> 1) A College student working on a side project with no revenue are treated the same as some massive multi-national.
I hear you, but the argument is that the data doesn't care who caused the leak. A college side project leaking an SSN does the same amount of damage as a multinational leaking an SSN, so the law is going to want them to treat them equally seriously.
My understanding (I could be wrong - IANAL and I haven't read the 80 pages) is that GDPR takes a somewhat countervailing view. SSN data breaches would be treated the same way as, say, whether someone likes the Beatles. The problem with GDPR from my perspective is its Draconianism.
This is by the way the same problem with the various restaurant analogies. It makes some sense for the health department to inspect large restaurants. It would make no sense for them to subject neighborhood cookouts to the same degree of scrutiny.
GDPR seems to be based not on actual harm that could occur based on invasive, sketchy or otherwise bad data storage practices; instead, it seems based on a subjective idea that people have "fundamental rights" to various forms of state-mediated protection in relation to technology. Rights are unequivocal and almost entirely uncompromising.
I hear you, but the argument is that the data doesn't care who caused the leak. A college side project leaking an SSN does the same amount of damage as a multinational leaking an SSN, so the law is going to want them to treat them equally seriously.