The worst thing a company can do is try to sell you more soap. The government on the other hand can literally ruin your life (or even end it in some countries).
The EU is doing a fantastic job of keeping everyone distracted by pointing the finger at the "evil American tech companies" while simultaneously doing the opposite when it comes to privacy from government...which is the real threat.
I could point to many instances of this but the easiest one is the EU commission currently pushing a ban on encryption.
In the post-Snowden world it’s hard to imagine that any massive tech service isn’t hooked directly into the NSA or that it’s being used for what isn’t exactly illegal surveillance but sort of is.
Not that you’re wrong of course, but I think we should still work on both issues. Even if you look at the EU, the agencies which are working to protect and destroy our privacy aren’t the same. So it’s very possible to support one and not the other. Similarly I think we should absolutely crack down on tech company surveillance. What I don’t personally get is why it stops with Meta. Let’s not pretend TikTok and the others aren’t doing the exact same thing. I also think we should keep in mind that the consumer agencies aren’t only doing it to protect our privacy, they are also doing it to protect our tech industry, so it’s not exactly black and white, but I really don’t think we should stop just because other parts of the EU are also evil.
I’m also not convinced that they are doing a good job distracting anyone. Within the EU NGOs there is far more focus on end-to-end encryption and keeping our privacy safe from governments, especially in countries like Germany.
With these laws in place, EU companies face worse conditions than US ones. They may be protecting some bigger EU companies, but they definitely aren't protecting our IT industry.
GDPR was an annoyance for Google, and a complete disaster for anyone small (think companies that can't hire a Chief Data Protection Officer to work full time).
There's a good rationale for placing restrictions and rules on data privacy, but there are also some very ignorant and destructive decisions.
Of course, there is tons and tons of legalese, edge cases, interpretations etc. But if you abide by and implement these basic principles, especially as a small company, you can be quite confident you won't run into any real problems.
If you kind of cared about your customer data in the first place as part of your company culture, it's not that hard to adapt. Maybe some really careless companies had a hard time. There must have been some Kafkaesque situations killing small companies no doubt, but honestly I haven't heard of them. I only hear Americans complain about it.
To me, this means the law is just right.
If you work in a B2C publicly accessible sector, I can assure you - you store more PII than you'd like to believe.