Hacker News
by akerl_ 932 days ago
If I'm a US citizen in the US, hosting a website on US infrastructure, why would a rule that the EU put in place impact me?
2 comments

If you sell services to EU residents then it would apply. Or otherwise generate significant revenue. If not, I would not worry too much.
It's much more complicated than that. Article 3 (https://gdpr-info.eu/art-3-gdpr/) gives two possible ways to fall within the territorial scope of the GDPR:

- the offering of goods or services

- the monitoring of behavior of data subjects

Offering doesn't mean that it's just available and/or sellable in the EU. It's more complicated than that. The EDPB has guidance on this topic: https://edpb.europa.eu/our-work-tools/general-guidance/guide... In short, the document shows examples where some services are available in the EU, and sellable there, but the personal data isn't covered by the GDPR.

On the other hand, my understanding is that monitoring of behavior is always covered by the GDPR.

(I am not a lawyer and this is not legal advice)

I don’t think I dispute that the GDPR and related laws claim to apply to me if I have a website that EU residents access.

I dispute that they have jurisdiction to actually apply their laws to me, any more than the US can charge somebody with violating FCC regulations for a radio signal sent from Norway.

There are specific things like extradition treaties, trade agreements, and parallel legislation that cover existing areas where this happens. Is there one that covers application of the GDPR in the US?

The U.S. and the EU signed the Data Privacy Framework over this past summer. https://www.dataprivacyframework.gov/s/ This offers methods for EU residents to exercise claims against U.S. businesses.

Among other requirements, a participating organization must provide you:

  Information on the types of personal data collected
  Information on the purposes of collection and use
  Information on the type or identity of third parties to which your personal data is disclosed
  Choices for limiting use and disclosure of your personal data
  Access to your personal data
  Notification of the organization’s liability if it transfers your personal data
  Notification of the requirement to disclose your personal data in response to lawful requests by public authorities
  Reasonable and appropriate security for your personal data
  A response to your complaint within 45 days
  Cost-free independent dispute resolution to address your data protection concerns
  The ability to invoke binding arbitration to address any complaint that the organization has violated its obligations under the DPF Principles to you and that has not been resolved by other means
https://www.dataprivacyframework.gov/s/article/My-Rights-und...
> There are specific things like extradition treaties, trade agreements, and parallel legislation that cover existing areas where this happens. Is there one that covers application of the GDPR in the US?

Nope. Extradition only covers the case where you go to some other country and commit a crime there, then return to the US. If the crime you committed there is serious, and is also a crime here, then extradition can apply. There are other conditions as well, but the key is that it has to be a crime in both places.

Europeans can claim that you must follow their laws until they are blue in the face but it won’t magically become true. You can safely ignore it. Enjoy competing against European businesses without having to pay any of the same costs.

Even if you do not have to comply with the GDPR, 12 States have passed data privacy regulations to date. You may still need to comply with data protection law regardless, if you fall under the various State laws.

Even if State law doesn't apply, you have HIPAA, GLBA, SOX etc.

All irrelevant to the question. But it is of course true that we have plenty of our own laws to follow.
Simply block everyone from the EU from visiting your website, or put up a disclaimer that you don't provide services to EU citizens.
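The geo-blocking the comment above suggests is usually done at the edge: a CDN or reverse proxy geolocates the client IP and passes a country code to the application, which refuses the request. The following is an added example, not code from the thread. It assumes the proxy supplies an ISO 3166-1 alpha-2 code in a header named X-Geo-Country (the header name and the "XX"/"T1" unknown-country sentinels are assumptions about your proxy; adjust them). It blocks the EEA states as well as the EU 27, since the GDPR was incorporated into the EEA Agreement, and it makes the unknown-origin decision explicit, because IP geolocation is imprecise and VPN or Tor users will be misattributed either way.

```python
"""Refuse EU/EEA visitors based on a proxy-supplied country header.

Added example, not from the original thread. Assumes a reverse proxy or CDN
has already geolocated the client and forwards the ISO 3166-1 alpha-2 code
in the header named below (header name and sentinel values are assumptions).
"""
from __future__ import annotations

from http import HTTPStatus

# EU member states, ISO 3166-1 alpha-2 (Greece is GR in ISO, EL only in EU usage).
EU27 = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE".split()
)
# The GDPR also applies in the three non-EU EEA states via the EEA Agreement.
EEA_EXTRA = frozenset({"IS", "LI", "NO"})
BLOCKED = EU27 | EEA_EXTRA

COUNTRY_HEADER = "X-Geo-Country"          # assumed: set by the proxy, not the client
UNKNOWN_SENTINELS = frozenset({"XX", "T1"})  # assumed: proxy's "unknown" / "Tor" markers


def should_block(country: str | None, fail_closed: bool = True) -> bool:
    """Return True if a request from `country` should be refused.

    country:     raw header value; may be missing, empty, lower-case or a sentinel.
    fail_closed: decision when the country is unknown. True means "never serve
                 anyone we cannot place outside the EU/EEA", at the cost of
                 dropping VPN/Tor/misattributed users; False lets them through.
    """
    code = (country or "").strip().upper()
    if len(code) != 2 or not code.isalpha() or code in UNKNOWN_SENTINELS:
        return fail_closed
    return code in BLOCKED


def handle_request(headers: dict[str, str]) -> tuple[int, str]:
    """Minimal dispatcher returning (status, body) for the given request headers."""
    # HTTP header names are case-insensitive; normalise before lookup.
    normalised = {k.lower(): v for k, v in headers.items()}
    country = normalised.get(COUNTRY_HEADER.lower())
    if should_block(country):
        # 451 Unavailable For Legal Reasons is the status defined for this refusal.
        return (HTTPStatus.UNAVAILABLE_FOR_LEGAL_REASONS,
                "This service is not offered to visitors in the EU/EEA.")
    return (HTTPStatus.OK, "hello")


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    for hdrs in ({"X-Geo-Country": "US"}, {"x-geo-country": "de"},
                 {"X-Geo-Country": "NO"}, {"X-Geo-Country": "XX"}, {}):
        status, _ = handle_request(hdrs)
        print(hdrs, "->", int(status))
```

Two caveats a practitioner should keep in mind: the header must be set by your own proxy and stripped if the client sends it, otherwise a visitor can unblock themselves by omitting or forging it; and blocking by IP only controls who reaches the site, it does not by itself change where the GDPR's Article 3 scope lands, which the thread above is arguing about.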
Why though?

If Norway passed a law saying that all US websites have to include a disclaimer saying Norway is the best country, it would be pretty clear that it doesn't affect me, because Norwegian law doesn't apply to people who aren't in Norway and aren't Norwegian citizens.

I put up a website. If people from the EU visit my website, why does EU law apply to me? Opening a brick and mortar bakery in the US doesn't make me subject to EU food regulations just because somebody from Europe flies over and buys a cake.

Exactly. Plenty of people from the EU will claim that an EU law must be followed by US citizens, usually for magical reasons (or because they have been told that it is so). It just isn’t true.
What distinguishes online interaction from physical interaction in terms of jurisdiction and law enforcement?