It's pretty reckless to say "it can't", when it already has been enforced in non-EU countries.
No, you are the one who is being reckless. A foreign country cannot unilaterally pass a law to be applied on US soil. Like I said, there are treaties and other mechanisms through which the US can agree to reciprocal enforcement of certain laws or concepts. Absent that, however, foreign law does NOT apply on sovereign soil (that’s why it’s called sovereign soil!)
With respect to the GDPR, there are absolutely companies in the US that need to be concerned with its application (to the company’s operations overseas through direct enforcement and here in the US through treaty-based enforcement).
But, the fact that an IP Address, an account username, or a login history exists is only one piece of the equation (pretty much a low level piece at that).
The GDPR applies to the processing of “personal data of data subjects” controllers and processors who are in the EU, but also to “processing activities” related to: (1) offering goods or services; or (2) monitoring data subject behavior that takes places in the EU. It can also apply when the subject of the information lives in the EU.
However, this free online forum is neither a processor nor controller of the personal data (what very limited personal data there might even be). It’s not selling data to anyone, or even selling products to anyone in the EU.
Moreover, the process of signing up involves giving consent regarding the PRIVATE information. Can consent be revoked related to the storage of that PRIVATE information? Sure.
But that doesn’t mean that a screen name or post history has to be deleted. In case you didn’t notice, both are not PRIVATE information because the user put all of that information out there for everyone to see. You don’t get to make something PUBLIC by posting it and then unring the bell and claim it’s PRIVATE. Similarly, if you post up your name and address, it’s public.
Sent from my iPhone using WAYALIFE