[toyg]

> Assuming they don't have an EU presence of some sort, EU law doesn't apply to them.

That's not correct. If they handle EU people's data, they are responsible for it and can still be fined. Obviously this cannot be enforced if they never visit and have no assets in the EU.

[shados]

Its correct purely because of jurisdiction. EU laws don't apply for people with no presence in the EU, unless there was some kind of treaty where one country agrees to enforce another's.

That's just how laws, any law, works. The EU can "fine" all they want but it would be entirely symbolic.

That's like if US restaurants had to enforce EU food safety laws when on US soil because a EU citizen is eating there.

Fortunatelly, unlike US laws, GDPR, by virtue of being EU law, is actually readable by normal human beings, so its fairly straightforward:

https://gdpr.eu/article-3-requirements-of-handling-personal-...

[toyg]

Yes, and "the monitoring of their behaviour as far as their behaviour takes place within the Union" absolutely applies to examining activity of LinkedIn users from the EU.

As for jurisdiction in general: the US routinely jails people for activities that took place outside the US, as soon as they set foot on US soil - occasionally even when they don't even do that (Kim Dotcom). European convictions for civil matters will not result in an arrest warrant, but can result in financial penalties and confiscations applied to anything that has to go through Europe in one way or the other.

The limits of enforcement, in the internet era, are becoming mostly practical rather than theoretical. Which is interesting and poses a number of new, unanswered questions. Simply speaking, one cannot just wave away any law simply because they don't live in this or that place anymore.

[shados]

Yup, but Article 3 point 2.a has a fairly strict definition, where for an entity outside of the US to be considered as "offering service" to EU members requires some kind of strict ties. The de facto examples is offering a product by specifically mentioning payment in Euro, or having presence on an domain with a top level TLD of a member state. If there's no ties that shows the offering is made to EU members, it doesn't apply.

Very very little tie is required (eg: just having one employee in the EU in a 50,000 people org would do it right there), but the law has been fairly consistently interpreted as such.

I get where you're coming from, but this isn't a if or but or theoretical. Its just how GDPR gets applied. I probably confused things by trying to introduce poor analogies, when the law itself is fairly clearly interpreted a specific way.