[dylan604]

How does that work exactly if there is no international branch of a company in the EU? If a company is online with a presence large enough to attract European visitors, are they required to open an office in the EU? If not, are they supposed firewall visitors? That's assinine sounding.

[morelisp]

They could not collect unnecessary personal data.

[dylan604]

Who's stopping them?

[morelisp]

I don't understand.

Do you mean, who's stopping them from not collecting personal data? No one, that's the point. If you're not collecting personal data none of this applies and you can serve whatever you want to people in the EU.

If you mean, who is stopping them from handing over data to the US government? That's exactly what this court case is about. They can't conduct commerce in the EU unless they have a mechanism to avoid that, and progressively more strict enforcement gets imposed by courts if they keep trying. (Eventually, presumably being detained if they try to enter an EU country, though I seriously doubt it would escalate that far in practice.)

[southerntofu]

If you have no business in a country then its laws don't apply to you. Google & others specifically break EU law because they have offices and branches across EU yet wipe their asses with consumer/privacy protections.

[whakim]

It depends. Based on your description, it sounds like the company in question wouldn't actually be subject to the GDPR. Simply attracting European visitors isn't sufficient; you have to be clearly intending to offer goods or services to those visitors. What that constitutes isn't black and white, but stuff like providing EU contact details on your website or specifically advertising to EU subjects might count.