My own biggest problem with the GDPR — other than the regulatory burden, which disproportionately imposes costs on small challengers and effectively protects large pre-existing firms — is the so-called 'right to be forgotten,' which is really a privilege to force others to rewrite history. Among other things, it effectively mandates mutable logs, which is horribly insecure (logs should be, in principle even if not in fact, immutable), and at a higher level it grants malefactors the ability to legally compel others to refrain from true speech about them.
I can agree with the motivation, but the law is not particularly well written.
If the EU passes a law and it takes armies of lawyers over two years of negotiating with the EU to find a compromise of what is and isn't included in the law (with the EU changing its stance regularly), then it probably isn't a good law.
It took a year and a half of wrangling for the EU to decide that internet advertising was not a "legitimate business interest" or "necessary to perform tasks at the request of the data subject" (despite the advertising being a primary source of funding to pay for the requested task). Then the entire internet advertising industry had just 6 months to design/implement/deploy a system that can meet the requirements and migrate all their users to the new platform (keeping in mind that their users have a financial incentive not to switch, since the old system is more profitable).
There's also the weird catch-22 of how it only applies to users with EU citizenship, but you can't collect, use, or store the information on whether or not they are an EU citizen without their permission.
> Among other things, it effectively mandates mutable logs
It does not. The Right to Erasure is much more restricted than many people seem to realize. If you can articulate an Overriding Legitimate Interest, and find a way to balance that against privacy, then GDPR gives you a pass.
While I don't believe it's been tested in court, the general belief is that the Right to Erasure does not mandate deletion from back-ups. It's generally believed that an acceptable practice is to keep a ledger of "forgotten" accounts off to the side (or their hashes or something), and make sure that your restore-from-backup process deletes those from prod after restore. I know that logs aren't back-ups, but the same idea should apply.
The issue with compelled censorship may have merit, but I haven't seen a concrete example where I agree that happens. Like I said, the Right to Erasure is more restricted than many realize. But, Europe also ranks the importance of speech rights slightly lower than we do in the States, so it's possible that certain Overriding Legitimate Interest arguments wouldn't fly.
Other than that, most of the GDPR is pretty good.