I didn't realize it applies to EU citizens who aren't in the EU. I got the part about a company operating from the EU and the citizen is somewhere else. I get what they're trying to do by making it apply to EU citizens, regardless of where they are, and that's pretty ambitious. Then again, the whole thing is pretty ambitious.
The example of receiving a phone call or letter from geography Y when one is in geography X is an interesting one.
Let's say in X, things like wire fraud, or meddling in federal elections of X, are illegal. The fact that the person on the other end of the letter/phone call/illicit connection to a political party email server/Twitter bot is in Y, and none of those things are illegal in Y, usually doesn't matter. Country X will still charge thirteen, give or take, people with breaking laws in country X.
Of course, if you're a well-heeled, and well-connected, Russian, it's A-OK (which is the flipside of having to worry about being accused of fabricated crimes if you piss off your powerful connections).
What GDPR is doing is a parallel. It is saying that the data of EU citizens is protected regardless of where it is collected. The idea is that by accepting - a deliberate act - the data of an EU citizen, you are accepting certain responsibilities about safeguarding that data, and limitations on how you use that data. That is a shift in the concept of data ownership.
Free speech enjoys different protection in the US than other places. However, the classic example of yelling fire in a crowded theatre is pretty universal; indeed, free speech doesn't protect fraudsters, etc.
I think I laid out this interesting example in another thread. Anyhow, a guy had an auto-defibrillator which produced data which was regularly collected by the company which built the defib. He was trying to correlate between the defib activity and other factors which he was recording, like sleep, diet, exercise, and so on. He asked the defib company for the data from his device. They refused.
Legally they had every right to, because it was their data, not his. That strikes me as odd, but there it is.
What the US could do is improve their own data protection laws. Disclosure laws have been a good step. However, there has to be some sort of recognition that data about/of end-users, from which companies often derive revenue or other things of value (rewards programs, for example, are a fantastic way to know your customers very, very well, so you can better target them, thereby making more revenue) has value, and the end-users are owed a modicum of assurance that the data will not be abused, or lost.
The trick is we live in a world where data is the big prize. There are many reasons why Facebook wants to be the center of everyone's digital life, and Google is slap-happy to provide endless backup of high resolution photos, and all for free. We are the product. Unfortunately, opting out isn't realistic. Sure, one can simply not have a Facebook account, but one can't not transact via a bank (Equifax), or not have an Internet connection (net neutrality) without great effort.
In creating applications and services which collect data, GDPR asserts that organizations are entering into an agreement with end-users. Nobody accidentally collects end-user data (exceptions are myriad, because often, organizations don't completely understand what their logs contain). This pushes the onus back to organizations, which is, to me, a lofty and reasonable goal. It is saying, "Okay, if breaking the shrink-wrap, installing the program, or clicking on something is used by organizations as an implied or tacit acceptance of an organization's end-user license agreement, you are also accepting a burden - an end-organization license agreement, because y'all are doing a really, really, like, incredibly, shitty job of protecting end-user data, and that ends, now."
I can see the free speech angle, even if I don't really want to, and holy-cow, are there ever massive problems. If I post the BlehBlah manuscript of life, the universe, and everything, using a social media service, but do it such that I, as an end-user, expect it to be shared with only a few other users of the same platform, to whom does that manuscript belong? If I post photos, 280-character micro-blogs, or a credit company is plugged into my bank, to whom does that data belong?
In the US, you also have this thing where an organization is technically a person, and thereby protected by the first major edit addendum update fix to the US constitution. Citizens United, or something. If the free expression of an organization is equal, across the board, to that of an individual, then my data - 42-manuscript, photos, credit details... all of it - is absolutely sellable, and losable, by whichever company is clever enough to harvest it. Free expression, then, is the freedom to harvest and, via shit security practices or plain-old stupidity, lose data about me? I am not entirely comfortable with that.
A quantum state of signature may or may not be here... you just ruined it.