So for me the biggest confusion is around personally identifiable information. Loosely this could mean so many things and affect every single tier of the architecture including cold storage of logs.

Agreed. E.g. there are lots of things you shouldn’t log, or at least not keep, which of course complicates things. Keeping aggregated stats instead might work.

It’s my strong belief that every single system is in violation of the requirements. The requirements are so vague I can poke holes in almost any system described to me and consider it not compliant. So if a law exists that nobody can effectively comply with, what use is it?

I see your point, and I wish it were clearer. But my expectation (and experience) is that judges don’t follow overly literate interpretations. Possibly a EU/US difference?

Uhhh so your argument is the law is vague and everyone is in violation but it’s okay because if you try to be somewhat compliant the EU won’t attack you. Yeah, lawfully that’s not something a business can roll the dice with.

Yet it’s what every business currently operating in the EU has been doing since May 25, and the world hasn’t ended yet

The current version of the law is unclear and full of holes. It’s like a beta, or possibly an MVP version. We can argue whether we’d be better off with or without it.

Laws can’t be alpha or betas lol. It costs people millions. It costs millions to enforce it. This isn’t like a free trial of a game lol.

As with software, *every* law gets its first real-life test in production. Bugs are ironed out in the next few years, or even decades.

Further more the laws set today can be enforced by a whole new set of people at any point in time. That’s why scrutinizing laws is so important and why a law that is impossible to be compliant with can be extremely problematic. This isn’t a light issue.