- Yes they were. If you violated the law, even if your servers are outside, the country would claim the violation happened in their territory because the subject was in their country so the law was violated there, and they can sue you.

- Neither is GDPR. If you are outside the EU, they can't force you to pay a fine like your own government can. Without enforcement, the law doesn't really apply. (See GDPR from 2016 until now.)

Which one applies depends on a bunch of things, such as whether there's an extradition treaty and whether you have offices in the EU, etc. I've never gotten a straight answer on which law rules in such cases, but that's probably because there is no single ruling case. Both are sovereign states, who supercedes is not codified in any law because there is no higher instance to appeal to.

I mean, if a small island state makes a law that if one of their citizens visits another country, that country should pay tribute for the honor of being visited by one of theirs, how in the world is that going to be enforced? Same with GDPR: the EU claims it applies worldwide, but the only reason that holds any truth is because you probably want to do business with EU citizens. Banning your company is the only thing they can truly do to you, and that has always been the case.