“Reasonable person” tests are pretty common and well-understood in general. One of the reasons that the GDPR in particular avoids being overly prescriptive about how to meet its requirements is to avoid situations where it becomes inapplicable or obsolete due to changes in technology or habits.

In the US, a reasonable person test is meaningless without a body of precedent setting cases.

If the language of a new law uses it with regards to a new technology, then no one can be sure what the courts will decide.

It may be different in the EU, as the legal system is quite different.

It's a valid concern, but I don't think the line is as muddy as it seems at first glance: would I expect a Pyongyang hotel room to be bugged? No. But I also would not assume that it's not. With this construction you get two kinds of being surprised, with one taking all the variability derived from suspicions and the like while the other should remain quite stable. Just like most people were simultaneously surprised and not surprised at all by the Snowden revelations.

Obviously one would have to explicitly exclude from the "reasonable" test the kind of surprise that was not triggered by Snowden, because otherwise all our greatest fears would become legal by definition.

And recording your IP address in the apache log?