Re: "May have been (at least in US law) legal"
Article 3 of the GDPR states "This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union".
So if the data subject is an EU citizen
No. By virtue of what you quoted, all the subject has to be is in the EU. It doesn't matter whether or not they're a citizen. Of course if the Prime Numpty gets his way it won't make any difference to those of us in the UK after October 31st.