Just wanted to point out a few things others have already mentioned.
“Not only does every company that does business with an EU citizen have to comply with GDPR, but most major Internet companies (like Google, Facebook, etc) have already announced they intend to export the “spirit” of GDPR to all of their customers, regardless of their physical location.”
That’s not quite correct. Only companies that have personal data on users based (not just citizens! it could be Americans on vacation…) in the EU, must comply. Second, yes FB has announced it will “comply with the spirit” of the GDPR. This does not mean what you think it means. This actually means that they WON’T be following GDPR procedure to the tee for users based in the US/Asia/Africa because they are not required to. It’s a cost-saving measure. https://www.reuters.com/article/us-facebook-privacy-eu-exclusive/exclusive-facebook-to-put-1-5-billion-users-out-of-reach-of-new-eu-privacy-law-idUSKBN1HQ00P
Finally, you say the GDPR is a reaction to “surveillance capitalism.” Actually, I wouldn’t categorize it as such. It’s just a minorly-updated version of the 1995 DPD, which as a directive, led to uneven and inconsistent implementation in member states. The goal of the GDPR is to safeguard fundamental human rights to privacy and also ensure a common digital market for the transfer of personal data throughout the Union. Sure part of it was driven by the rise of giant data brokers such as Acxiom, but it’s more a reaction to potential US-government surveillance programs revealed by Snowden and others. That’s why the Safe Harbor/Privacy Shield agreements were updated (EC court found Safe Harbor didn’t meet “adequacy” standards for data export as a result of the Schrems case).
Really, whether one thinks GDPR is good or bad really depends on whether one agrees with the EU’s Charter of Fundamental Human rights, articles 7 & 8, which state that natural persons have a right to privacy and personal data protection. In the US, you can process anyone’s personal data as long as you don’t directly cause them harm or break any laws. In the EU, however, you CANNOT process them unless it is expressly allowed by the law. The GDPR, for better or worse, gives lots of exceptions and legal grounds for doing so. As many others have mentioned, consent is the most obvious grounds for processing, but others such as legitimate interest, public interest, statistical research, and several others exist. It’s likely that firms will gradually tend to rely on non-consent means as the legal issues surrounding legitimate interest become clearer.