I understand that Germany may impose criminal penalties for certain violations of the GDPR, maybe other countries too. In that case yes, you could get arrested changing planes in Frankfurt, and spend time in German prison. The probability of that of course seems very low.
An EU government could try to convince your own government to enforce their fine / injunction / extradition / whatever. I don't think the USA has any treaty or other law that would compel them to. I'd guess that Trump's administration would treat the request as something between a joke and an attack on American sovereignty, so I doubt that's a major risk here. Other countries may vary.
The easiest path for the EU to enforce is probably through your customers and vendors, probably starting with payment processors--like, require everyone who processes payments in the EU to transact only with people who transact only with GDPR-compliant companies. My personal guess is that everyone with a business model that depends on breaking the GDPR will move offshore, and the EU will play the same game of merchant account whack-a-mole that the USA does for online poker and such. I'd guess that the effort to enforce offshore will be big enough that only the most egregious violators will be worth the attention.
Pretty sure there is an extradition treaty [0], which the US makes use of to e.g. try and get British hackers extradited [1]. Such requests can be blocked (also [1]).
Yeah, but extradition treaties generally require "dual criminality", that the offense be a crime in both countries. If your offense wasn't a crime in the USA, then you probably won't get extradited; and if it was, then the USA probably has jurisdiction too (assuming you were physically here when you did it), so the USA can prosecute you itself.
Fair, and my reply was unclear. I mean that if the act is a crime in both countries, then it's a crime in the USA, so you'd be committing a crime with or without the GDPR.