This is also not like some stupid patent dispute or DMA compliance argument. These employees are directly responsible for stockpiling personal identities of millions of people for the express purposes of making the surveillance efforts of their government easier. That's a very political action, which is directly aggressive against a country's citizens, and they should feel that.
You can break your home country's laws when you go abroad and it's usually OK. You can smoke cannabis when you visit the Netherlands* from Ireland, for instance, and go back home to Ireland without worry.
Violating GDPR is illegal. It's acceptable to arrest people who do things that are against the law. And if, say, I write a lambda that runs hourly and violates the GDPR from my home in California, and then take a holiday to the Netherlands while the lambda is still running, should I be immune from arrest? The offense is still ongoing in that instance.
If we truly take privacy seriously then this should be treated like a crime. If I had something that scammed people in Europe and then holidayed in Europe I'd expect to risk arrest. Or is that somehow less important than violating people's privacy?
* (It's actually technically still illegal but that's a different story). Gedoofd is weird.
The US is willing to prison swap terrorists with Russia, we definitely wouldn’t tolerate some EU country (that we spend billions of dollars defending) arbitrarily arresting tourists so they can hold a foreign company hostage.
Anyway I think you're right that the US would strongarm EU governments in to getting their way (look at privacy shield, etc.) but I still think "you're allowed to continue breaking our laws that affect people in our country while you visit us because it happens to be running on a computer you left at home" is a weak defence.
