The country the data resides in is irrelevant. If the data is about an EU citizen, that's all that matters.
I believe the company in question would also need a legal entity in the EU in order for the EU to prosecute them, as I don't think you can take (e.g.) an American company to an EU court. IANAL though.
You can take an American company to an EU court assuming the EU court has jurisdiction, and laws can specify that its jurisdiction should extend to actions taken outside the geographical area (I don't know if that is the case here).
Without a US court case they'd be dependent on assets or an income stream in the EU to be able to force payment of any fines, though.
If the company wants to do business with EU customers, they have _some_ surface area in the EU, which is enough.
> an income stream in the EU
If the company cares for EU customers, there's probably also _some_ way to make money on them.
Unless EU customers will exclusively get Netflix USA ads in the future (which are 100% useless to them) on an otherwise 100% free service, there is a money stream to hook into.
That's not necessarily true for every site, though. A US site selling goods to EU consumers via US payment providers does not necessarily have any assets or income stream going through EU banks etc. that they could easily go after.
That said, that's usually only a problem with small companies. Very few large companies manage to avoid all financial exposure to the EU and still do business with EU residents, so it has relatively little practical impact.
Not only the money stream part, but if a big company pulls out of the EU, then they leave a big hole for someone else to fill. And you've just created a competitor who has a market base that you are choosing not to compete in.
e.g. if Facebook pulled out (unlikely), then someone can just make a new Facebook site (we already know what functionality to copy), and then suddenly Facebook has a competitor.
The GDPR relies on international treaties to make the location of the business irrelevant. Any company processing data of EU citizens must comply IIRC.
Do you have any pointers to where I can find info on that? It's clear that the GDPR itself establishes jurisdiction for EU courts over GDPR worldwide - it's very explicit about that.
But I can't find anything about how they'd make it enforceable in other jurisdictions (as opposed to enforcing the judgements by e.g. fining EU subsidiaries and the like).
Article 50 does say the Commission should take "appropriate steps" to ensure international "cooperation mechanisms", and it's clear under e.g. article 44 onwards that carrying out a transfer to a jurisdiction where the data would be subject to inadequate controls would be a violation of the directive, so you may very well be right.
>You can take an American company to an EU court assuming the EU court has jurisdiction,
Sure you can. EU Courts did it to Microsoft over (IIRC) internet explorer resulting in a brand new SKU. Microsoft tried the logic you used at which point the EU courts started levying 1.5m euro / day fines for noncompliance.
Turns out that if you want to do business in a jurisdiction badly enough, it creates their leverage to enforce their laws on you.
eh. Maybe. If they copy the data to a 3rd party in America (i.e. sell the data to a marketing company, for "research" purposes), then the EU can't really go after the marketing company. I'm not saying it's right. I don't see why they couldn't anonymize the data (morally or ethically). But, I don't own a marketing company.
If a company based in the EU is transferring the data to a 3rd party in America without appropriate safeguards to ensure said data is treated in a way that complies with EU law, then the transfer itself is unlawful, and the EU can go after the company for that.
> If they copy the data to a 3rd party in America (i.e. sell the data to a marketing company, for "research" purposes), then the EU can't really go after the marketing company.
No, but they can go after the original company who transferred the data. Remember, under EU law, companies don't own that personal data. It's not theirs to give away.