American government agencies are acting within US law when they spy on Europeans. They have legal remit, explicitly, to perform signals intelligence on foreign entities/persons. This is clearly abused in various ways (5EYES), but is also not illegal. It's only illegal for these American agencies to spy on Americans and within the boundaries of the US.
I'm not agreeing with it. I vehemently disagree with current US intelligence policy, and I think 5EYES is a travesty and clearly intended to do an end-run around legal protections for citizens of each of the signatories from their own government. It's clear the US government is acting unethically, but that does not mean their behavior is illegal, and I'm trying to clearly point out the distinction.
There's a lot of Europeans in the comments who mistakenly believe that GDPR applies outside of the EU. It does not. The US is a sovereign nation with its own laws, and it does not have any analogous legal restrictions like GDPR, nor does it have any legal restrictions against the government using its intelligence apparatus against non-Americans.
The GDPR does apply outside the EU; it, like many laws, is extra-territorial.
That doesn't mean the non-EU countries will enforce it, it means that EU countries will enforce it even if the violation of the law happened outside of the EU.
> The GDPR does apply outside the EU, it, like many laws, is extra-territorial.
Extra-territoriality of law is a fantasy, not a reality, unless it's backed by significant soft and hard power. Any country can say their law is extra-territorial all they want, but they have no jurisdictional authority to enforce the law in an extra-territorial way. The extra-territoriality of GDPR has never been tested, but it's pretty clear to me that the EU cannot successfully enforce GDPR against a non-EU entity in the US. It may be able to use soft power against smaller nations, but not against the US.
If the GDPR needs to extend into the US, it has to be via treaty, which has the same force as federal law, or via analogous federal law in the US. Neither of which exist right now. In fact, the exact opposite exists. The US government has made it pretty clear with the Cloud Act and other laws that the GDPR does not and will not apply to US-based companies operating on the Internet.
The EU is welcome to try to enforce it. In some ways, I would hope it would succeed (I support GDPR privacy rights/goals), however the precedent of extra-territoriality and sovereignty is not small.
In the end, it simply means executives/owners of companies in violation will be unable to travel to/through any EU country. They'll ultimately be put on a list of people subject to arrest on arrival.
The GDPR applies to all EU citizens; so the EU may not always be able to enforce it, but if it can it usually does. So if, for example, a company infringes EU citizens' rights in the US, the EU courts can (and sometimes do) fine the company if it has a presence in the EU (i.e. it is capable of enforcing it).
My understanding is that it applies to data on people in the Union, and data on all citizens of EU countries whether or not they are physically in the union.
If the entity doing the processing is established in the Union then it applies to all of that entity's processing of personal data, regardless of where that processing takes place or the citizenship of the people whose data is being processed.
Same for entities not established in the Union but in a place where Member State law applies. The example they give in the corresponding recital is in a Member State's diplomatic mission or consular post.
For entities not established in the Union, it says it applies to data subjects who are in the Union in regard to activities related to offering them goods and services or monitoring their behavior, as far as their behavior takes place in the Union.
Sounds about right, but the self-inflicted injuries seem to be US, not EU, made. The fix is straightforward: Stop the US snooping, don't disassemble EU civil rights.