The data pertain to EU's citizens, that is covered under the GDPR, if your business deal with private data from EU's citizens you are under the GDPR even if you don't operate in the EU (such as the case of Clearview). Of course, without an office/representation in the EU it's impossible for the EU to collect the fines and apply other punishments, still the business will be judged under the terms of the GDPR in the EU.
It's the business of the EU since the data is from EU's citizens. Like I mentioned before, if a business was defrauding people (i.e.: identity theft) in the USA while operating outside of the USA, the American justice system has all the prerogative to defend its citizens rights even if it wasn't possible to stop the operation, collect fines, etc. There would be an investigation, there would be a prosecution and eventual punishment. Depending on how egregious the rights violating behaviour was it could escalate into the international sphere.
It's the same case here, Clearview AI is processing private data from EU's citizens even if outside of the EU it is against EU laws.
> Or America was fining them for dealing with US-blocklisted entities like Iran.
The USA does punish companies outside of the USA for dealing with US-blocklisted entities, how the hell do you think sanctions work? Why do you think most of the world avoid dealing with Iran, North Korea, etc.?
Clearview has been targeted before by other DPAs in the EU [0][1][2][3][4].
[0] https://www.edpb.europa.eu/news/national-news/2022/french-sa...
[1] https://www.edpb.europa.eu/news/national-news/2022/facial-re...
[2] https://noyb.eu/sites/default/files/2021-01/545_2020_Anh%C3%...
[3] https://www.imy.se/globalassets/dokument/beslut/beslut-tills...
[4] https://www.edpb.europa.eu/news/national-news/2023/decision-...
