The law is completely readable by non-lawyers, IMHO. It's one of the better written laws I've seen. But here's a website by the UK government that explains what all the terms mean and exactly what you have to do: https://ico.org.uk/for-organisations/guide-to-the-general-da...

There are 28 member states. Under some circumstances, a company headquartered in the EU can have the headquarters country's authority act as its "one stop shop." But it would be a mistake for a foreign website to rely on the opinions of 1/28th of the agencies that might prosecute it.

The GDPR says that at the current state of technology it would take an undue effort to infringe someone's privacy in such a way, so the risk is unreasonable.

It's like worrying that someone will be struck by lightning because they're located on your property near an antenna you set up, and you'll be charged with murder because of that. Yes, it's possible, and about equally as likely.

It's worth noting, as well, that this part of the law hasn't changed at all. The changes to GDPR are about notification and a variety of rights. Protection for leaking data to unknown 3rd parties is exactly the same as it was.

If using a 30 year old attack costing a few hundred bucks is considered undue effort then we are all save.

[1] https://en.m.wikipedia.org/wiki/Van_Eck_phreaking#LCDs

I would estimate the frequency of the attack similar to Lightnings killing people. I’m quite sure it happens but only in very small scale because you have to get so close to the victim.

If the customer is choosing to display his data on his screen while under risk of Van Eck phreaking, it's on him.

If you choose to display customer data on your screen while raising funds for launching a new cryptocurrency in the Sultanate of Kinakuta from sketchy Chinese generals, it's on you.