The problem is when the regulation doesn’t accomplish anything, but also costs a lot.
For example, imagine a hypothetical email safety law that says you must keep everything encrypted and have multiple audits over all of your processes and systems. Such a law doesn’t do anything to protect users, but audits will suddenly result in a massive flat cost to start a new email company.
In reality, look at the “privacy” legislation pushed by Facebook and Google: mostly it reduces/removes their liability if they do a few relatively cheap things but doesn’t require them to stop spying on you or stealing your data. But relatively cheap for Facebook and Google isn’t cheap for anyone else.
It does change the way we culturally view the practices relating to privacy though.
I think a lot of the net effect of legislation like GDPR can be viewed through the lens of 'in essence'. Ultimately, it's setting in place a culture where companies need to think twice before monitoring users without consent.
The smaller companies are more likely to build their companies with a view to good practice, while the larger companies can be brought closer to an acceptable line through punitive measures.