The US is a sovereign nation. US law explicitly allows them to snoop on foreign entities/persons/data.
GDPR doesn't have jurisdiction outside the EU.
I wish it were otherwise, but it is not. The EU isn't a world government, it's a regional government/alliance, somewhat analogous to the US. The US often manipulates other nations to agreeing to pass laws that align to their policy goals globally, but ultimately it's a decision of sovereign nations to pass laws. I don't think the EU wants to call into question the entire concept of sovereignty in a policy conflict with the US, since the US is the a hegemony and one of only two global superpowers (and arguably the only one).
The GDPR applies to EU citizens regardless of where they are, and if the EU courts can apply fines (for example the company has a presence in the EU) then the court will probably fine the company.
Whose law?
The US is a sovereign nation. US law explicitly allows them to snoop on foreign entities/persons/data.
GDPR doesn't have jurisdiction outside the EU.
I wish it were otherwise, but it is not. The EU isn't a world government, it's a regional government/alliance, somewhat analogous to the US. The US often manipulates other nations to agreeing to pass laws that align to their policy goals globally, but ultimately it's a decision of sovereign nations to pass laws. I don't think the EU wants to call into question the entire concept of sovereignty in a policy conflict with the US, since the US is the a hegemony and one of only two global superpowers (and arguably the only one).