[flipbrad]

You're quite wrong. GDPR can apply to citizens in the US, and the link I posted shows the ICO enforcing it in their favour. SCL Elections Ltd was taken to court and then fined £15,000 for not complying with that US resident's request.https://ico.org.uk/about-the-ico/news-and-events/news-and-bl... I expect that US resident could also have brought a civil lawsuit, at least in UK courts, for damages.

The EU and UK GDPRs can also apply to companies in the US, or elsewhere. That's because location of the business (including subsidiaries) OR location of the individuals, are hooks under the GDPR's territoriality tests in Article 3. You usually need one or the other though; the way GDPR Article 3 works, it's pretty hard to imagine it applying to a US-only business in respect of US resident-individuals.

[dahart]

Yes it can apply to US citizens in certain cases, I thought I agreed with you on that, did I not? It’s still a fact that GDPR does not always (or even normally) apply to US residents doing business with US companies. UK courts have no authority over US companies operating only in the US with US residents who aren’t traveling abroad. Cambridge Analytica is a British company, that is why GDPR applies to them. So yes, I was wrong to conclude prematurely based on your link that this example is one where the company was legally entitled to refuse to comply. But the take-home message doesn’t change - GDPR doesn’t automatically apply to non-EU residents or non-EU companies, unless or until one or both parties has some EU involvement.

[flipbrad]

The part I most disagreed with is "GDPR is an EU law, it does not apply to US citizens living in the US". Yes it does, I provided an example. Your follow up is a lot closer to the mark.

[dahart]

GDPR is an EU law. It doesn’t automatically apply to people in the US. That’s the only reason I replied - your original framing left an implied suggestion that it might commonly or by default apply to US citizens, without discussing under what conditions. Arguing that you don’t have to be an EU resident leaves the misleading impression that the EU doesn’t have to be involved. I think it’s important to note that the EU part is required somewhere in the company-customer relationship for GDPR to have any say in the matter, and it’s important specifically because this is a common misconception and the misconception is being abused in some cases to coerce compliance where it’s not legally required. I know this as a US business owner that gets emails from US companies on behalf of US citizens that are demanding certain actions and rights under GDPR, without a legal basis to do so.