[adventured]

If they're doing no business in Europe, they do not need to worry about complying with GDPR at all and can freely track European users any way they see fit.

The EU has no jurisdiction over newspapers in South Carolina. It is that simple legally.

If I visit a random popular Chinese site, landing on a Chinese mainland server in the process, the US Government is not going to get to tell that Chinese site how it can legally use my data in their country. Shouting that I'm an American citizen and that they must comply with US privacy laws, will do no good: the US Government has no jurisdiction over the matter. It works exactly the same way for the US-EU-GDPR as it pertains to a newspaper from South Carolina.

[repolfx]

The EU has asserted it does have such jurisdiction.

The risk to local newspapers is low for now, but comes from the possibility of future agreements by the USA to cooperate with the EU on GDPR enforcement (e.g. as part of some trade deal), or their executives going to the EU for a business trip or holiday and coming under jurisdiction that way, or selling or wanting to be sold to a firm with EU presence, etc etc. Lots of ways the EU can end up with leverage over an apparently small and local firm.

[adventured]

It doesn't matter what the EU asserts. They do not have that jurisdiction, unless they're planning a military invasion of the US and plan to rob it of its sovereignty.

Just like the US does not have the ability to dictate to China what privacy laws look like in that country or how US citizen data is managed within that country (eg when I visit a Chinese site).

How could any this possibly be difficult to understand?

If South Dakota comes up with its own crazy privacy laws, that doesn't mean it gets to actually "assert" how EU sites must manage data for people from South Dakota. It doesn't matter how much South Dakota screams about it, that state has no power to dictate anything to the EU. You would only have to particularly worry about it, as an EU site, if you were eg hosting a server in South Dakota, or doing business there.

edit: replying to your comment below, because my replies are throttled

It is in fact how jurisdiction works today and yesterday and always. The exceptions require agreed upon, established laws between the parties that say otherwise, which you just admitted is the case by referencing FATCA as an example.

[repolfx]

That's not how jurisdiction works these days.

Look at FATCA. A US law that every financial institution in Europe has to comply with whether they like it or not.

The EU knows it isn't going to invade the USA. Nonetheless, it has explicitly asserted many times that everyone, globally, is expected to comply, regardless of whether they have any EU corporate presence or not. Why do you think they would do that, if they aren't intending to find ways to make it enforceable? And there are certainly many tools available to do that with that aren't military in nature.

[jacobgreenleaf]

FATCA “applies” to foreign corporations because bilateral treaties were signed, and a lot of the agreements were reciprocal.

[repolfx]

No it doesn't. FATCA applies to foreign corporations because otherwise the US financial system will freeze them out, moreover FATCA requires recursive application of this rule, that is part of FATCA compliance involves determining if your counterparties are FATCA compliant and freezing them out. It has nothing to do with bilateral treaties.

[AmericanChopper]

Can you point to some case law that says EU data subjects consuming US based services will not protected by GDPR? Because one of the main points of the legislation is that the EU will use it to protect their data subjects in every jurisdiction. You’re probably right, but you won’t be able to direct me to a lawyer who would be willing to evaluate a business and determine its GDPR exposure for $0.

[adventured]

You're asking me to argue or prove a negative.

You might as well apply the same premise to US vs EU vs Chinese (vs any other country) freedom of speech laws.

It's the exact same jurisdiction premise on how rights are governed, whether we're talking about privacy or otherwise.

Just because I'm an American, that doesn't give me US freedom of speech protections when I step foot into EU countries or Brazil or China or North Korea. I'm bound by the local laws on most things, with few exceptions.

[AmericanChopper]

I’m asking you to prove a negative to demonstrate that no US company could adequately assess their exposure at present, and they certainly couldn’t do it for free.

You seem to not understand that one of the core principles of the GDPR is that the EU intend to enforce it in all jurisdictions. Which they can do without an armed invasion using trade treaties, and instruments such as the New York Convention. For any entity anywhere in the world that doesn’t do business in the EU, blocking the entire union is the most risk averse and cost sensitive option.