My guess is that in a lot of cases though it is that they simply do not want to deal with Article 27. Article 27 is a hassle even if all your data processing itself is fully compliant with GDPR.
Article 27 requires entities not in the Union to designate a representative in the Union that people and governments can use as a contact when they have GDPR concerns.
(Don't confuse this with Article 37, which requires the appointment of a "data protection officer". Article 37 only applies in most cases if you are doing large scale processing).
The representative seems to be more than just a communications go-between to provide an easy way for people in the EU to contact the processor/controller. One of the Recitals says "The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation" and "The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor".
There are EU companies that provide as a service being your Article 27 representative, but because it seems to be more than just a simple communications go-between they charge typically at least a couple hundred Euros or so a year for the service (sometimes much more).
1. They are actually all owned by a multi-national entity that is scared of the GDPR because it also operates in Europe
2. The news sites and their owner(s) aren't bothered; but the ad networks are. Maybe it's a "cross-contamination" issue. So they say something like "to keep using us, block European visitors, we'll provide that capability", and the news sites are probably fine with it because European visitors are a tiny fraction
3. It's a political statement, not an actual GDPR issue
It doesn't have to be bulletproof, it just has to support the claim.
1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
2. the monitoring of their behaviour as far as their behaviour takes place within the Union.
(See Article 3).
I believe that in most cases the point of geoblocking is not so much to try to actually stop people in the EU from accessing the sites, but rather to try to ensure that any data processed falls under #1.
One of the Recitals for that section says:
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
I noticed this being employed by some media sites when I was vacationing in Europe. No Discus comments, no account creation or login, just articles and banner ads. The sites loaded so much faster. I’ve done similar things at work when building out privacy law compliance. It’s a good pattern if you don’t need one to one feature equivalency between your US and EEA/GB presence.
