by quesera 94 days ago
Sorry, I was imprecise.

The EU can theoretically sanction entities with establishment inside the EU, for actions outside the EU. I'm not sure if GDPR allows this, but (as a terrible example), I've read of laws to punish foreign travel for underage sex tourism. However, entities with no such establishment cannot be punished judicially by the EU because there is no mechanism.

The EU could block network traffic to an offending extraterritorial entity, which might cause them to suffer losses (e.g. advertising volume if nothing else), but the EU cannot fine or arrest the entity or its officers as punishment.

I think we largely agree at the root of things. There's some imprecision in language around words like "apply" and "relevant".

I have only dug this deeply on GDPR because we, as a corporation, want to comply with the most consumer-friendly policies that we are able to. Obligations (e.g. CCPA because we are in the US) are table stakes, but we aim for more. Our lawyers tell me to stop worrying about the GDPR at all, and I am confident that they are correct legally (and financially), but as we all know it is more efficient to design systems that do things properly at the outset (or at least under minimal time pressure), instead of urgently retrofitting later.