> Those things are all necessary anyway It's a bold statement. Have you ever actually been working on any compliance yourself? 80% of everything is just senseless bureaucracy. I've worked in a medical startup and we had it all: GDPR, HIPPA, FDA approvals etc. The requirements are completely detached from reality and are usually written for some X-Ray producing firms from 20th century, not an health-tech AI startup. And they're trying to regulate everything, even how your organizational structure should look like, how you should create tickets in Jira (or any other _compliant_ products). Developers had to take useless trainings on how a medical organization should operate, which were essentially the courses of Aesopian language of medical bureaucracy. And legal expenses, boy o boy, the company had to spend twice as much on compliance staff than it did on developers. And what was the result? Rich American competitors with a ton of VC money were getting approvals while our company was struggling with all this idiocy despite having a much more superior product.

I'm specifically criticising the claim that GDPR was among the most burdensome requirements. Very little of GDPR is additional to what you need to do anyway, apart from DSARs (which aren't burdensome: you may charge a fee if someone's abusing the process), appointing a DPO (optional for most organisations), and the third-country restrictions (which are partly necessary, and article 45 reduces the burden). I don't dispute that regulations can be silly and a waste of time (e.g. PCI compliance requiring the removal of effective security measures, as directed by incompetent auditors, because the legal requirement is "passes an audit"), but I do dispute the use of GDPR as an example.

I'll note that of the three regulatory acronyms you gave, two of them (HIPPA and FDA approvals) are American.