The question is, is it also illegal for a non European site, to use Google Analytics when visitors are coming from EEA ?

As a non-European site owner, the EU has absolutely no legal jurisdiction on my business or business practices. I could care less what is or isn't "Legal" in Europe. Because if I care about what is legal in Europe, then I need to care what is legal in North Korea, Iran, China, Russia, and every other country in the world. Hey! why stop at country/nation state level, maybe the mayor Graz in Austria should pass a law banning the use of Word-Press.

I agree with you on the basis , but as far as I know :

The GDPR also applies to data controllers and processors outside of the European Economic Area (EEA) if they are engaged in the "offering of goods or services" (regardless of whether a payment is required) to data subjects within the EEA, or are monitoring the behaviour of data subjects within the EEA (Article 3(2)). The regulation applies regardless of where the processing takes place.[40] This has been interpreted as intentionally giving GDPR extraterritorial jurisdiction for non-EU establishments if they are doing business with people located in the EU.

And I think this is the same for the Brazilian LGPD, Californian and Australian equivalents.

If being a non European based business was enough to escape the GDPR, Google, Facebook et al, would simply close their offices in the European Union, and run their sites and services from outside the EU. Isn't it?

Also, lot of non EU sites, are blocking access to EU visitors, to be sure not get into troubles.

Please note, that , the EU parliament made no difference between giant companies, and one-man business, because they believe that, from the moment you run an online service, you are a big guy ...

Any country or jurisdiction can create a law that says it applies to everyone, but any law only really applies if the country has means of enforcing the law. So the EU court is welcome to render judgement against my company, but they can't enforce it. They would need to come to Canada (I am Canadian) and get the Canadian court's to agree that my actions are illegal, but since those actions are not illegal in Canada, they could never get such a judgement.

In terms of Facebook and Google, they have a presence in the EU, offices and subsidiaries and are actively selling advertising to EU corporations. So it isn't a question of these companies being giants, it is a matter of where and how they are doing business.

If I don't make mistake, Canada is GDPR-compatible, privacy laws in Canada are approved by the EU, which is why it's allowed to transfer data about EU individuals to Canada. My initial post concerned the transfer of data to the US.

ps: I read once that Canada has an agreement with the EU to enforce GDPR fines to Canadian's businesses. But I agree this is unlikely to happen, excepting in a very very big case.

I read once that Canada has an agreement with the EU to enforce GDPR fines to Canadian's businesses.

Not to my knowledge. We have some strict privacy laws, but they are far from sufficient. Most notably an anti-spam law that requires business to have explicit consent from individuals in order to send them emails. This law is very effective a limiting spam from Canadian companies, from which it rarely originated (relatively speaking) but does nothing to stop it from Russian hackers.

Spam seems unstoppable , ... and since Spammers are exchanging db of emails, this ends in the hands of "phishers".

I wish regulators put as much efforts as they put in privacy protection (which is good), into fighting spams and hackers.