It doesn't really matter from what country the company is. If you do business in the EU then EU laws apply to the business you do in the EU. Just like EU companies adhere to US law for the business they do in the US.
Because we're talking about the personal data of EU citizens. If it's to be permitted to be sent to America at all, that must come with a guarantee that EU-standard protections will continue to apply regardless of American law.
I say temporary because it keeps being shot down in court for lax privacy protections and the EU keeps refloating it under a different name for economic reasons. Before this name it was called safe harbor and after that it was privacy shield.
Of course you don't need permission to do something with your own data. But if someone wants to process other people's data, that's absolutely a special privilege that you don't get without committing to appropriate safety protocols.
I'm not sure they are "retrieving" data. People register on the website and upload stuff they want to be processed and used.
I mean, sometimes the government steps in when you willingly try to hand over something on your own will, such as very strict rules around organ donation, I can't simply decide to give my organs to some random person for arbitrary reasons even if I really want to. But I'm not sure if data should be the same category where the government steps in and says "no you can't upload your personal data to an American website"
Likewise, why should America be able to override European laws regarding European users in Europe?
It's all about jurisdiction. Do business in Country X? Then you need to follow Country X's laws.
Same as if you go on vacation to County Y. If you do something that is illegal in Country Y while you are there, even if it's legal in your home country, you still broke the law in Country Y and will have to face the consequences.
Ditto for service vendors who also deal with user data.
Even within the EU, this is a mess and companies would rather use a simple heuristic like put all servers and store all data for EU users in the most restrictive country (I’ve heard Germany).
If outside EU, then they need to accept EU jurisdiction and notify who is representative plenipotentiary (== can make decisions and take liability on behalf of the company).
> Where does the company operate?
Geography mostly doesn't matter as long as they interact with EU people. Because people are more important.
> What country is the individual user in?
Any EU (or EEA) country.
> What country do the servers and data reside in?
Again, doesn't matter, because people > servers.
It's almost like if bureaucrats who are writing regulations are experienced in writing regulations in such a way they can't be circumvented.
EDIT TO ADD:
From OpenAI privacy policy:
> 1. Data controller
> If you live in the European Economic Area (EEA) or Switzerland, OpenAI Ireland Limited, with its registered office at 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, is the controller and is responsible for the processing of your Personal Data as described in this Privacy Policy.
> If you live in the UK, OpenAI OpCo, LLC, with its registered office at 1960 Bryant Street, San Francisco, California 94110, United States, is the controller and is responsible for the processing of your Personal Data as described in this Privacy Policy.
As you astutely note, the company probably has it's "HQ" (for some legal definition of HQ) a mere 30 minutes across Dublin (Luas, walk in rain, bus, more rain) from the Data Protection Commission. It's very likely that whatever big tech data-hoarder you choose has a presence very close to their opposite number in both of these cases.
If it was easier or more cost-effective for these companies not to have a foot in the EU they wouldn't bother, but they do.
> It's almost like if bureaucrats who are writing regulations are experienced in writing regulations in such a way they can't be circumvented.
Americans often seem to have the view that lawmakers are bumbling buffoons who just make up laws on the spot with no thought given to loop holes or consequences. That might be how they do it over there, but it's not really how it works here.
EU companies are required to act in compliance with the GDPR. This includes all sensitive data that is transfered to business partners.
They must make sure that all partners handle the (sensitive part of the) transfered data in a GDPR compliant way.
So: No law is overriden. But in order to do business with EU companies, US companies "must" offer to treat the data accordingly.
As a result, this means EU companies can not transfer sensitive data to US companies. (Since the president of the US has in principle the right to order any US company to turn over their data.)
But in practice, usually no one cares. Unless someone does and then you might be in trouble.
