Enforceability of GDPR outside EU

How can the EU presume to regulate activity that takes place outside the EU? The EU’s General Protection Data Regulation states (emphasis mine):

It would seem this is entirely unenforceable and in practical terms is a statement for the record. Do any other governments cooperate with the EU to try to enforce this?

I ask because I am a Mod on another message board and a member in the UK has asked that his account be deleted. For whatever reasons, the technical ability to delete accounts is not available, or at least not available to Mods. Even if we ban a user, the account is not deleted. The board is not operated in an EU country but being on the Internet and all, it is of course available to individuals located inside the EU.

As far as I know, having been to one FYI on GDPR for work ages ago, ¯_(ツ)_/¯.

The expectation from the EU’s side is that non-EU companies that process EU data will appoint a representative in the EU that can then be assessed any fines or penalties. Failing that, they just talk about setting up a specific treaty with the relevant country to handle violations.

How do you think Disney prosecutes a copyright violation in Bulgaria?

I am not being facetious - intellectual property and other intangibles are done by treaties, i.e. (and extremely simplified) the EU promises to aid the US and shut down and prosecute any rogue torrent-site uploading the latest Marvel outing. The US will return the favor.

There is no treaty between the US and EU in place regarding GDPR enforcement.

That highlighted section in the OP primarily relates to companies based outside but doing business in the EU for practical purposes. The EU can restrict your business in the EU, impose fines, even freeze funds held in the EU, etc. Not sure what they’re gonna do to a mod of a foreign message board…

There’s two separate issues: jurisdiction and enforcement.

The EU asserts jurisdiction based on the collection of personal data of individuals inside the EU. That doesn’t seem much of a stretch, frankly. They’ve decided to enact a measure to protect their own residents, from anyone who is collecting personal data.

The enforcement issue is a different one. How can they enforce that? Well, most of the big players, like Google and Facebook, are doing business in the EU. They have assets and a business presence there, and will have to comply with this provision or else be hit with regulatory fines.

There will of course be small players, like your board, who don’t do business there, but it’s not all about you! It’s the big operators who will be subject to the law, and also with a significant presence that will enable enforcement.

It’s also the smaller players in Europe, running the EU equivalent of your board. They will be required to have the ability to delete accounts.

And, I wouldn’t be surprised if subsequent versions of your board software develop the ability to delete an account, because that feature will be needed by boards run by Europeans in the EU. So passing this measure will influence the development of the software to allow greater privacy protections.

But as for long-arm jurisdiction generally - most nations assert it. US citizens have to pay taxes on their income, even if they’ve never set foot in the US.

General Noriega discovered that he could be found guilty of breaking both US and French laws, and doing time in both countries’ fine penal institutions, without actually being in the US or France at the time of the offences. Then he was shipped to Panama to serve time for crimes committed in Panama.