by ThePhysicist 2150 days ago
Currently there's not much the data protection authorities in the EU can do about foreign companies abusing the data of users.

I assume that in the coming years (or decade?) there will be more efforts to ensure the enforcement of EU law for foreign companies that offer services to EU citizens as part of trade deals.

Right now there's, e.g., a flourishing industry of data brokers in Israel that illegally collects data from EU (and US) citizens and sells it, a practice which is hard to stop as well, since most of these companies don't have offices in the EU.

I think another possible strategy would be to go after the clients of these companies. If they can't legally sell their data to companies in the EU or US their business model would falter. The GDPR actually mandates that you as a data controller validate that companies which process data for you adhere to GDPR principles. Right now it seems this isn't being enforced much yet but I think it will be soon, which hopefully will have an effect on data brokers outside the EU as well.


It is enforced and viral in the EU. Think of it like radioactive materials: any operation needs to be fully tracked.

When accessing any user's personal details, you need to have the user's consent to process their personal data. You can't simply buy the dataset and assume it has consent. When you buy data from a data provider, you need to make sure the user gave that provider consent for third parties to handle the data, in accordance with the GDPR. Users can revoke the consent, and every party needs to be ready to handle that scenario. Any data export outside the EU also needs consent under the GDPR. Moreover, the dataset needs to be registered with the local regulator.

When accessing any user's personal details, you need to have the user's consent to process their personal data.

Consent is only one of the lawful bases for processing data under the GDPR. In practice, it's the one almost everyone tries not to rely on unless they can't avoid it, because it comes with extra obligations that other bases might not.

Could you list the others? Or at least provide some examples?

Basically, all the ones I know of are based on either record keeping mandated by law, or records used to fulfil whatever service/product/goods the user purchased, but even in these cases the processing must be described, right?

The GDPR itself is actually quite readable, so if you're interested in the details, you can go to the source. There's a neatly formatted version hosted here:

https://gdpr-info.eu/art-6-gdpr/

What the source material won't tell you, for better or worse, is how these are interpreted in reality by data controllers, processors and regulators. The two main things to know in that respect are:

1. Relying on the subject's consent is usually the last resort. It comes with lots of extra strings attached.

2. The "legitimate interests" provision is open to interpretation. It is widely used as an excuse for processing that many of us might consider far from desirable. But it is also a risk for data processors doing things many of us might consider reasonable, because any regulator can take a different view and they get to win by default.