Your contract is irrelevant. If you process data of EU subjects, then you're bound by the rules of GDPR regardless of what your contract contains. You can't sign away your rights in the EU, so I can lie and say that I'm in the US, and that's entirely your problem.
Will be interesting so see how this shakes out in the courts over the next few decades.
It’s not possible to know the legal jurisdiction of the user represented by an incoming packet with today’s internet.
To me this sounds like a random person in a random country smuggling their data across a boarder into my system without my consent. Have a hard time reconciling my views on privacy and individual freedom with a world where a random country can hold me liable for some random law in their jurisdiction when I never consented to doing business with their citizens.
Is it his problem? He doesn’t have to respect GDPR because he doesn’t operate in the EU. Sounds like it’s your problem if he doesn’t handle your data the way you think he does.
European authorities are still able to enforce fines against him unless he’s exceedingly careful, even if he doesn’t have direct presence in the EU.
This is why many websites just block European IP addresses entirely.
You might think you’re safe in the US, but perhaps you use a payment processor with significant European presence? Stripe or Paypal, for example. European authorities can take your money.
> This is why many websites just block European IP addresses entirely.
This is not sufficient. IP addresses do not have sovereign rights and only loosely correlate with the legal jurisdiction of the user behind the originating packet.
This is a world where, by connecting to the internet and exchanging packets, you are simultaneously liable for every law under every jurisdiction; it’s just a game of roulette which jurisdiction the packet you receive is coming from.
This doesn’t seem scalable, sustainable, or particularly good for human/civil rights.
No, they can’t. People in sovereign countries aren’t beholden to your country’s laws. The EU can block access to the site from inside but nothing more. It doesn’t rule the world.
