If they deal with a business or organization in one of the non-EU countries they may be in, any personal data they provide is not covered by the GDPR rules, as they are not located within the EU at the time. It is not the citizenship of the person that is important, but where they are situated.
Looking at another example helps to further illustrate who the GDPR applies to. A US citizen is temporarily residing or travelling in France, which is an EU country. They make a purchase from a local store and provide personal information during the transaction. This personal information is covered by GDPR as the person is located within the EU as the purchase takes place.
From these examples you can see that the personal data of an EU citizen residing in the US, for example, would be dealt with according to individual data protection laws within the US and would not be subject to GDPR compliance, whereas the personal data of a US citizen residing in the EU would be subject to GDPR regulations.
Short answer. It depends but ordinarily ... NO!
IANAL but the information in this Compliance Junction article seems legit. Two staff members from Pivoti covered PCI DSS and GDPR at last nights ( and at times contentious) GDPR and Privacy Event of the New Jersey Chapter of the ISC2.
So ... hey Europeans. If you come to the USA and shop at the small local shops in my town, don't expect you're EU legal rights to be respected. The local coffee shop which has no presence in the EU and has no website that sells/service EU citizens is not subject to GDPR. If you are a local business, the local business association or chamber of commerce in your town may be the best place to get help. EU laws do NOT apply to natural persons or US only businesses doing business in the USA.
The primary determining factor is the location of the individual when considering whether GDPR rules apply. Any business or organization that processes the data of people living within the EU, no matter where the group is located, should comply with the GDPR stipulations or face being fined for non-compliance.
and , I think that you will be happy to know that Webmentions should meet the intentions of the GDPR if:
- if they disable any sort of analytics,
- and have a way to remove/anonymise IP addresses in their database and logs,
- provide a way for users to remove ordinary comments (or move those to Disqus) since Webmentions already support deletion.
I am leaning toward using the open-source Isso on this website.