I think you're posting a strawman here. ePD is known to be bad (though for different reasons depending on who you ask); GDPR, on the other hand, _is_ easy to understand and follow.
Understanding the GDPR is quite easy, but following it can be quite hard if you're intending to violate people's privacy. If you read the GDPR because you want to enable the full Google Analytics suite without users even knowing, the GDPR will read like an absolute nightmare.
Except it isn't. I too thought this was the case. Please talk to a lawyer sometime for a more nuanced take (I begrudgingly have).
The funniest part about GDPR is that currently any organization that uses pretty much any US tech is in violation of the latest rulings, including much of the EU government itself running on Microsoft tech.
If you've just been consuming journalist or internet comment narratives on this topic you have no idea.
Oh, I know. And considering the CLOUD Act, that's how it should be. Maybe I shouldn't have written "easy to follow" since stuff like backups can get tricky and DSARs can be a pain on the receiving side, but it is certainly easy to understand. I do hope that GDPR does add a wedge for getting less dependent on US companies that obviously do not care about privacy at all.
But please also share the more nuanced take on the GDPR of your lawyer. You can't go around making claims like that without substantiating them ;).