This isn't correct with 3rd-party CAs with modern TLS either.
TLSv1.2 has Perfect Forward Secrecy with DHE and ECDHE key exchanges and in TLSv1.3 PFS is mandatory. A compromised root CA or even leaf certificate these days protects you from a man-in-the-middle and not a whole lot else - the certificate private key is never used for session key derivation and the keys themselves are ephemeral and never sent over the wire so even intercepting the key exchange doesn't allow decryption of the stream.
Even if you don't have Forward Secrecy, like you decided to use RSA KEX which is a terrible non-default idea even in 2015 let alone today (this feature isn't even present in TLS 1.3 deliberately, lobbying to keep doing this failed), your private key is still needed so a third party CA can't imitate you.
The CAs have never been supposed to know your private key. For a long time now it's straight up forbidden on pain of removal from trust stores for the CAs to learn somebody else's private keys.
For the example of Let's Encrypt, your client probably picks a private key and stores it where your web server can use it, but it never sends this key to anybody else. In fact, if you care, you can even have the key chosen by the web server and literally never send that key to the Let's Encrypt client at all: the client picks up a "Certificate Signing Request" and it goes "OK, I see you want a certificate for some key you know but I don't, that's cool, I will go ask Let's Encrypt to issue a certificate for that and let you know."
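The two points above (the session key comes only from the ephemeral exchange, and a CSR carries the public key alone) can be shown end to end. The following is an added example, not code from the commenter or from Let's Encrypt; it uses the `cryptography` package to stand in for a TLS 1.3-style handshake: X25519 ephemeral shares, with the server's long-term Ed25519 key (the one behind its certificate) doing nothing but sign the transcript. Names such as `Server`, `client_handshake` and `example.test` are invented for the illustration; there is no record layer, key schedule or certificate chain, so it is not a TLS implementation.

```python
"""Toy TLS 1.3-style handshake (constructed example). Demonstrates:
(1) both sides derive the same session key with the certificate key as no input;
(2) nothing on the wire contains the session key or an ephemeral private key, so
    stealing the certificate key later does not unlock a recorded session;
(3) an attacker holding the certificate key DURING the handshake is indistinguishable
    from the server, which is the man-in-the-middle the certificate guards against;
(4) a CSR holds only the public key, so the ACME client never needs the private key."""

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import (
    Encoding, NoEncryption, PrivateFormat, PublicFormat)
from cryptography.x509.oid import NameOID


def raw_pub(pub):
    """32 raw bytes of an X25519/Ed25519 public key: this is what goes on the wire."""
    return pub.public_bytes(Encoding.Raw, PublicFormat.Raw)


def raw_priv(priv):
    """32 raw bytes of a private key; used here only to prove it never appears on the wire."""
    return priv.private_bytes(Encoding.Raw, PrivateFormat.Raw, NoEncryption())


def derive_key(ephemeral_priv, peer_share, transcript):
    """Session key = HKDF(ECDHE shared secret, transcript). The certificate key is not an input."""
    shared = ephemeral_priv.exchange(X25519PublicKey.from_public_bytes(peer_share))
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=transcript).derive(shared)


class Server:
    """Whoever answers the client: the real server, or an attacker holding its key."""

    def __init__(self, cert_key):
        self.cert_key = cert_key          # long-term Ed25519 key behind the certificate
        self.session_key = None
        self.ephemeral_priv_bytes = None  # retained only so the demo can check it never leaked

    def respond(self, client_share):
        eph = X25519PrivateKey.generate()  # fresh for this handshake, dropped afterwards
        self.ephemeral_priv_bytes = raw_priv(eph)
        server_share = raw_pub(eph.public_key())
        transcript = client_share + server_share
        self.session_key = derive_key(eph, client_share, transcript)
        return server_share, self.cert_key.sign(transcript)  # CertificateVerify analogue


def client_handshake(trusted_cert_pub, respond):
    """Returns (session key, every byte a passive eavesdropper could have recorded)."""
    eph = X25519PrivateKey.generate()
    client_share = raw_pub(eph.public_key())
    server_share, signature = respond(client_share)
    transcript = client_share + server_share
    trusted_cert_pub.verify(signature, transcript)  # raises InvalidSignature if not the cert key
    return derive_key(eph, server_share, transcript), transcript + signature


def honest_session():
    """(client key, server key, recorded wire bytes, server's ephemeral private key)."""
    cert_key = Ed25519PrivateKey.generate()
    server = Server(cert_key)
    client_key, wire = client_handshake(cert_key.public_key(), server.respond)
    return client_key, server.session_key, wire, server.ephemeral_priv_bytes


def mitm_with_stolen_key():
    """Attacker has the certificate key at handshake time: the client accepts and the
    attacker ends up with the client's session key. Returns (client key, attacker key)."""
    cert_key = Ed25519PrivateKey.generate()
    attacker = Server(cert_key)  # literally the same code path as the real server
    client_key, _ = client_handshake(cert_key.public_key(), attacker.respond)
    return client_key, attacker.session_key


def impersonation_without_key():
    """Attacker signs with some other key. True if the client accepted, False if rejected."""
    cert_key = Ed25519PrivateKey.generate()
    attacker = Server(Ed25519PrivateKey.generate())
    try:
        client_handshake(cert_key.public_key(), attacker.respond)
        return True
    except InvalidSignature:
        return False


def csr_contents(common_name="example.test"):
    """Web server makes its own key and CSR; the CSR is all the ACME client sees.
    Returns (CSR self-signature valid, public key in CSR DER, private key in CSR DER)."""
    key = Ed25519PrivateKey.generate()
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
           .sign(key, None))  # Ed25519: the hash algorithm argument must be None
    der = csr.public_bytes(Encoding.DER)
    return csr.is_signature_valid, raw_pub(key.public_key()) in der, raw_priv(key) in der


if __name__ == "__main__":
    ck, sk, wire, eph = honest_session()
    print("keys agree:", ck == sk, "| session key or ephemeral key on wire:",
          ck in wire or eph in wire)
    print("MITM with stolen cert key shares client's key:", len(set(mitm_with_stolen_key())) == 1)
    print("impersonation without the key accepted:", impersonation_without_key())
    print("CSR (sig valid, has pubkey, has privkey):", csr_contents())
```

The recorded `wire` is exactly the two public shares plus the signature; the only secrets that ever existed were the two ephemeral X25519 private keys, which live in one process each and are gone after the handshake. Handing the certificate key to someone after the fact therefore adds nothing to the recording, while `Server(cert_key)` run by an attacker during the handshake is the impersonation the comment describes.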
That's not how GDPR works. GDPR doesn't care where your company is registered or does business; if they process the personal data of EU citizens then GDPR applies.
I was an Estonian resident a while ago, and I wanted to delete data in my old VK.com account (a Russian company). They didn't do anything, naturally, so I wrote to the Estonian data protection inspector or something. They said that (surprise!) they can't do anything either.
Things might be better now, but my bet is if you register a company in, say, Seychelles, and your business is purely digital, you can ignore GDPR all you want.
EU can, in theory, tell payment processors to stop working with you, but I haven’t heard of such cases. Even then it won’t help if you don’t sell anything (apart from user data).
Some EU countries have started blocking websites (by spoofing DNS). This could actually work to put some actual pressure on non-compliant companies, but is also kinda too authoritarian for the EU?
Tl;dr: GDPR has good intentions, it just doesn’t work right now if the data processor is not in EU.
Correction: replace "EU citizens" with "people in the Union". That's how GDPR describes the people it covers. It's where you are that matters for GDPR rather than citizenship.
No, if this is the case, they can't service EU citizens at all, because US companies can't have any EU data because they can't protect EU citizen data.
The only way to service EU customers is when we assume that entering data on a US website is not exporting data from the EU to the US by the US company. Just like when I go into a Walgreens in NYC as an EU citizen.
For the last decade US and EU companies have ignored the fact that it is/was mostly illegal to transfer EU citizen data to the US (it is currently legal but will be illegal again). Also, every EU company that exports data to the US (e.g. by using Mailchimp) needs to guarantee the safety of the data by auditing Mailchimp; no one does, and there have been no fines so far, but I assume there will be in the future.
"The EU parliament raised substantial doubts that the new agreement reached by Ursula von der Leyen actually conforms with EU laws, as it still does not sufficiently protect EU citizens from US mass surveillance and severely fails to enforce basic human digital rights in the EU. In May 2023 a resolution on this matter passed the EU parliament with 306 votes in favor and only 27 against, but so far has stayed without consequences."
Someone randomly walking into a Duane Reade in Seattle and purchasing a device would not be reasonably covered under the GDPR.
However, if 23andMe were targeting European citizens, that would be different.
Despite what the adtech industry likes to claim online, Bob's Burger Joint in Baltimore does not have to be specifically concerned about abusing their customers' data even if a customer happens to be an EU citizen.
Now if they shipped frozen burgers to France online then sure they would. If they sold “merch” in euros they would. But a local store with a physical premises trading in person? Not covered.
A European citizen living in Austin buying from Amazon, though, could well be covered. Amazon do target EU citizens.