This would seem like a simple question. However, with many things in the soon-to-be-enacted GDPR, there is no simple answer.
If read to the letter of the law, anyone who is a European citizen is protected by GDPR anywhere in the world. So the simple answer would be ‘Yes’…right?
There is an argument for the fact that if you are a traveler to the US, what happens to your data depends on the applicable American laws related to data collection, data use, and data storage. So, if you enter the USA or even if you utilize an American service product any data collected and stored is protected by US laws not GDPR. The simple answer would be ‘no’.
If this American company, however, trades with EU, then your data is protected by GDPR laws. This company would have to adhere to GDPR regulations. In this case, the simple answer is ‘perhaps’.
Yaki Faitelson wrote in a Forbes magazine that even those US companies which do not trade with any of the member states of the European Union do, in fact, need to be concerned with GDPR.
An example raised in this article involves any American company with a website. That would include practically any American company. Right? If markets and/or products are traded on this website, then GDPR might well apply. This emphasizes the technological scope of GDPR.
Article 3 of GDPR is well worth studying. Even if a company does not actually trade with an EU nation, but you collect data—personal or even behavioural—from someone within an EU country who is in the EU when that data is collected, then that EU consumer is covered by GDPR. This emphasizes the territorial breadth of GDPR.
So, if an American-based company collects data through an online marketing survey, for example, then that data might be protected by GDPR.
There is no single simple answer to the question ‘Does GDPR Protect EU Citizens in the USA?’