Why would the EU expect that any of its laws would apply to my business?
It doesn't.
Unless you choose to do business in the EU (which is possible, thanks to the wonders of the World Wide Web).
Then, and only then, do you have to comply with EU law, including the GDPR.
From a comment by @BenCollins:
I'm talking about non-EU online retail that does allow Europeans (particularly those not actually in the EU at the time of the transaction) to place orders.
Basically, GDPR Article 3 says that the GDPR
applies to the processing of personal data of data subjects who are in the Union
The phrase "in the Union" is clearly open to interpretation, but according to the website Security Now, Dr. Michèle Finck says this:
Most people seem to agree that the relevant criterion is whether you're based in the EU at the moment data is collected - citizen or not (my emphasis).
While Michèle Finck is a well-respected legal scholar, she is not an authoritative legal source, so we need to wait for case law to nail this down. For what it is worth (not much, I am afraid), I think it would be against common sense to define the territorial scope so broadly that brick-and-mortar stores in the USA risk being prosecuted in Europe if they sold goods or services to European tourists.
However, what most US-based businesses that choose to accept orders placed by natural persons who are in the [European] Union need to know is this: according to European law, the GDPR does apply to them when they conduct such business.
From a comment by @BenCollins:
I question the notions that (a) there is a basis by which the law would apply
The legal basis is European law, in particular GDPR Article 3.
and (b) that it has any enforcement mechanisms outside the EU.
As for enforcement, I think a good answer has already been provided by Dale M., but for completeness: the USA has treaties with the EU which mean that after a legal case has been decided in a court of law in the EU, the EU can request that the USA enforce the judgement (typically by collecting the fine the USA-based business incurred when conducting business in Europe).
To make this answer more general, here is a breakdown of the regulation of the territorial scope of the GDPR for businesses that are not located in the EU:
The scope is clearly spelled out in Article 3, and if you're not "a controller or a processor in the Union", you are only subject to the GDPR if your processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
US-based companies that engage in business practices that are illegal in Europe know about this, and have already taken steps to protect themselves from being prosecuted in Europe under the GDPR by using firewalls to block access to their services from the EU.
The bottom line is that if you:
- have no presence in Europe, and
- don't offer goods or services to people who are in the Union, and
- you don't collect personal data about European natural persons,
then the GDPR does not apply to you. If at least one of the above applies then you need to follow the GDPR if you do not want to be prosecuted in the EU.