by pclmulqdq 1293 days ago
In the case of the cudgel that is the GDPR, distinct from EVERY other data governance rule, there are two unique things:

1. It applies to everyone, with no thought of company residency or size.

2. It applies to all forms of "personal information" and "processing," defined ridiculously broadly.

This means that the following things are technically illegal by the text of the law:

* Storing the email address of an EU-based customer of your consulting shop on a private server not in the EU, and (God forbid) using it to send a sales email to that person.

* Storing the IP address of an abusive user of a SaaS website (in order to block them) if that user happens to be in the EU and your server is not.

Should these be illegal?

1 comments

Yes, of course they should be illegal. Why should US companies have the right to harvest our private information for profit and cause damage by mishandling it without oversight?

So sending a single email to a single EU customer from a non-EU server amounts to "harvesting your private information for profit" and merits a $20 million fine?

I have no problem with the GDPR that you wish you had, by the way. My problem is with the one that exists. It neither stops the wholesale harvesting of information nor actually benefits privacy.