Ultimately, adtech has to broker between publishers and advertisers. If those have any business in the EU, they will be liable for the data, even if the broker is outside of jurisdiction.
But the publisher and advertiser might not know where the data came from. The broker could easily just say "oh yeah, we have permission from these people to share this data".
I'm sure some of them will get caught, but how long will that take?
A free-market solution would be to establish strict liability for the publishers and advertisers, regardless of intent. Establishing liability creates an incentive to manage the risk, and therefore establishes an insurance market. The insurance companies would gather additional information in order to price the insurance accordingly, including audits of the data brokers and determining risk factors of each data broker. Doing business with a disreputable data broker would then lead to higher insurance premiums. While this cost would largely be passed through to the purchaser (the companies purchasing adtime), the cost would be lower for advertisers that deal only with reputable data brokers and follow best practice, thus having a market advantage for well-behaved advertisers.
Granted, this relies on several levels of the efficient market hypothesis. At some point, it is more efficient to ban poor behavior than to introduce 3rd-order effects that slightly discourage poor behavior.
If you buy a stolen bike and could reasonably have known that it was not obtained with consent, you're also liable. For example, an unusually low price from someone who doesn't own a bike shop and wants cash can be indicators of that. In the case of data, it may be that they are able to provide lots of data without a plausible source.
Sure, you might be liable, but do you think that in practice this will matter? It's not like it's somehow obvious that an advertising company has data on you that they shouldn't have. Somebody needs to actually suspect that for any investigation to happen.
> If they have customers in the EU, freeze their bank accounts or sanction their payment processors.
This is comical. The government isn't going to start shutting bank accounts for GDPR violations on small foreign corporations, as if they're smuggling nuclear fuel to Iran. Half the bank accounts in the world would be closed if we were so sensitive to regulations.
They then can't do business with European publishers or show ads for European businesses, as those are liable. And showing ads for things not available in Europe isn't really bringing revenue from a European audience ...
I thought this was obvious. I've been saying since day 1 that GDPR won't help much with privacy. It might even do the opposite by making people feel that their data is safe. But a company beyond the jurisdiction of the EU can simply ignore GDPR and vacuum up all the data they want.
What will ultimately help with privacy is not leaking out this data in the first place. Push browsers and other such services/devices to stop leaking enormous amounts of information on the user.
That's not to say that GDPR isn't useful. It certainly is, because it stops the big legal businesses from doing it, but it also has the downside of harming European online businesses.
The end result is the fracturing of the internet. You'll have the Chinese internet, the EU internet, the Russian internet etc. The internet kind of loses its meaning at that point.
Also, I do remember reading some kind of EU document that this is what they were thinking of.