No dog in this fight, as an American who has spent his entire adult life in Japan, but if I had been subject to this regulatory suite when founding my first business I would have just opted not to start.
Cookie law (2013)
— (@levelsio) July 4, 2018
VATMOSS (2016)
GDPR (2018)
EU Copyright (2019)
EU is making it impossible for startups to operate. That’s the same businesses it’s lacking in and trying to attract. 🤷♀️https://t.co/oIuu0OEA33
I operated under a relatively high-ceremony US regulatory regime (HIPAA, for healthcare information privacy) for several years. I sympathize with the general normative direction for the regulations, but the compliance steps themselves very rarely added value for anyone.
A fun example: a regulated business has to train all of their employees annually on their responsibilities under the regulations and keep a record of them having attended the training. I had a very surreal discussion (with myself, alone in a room) and recorded that I had had it.
That sounds like a parody of "stupid bureaucratic box ticking" but the nature of bureaucracies is that you really, really don't want to have to say "Look I know 45 CFR § 164.308(a)(5) says all members of the workforce, explicitly including management, need training, but come on."
Regulations often end up incorporated by reference in contracts, sometimes organically and sometimes because they were explicitly designed to be viral. This lets regulators conscript the regulatees as surveillance regarding their business partners.
Take GDPR, for example. You might think "Well, that's certainly a big ball of mud, but thankfully I am too small to worry about it." BigCo is not too small. BigCo will hire a department to worry about it. Someone in BigCo will put "Vendor attests to GDPR compliance" on checklist.