1. Should there be Federal (rather than state) laws relating to data breaches, cybersecurity, and/or consumer privacy online? Why or why not? What types of laws would you recommend adding or removing from Federal law (rather than state) relating to these topics?

2. Note GDPR Article 45’s rule allowing transfers to non-E.U. countries on the basis of a decision that they provide adequate privacy protections. Does the rule depend on an outdated concept of data having a physical location? Is United States law adequate? Are U.S. companies most likely to ignore the GDPR, comply with it, or block E.U. users?