
> Or the sites that don't bother with compliance and just show a message to the effect of 'this site operates under a jurisdiction that may have different privacy laws to your country' and leaves it at that.

That's potentially but not necessarily compliant. To a large degree, it depends on the intent of the website's data controller.

* GDPR Art 3(2) discusses the territorial scope of data controllers that are not in the EU. Their data processing falls under the GDPR if they are offering services to people in the EU.

* GDPR Recital 23 discusses potential factors that indicate an offer. Blocking EU visitors is not necessary: “Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”

* The EDPB has issued further guidance on the territorial scope. In their guidelines 3/2018 [1] they spend a lot of ink on discussing this “targeting criterion”, and provide some clear-cut examples. Of course, that falls short of actually interesting examples of edge cases :)

[1]: https://edpb.europa.eu/our-work-tools/our-documents/riktlinj...



