
GDPR ought to kill off shadow profiles.



I mean, only the ones that are GeoIped in Europe, no?


So that's going to be a really interesting thing to watch. Technically, the answer to your question is no - GDPR has nothing to do with being in the EU, it has to do with being a citizen of the EU. So if you're an American who travels to the EU, your shadow profile might get tagged with being in the EU, but you're still not eligible for GDPR protections.

On the other hand, if you're an EU citizen living in the United States for the last 20 years (meaning, before the advent of Facebook), you technically have the right to request that all your data be deleted from Facebook's servers.

Now, how will you know if they have data on you? Can you just assume that they do and make the request anyway? Will tech companies begin verifying your citizenship to tell if GDPR really applies to you? We'll soon see.


If you're an American, then you can gain (indirect) access to GDPR protections by transferring ownership of your Facebook account to a citizen of an EU member state. They can then withdraw consent to track personal data from Facebook for that account and/or send a subject access request.

Taking this action violates the Facebook ToS and will result in your account being closed.

Checkmate?


I wonder if someone could make a legitimate business out of this?

Pay someone $5 to get your account transferred to an EU citizen, and consequently removed under the GDPR guidelines.

You're still taking a huge risk by giving your profile to someone unknown, though.


You might be able to structure the sale so that the European was the data subject for GDPR reasons, but did not have the passwords. That seems reasonable because under the GDPR, a company like Equifax would be obligated to purge your data if you withdrew consent even though you don't have access to the account they have on you.


GDPR applies to anyone processing personal data about a subject who is in the EU. His or her citizenship does not matter. So you can just go to Europe and make your claim from there. https://gdpr-info.eu/art-3-gdpr/


It may be - but that would just allow Facebook to say "if the login is from an EU IP, don't save this record" - but the rest of your profile, generated in the United States, can still remain. As long as no collection happens while you're within the EU, they may be fine. The whole thing will have to play itself out in court, it seems.


Nope. If you are an EU citizen, you have a right to be forgotten under the GDPR.

I fully intend to automate a request every 40 days (the response time for a Subject Access Request) to have myself pulled from their data.


Will it? Or is this wishful thinking? How would it kill shadow profiles?


You would have the right (if you were an EU citizen) to ask for your shadow profile to be deleted, and I believe that they would have to collect an opt-in before they started to store a shadow profile about you.


This is technically true, but there are a lot of really weird implementation details. Since GDPR only applies to EU citizens, and those citizens could physically be anywhere in the world, how Facebook implements this will be super interesting.

Think about how a shadow profile gets created, for example - they notice that a group of three people keep getting tagged in photos, but there's a fourth person in the pictures who doesn't have a Facebook profile. The three people keep logging in from the same physical place (say, in the U.S.), and that same place is where the pictures are geolocated. You can assume this fourth person was in the U.S. So, Facebook starts a shadow profile on him - pictures he could have been tagged in, locations he probably was in, interests he probably has based on the intersection of his friends' interests.

But this guy is actually an EU citizen who showed up in the U.S. for a vacation. Uh oh. When would Facebook have found that out? When would they have asked this guy to opt-in? Can they assume everyone in the U.S. is not an EU citizen until told otherwise?


GDPR applies to people located in the EU. Citizenship does not matter.


I wrote this in another comment, but this is only partially true. The GDPR protections can potentially extend to non-EU citizens who travel to the EU, but the letter of the law seems to state that that's only true if data is actually collected while the person is in the EU. In other words, Facebook and others could potentially say "if this data is geotagged in the EU, don't record it. Wait until they're back in the US." Then, since no data collection happened in the EU, they wouldn't have the right to get it deleted.

Edit: rereading https://gdpr-info.eu/art-3-gdpr/, it specifically mentions the "processing of data", not just storing. In other words, Facebook could potentially stop an American from logging in when in Europe. Would they? Likely not, it would hurt their business. But what if I (an American) sign on via a British VPN?

It also doesn't answer what would happen to the data of EU citizens who are never geotagged in the EU (due to living outside of it), but also have shadow profiles created without their consent anyway. The first GDPR lawsuit will be fascinating.


Or maybe GDPR will kill off Facebook.



