I’m curious how that’ll work in practice. The sovereignty of a nation is a big thing. The US isn’t going to just prosecute TripleByte because Europe said they should. Sure, if @ammon visits the EU, he could be arrested, but a nation’s laws (generally) don’t extend past their border.
It’s a total pipe dream. I don’t know what fantasy land people are living in where they think the EU is going to successfully collect a dollar in fines from some random small company elsewhere in the world, no matter how messed up their privacy practices are.
First of all, this isn’t popular with the EU crowd here, but there’s no method of enforcement for GDPR for American companies without a presence in Europe. Good luck trying to collect a fine from some tiny business in the US
Second, you really think GDPR is going to be applied to some tiny American startup because they said they might do something and then didn’t?
Third, my understanding is that if you don’t target EU customers, GDPR doesn’t apply. It’s not enough that an EU customer happens to wander into your store. You have to have some accommodation targeting the EU (like translated pages, international shipping, different currencies, etc)
Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
