On Flaw No. 5: Dismissive treatment of jurisdictional norms...
I like this, it's a feature not a bug. Why:
First, because it's pretty standard for many countries to try to enforce the law beyond it's own borders. The US is particularly (in)famous for this but others do it as well. Why should the EU be an exception? And you are free not to, just don't process the information of EU citizens. And if you do fuck it up, that's ok too because GDPR is aimed at organisations. It has no ability to extradite and imprison people.
Second, information knows no borders. It is actually quite hard to tell where information is actually being stored. Just look at the struggles around cloud providers assuring data is NOT transferred internationally. So a GDPR that only applied within the EU geographical borders would be useless: bad actors abroad would continue to abuse the rights of EU citizens. And worse: People might actively transfer data OUT of the EU purely to misuse it with impunity. That would both defeat GDPR AND punish good actors.
On flaw #1 (“According to this rule, small- and medium-sized companies would face reduced privacy law mandates than large firms because they are not assumed to be equally likely as large companies to violate the privacy of thousands of people”):
Complying with the GDPR isn’t hard for small companies that don’t amass and link data (even volunteer-led sports clubs have to comply with the GDPR, and do so), and the moment they do hoard and process data, they better fall under the full GDPR.
I may be cynical, but if they would face laxer rules, I expect that the sleaziest companies (the companies the GDPR was made for) would suddenly split of a small company processing ‘their’ data under these laxer rules.
I like this, it's a feature not a bug. Why:
First, because it's pretty standard for many countries to try to enforce the law beyond it's own borders. The US is particularly (in)famous for this but others do it as well. Why should the EU be an exception? And you are free not to, just don't process the information of EU citizens. And if you do fuck it up, that's ok too because GDPR is aimed at organisations. It has no ability to extradite and imprison people.
Second, information knows no borders. It is actually quite hard to tell where information is actually being stored. Just look at the struggles around cloud providers assuring data is NOT transferred internationally. So a GDPR that only applied within the EU geographical borders would be useless: bad actors abroad would continue to abuse the rights of EU citizens. And worse: People might actively transfer data OUT of the EU purely to misuse it with impunity. That would both defeat GDPR AND punish good actors.