It doesn't change much. If you have to jump through a VPN to get there, they can make a very reasonable claim that they're not targeting or serving the European market.
It doesn't have to be bulletproof, it just has to support the claim.
GDPR applies to processors or controllers not in the Union if the processing activities are related to:
1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
2. the monitoring of their behaviour as far as their behaviour takes place within the Union.
(See Article 3).
I believe that in most cases the point of geoblocking is not so much to try to actually stop people in the EU from accessing the sites, but rather to try to ensure that any data processed falls under #1.
One of the Recitals for that section says:
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.