Also of highly dubious legality. Would be interesting to see what would happen if an EU member state pursued damages on that angle and then tried to enforce the judgment in a US court. I would expect a US court would refuse to give it effect due to the other country exceeding the appropriate exercise of jurisdiction under international law.
Countries enforce laws on people/organizations they don't have jurisdiction over all the time. Usually it ends up with the country not being able to do anything about it until the convicted is doing business in that country, has assets there or is stepping foot into it (in the case of organizations: when a representative goes to that country).
Having another countries court enforce a judgement is the exception, it usually only happens if there's a treaty to that effect (like with copyright law).
You're mixing up personal jurisdiction with legislative jurisdiction. There is a body of customary international law that concerns the appropriate scope for extraterritorial legislative jurisdiction. This is separate from personal jurisdiction, which is in some ways easier to establish. In the US, for example, you can get personal jurisdiction over any natural person, and sue them for any way they wronged you anywhere in the world, merely by serving them with process while they are physically present in the US. But if you sue someone in Alabama for something they did in France, the Alabama court is going to apply French law in most cases. (in most countries, there is also something like the common law doctrine of forum non conveniens that allows courts to dismiss cases that are better heard by a court elsewhere)
And it's simply not the case that foreign judgments are generally unenforceable. See the discussion here https://en.wikipedia.org/wiki/Enforcement_of_foreign_judgmen... . No treaty is necessary, though it certainly helps the person seeking enforcement if there is one.
Legality at the root is what a nation or union of nations is able to enforce. Perhaps GPDR is not legal in the case law, but I see cookie banners on most sites I visit these days.
Ultimately, a country can regardless of what any other country says... ban a company from doing business within their borders, confiscate property within their borders, arrest employees within their borders, and prohibit employees or products from entering their borders.
Arguably, tech companies could just disregard GDPR, at the expense of all business, offices, and access to the European Union. However, if they want to continue to have that access, they need to comply with the EU's laws, even if someone could argue that those laws extend in dubious ways outside the borders.
The thing about national sovereignty, of which each EU member state has, and to some degree, the EU as a whole is capable of exacting, is that you can't decide whether you think their laws are reasonable or not, you can only decide if you're willing to comply in exchange for access to that market.
Bear in mind, the US literally tells people "you can't do business in Iran", and everyone accepts it, because the alternative of "you can't do business in the US" is way worse for business.
You're right in that international law isn't real in the same way that national laws are. But countries do consider international law in determining whether to give effect to another country's actions. If EU member states started seizing assets of businesses that it applied the GDPR to in violation of international laws, other countries would take that as a hostile action and possibly stop recognizing EU member state judgments, for example, as presumptively valid. And they can take retaliatory actions against European companies.
Customary international law is best thought of as widely accepted norms of fairness between sovereign states. There is no international police to come get you when you don't play nice, but staying within the dictates of international law generally protects you from accusations of unfair play and the consequences that can bring.
And yeah, the US maybe does violate international law in the specifics of its sanctions policies, though they are usually carefully crafted to only apply to people who somehow participate in the US financial/payments system. It's very possible that one day the US will pay the price for this overreach/maximalism when countries eagerly jump ship to an alternative international financial system, should a viable one emerge. But for now, the US is the only real game in town. The strong take what they can, and the weak suffer what they must.
And this is part of the reason why places like China have things like the GFW. Because they know that the US would never cooperate with even relatively benign things like foreign privacy laws (let alone more controversial things), so best ban them from the domestic network altogether.
PS: I have no intention of condoning the behavior of building censor networks like the GFW, but until there is some international court to adjudicate Internet jurisdiction cases, my prediction of the future is that there will be more and more countries adopting technological countermeasures and the Internet will be increasingly fragmented.
GDPR applies to individuals located in the European Union, and citizenship is not a factor. EU citizens have no GDPR rights while abroad, and conversely non-Europeans have GDPR protection while in the EU.
