Sure, it technically applies - but I doubt it will have any effect. Compare it to hacking across border where there is no extradition. At least until some form of GDPR is rolled into international trade treaties.
I very much doubt GDPR penalties will be levied at individuals - even when a business entity is wholly controlled by an individual. Blocking of criminal services does seem probable in extreme cases - but so far most of Europe has been pretty lenient wrt outright censorship as far as I know. Filtering certain child pornografi content being an exception.
On a side note, the cp filter is scary - as the infrastructure implies the existence of censorship infrastructure ready for abuse in the event of a power shift.
