In time the average American consumer will understand the monetary value of their PII and usage metadata and demand adequate protections - which effectively is all that GDPR does. Given the actions of the current cabinet, I feel we are in fact accelerating towards this inevitable outcome.
Data locality in legally compatible jurisdictions is the most fundamental form of protection there is. Without concepts such as Safe Harbour and data locality, handling of PII would be farcical amongst MNCs.
Re: Demands on Encryption? The most prominent mention of encryption is in Article 32(1)(a), which mentions the “pseudonymisation and encryption of personal data” as measures that organisations can adopt.
However, it is important to note that encryption is not compulsory. Instead, the GDPR takes a risk-based approach, meaning that the decision to encrypt data depends on the sensitivity of the data, the risks involved, and the potential impact on data subjects.
Backing up demands with fines is about the only way consumer protections are realised as corporate mandates rather than friendly advisory. Name me another comparable legislation that achieves its goals without resort to punitive measures for non-compliance?
In short, you would far better understand the intent, purpose, and reality of GDPR if you engaged with it as a piece of vital EU consumer protection legislation, rather than some sort of draconian shake-down of American capitalist practices.