by phs318u 2422 days ago
I recently did a stint as a contractor at one of Australia's "big 4" banks. I can assure you that they are so active in the privacy space, and foresee more and more GDPR-like regulations, that they've created their own privacy framework based on GDPR plus likely similar frameworks to come in other jurisdictions. It is one of the biggest funded projects in that bank (it helps that Australia recently had a negative spotlight on the banks' behaviour. Thanks Royal Commission!).

The point I'm trying to make is that if you have European customers, then the GDPR applies. Therefore, "foreign companies" competing for EU customers definitely do have this limitation. Fines have been issued for companies that don't comply, and the sizes vary immensely (e.g. over 200 million euro for British Airways down to 118 euros (not millions, 118) for the Data Protection Authority of Saarland).

http://enforcementtracker.com/

1 comments

GDPR might apply and the EU can levy fines on foreign companies, but that doesn't mean that a foreign company has to pay like a European one. The EU can't force a Chinese company to pay if they are willing to give up their EU business. That's the problem - you can't enforce it where you have no legal jurisdiction.

Or do I have it wrong and there is an enforcement mechanism that can make a Chinese company do things the EU says?