I'd say he isn't. But the US government will do it all the same, and at least some of the EU governments would probably also apply the privacy laws on companies dealing with their citizens. (Probably not UK, but France is a good candidate, and Germany is also reasonably rabid about it's privacy laws as of late.)
Law gets really complicated when you cross international boundaries, and usually everyone involved will assert their right to impose laws on you, and whether they actually do this mostly depends on how easy it would be for them to do it.
If you base legal decisions about your business on abstract principles, you might just get detained the next time you route through an airport that belongs to someone you've mightily pissed off. Generally, it's smarter to strive for not offending anyone, or if you cannot manage that, strictly not visiting or in any way depending on countries whose laws you might have broken. For example, if your site is not strictly legal under US law, don't host in under .com.
Law gets really complicated when you cross international boundaries, and usually everyone involved will assert their right to impose laws on you, and whether they actually do this mostly depends on how easy it would be for them to do it.
If you base legal decisions about your business on abstract principles, you might just get detained the next time you route through an airport that belongs to someone you've mightily pissed off. Generally, it's smarter to strive for not offending anyone, or if you cannot manage that, strictly not visiting or in any way depending on countries whose laws you might have broken. For example, if your site is not strictly legal under US law, don't host in under .com.