Does GDPR apply? Can I go around making annoying requests to apps and services I use?
I found this excerpt from https://cybercounsel.co.uk/data-subjects/ informative:
A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers and Data Processors.
If the Data Subject moves out of the EU border and, say, becomes an expat, or goes on holiday, then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless their data is still processed by an organisation "established" in the EU.
That kinda makes sense?
I wonder if this could be attractive? "By EU law, we won't sell your data" is stronger than an American company's promise.
EDIT: So to answer the question directly: No, if you use a US located business from outside the EU you aren't covered no matter your citizenship, unless the data is being processed in the EU at some point.
Here's Article 3, "Territorial Scope", from the regulations.
---- begin quote ----
(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
---- end quote ----
In the following, I'm going to say "company" rather than "processor or controller", and am going to say "EU company" or "non-EU company" instead of all that verbiage about established in the Union.
From (1) we have that an EU company has to apply GDPR everywhere to everyone.
From (2) we have that a company, regardless of whether it is an EU company or a non-EU company, has to apply GDPR if it offers goods or services to people in the EU or monitors their behavior in the EU.
(3) is just telling us that non-EU companies may also fall under (1) if international law says so.
Putting this together, it seems that an EU citizen abroad is under GDPR as far as EU companies are concerned, but is NOT under it for non-EU companies unless they are abroad somewhere where (3) applies. They are under it for non-EU companies only when being offered goods or services in the EU or when being monitored in the EU, so only when they are not abroad.
For example, using Google Analytics in many cases in the EU will now require opt-in consent, even for anonymous visitors. But unless a user registers and says, "hey, I'm an EU citizen actually", you wouldn't know ahead of time. It makes much more sense to segment for EU IPs if you are a large company that relies on such stuff to make decisions.
That could be risky for EU users abroad or behind VPNs, no?
While I understand the 'plight' of companies who rely on data sucking in some way, this strikes me as a good reason to just assume everyone is from the EU and figure out how to make a profit despite that.