If you've lied, there are periodic audits, and you might get thrown in prison.
I assume you can lie going to China. If you do and get caught, you'll probably never be welcome to visit China again (or fines, or prison, or some other consequence; but most countries would just keep you out).
it always depends on who is asking. this whole subthread is about who the GDPR applies to. in your other comment you lay that out very clearly: https://news.ycombinator.com/item?id=31397369
the relevant question is: when do i loose my status as a resident of the EU if i am an EU citizen. i'd like to make the claim that the intent of the GDPR is to protect the people who are inside the EU at the moment the data is collected.
even if i just leave for a week as a tourist, and then use some non-EU service, the GDPR no longer protects me. it is unclear if the GDPR still applies if i registered with that service from inside the EU and they know that i am the same person that's now accessing the service from outside the EU, but as you said, the easy thing to do is to just assume that the GDPR does apply until there is a clear benefit from being able to not apply it, and in that case the company needs to show evidence that i am not an EU resident. on the other hand if i sign up for a service outside and continue using that service after i return to the EU, protection should start from the moment i come back.
my point is that this is meant to be not the legal residence status, but simply your location at the time, unless you happen to be in the EU only for a short visit, in which case the GDPR is not going to be of much use (it might still apply though. can i visit the EU as a tourist and then issue a GDPR data request or deletion or whatever other benefit the GDPR offers, and then go back home after issuing the request?).
which is different from getting an EU domain. there it matters that you have the legal residence status regardless of your location. if you have a multi year residence visa, you won't loose your EU domain just because you spent most of that time traveling outside of the EU. you'll need to return your EU domain only after you permanently leave the EU. (which every british resident had to do)
I assume you can lie going to China
you can't lie, they want to see evidence that you are a resident or they won't let you board the plane. consider that the point is to control infection vectors and they want to avoid people transiting through high risk areas. so this is not to punish people but to prevent the virus from spreading and if in doubt, they won't let you in.
https://gdpr-info.eu/art-3-gdpr/
However, the framing as a human rights law, protecting "fundamental rights and freedoms of natural persons," means that the intent is somewhat more broad:
https://gdpr-info.eu/art-1-gdpr/
It defines principles which are believed to apply everywhere.
That's reinforced by language like "This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law." This extends jurisdiction as far as practical, in ways which are legally ambiguous.
"Legally ambiguous" generally means that you might be right, but the cost of finding that out will be astronomical.
Human rights laws have an inherent friction to them. On one hand, if random dictator's private business violates human rights laws, that's outside of jurisdiction, so not much can be done about it. Sovereignty is an important principal. On the other hand, it's clearly viewed as not okay, and often has some ramifications at some point. If you're applying for a contract, and have a track record of human rights violations....
