(no title)

According to the GDPR, its jurisdiction is global via “public international law” and mutual government agreements, but you’re right that’s not entirely clear and they are claiming untested jurisdiction. The law says it applies to non-EU companies if the company establishes any marketing or sales presence either located in the EU, or markets or sells to EU residents (which might apply if the company so much as analyzes sales data by country), or if the company is “monitoring” the behavior of EU residents in any way, where monitoring does not seem to be defined in Article 4 so could mean a lot of things including doing anything with collected data or corresponding with customers.

https://gdpr.eu/article-3-requirements-of-handling-personal-...

I’m sure there are US companies that happen to sell to EU residents that happen to acquire some PII but don’t know and can’t correlate it with the EU, and so aren’t subject to the GDPR. But according to the law’s language, it seems as though something simple on a company’s website like using Google Analytics, which does identify and “monitor” the behavior of people by location, might trigger GDPR. I might expect 23AndMe to trigger applicability for multiple reasons, including that they are using DNA to identify regional heritage and relatives, the samples may be delivered with EU addresses on them, and the samples are as personally identifying as it gets. That’s on top of whatever the website, account registration, and sale process collects.

Notably, the GDPR applies depending on customer jurisdiction rather than company jurisdiction. If they’re serving EU (or UK) customers, the GDPR definitely applies.

23andme markets and sells services in the EU and is therefore subject to the GDPR. And they know this very well: https://www.23andme.com/en-eu/gdpr/

That's not how GDPR works. GDPR doesn't care where your company is registered or does business; if they process the personal data of EU citizens then GDPR applies.