Businesses must now notify customers how long their personal data will be held
Data controllers must also analyze the context in which the data is presented, as well as the risk of re-identification. Not only that, but technical methods for performing de-identification are not prescribed by law, but rather are often left to the discretion of the data controller
Countries are continuing to escalate restrictions on storage location and transfers of data, with China being the most recent to follow suit
And there's a third problem that I will address below