1. Invitation to treat: that is offering services for consumption
2. Offer to contract: fulfilling the invitation by making a contract of terms
If you drop a potential customer at step 1, e.g. having your web-server decline the connection based on GeoIP, would that not constitute reasonable effort? We don't have case law regarding GDPR yet but I would certainly argue that it shows efforts being taken to exclude EU residents.
- the IP, under GDPR, is personal data. You need consent or a legitimate interest to process it.
- it is very murky regarding EU persons abroad. So if I operate with a German citizen originating in Hong Kong, I may be subject to the law.
Personally, I think that you'll be fine blocking EU IPs as long as you aren't doing anything more with them, but that doesn't change the philosophical problem.
Someone else, through proactive work on their part, came to my site (say hosted outside of the EU), even though I did not want them to and I am on the hook for a law I had no agency in creating.
Again, largely a thought exercise and not a real problem for real businesses, but it does beg the question...are websites liable for every law in the world? Do we just fall back on the 'well they can't enforce it' model of evaluating website legislation?