by SpicyLemonZest 2 hours ago
They don't go on random personalist whims (so far!), but they also tend to be much less specific in a way that can frustrate US businesses. The GDPR definition of "personal data" is just a couple of lines long; the California definition of "personal information" lists out twelve categories, one of which is "sensitive personal information" with eight more categories.

There's a fundamentally different definition of how laws are supposed to work. EU law isn't a list of checkboxes that you can technically check while going counter to the spirit, it is a philosophical direction, the details of following it are up to you. The spirit matters, not the letter.

> When interpreting EU law, the CJEU pays particular attention to the aim and purpose of EU law (teleological interpretation), rather than focusing exclusively on the wording of the provisions (linguistic interpretation). This is explained by numerous factors, in particular the open-ended and policy-oriented rules of the EU Treaties, as well as by EU legal multilingualism. Under the latter principle, all EU law is equally authentic in all language versions. Hence, the Court cannot rely on the wording of a single version, as a national court can, in order to give an interpretation of the legal provision under consideration. Therefore, in order to decode the meaning of a legal rule, the Court analyses it especially in the light of its purpose (teleological interpretation) as well as its context (systemic interpretation).

https://www.europarl.europa.eu/RegData/etudes/BRIE/2017/5993...

If I was a business owner I’d rather operate under laws that don’t have highly ambiguous definitions of terms that introduce extra risk that is unnecessary in other places.

Unfortunately individual courts in some EU countries don’t care about the spirit but are fixated on the letter.

Right! Thanks for the link, I remembered reading that quote but couldn't find it. European regulators don't need hyper-specific definitions, because to them it's entirely normal to tell a company that they must do X or can't do Y even though the rules as written seem to authorize their current course of action Z.

All regulatory systems have some informal edge cases, of course. But Americans expect law to in general work more like a list of checkboxes and rely less on divining the regulator's intent. Indeed, that's one of the reasons why the regulatory environment under Trump is so frustrating to many of us; in the American view, there's supposed to be a strict distinction between what the law is and what the people at such-and-such agency think the law is supposed to be or meant to achieve.

The EU has pretty good documentation for the various regulations. For example for GDPR they do provide checklists:

- https://www.edpb.europa.eu/sme/be-compliant/respect-individu...

- https://www.edpb.europa.eu/sme/be-compliant/secure-personal-...

And guidance: https://www.edpb.europa.eu/system/files/2026-04/edpb-summary...

> But Americans expect law to in general work more like a list of checkboxes

To me as a European, this is a very low-trust view of lawmaking that assumes a hostile relationship between a government and its people.

The European approach is a bit more of a living conversation.

In the implementation period there are workshops where you figure out how to best comply in a way that makes sense for your business. There's a lot of flexibility there since you're just aiming for the spirit of the law, not some formal definition that might not make sense in your case.

If you're found out of compliance there's a bit of a back and forth and if you put in a good-faith effort to fix things, nobody has any issues.

The advantage of this approach is that the government doesn't tell you how to run your business and things stay agile as new use cases and business models come up.

It works out pretty well in general, and allows for a more cooperative approach to reaching policy goals.

Problems usually only arise when American companies try their bad-faith technicalities and find that doesn't fly here, like when Facebook changed their ToS to try to argue that using their services itself constitutes consent under the GDPR and predictably got dinged for it.

> It works out pretty well in general

How can you say that when Europe has completely failed at producing any big, successful tech companies in the past couple decades? China and even India have a lot more startups-turned-bigtech companies.