it makes sense to have your holding company, you can freely choose to add the acronyms of other legal forms.  For example, you could have an IBC in Nevis with the acronym SL, LTD or GmBH and rent a virtual office space in France, Mexico, the UK or Germany. It will thus appear to be a ‘normal’ onshore company, but without being listed in the commercial register, of course.

The so-called ‘Name Mismatch’ is a common strategy, so it is often overlooked. In many cases it will be sufficient if the holding company has the same name as the operational company. For example, someone setting up a company with bearer shares in the Marshall Islands and that, therefore, does not have a bank account, can simply found a second company in the Marshall Islands without bearer shares with an account with the same name but with a small change. The lower-case ‘l’ and upper-case ‘I’ are virtually identical, just as 0 (zero) and the upper-case ‘O’, or ‘nn’ and ‘m’, are difficult to tell apart.

In any case, it is obviously better to link protection against GDPR to tax optimisation and this is what we are going to talk about next.

In this case, given that the company is used operationally (it will invoice clients), anti tax evasion aspects come into play, at least if the administration or the partners have their residence in a high-tax country (such as the UK, Ireland, Canada, Australia, etc.).

Neither perpetual tourists nor those residing in a country with territorial or zero taxation will have problems with these laws and, in principal, won’t need to keep reading what we explain in this section, the domain holding of which we spoke before will be sufficient for them, they will simply have to use it in an operational way.

For those who still fiscally reside in a high-tax country, there are two options (in the fiscal part):

• Set up a company abroad that builds substance
• Set up a company abroad that operates anonymously

The second variant entails tax evasion, which we will not go into.

Ultimately, the owner of the company must decide if they want to try to have their foreign company recognised or whether they’d prefer to pay tax as if it were a national company (international tax transparency scheme).  Due to the strict regulations on foreign companies in some countries, attempting to have the tax advantages of foreign companies’ residence recognised is only worthwhile from a certain benefit between €70,000 and €100,000 per year.

Bulgaria is attractive because, as well as the low 10% corporation tax, it is one of the cheapest countries in the EU for  building a business substrate. After all, the costs of setting up, a director, and local employees are very low.

However, due to the likely Beneficial Owner Register, it could be better (in terms of protection against GDPR) to set up a company outside the EU. In this case, attention must be paid to the existence of a double taxation agreement with the country of residence, as this makes the requirements for the business substrate must easier to meet compared to what happens without such an agreement.

Typical countries are again in the US, as well as Switzerland, Liechtenstein, Singapore, Hong Kong, Georgia, or a company in a UAE free zone, in which anonymity can largely be guaranteed with front men.

Own nothing, control everything.

Within the domain holding I have already discussed the possibility of trusts, foundations and associations.  I would like to reiterate this once more.  Ultimately, these structures are usually completely ignored.  In addition to the Flag Theory slogan ‘Go where you’re treated best’, we also have the asset protection slogan, ‘Own nothing, control everything’ which is equally important.

While the world’s rich people have lived under this motto for centuries, the middle classes have developed an exorbitant pride in ‘property’ and in no way wish to transfer it to others (least of all in Latin American countries).

However, this attitude should be reconsidered, especially in the case of the high risk posed by regulations such as GDPR, the new regulations regarding cryptocurrencies, wealth taxes, exit tax and so on.

As we described before, in some cases limiting liability may lapse and a crime may be attributed to the owners of the company (‘piercing the corporate veil’).

As we said, this piercing of the veil will occur especially if the business consists of a personal brand, i.e. the website cannot be done anonymously (the typical business of coaching).

Some structures, like foundations or associations, are a great solution in this case, because they are owned by themselves. There is no owner to which a crime can be attributed.

Instead of outsourcing the ownership of your website to a domain holding company, you can do it the other way around: you withdraw all your assets and leave them in foundations and trusts that you control.

Christoph, for example, works with a family foundation in Panama and owns nothing more than is hand-luggage.  In this case you can keep the domains in your name or in your company’s name, because there is nothing to get anyway.  In the worst cases the company would go bankrupt or you would declare yourself bankrupt.

This doesn’t even require foundations.  If you don’t have any money anyway, there’s nothing to get.  Of course, you could also register your domains on behalf of people without assets, who would receive a small compensation for any risk of inconvenience.

These people can be located anywhere in the world, they just have to choose the domain well. Here you can quickly find possibilities through the most common online job portals.  In this way, the risk of non-compliance with GDPR is drastically reduced.

You are, of course, theoretically ceding domain ownership, which is probably valuable, but you can arrange everything in such a way that you can still control the domain and transfer it at any time, especially if you’re dealing with someone who doesn’t know how domains work.

You can, for example, found a German association with fellow businessmen to use as a domain holding for the sole purpose of managing websites and domains. The responsibility of the association’s members is excluded.  Only a ‘penniless’ person should be appointed as an administrator, as in case of doubt he can be held liable.

As we said, when it is not possible to opt for a domain holding, the business owner can always protect his private wealth using associations or foundations.

A more advisable alternative is the operating company owned by the association or foundation. As interesting design option in German-speaking countries is the Limited by guarantee companies. Thanks to EU legislation, an Irish limited foundation can theoretically also be entered into the German commercial register.

In cases where you have to appear publically on your websites or you have to be public for certain reasons, you can act relatively safely with GDPR. Because a limited foundation owns itself and, therefore, cannot be seized.

In tax terms it is treated like a national company, but in terms of company law Irish or English law applies.  However, given that this type of operational foundation does not exist in German law, many notaries now reject entry into the German commercial register, which is actually legal under EU law. Business accounts are also difficult to open.

The operation of foundations and associations can be very complicated. However, if you only use them to maintain a website, considerations of tax and foundation law are entirely secondary. Even so, it is clear that you should let an expert in this field advise you at the time of creation.

Summary of options for someone who cannot or does not want to comply with the new data protection law (GDPR).

Let’s now briefly summarise the possibilities available to you based on personal situation:

• EU resident, public person: use of foundations or associations
• EU resident, anonymous, domain holding: Offshore company register (trustee/bearer shares)
• EU resident, anonymous, operational business without substrate: foreign company which is taxed as if it were a local business.
• EU resident, anonymous, operational business with substrate: creation of a business substrate in the EU or in countries with a double taxation agreement
• Non-EU resident, public person: use of trusts, foundations or associations
• Non-EU resident, anonymous, domain holding: creation of an offshore company
• Non-EU resident, anonymous and operational business: generally, any non-EU company. Greater anonymity using front men.

In the best cases, these options can be combined if one can afford to create a structure of foundations and several companies, something that is only possible with adequate personal residence. In this way, you can develop a legally unbreakable structure.

You have to bear in mind that, with every little step or protection we add, we’re greatly increasing the cost for the suing party, such that we ultimately become too difficult a prey that just isn’t worthwhile.

Anonymous domain registration and holding providers

If you’re using a suitable structure you won’t have to worry anymore.  It’s no problem for the lawyer to get hold of the company’s data in the Marshall Islands as they won’t discover who’s behind it (especially if this is a business with mobile bearer shares).

Anonymising the hosting and domain is thus just one more measure to further complicate things for whoever wants to sue you for not having complied with European data protection law.

Creating an anonymous infrastructure for the website is much more important for those who, for whatever reason, want to do without the possibilities mentioned above.

It will not be enough to make the domain anonymous through protection with the WHOIS TCP protocol and the server through the DNS system. This is undoubtedly an advisable measure to take in order to increase the costs of identifying the website’s operator, but not for complete protection.

European providers often cede owners’ data when faced with threats from lawyers, at the latest when faced with a court judgement. For this reason, it is advisable that you websites be hosted in countries that guarantee the greatest possible anonymity and that do not reveal your data, even if foreign authorities request it.

The best option is to host website in Nordic countries: Iceland, Norway, and Russia are still fairly advisable.

If possible, it’s also interesting to use the domain of various tiny countries. For example, .to (Tonga), .io (British Indian Ocean Territory), .tv (Tuvalu) or also .is (Iceland), are all very well-known. Of course, using these domains can carry other disadvantages (in terms of SEO or the trust your website arouses)

Blocking these domains is much more difficult than with an EU domain, for example. The Swiss domain, .ch, is also interesting because Switzerland does not participate in the GDPR.

When registering your domains you can use fiduciary services such as nja.la. In this case you sign a contract with them that assures you total control of the domains despite being in the name of Njala.

What you must also take into account when anonymising your websites is keeping the flow of payments in order.

It’s no use having the entire company structure anonymously if your private data can be tracked by credit card payments.  Therefore, you have to pay the corresponding providers using Bitcoin, Paysafecard or similar anonymous means, never with a personal credit card or operational company credit card. If your holding does not accept any cryptocurrencies, you might have to look for another one.

In conclusion, you must again bear in mind the four central principles for minimising the danger of becoming a victim of the General Data Protection Regulations. These four principles are:

• Flag Theory (‘Go where you’re treated best’)
• Asset protection (‘Own nothing, control everything’)
• Regulatory arbitrage (‘With each additional regulation, new gaps are created’)
• Concealment (‘Eyes that don’t see, heart that doesn’t feel’)

Ideally, you should first register a company in the jurisdiction that offers you greater anonymity and advantages (Flag Theory), managed by a structure that belongs to itself (asset protection), and that meets at least part of the GDPR (regulatory arbitrage) guidelines, as well as hiding as much as possible who is behind it (Eyes that don’t see…). If you incorporate the four principles into your anti-GDPR strategy, you won’t have much to worry about.

However, even if you only apply one of the four aforementioned principles, you’ll already have achieved a lot, the costs for whoever wants to sue you or threaten you will go up considerably, such that it won’t be worth their while and they’ll leave it be.

If after reading this article you still have a doubts, you can book a consultation in which we’ll study your case and look for the best option. Of course, you can also get in touch with us to register through our partners a partnership in the Marshall Islands or a foundation in Panama.

Because your life is yours!