> This specific API seems pretty innocuous. They're not doing black magic, it's just aggregating data that people willingly put out there about themselves.
That has always been illegal in my country though (you can't even keep a record of people with pen and paper), and now with GDPR it would of course be illegal with actual consequences if it contains data about EU citizens.
Regardless, they're not based in Europe. Unless they do business in the EU, they can't touch them. This is due to the fact that extradition requires something to be a crime in both countries, so unless the EU has assets to seize, nothing they can do.
And if they try, any American court will be very leery of setting the precedent that Brussels can tell Americans what to do in any sense, particularly with respect to data stored on their servers.
Perhaps not directly, but if they're processing the information of EU data subjects on behalf of another company that does business in the EU, then that company will have to justify using this service, which is clearly not GDPR compliant.
I imagine the company using them will want to recover financial losses they incur after getting reamed by whatever European Data Protection Authority decides to go after them - especially if the culprits did promote themselves as being GDPR compliant.
The point of the EU's strong data protection rules is to have accountability - and it will fall on someone along the chain that caused the mess. Companies can't be allowed to completely disregard how they collect and store data and then go "Oops, haha sorry about that!" when the shit inevitably hits the fan, and just continue their business as usual.