
Any fight for privacy in the modern technology environment is such an extreme case of power asymmetry that I'm starting to think it's hopeless.

On the one side you have individuals that don't want their private information to be revealed without their consent. On the other are device manufacturers, advertisers, startups, and giants like Google and Facebook. Often, maintaining privacy while viewing a single website requires either trusting or subverting the intentions of multiple such organizations.

It's like going to war with the British Royal Navy at the height of its power in a dinghy. So far it's been possible because the navy has made a promise that they'll "play fair". But that can change on a whim and there's ultimately very little you can do if that happens.




Don't worry, the GDPR is coming.

Now you're going to war with the Royal Navy in a nuclear-armed rubber dinghy.

4% revenue per timeframe in which privacy rights were violated, or 20 million EUR, whichever is larger, is absolutely nothing to ignore anymore.


That sounds nice in theory, but in a global setting, how will it really work?

Per GP comment, there is a whole tech stack of N providers, each piece made or running in a different country, pushing data to servers in another country, which data is bought by interests in a third country, for M destinations. Then you get the providers who intentionally don't store data in GDPR countries specifically so they can avoid these rules. Look at what Uber already does to skirt the authorities. So you have at least MxN countries possibly involved or whatever. If your data is released, it'll rattle around in a pachinko machine of jurisdiction debate for years against well-funded, malicious corporations.

It doesn't seem like any rule is enforceable in practice.


The GDPR applies extraterritorially.

If a company even stores a record of a single EU citizen, the GDPR applies to it, and the EU has the right to seize the assets of the company for the purpose of enforcing it.


I am curious about something.

If you were to only offer your service in North America, but someone from the EU comes over to North America on vacation, and somehow becomes recorded in your service.

Does the GDPR still apply in this case?


As long as that someone is still in the US, no. But if the service is used from the EU, the GDPR applies.

Article 3 defines the territorial scope:

http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELE...


>The GDPR applies extraterritorially.

Yeah. Good luck with that.

It'll work for the big, entrenched companies like Facebook who couldn't bear to be without its UK customers, for example. But I don't see the EU successfully going after every little dot-com startup from Alabama to Angola, many of them in jurisdictions that barely have a functioning legal system, let alone respect for EU law.

If such extraterritorial enforcement was actually possible, there would be no 419 scammers.


You can try that, but every major bank will cooperate and simply freeze your accounts if ordered to do so.


If you're in the UK. Some of us Yanks aren't too happy with the state of things either, and don't have people looking out for us.

/rant


*EU, the UK won't be part of the GDPR for long enough that it'd have relevant effects.


The UK is implementing GDPR in full in UK law.


For now that is certainly true, but as is obvious, we don't know yet which laws will be retained after Brexit, and with even such major things as the ECHR still undecided, I wouldn't put it past them to repeal this as well in the future.


This whole Brexit thing is sure working out well, isn't it?



