Right to be forgotten - you can ask companies to delete data they hold on you.
Data ownership/portability: you can ask companies for a copy of all data they hold on you or related to you.
I’ve seen the latter used by job applicants to get an entire copy of their interviews, transcripts and assessments including the reason for not being hired.
It makes you aware a site is selling your data or is otherwise tracking you, because otherwise they would not need a banner to request consent to do so :)
It's really a wonder how every time gdpr is even remotely related, there's always gotta be someone complaining about how gdpr is at fault for the cookie/data prompts, and never that sites and advertising companies (and their 2137 partners) are at fault for actually making those prompts as annoying as possible in hopes that you just agree.
In the UK, open banking was essentially a response to GDPR; this has allowed (to a limited extent) a variety of tools to be built on top of bank accounts that otherwise would not have been.
GDPR doesn't apply in the states, but hopefully it provides for some punishment for the poor security here for EU customers. Of course, then some Americans will get mad that a US company has to follow EU law.
> Of course, then some Americans will get mad that a US company has to follow EU law.
This is always the way of the world though: if you want to do business anywhere, you are of course obligated to follow the local laws and regulations. I don't see anyone disputing this outside of blatant patent infringement by certain countries.
The GDPR applies worldwide to any data held about EU or UK citizens, regardless of where they reside. It does apply in the US, it's just potentially harder for the EU to enforce meaningful penalties for infractions.
Correct. It does not apply to US citizens residing anywhere in the world. It does, however, as I said, apply to EU citizens regardless of where in the world they reside.
If a company holds data about EU citizens, the GDPR applies to them, regardless of where that company is based. Including the US. Hence the statement "It (GDPR) does apply in the US" is completely correct.
But there's no jurisdictional reality that any of country/union A's rights will protect a person while they are present in country/union B.
In the same way that a US citizen does not have legal protection for free speech when present in, e.g., China, Saudi Arabia, or Germany.
Even if the EU got the text incorporated into the UN Universal Declaration of Human Rights, there are famously many countries who are not signatories (and it would require a locally-implemented actual law to support its recognition).
The EU can arrange post facto penalties for violations of their citizens' rights, to be (potentially) administered in the future, when a responsible entity enters EU jurisdiction, but absolutely not before then without cooperation by treaty with the nation where these foreign-and-not-real "rights" were violated. Which would be a surrender of sovereignty and basically unimaginable.
(No comment on the goodness or successfulness of the GDPR here, just that no part of it is relevant outside of the EU regardless of how the text is composed.)
(And this is all written with awareness that the US somehow manages to selectively enforce their laws extra-jurisdictionally in weak foreign nations. The EU is not the US, and the US is not weak.)
Just, that is why I wrote "it's just potentially harder for the EU to enforce meaningful penalties for infractions."
Your premise is true in one sense; however, the point remains: the GDPR covers all EU citizens, regardless of where the company is based. For small US companies, sure, the EU has very little power to enforce it, but larger companies that derive any revenue from the EU can be, and are, fined by the EU GDPR commissioners.
I can't find the source, but Google's AI in the search results also claims that "EU GDPR fines for U.S. companies are significant, with U.S. firms facing roughly 83% of total GDPR fines, totaling over €4.68 billion by early 2025". That 83% figure seems unreasonably high to me, but it's possibly just a consequence of the size of the fine being based on worldwide revenue and over half of the 20 biggest fines were to Google and Meta.
Which was much harder to achieve before.