by caffeine5150 2949 days ago
You are correct as to a DPO, but if he is, say, in the US and subject to GDPR, he must have an EU Representative, who by all indications would be liable for his violations. That's a significant burden, if not a practical impossibility, for most in his position. Also, if he's transferring personal data from the EU to the US directly from individuals, his only practical way of making that transfer compliant is likely to be Privacy Shield certified, which is not cost-free (although he could maybe rely on consent as a derogation, but relying on that has risk). I can think of many things like this that have, if not a hard cost, then a definite cost in time and resources to comply, including keeping up with compliance. Could easily be not worth the effort for a single individual.