Really?
They've been working hard on mass surveillance legislation (which would outlaw encryption) for a couple of years now. It was thankfully voted down in 2023 because of a successful public outcry, but that didn't stop these gestapo assholes; they're gonna "reword it" and keep pushing it, and eventually the public will have fatigued and stopped caring and it will go through.
The EU couldn't fix the EU-US privacy framework even on the third try, and when the previous one was invalidated by the CJEU, nobody batted an eye and everyone continued to do the same thing.
GDPR is simply ignored by any bigger US company; it took 5 years for NOYB to get Facebook fined, which was less than 0.3% of their income, basically a small tax, not a huge fine.
Also, GDPR is full of inconsistencies (face biometric data is special data, but a photo of your face from which anybody can get the biometric data is not) and loopholes (required by law, legitimate interest).
They did something, but I wouldn't call that "a long way".
I work for a very large US company and can assure you that GDPR is something we pay a lot of attention to. This isn't the opinion of my employer, but my personal experience is that the big players take it seriously and meet and exceed all their obligations because it's too risky not to, and they have the necessary local legal teams to understand the law as best as is possible.
I think it's the small/medium companies who are where most of the issues are. Small companies write a non-legalese privacy policy because they think that's better for their users, but in fact have written something legally meaningless that gives their users no protections. Some small companies just don't know their obligations because they think they won't apply as they're not in the EU.
Then there are the companies who are big enough to know better, but small enough to know they can get away with it because all the scrutiny goes to big tech. I was asked by a medium-sized advertising network to implement a keylogger on our website at my previous company so that the network could enforce their revenue sharing by detecting all user data input into our site and matching it against their records. I laughed them out of the room, but they made it very clear this was how everyone did it.
> Some small companies just don't know their obligations because they think they won't apply as they're not in the EU.
To be fair, unless a company has a business presence in the EU there is nobody to sue for GDPR violations. The EU cannot enforce its laws on an entity which isn't under its jurisdiction at all.
Okay, with "any bigger US company" I thought mostly about Facebook and similar companies, many of which continuously break GDPR rules even after many decisions and fines (simply because their business model is incompatible with privacy / data protection).
But it is still true that nothing happened after the Schrems II judgment, and many, many companies continued to transfer personal data to providers affected by FISA.
> ... GDPR is simply ignored by any bigger US company; it took 5 years for NOYB to get Facebook fined, which was less than 0.3% of their income, basically a small tax, not a huge fine. ...
From my experience working at multiple companies, and having interacted with others, the GDPR is not ignored by American companies. Websites based out of the US block EU users to avoid fines, or these US-based companies which don't block EU users have gone out of their way to comply with the GDPR as interpreted by their respective legal department.
GDPR is closely adhered to by big American companies. They may be the only ones to whom the EU is applying regulatory pressure on this. Chinese and Indian companies, on the other hand, as well as any non-enterprise American company, including start-ups, can and do safely ignore it. (Or follow it in broad strokes.)