I think the truth is that we don't know. There have been rulings that seem to go as far as saying that an American company can be compelled by the US government to share information against GDPR rules so no American company can ever be compliant - not even if they set up an EU subsidiary which nominally controls the data and all the data is hosted in the EU because that American company could simply override their EU subsidiary. Even if you're hosting in the EU, is the company an American one that might be compelled to use their control of the servers to hand over your data?
Yes, if you're using Google Analytics and Google Fonts, you'll need to get permission from each user before loading any of that. Those services are used to track users around the internet and for marketing/ad purposes within Google.
I actually think it's near impossible to make something "GDPR compliant." For example, let's say that you try to do all the right things - trying to be as strict as possible. You put up a cookie banner that has both "accept" and "deny". Molly presses "accept". Two days later, Jane is using the same computer. Jane didn't accept. You're now tracking Jane who did not consent.
I think showing a good-faith approach and genuine caring about user data will go a long way with regulators (but IANAL so don't take that as advice). Things like Google Fonts/Analytics are easy targets because we know they leak data to Google. If you're hosting a MySQL database on Azure, theoretically the US government could get a search warrant and serve it to Microsoft and get access to your database. I personally think regulators should be focusing on the rampant bad-faith compliance targets rather than "well, technically maybe the US government could do X." Websites are putting up "Accept all" and "Manage choices" buttons where you'd have to spend an hour opting out. C'mon, that shows such a blatant disregard for users' rights. Having a database hosted on Azure that the US government could technically get a warrant to search, which Microsoft as a US company would have to comply with, is certainly something that could happen, but it's such an unlikely vector compared to someone embedding GIPHY and now Facebook knows all the page views.
Realistically, if the EU pushes too far, the US is going to say "you can't ban US companies from the internet in Europe." If the EU seriously said that you couldn't use Azure because Microsoft is a US company (or any other US company), I'm guessing the US would take it to the WTO (World Trade Organization) and it'd likely be considered in violation of trade treaties. There's a certain amount of local rules and regulations you can put in place and some might have a protectionist impact on foreigners, but outright banning foreign companies wouldn't fly.
Plus, the US's reach often extends to EU companies. Hetzner and OVH both have a US presence. I don't know, but I'd guess that people on-call in the US can access a lot of their EU presence. Why wake up someone in Germany or France at 3am when it's 9pm in the US? The US presents their US subsidiary (or US employees) with a warrant and the warrant expressly forbids them from disclosing to anyone so the European parent doesn't even know to restrict access from their US employees, etc. At some point, one needs to be realistic about the threat vectors.
On a practical level, stop using third party services where you (and your users) are the product. Google Fonts is free because you're paying for it with user data. An Azure-hosted database costs money because Microsoft doesn't get access to what you're storing in that database. Do get DPA agreements from your third parties and give them a look over to make sure they seem reasonable. Do genuinely care about your users' data. That does take a bit of effort (not just good feelings). For example, you need to know that Google Analytics feeds the data into Google's larger marketing machine rather than being private storage for you.
On perhaps the most practical level, check what third-party stuff you're serving on your site - JavaScript, images, fonts, etc. People don't know where your database is stored unless you tell them. They can easily see that you're loading a Facebook tracking pixel since that's in the page you're serving to them. That gives them an easy way to see if going to your website is loading something that's tracking them without their consent - even if you're not wanting that third party to do that tracking. Your users complained to you about the things they could see. I think those are often the most likely ways that GDPR violations will happen too - companies haven't really built their businesses around backend data stealing (err, sharing) because they'd need to make an SDK for Java, C#, PHP, Python, Ruby, etc. JavaScript lets them write once and even push updates without you needing to update dependencies. Focus on the front-end stuff that users can see - both because it's the most likely place you'll have compliance issues and because it's probably the most likely place you'll be caught with compliance issues.
Again, I am not a lawyer and none of this is advice.
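The audit the comment above recommends (check what third-party JavaScript, images, fonts and frames a page pulls in before any consent is given) can be done offline against the HTML you serve. The script below is an added example, not code from anyone in this thread: it parses a page with the standard-library HTML parser, resolves every resource reference (including `srcset`, inline `style` attributes and `@import`/`url()` inside `<style>`), drops anything on the page's own registrable domain, and flags the hosts the thread names (Google Fonts/Analytics, the Facebook pixel, GIPHY). The `KNOWN_TRACKERS` table, the `LOAD_RELS` set, the two-label "registrable domain" heuristic and the sample HTML are all constructed assumptions, not a complete tracker list or a public-suffix implementation.

```python
"""Offline audit of third-party resources in an HTML page (example, not project code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts the thread calls out. Assumption: illustrative, not exhaustive; matched by suffix.
KNOWN_TRACKERS = {
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Analytics / Tag Manager",
    "fonts.googleapis.com": "Google Fonts",
    "fonts.gstatic.com": "Google Fonts",
    "facebook.net": "Facebook pixel",
    "facebook.com": "Facebook pixel",
    "giphy.com": "GIPHY",
}
# Element attributes that cause the browser to fetch something.
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "link": ("href",),
    "iframe": ("src",), "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",), "embed": ("src",), "object": ("data",),
}
# <link rel=...> values that trigger a request (a canonical/alternate link does not).
LOAD_RELS = {"stylesheet", "preload", "modulepreload", "preconnect",
             "dns-prefetch", "prefetch", "icon", "apple-touch-icon", "manifest"}
# Matches @import "x", @import url(x) and url(x) inside CSS text.
CSS_URL_RE = re.compile(r'''(?:@import\s+(?:url\(\s*)?|url\(\s*)['"]?([^'")\s]+)''')


class ResourceCollector(HTMLParser):
    """Collects (tag, attribute, raw_url) for everything the page would fetch."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & LOAD_RELS:
                return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            if attr == "srcset":  # "url 1x, url 2x" candidates
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts:
                        self.refs.append((tag, attr, parts[0]))
            else:
                self.refs.append((tag, attr, value.strip()))
        for url in CSS_URL_RE.findall(attrs.get("style") or ""):
            self.refs.append((tag, "style", url))  # inline style="background:url(...)"

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # html.parser hands <style> content over as raw CDATA
            for url in CSS_URL_RE.findall(data):
                self.refs.append(("style", "css", url))


def registrable_host(host):
    # Assumption: last two labels, so cdn.example.org == example.org; does not
    # understand multi-label public suffixes such as co.uk.
    return ".".join(host.lower().split(".")[-2:])


def classify_tracker(host):
    for suffix, name in KNOWN_TRACKERS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def audit_third_party(html, page_url):
    """Return the third-party fetches in document order, each tagged with a known tracker name or None."""
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    page_domain = registrable_host(urlsplit(page_url).hostname or "")
    findings, seen = [], set()
    for tag, attr, raw in collector.refs:
        if raw.startswith(("data:", "#", "javascript:", "blob:")):
            continue
        absolute = urljoin(page_url, raw)  # also resolves protocol-relative //host/...
        host = urlsplit(absolute).hostname
        if not host or registrable_host(host) == page_domain:
            continue  # first party
        if (tag, attr, absolute) in seen:
            continue
        seen.add((tag, attr, absolute))
        findings.append({"tag": tag, "attr": attr, "url": absolute,
                         "host": host, "tracker": classify_tracker(host)})
    return findings


def consent_gated_hosts(findings):
    """Hosts that map to a known tracker and so must not load before consent."""
    return {f["host"] for f in findings if f["tracker"]}


# Constructed sample page: a mix of first-party, CDN-subdomain and third-party loads.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://www.example.org/page">
<style>@import url("https://fonts.googleapis.com/css?family=Roboto"); body{background:url(/img/bg.png)}</style>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=0&amp;ev=PageView" width="1" height="1">
<img src="//media.giphy.com/media/abc/giphy.gif" alt="">
<img src="/img/logo.png" srcset="/img/logo.png 1x, https://cdn.example.org/logo@2x.png 2x">
<iframe src="https://www.youtube.com/embed/xyz"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_third_party(SAMPLE_HTML, "https://www.example.org/page"):
        print(f"{f['tag']:<6} {f['attr']:<6} {f['host']:<28} {f['tracker'] or '(unknown third party)'}")
```

Run it against the HTML your server actually emits (or a saved copy of the rendered page) rather than your templates, since tag managers and consent scripts frequently inject more tags at runtime; anything listed that is not behind the "deny" branch of your banner is exactly the kind of visible, user-verifiable leak the comment describes. The YouTube embed shows the limit of a blocklist: it is flagged as third party but not as a known tracker, so treat every unknown host as something to review, not as cleared.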