What would be your preferred approach ? I’m on the implementation side of this in a reasonably large company and so far I found the act to be reasonable. It must rely on some interpretation as every piece of such regulation. Same as GDPR for example and yet it’s a very important progress for EU citizens guarantee wise.

There’s plenty of techniques to avoid re-identification… aggregation isn’t the only way. Especially considering that aggregation if using a stupid dimension isn’t helping at all…

It’s never been illegal at all, you’re oversimplifying the issue. Plenty of use cases that can use US clouds. Not all data is PII and plenty of use cases perform fine by anonymising their data. Also EU countries aren’t that better than US when it comes to state issued privacy violations; we just don’t do dragnet bullshit (yet) but plenty of requests are served as requested…

I can understand being fine with a nomination that aligns with his personal interests but from there the journey to « party of small people » likely takes a convoluted path.