GDPR also applies to companies that provide services to EU citizens, no matter where the company is based.
This makes a lot of sense, because otherwise you'd get situations where Multi Corp X could claim, "Oh, but our Berlin office is actually offering this service hosted in Kiribati. We just happen to have German users" and not offer access to personal data.
Seen as enforcement is through fines, companies that do not have an EU presence are completely unaffected. So even if technically true, in practice claiming that there's global reach is false. Concretely, no one is going after a hypothetical Baton Rouge Herald for not providing an opt-out of data harvesting on their news website.
I know about that. These situations are logical, if you'd ask me. The OP suggested EU law works where all parties involved are outside EU. Like EU playing world police, or something.
This makes a lot of sense, because otherwise you'd get situations where Multi Corp X could claim, "Oh, but our Berlin office is actually offering this service hosted in Kiribati. We just happen to have German users" and not offer access to personal data.
Seen as enforcement is through fines, companies that do not have an EU presence are completely unaffected. So even if technically true, in practice claiming that there's global reach is false. Concretely, no one is going after a hypothetical Baton Rouge Herald for not providing an opt-out of data harvesting on their news website.