- the IP, under GDPR, is personal data. You need consent or a legitimate interest to process it.
- it is very murky regarding EU persons abroad. So if I operate with a German citizen originating in Hong Kong, I may be subject to the law.
Personally, I think that you'll be fine blocking EU IPs as long as you aren't doing anything more with them, but that doesn't change the philosophical problem.
Someone else, through proactive work on their part, came to my site (say hosted outside of the EU), even though I did not want them to and I am on the hook for a law I had no agency in creating.
Again, largely a thought exercise and not a real problem for real businesses, but it does beg the question...are websites liable for every law in the world? Do we just fall back on the 'well they can't enforce it' model of evaluating website legislation?