[h_anna_h]

> I feel this is because so many try to make GDPR seem too hard and breaking everything (likely people with something to lose).

Or people who wish to extend the reach of GDPR so that others outside of the EU are protected too.

> What you are saying would require that the EU could create laws that were above the Supreme Court in the US for example

This is not true for multiple reasons. Check out https://en.wikipedia.org/wiki/PROTECT_Act_of_2003 specifically "Authorizes fines and/or imprisonment for up to 30 years for U.S. citizens or residents who engage in illicit sexual conduct abroad". The EU could punish US companies that have offices in the EU or income from the EU. Alternatively it could sanction them.

[Daho0n]

Let me rephrase: If the data is in the EU it is covered by GDPR no matter where the person that creates the data is at (yes in the US too) but the person isn't covered by the GDPR, the data (that is in the EU) is covered. It is not the same thing. What most people seem to think is the EU overreaching and "making laws that reach outsides its borders" is in cases where a foreign company (like Facebook) gets regulated by GDPR even though the company is outside the EU. This is because the data is in the EU and of course data in the EU isn't under US or any other entities law but EU (and member states). If you transfer data outside the EU you either do so illegally or have to follow the rules of the GDPR. It still doesn't reach outside the EU borders. Of course if you do something criminally the EU might judge you no matter where you are at just like the US with PROTECT Act of 2003 but that is another matter.