As far as I'm aware the General Data Protection Regulation is only applicable in the EU and I'm not sure how they'll try to enforce that in the United States.
It applies to anyone holding data on EU citizens. You will be fined by the US government for violating it.
https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr
"For U.S. companies that have a physical presence (establishment) in the EU, which increasingly they do, the GDPR can be enforced directly against them by EU member state authorities," Priebe says. "EU authorities have been aggressively pursuing data protection enforcement actions against U.S. companies with locations in the EU for a number of years."
But things get a little murkier for U.S. companies without a physical presence in the EU. According to Priebe, GDPR addresses this issue "by requiring companies without an establishment in the EU ... to designate a 'representative' located in the EU."
This won't apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and "unlikely to result in a risk to the rights and freedoms of natural persons."
But this all relies on the EU member state's judgment. Some EU countries such as Germany take a harder approach to data privacy, and may not be as lenient.
Last but not least: EU regulators rely on international law to issue fines. Written into GDPR itself is a clause, Priebe says, stating that any action against a company from outside the EU must be issued in accordance with international law.
As it happens, the EU and the U.S. have a pretty good relationship.
"There has [...] been long term and increasing enforcement cooperation between U.S. and EU data protection authorities," Priebe says, pointing to the negotiations over the EU-U.S. Privacy Shield data sharing agreement, which puts systems in place for the EU to issue complaints and fines against U.S. companies.
She continues: "While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years."
The bottom line: EU regulators can fine U.S. companies for violating