Comment by k1w1

3 years ago

There is nothing in the GDPR about citizenship. GDPR applies to "data subjects who are in the Union" Art 3(2). So it is the physical location of the person that matters. As a US citizen, if you travel to an EU country on vacation then the GDPR applies to you while you are there.

GDPR also applies to EU-based companies for all of their activities - so in addition to limiting US business in the EU, it limits EU businesses in the US.

If it is physical location, that is something you cannot possibly know for a user, due to VPNs. You might know that a person is logged in and registered with a US address, but you don't know if they are traveling (they might even VPN via the US because it is convenient for work).

So I guess you need to assume this applies for all visitors.

  • I think that's correct; and I suspect it was intentional.

    I strongly disapprove of extraterritorial legislation (a US specialty). But in the case of the GDPR, if you want to regulate internet activity, then you more-or-less have to go extraterritorial.