Within the EU itself, GDPR is rarely enforced. A paper tiger of sorts. Its main meaning is to scare some people straight, but the resources for actual enforcement of its provisions are rather limited.
For example, I still receive a lot of commercial spam that advertises in-EU businesses.
Maybe but no lawyer is going to say it’s probably fine to break the law since enforcement is lax, and the engineering team isn’t going to say we can stand by all the random code this we pulled from npm. The obvious thing to do here is blocking readers from 7 time zones away which up until today went unnoticed.
For example, I still receive a lot of commercial spam that advertises in-EU businesses.