That is an interesting article, but it doesn’t answer the question of jurisdiction because it refers to the GDPR itself. I.e. it doesn’t answer whether an EU country itself actually has the authority to enforce it on a US citizen. The US could pass a law that says a website operator must eat a dog turd every time anyone, anywhere, a website runs an ad that a US person sees. Say someone in Romania runs a site with ads and the US government wants to enforce this. The law could even state that it applies anywhere in the world, but that doesn’t make it so because the US does not have jurisdiction everywhere in the world. The Romanian government will rightly refuse to make their citizen eat the dog turd.

So the spirit of my question is, where is the stick to actually enforce anything on a US entity operating in the US under the GDPR? There is an agreement via an EO. Is there anything else in US law that could be used to enforce this if a US citizen refused an EU country trying to enforce the GDPR in the US? Using the text of it is NA because the EU can only do things that apply to EU countries and their citizens.

For those that aren’t familiar with how the US gov functions, an EO is not even remotely close to a treaty, which has the same supremacy as our constitution. All an EO does is tell federal employees or federal executive agencies what to do. Our president could issue an EO telling everyone in the US to wear yellow hats when not in a building and for the FBI to arrest anybody with a yellow hat. Those arrested would have charges dropped the second it reaches the court because such a law does not exist and it is outside the scope of power of the president. EOs can only act within already existing laws.