They don't go on random personalist whims (so far!), but they also tend to be much less specific in a way that can frustrate US businesses. The GDPR definition of "personal data" is just a couple of lines long; the California definition of "personal information" lists out twelve categories, one of which is "sensitive personal information" with eight more categories.
There's a fundamentally different definition of how laws are supposed to work. EU law isn't a list of checkboxes that you can technically check while going counter to the spirit; it is a philosophical direction, and the details of following it are up to you. The spirit matters, not the letter.
> When interpreting EU law, the CJEU pays particular attention to the aim and purpose of EU law (teleological interpretation), rather than focusing exclusively on the wording of the provisions (linguistic interpretation). This is explained by numerous factors, in particular the open-ended and policy-oriented rules of the EU Treaties, as well as by EU legal multilingualism. Under the latter principle, all EU law is equally authentic in all language versions. Hence, the Court cannot rely on the wording of a single version, as a national court can, in order to give an interpretation of the legal provision under consideration. Therefore, in order to decode the meaning of a legal rule, the Court analyses it especially in the light of its purpose (teleological interpretation) as well as its context (systemic interpretation).
https://www.europarl.europa.eu/RegData/etudes/BRIE/2017/5993...
If I was a business owner I’d rather operate under laws that don’t have highly ambiguous definitions of terms that introduce extra risk that is unnecessary in other places.
There's really only a risk for those trying to walk a line so they can actually get around the purpose of those laws while seemingly still being in compliance. For those with no roundabout intent, the "ambiguous definitions" are perfectly fine.
Unfortunately individual courts in some EU countries don’t care about the spirit but are fixated on the letter.
Right! Thanks for the link, I remembered reading that quote but couldn't find it. European regulators don't need hyper-specific definitions, because to them it's entirely normal to tell a company that they must do X or can't do Y even though the rules as written seem to authorize their current course of action Z.
All regulatory systems have some informal edge cases, of course. But Americans expect law to in general work more like a list of checkboxes and rely less on divining the regulator's intent. Indeed, that's one of the reasons why the regulatory environment under Trump is so frustrating to many of us; in the American view, there's supposed to be a strict distinction between what the law is and what the people at suchandsuch agency think the law is supposed to be or meant to achieve.
The EU has pretty good documentation for the various regulations. For example for GDPR they do provide checklists:
- https://www.edpb.europa.eu/sme/be-compliant/respect-individu...
- https://www.edpb.europa.eu/sme/be-compliant/secure-personal-...
And guidance: https://www.edpb.europa.eu/system/files/2026-04/edpb-summary...
> But Americans expect law to in general work more like a list of checkboxes
To me as a European, this is a very low-trust view of lawmaking that assumes a hostile relationship between a government and its people.
The European approach is a bit more of a living conversation.
In the implementation period there's workshops where you figure out how to best comply in a way that makes sense for your business. There's a lot of flexibility there since you're just aiming for the spirit of the law, not some formal definition that might not make sense in your case.
If you're found out of compliance there's a bit of a back and forth and if you put in a good-faith effort to fix things, nobody has any issues.
The advantage of this approach is that the government doesn't tell you how to run your business and things stay agile as new use cases and business models come up.
It works out pretty well in general, and allows for a more cooperative approach to reaching policy goals.
Problems usually only arise when American companies try their bad-faith technicalities and find that doesn't fly here, like when Facebook changed their ToS to try to argue that using their services itself constitutes consent under the GDPR and predictably got dinged for it.
I don't want to sound like I'm criticizing any of that. It sounds like a reasonable approach and if European citizens like it more power to you.
To me as an American, this is a very high-touch view of lawmaking that sounds like a big problem for companies trying to do new stuff or challenge incumbents. If the meaning of the law is adjusted to fit each individual business case, doesn't that mean the regulator might not let me have all the same adjustments my competitors got? I wouldn't call this a question of hostility as such; even a kind and friendly regulator might think that some of those adjustments depend on doing business as normal, and thus they don't apply to the new abnormal things I'm doing. (Of course, I'm making the stereotypically American assumption that running around disrupting normal business practices is a valuable thing to do.)
First of all, I wanted to thank you for the constructive and interesting exchange of views - I find that too often conversations on EU regulations on HN devolve into caricatures and trolling, it's been nice to have a substantial conversation with you.
Ironically, I have the opposite read on the same situation: "Just do what the law wants from you" seems like a pretty straightforward thing that even the smallest startup can follow.
In the case of GDPR that would be roughly "don't store any personal data you don't strictly need for the feature, ask for consent, delete data when asked".
Checkbox-lawyering on the other hand requires just that, lawyers. Expensive ones. Ideally entire legal departments.
If you're a huge incumbent, you can afford that. Meta finds the neatest little ways to technically comply without actually doing what the lawmakers wanted. The little startup? No chance.
The other concern is addressed by the judicial system. If a competitor got some exception you didn't get, that's your correction mechanism. The CJEU exists precisely to ensure consistent application across member states and cases. The purpose is the same for everyone; the implementation differs based on context, but the purpose doesn't change.
> It works out pretty well in general
How can you say that when Europe has completely failed at producing any big, successful tech companies in the past couple decades? China and even India have a lot more startups-turned-bigtech companies.
Past couple of decades, how many exactly? I mean Apple (48), Microsoft (51), Amazon (32), Nvidia (33), Oracle (49), Adobe (44), Cisco (42), Intel (58), Google (28) aren’t exactly young.
With the exception of Tesla (23) and Meta (22), USA is not brimming with large new tech companies from the past decades either.
I mean King, Spotify, and Klarna are not trillion dollar companies. But at least they are younger than Google.
American companies at around Spotify's market cap include Palantir (23), CrowdStrike (15), AppLovin (14), Uber (17), ServiceNow (22), Robinhood (13), AirBNB (18), Snowflake (13).
CrowdStrike (15)
EU equal of similar age and employment: SAP (31) or Darktrace (13)
AppLovin (14)
EU equal of similar age and employment: Delivery Hero (15), Infineon (27) or Evolution (20)
Uber (17)
EU equal of similar age and employment: Klarna or Bolt
ServiceNow (22)
EU equal of similar age and employment: Mistral
Robinhood (13)
EU equal of similar age and employment: Revolut or eToro
AirBNB (18)
EU equal of similar age and employment: Booking.com, Amadeus, or Accor
Snowflake (13)
EU equal of similar age and employment: OVHcloud, Arm, or ASML