Background
Most internet feeds are unfiltered. Everyone who has ever rented or set up a server knows malicious traffic comes in from all over the world, including the European Union (but mostly from other places), as soon as a server is online, and passwords, keys, and/or facilities to firewall malicious traffic need to be ready beforehand.
Scenario
Small Town News USA Inc. (a fictional company) operates a newspaper and web site about Small Town, USA. Primary customers live in Small Town, USA. Recently, their corporate lawyer has suggested they need to pay several thousand dollars to do preparation and paperwork for European GDPR regulatory compliance that affects businesses worldwide with any EU citizen data. Management, thinking it would be less expensive to filter and inconvenience maybe 5-10 travelers and remote viewers who are accessing the website from Europe, decides that the easiest way to deal with GDPR liability is to reject internet traffic from non-USA viewers.
Unfortunately, the commonly available technology to do this involves IP-sniffing. In more detail, a web server is designated as a "firewall/Nginx-reverse-proxy" and would take a connection, examine the IP address (personally identifiable information under GDPR; see FAQ What Constitutes Personal Data?) and then forward only USA connections to a different server containing the Small Town News web site. But "Rejected" connections are still processed by sending back a web page containing only: "Sorry, we can't serve you at your current location." IP addresses and times are recorded in the web server logs. Furthermore, IT staff want web server logs to include IP addresses so that they can ban malicious traffic. This involves automated processing of behavioral data and also storing bad-behavior IPs in other files that update the firewall data, which is held in an operating system table.
It turns out the USA-only filter is an imperfect technological measure. It does not filter out 100% of EU-resident traffic. First, there is no perfect mapping of IP addresses to locations. For instance, an IP address apparently owned by the US Navy could be traffic coming from an EU-resident civilian contractor on his lunch hour who works at a US naval base in, e.g., Italy. An EU-resident visitor to the USA could still access the full website from the USA. Another EU-resident could buy VPN (Virtual Private Network) service to disguise their computer's true location, and that could involve forwarding their traffic from a point within the USA, which would allow fetching the full Small Town News website because the Small Town News firewall received a USA IP address.
Enforcement
For those who think this is scaremongering and unenforceable, perhaps read:
How the EU can fine US companies for violating GDPR, which isn't entirely certain, but does suggest the possibility of US cooperation for collecting EU civil fines.
Maybe Location-sniffing is also illegal...
The article "Why the US and Other Non-European Companies Need to Comply with the GDPR" on busineessknowhow.com claims:
"... identifying people within the EU and refusing them access to your site or service based on the geolocation of their IP address - is actually specifically prohibited by GDPR. GDPR contains a prohibition against 'profiling', which GDPR defines as 'any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, LOCATION or movements.'"
Since this doesn't cite specific sections of the 100+ page regulation, I don't know if it is correct. It all sounds like a great welfare project for lawyers, regulators, and IT pros who take the time to specialize in this area and bad for the creative entrepreneur who simply wants to put something online.
Question
Is Small Town News GDPR compliant under their (unfortunate) EU-blocking policy?
Or can they only become compliant by outsourcing the filtering to some other company, who can be the scapegoat when filtering is imperfect?
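The "firewall/Nginx-reverse-proxy" sketched in the Scenario, written out as an added nginx configuration that is not part of the original question. It assumes the third-party ngx_http_geoip2_module, a MaxMind GeoLite2 country database at an assumed path, and a placeholder upstream address for the site server, and it adds one data-minimisation step the post does not discuss: the access log keeps only a masked client address rather than the full IP.

```nginx
# Added example, not from the original post. Assumed: ngx_http_geoip2_module is
# installed, the GeoLite2 country database lives at the path below, and the
# Small Town News site server is reachable at the placeholder upstream address.
load_module modules/ngx_http_geoip2_module.so;

events {}

http {
    # Look up the country of the connecting client address (assumed database path).
    geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb {
        $geoip2_country_code country iso_code;
    }

    # Only "US" is forwarded; unknown lookups fall into "default" and are rejected too.
    map $geoip2_country_code $reject_non_us {
        default 1;
        US      0;
    }

    # Data-minimisation caveat: log only the first three IPv4 octets, and a fixed
    # token for anything else, instead of the full client address the Scenario records.
    map $remote_addr $client_prefix {
        ~^(?<v4>\d+\.\d+\.\d+)\.\d+$  $v4.0;
        default                        masked;
    }

    log_format minimal '$client_prefix [$time_local] "$request" $status cc=$geoip2_country_code';

    upstream smalltownnews {
        server 10.0.0.10:80;   # placeholder: the separate server holding the web site
    }

    server {
        listen 80;
        server_name smalltownnews.example;   # placeholder hostname
        access_log /var/log/nginx/access.log minimal;

        location / {
            # Rejected connections are still answered, exactly as the Scenario describes.
            if ($reject_non_us) {
                return 403 "Sorry, we can't serve you at your current location.\n";
            }
            proxy_pass http://smalltownnews;
            # The site server still receives the original address via this header;
            # drop the line if the address should stay on the proxy only.
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
```

Even with the masked log format, the full address still transits the proxy and reaches the site server through X-Forwarded-For, so the retention question in the post applies to both machines.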