I Am Not A Lawyer and all that, but the good people at Clifford Chance are, and this is what they have to say about non-EU based companies and the EU's General Data Protection Regulation (GDPR).
The GDPR radically increased territorial scope of EU personal data protections by extending its jurisdiction not only to the controllers processing personal data in the EU, but also to non-EU controllers and processors processing personal data of individuals who are in the EU, if:
(a) [...]; or
(b) relates to: offering of goods, services to such data subjects in the EU (irrespective of whether the goods/services are offered for a fee or free of charge), or monitoring of the behaviour of the data subjects, as long as their behaviour takes place in the EU
So the WMF, which does offer services to data subjects in the EU, and also monitors their behaviour, is within the scope of the GDPR by both parts of (b). The plaintive bleating that they are immune from EU law because they are based in California seems unlikely to work, because they operate in the EU, both by providing (free) services within the EU and by hosting some of their servers within the EU. So what do they have to do?
The non-EU resident controllers and processors who are obliged to comply with the GDPR must appoint representatives within the EU to be a point of contact for the EU personal data subjects and regulators for the purposes of enforcement of the GDPR
If the WMF have not already done so, the European chapters may find themselves in the firing line. Failure to comply could mean
fines for some infringements of up to the higher of 4% of annual worldwide turnover and EUR20 million
That's a lot of cups of coffee.