The question—who is responsible—can only be tested in a law court as a matter of due diligence. In the first instance (for those people who may be subjected to a legal claim) the person responsible is the website owner. There is a chain of responsibility that extends from the site owner up to the webhosting company and therefrom through to the ISP and telco who manages the transfer of data ... but we're getting ahead of ourselves.
First of all, GDPR hasn't come into effect and, more importantly, it hasn't been tested.
Returning to the substance of this topic: due diligence is at the heart of the matter. There's a wonderful legal adage that goes like this (in Latin): ignorantia iuris non haud excusat. Just because the client might attempt to excuse their legal obligations (by claiming a lack of due diligence on the part of the developer who "failed" to advise the client of the need for GDPR compliance—assuming the developer was au fait with the need for the client's potential compliance with the GDPR in the first place) doesn't mitigate the client's responsibility to be aware of laws pertaining to the client's jurisdiction. I mean, fair go and all that: I live in Australia and I have no knowledge of the intricacies of European law. Unless (and until) the Australian High Court is prepared for the Australian Privacy Act to be subjugated to a foreign law, I really don't have an interest in this. Likewise, I'd be surprised if people living in the USA, in South America, Africa, the Indian sub-continent or South Georgia and the South Sandwich Islands would be overly concerned about the GDPR either!
So, as far as whether a European court would give leave to a defendant to enjoin a foreign-based developer in an action brought under the GDPR, there is no legal precedent ... as far as I'm aware. Furthermore, the client has to establish that the developer did not exercise due diligence in advising them of their legal responsibilities. Well ... let them give it their best shot!
If, as a developer, you want some measure of protection, then you could insert a clause in your contract that reads: "It is the client's responsibility to ensure that all trade practices and privacy obligations, as required under law pertaining to the client in the operation of the client's business, are the responsibility of the client. The client further indemnifies the developer from any and all actions, civil claims or legal torts in the operation of the client's business."