You’re going to get downvoted for that comment, but you do raise a legitimate question of enforceability. Sure the EU can say any company in the world who has EU residents’ data should comply with GDPR. But... or what exactly? The EU doesn’t have the power to fine companies outside of their jurisdiction. I mean, they can try. But as far as I know there is no enforceability to ensure that the company actually pays the fine.

For larger companies with offices in the EU (especially the ones headquartered there for tax purposes), they obviously have no choice to comply. But what about a small startup, with its only domicile and employees in the US?

What exactly could the EU do to punish a startup in that case? Unless they have some enforceability treaty with the US, I don’t see how they have any legal ground to extract fines for arbitrary laws defined in their jurisdiction. The worst they could do is ask EU ISPs and/or payment networks to block the offending sites, right?

It actually isn't clear that it doesn't, as best I can tell. I don't have the text in question in front of me, but one of the questions I've asked and haven't gotten a solid answer on is - who is covered by GDPR? Is it only EU citizens residing in the EU, or EU citizens generally?

If it's the latter, then someone with both US and German citizenship could be covered even if they've never been to the EU.

> The law, like any other EU law, obviously does not apply outside the EU.

There are precedents for the opposite. If you have a grandparent born in some EU countries, you have EU citizenship according to the law of that EU country, even if you never set foot on that country and have no contact at all with the EU. There is a (non-EU) country which says that if you're a citizen of that country, you have to pay income taxes to it, even if you never set foot on that country and have no contact at all with it. At least one country says that its law applies to buyers of widgets manufactured in that country, even if they are sold by someone who never set foot on that country and has no contact at all with it, to someone who likewise has no contact with it. And so on.

GDPR applies to all EU citizens. It doesn't matter if the citizen is accessing the web site from the eu or another country. Blocking people in the EU doesn't block all eu citizens from accessing your product/service.