IIRC they do try to claim it applies outside of Europe; they say their laws apply to any entity processing data of EU citizens, regardless of where the data or website actually lie.
I think it's well within the rights of the EU to legislate in which way the data of its citizens is processed. If your product or service is accessible to EU citizens, in the EU market, then you need to abide by the laws of the EU. It's no different for physical or virtual products.
