What you are describing in the case of the GDPR would be like a US company - Facebook for example - being regulated by the GDPR. But while Facebook is in the US the data someone in the EU is creating is inside the EU, so it doesn't really matter if Facebook is targeting EU citizens or not since the data is not (at first at least) in the US and transferring it there is illegal if it doesn't follow the GDPR. That being said I'm aware that there are situations where a country will punish something happening elsewhere but it still isn't reaching outside its borders. If the EU want to punish Mark Zuckerberg it cannot touch him or his assets unless they are inside the EU without the cooperation of the local court or government. That was the reason Privacy Shield got overturned.