[arpinum]

Does GDPR apply here? They might not be selling to the EU, and they aren’t monitoring EU persons but just selling historic information. I don’t read GDPR as applying globally to any and all trade in EU personal data. https://gdpr.eu/companies-outside-of-europe/

[rvnx]

Well in reality it applies if the US wants to enforce such judgments. If myself, as the king of Monaco, I declare a law that says that US companies should pay a tax to pay for air that transited through Monaco (and hence was cleaned by Monaco's trees), it's perfectly valid.

[fmajid]

It applies. Practical enforceability is another thing completely.

[jansenmac]

Yes it does apply. https://www.hipaajournal.com/american-companies-gdpr/

[arpinum]

Your link is in reference to multi national companies. I don’t see how GDPR applies to companies that don’t do business with EU persons and without an EU presence.

[mnd999]

They are selling into the EU though, right? So they do do business with EU persons.

[garmaine]

Unless the payment processor is in the EU, the courts would have no jurisdiction.

[samus]

The courts would have jurisdiction on the recipient though. The recipent has to evidence a valid reason according to GDPR to process a subject's data.

[garmaine]

The recipient is outside the EU.

[ThrustVectoring]

GDPR applies, it has worldwide scope for data on EU citizens. On the other hand, European courts lack jurisdiction to enforce their laws on companies without EU offices and assets.

FWIW I'm really glad that EU courts lack this jurisdiction - any gain from privacy would more than be wiped out from losses to free speech, especially with the extensive history of libel tourism.

[tzs]

> GDPR applies, it has worldwide scope for data on EU citizens

Not quite. It applies to people who are "in the Union".

There is a very large overlap between "EU citizens" and people "in the Union", so most of the time there is no need to make the distinction but it is there.

[garmaine]

It’s hard to make an argument for the EU courts having that jurisdiction without also granting the same to Saudi Arabia and China.

[himinlomax]

The way it works is that the EU fines their EU-based operations or stops them from operating in the EU. And if they don't have any, those of their customers who do could not legally acquire their data on EU citizens without the subject's informed consent anyway.