This gets repeated over and over on HN but it isn't true. I feel this is because so many try to make GDPR seem too hard and breaking everything (likely people with something to lose).
GDPR is for data in the EU. That is it. Not data outside the EU and not people outside the EU. An American in the EU is covered, an EU citizen in the US is not.
What you are saying would require that the EU could create laws that were above the Supreme Court in the US for example. It simply isn't true.
> I feel this is because so many try to make GDPR seem too hard and breaking everything (likely people with something to lose).
Or people who wish to extend the reach of GDPR so that others outside of the EU are protected too.
> What you are saying would require that the EU could create laws that were above the Supreme Court in the US for example
This is not true for multiple reasons. Check out https://en.wikipedia.org/wiki/PROTECT_Act_of_2003 specifically "Authorizes fines and/or imprisonment for up to 30 years for U.S. citizens or residents who engage in illicit sexual conduct abroad". The EU could punish US companies that have offices in the EU or income from the EU. Alternatively it could sanction them.
Let me rephrase: If the data is in the EU it is covered by GDPR no matter where the person that creates the data is at (yes in the US too) but the person isn't covered by the GDPR, the data (that is in the EU) is covered. It is not the same thing. What most people seem to think is the EU overreaching and "making laws that reach outsides its borders" is in cases where a foreign company (like Facebook) gets regulated by GDPR even though the company is outside the EU. This is because the data is in the EU and of course data in the EU isn't under US or any other entities law but EU (and member states). If you transfer data outside the EU you either do so illegally or have to follow the rules of the GDPR. It still doesn't reach outside the EU borders. Of course if you do something criminally the EU might judge you no matter where you are at just like the US with PROTECT Act of 2003 but that is another matter.
Hmm. I actually said that because that's what the GDPR training that I was forced to undertake by my employer taught me. That being said, reading the regulation now shows me that was a misunderstanding.
That being said it wouldn't require the EU to create laws which have jurisdiction above the US supreme court - if a company has any activity within Europe the European courts can act. There are other examples - for example UK libel law allows people under certain circumstances to sue for libel in the UK even if both parties are not UK citizens and the libel itself occurred outside the UK. Another example is the US CFTC which claims jurisdiction over all swaps transactions even if both parties are non-US and the swap itself happened outside the US.
What you are describing in the case of the GDPR would be like a US company - Facebook for example - being regulated by the GDPR. But while Facebook is in the US the data someone in the EU is creating is inside the EU, so it doesn't really matter if Facebook is targeting EU citizens or not since the data is not (at first at least) in the US and transferring it there is illegal if it doesn't follow the GDPR. That being said I'm aware that there are situations where a country will punish something happening elsewhere but it still isn't reaching outside its borders. If the EU want to punish Mark Zuckerberg it cannot touch him or his assets unless they are inside the EU without the cooperation of the local court or government. That was the reason Privacy Shield got overturned.