[elithrar]

> and that for a web service there's therefore nothing that will protect you besides IP-blocking Europe.

Which is bizarre reasoning: geo-IP databases are not foolproof, and thus you will get legitimate EU traffic from EU ISPs regardless. Further, by this reasoning, what's to say an EU customer using a VPN to exit in the US is somehow excluded from GDPR?

[setr]

If someone tells you “I have no interest in serving you, because I do not wish to follow your rules”, and you disguise yourself as someone else and ask again, how could you possibly expect your rules to be suddenly be followed? It would be absurd. At that point, they would have follow all rules across all countries simultaneously, because who knows what country any given person is really from? Ask and they’ll lie, and you’ll still be on the hook!

At some point the responsibility has to fall on the user instead of the business, and the I think actively skirting the rules is sufficient and a nice, clear line, to fault the user.