
The European Union is often made fun of with "the Americans innovate, the EU regulates", but in the meantime GDPR[1] is coming into force in 2018.

> The primary objectives of the GDPR are to give citizens and residents back control of their personal data

[1] https://en.m.wikipedia.org/wiki/General_Data_Protection_Regu...



Doesn't this fall squarely into "the Americans innovate, the EU regulates"?

Whether that saying is derogatory or not obviously depends on your point of view, but this new regulation isn't contradictory to the saying.


The point was that it's usually said in a derogatory fashion, insinuating that European innovation suffers as a result of this.


Those also aren't strictly tied together. I absolutely believe that EU's internet regulations make it less desirable to start interesting new internet companies there. In many cases, I would also gladly trade that for the benefits of being an individual living under such a system.


Indeed, but again the point is that it's usually said, so as to imply that the EU suffers from these policies.

Whether or not that's actually the case is a different question. To your point, it's a much less cut-and-dry question as well.


I've read the Wikipedia summary, and it appears to me that GDPR only requires encryption, not anonymisation, of personal data! Or did I miss something?


It also requires trivial opt-out and readability of the opt-ins.

And it gives enough power to really control what companies are doing with people's data. And the fines are huge (up to 3% of the company's global gross amount) compared to what exists today.


Can users still be manipulated to opt-in to a service X if they want a service Y badly enough? I.e., you can only use Y if you also take X?

How many people would opt-out of (or not opt-in to) a service like Google search?


There are some things that must have a separate opt-in from the bare minimum that's necessary to provide the service.

Typically, there are three bullets on European privacy forms: handling personal data to provide the service, handling personal data for commercial and advertising purposes, sharing personal data with third parties (usually for commercial and advertising purposes). Pre-printed forms can only have the first ticked to yes, the other two must be filled in by the customer.


But can ticking those boxes be mandatory for using a service? I.e., "if you don't tick all three boxes you won't have access to Google Search"?


No. Anything not strictly necessary must be opt-in.

See also: https://www.google.it/amp/s/amp.theguardian.com/technology/2...


Think it's actually 4%. Seriously huge fines


Just wait to see how the lawyers game these. My bet is no major corp ever pays a penalty that high, ever. There may be some egregious offender that gets caught with this, but not one of the big boys.


If I'm in debt to somebody 10.000, he owns me. If I'm in debt 10.000.000, I own him. Huge fines for behemoths will always be negotiated.

Nevertheless, it's a strong incentive for even the biggest companies to follow the law. EU has the capability and desire to enforce huge fines to make sure data protection laws are obeyed.


They actually do get fined huge sums, and they do pay up. To them it is just the cost of doing business.

Facebook getting fined for privacy violations:

http://www.bbc.com/news/business-39958630


Fines in antitrust cases can already be huge so I would doubt that those fines could be gamed if regulators take it seriously. The alternative to paying a fine is being banned from the market, which for the EU is a big deal.


> Think it's actually 4%. Seriously huge fines

And we'd all be delighted with taxes as low as 15%!



