Hacker News new | past | comments | ask | show | jobs | submit login
GDPR: Removing Monal from the EU (monal.im)
369 points by maufl on May 17, 2018 | hide | past | favorite | 923 comments



This is a ridiculous over-reaction based on an extremely shallow interpretation of the GDPR.

If you are running a small business and you feel that you won't be able to operate your business because of the GDPR consider all those other laws that you have to be in compliance with as well. If that's your attitude towards legal compliance then you should probably shut your business down completely rather than to hope that just ignoring European customers is going to make the bogeyman go away.

Legal compliance is a requirement for any business, and privacy law is just one more thing to take into account and for a small business that does not process super sensitive data (such as medical information or financial information) the costs of compliance are negligible. They're not '0', but then again it is a business and costs of doing business are the norm.


It is impossible to sell raw-milk cheese in the United States. Are French cheese makers overreacting by simply choosing not to do business here rather than change their centuries-old production techniques? It is illegal to sell kinder eggs in the US, because of some law that involves children accidentally swallowing toys. Is Kinder overreacting by refusing to sell those candies here? You cannot buy Bovril in the US, because of a panic about mad cow disease from 20 years ago. Are the manufacturers of bovril overreacting by refusing to create a separate production facility that uses only beef sourced from outside the UK? Compliance with laws outside your primary market has a cost, and potentially a benefit. Every business, large or small, is going to do that cost-benefit analysis, and make their own decisions. As an american I can hardly blame the Kinder people for failing to provide me with convenient access to chocolate eggs containing plastic toys. It's my government, and the laws they've put in place that have had that effect.


Thank you for making a coherent argument. You are missing one point I think: if not for those regulations those companies would love to do business. They are forbidden from doing business, this guy sees the law and runs off without even trying to become compliant. That's a different thing. There is no way that Kinder could be compliant with US law in such a way that they would not be exposed to what - to EU sensibilities - amount to exorbitant damage claims.

Similar arguments apply to the other examples you use, I see your point and there are valid reasons to not enter a certain market because of the legal climate there but the point I am trying to make is that the OP has not raise any valid point at all other than 'I don't want to comply'. And that's fine by me but then don't bother dressing it up in a bunch of made up requirements.


>this guy sees the law and runs off without even trying to become compliant

This guy quite clearly states that he doesn't have resources to become compliant, while it is too risky to make a mistake here.

There are fans of GDPR on this website, who prefer to ignore the fact that the compliance has its cost, and added to that still unknown risks of practical interpretation of legislation which also have their cost. But these are real life things.


I respect his right to do whatever he would like with his own hobby, but we should be clear that the guy is stating he doesn’t have the resources, based on a series of misunderstandings.

So, for example, he says he is required to appoint a DPO.

The U.K. Information Commissioner has this to say:

>Do we need to appoint a Data Protection Officer?

A> Under the GDPR, you must appoint a DPO if:

> you are a public authority (except for courts acting in their judicial capacity);

> your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking);

> * or your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.


You are correct as to a DPO, but if he is, say in the US, and subject to GDPR, he must have an EU Representative, who by all indications would be liable for his violations. That's a significant burden if not a practical impossibility for most in his position. Also, if he's transferring personal data from the EU to the US directly from individuals, his only practical way of making that transfer compliant is likely to be privacy shield certified which is not cost free (although he could maybe rely on consent as a derogation, but relying on that has risk). I can think of many things like this that have, if not a hard cost, then a definite cost in time and resources to comply including keeping up with compliance. Could easily be not worth the effort for a single individual.


And "large scale" means how many records in DB? How many users? Or records per day?


Why have you isolated one element from a multiple element sentence:

If

* core activities * require * large scale * regular * systematic

If you tick all those other boxes, but are concerned that your processing may be teetering on the boundary of 'large scale', I would be cautious and assume your liable.


All repeatable processes are systematic, almost the whole IT goes into the category. And "core" is undefined too.

I agree that it is safer to imply you're liable.


These are excellent questions that you will have to have shown you've considered if you get audited. If there's disagreement with the regulator, you'll come together to resolve it, and then may need to appoint one.


Well, so it's undefined, at least until practice of legal application establishes. Undefined means risk, and stopping serving EU is a meaningful mitigation, if your profits don't compensate you for all the hassle. Where's "overreaction“ then?


Monal is an XMPP client running on user's iOS devices. Is that person even running an XMPP server for those users?


A UK privacy attorney I know considered 20k records (individuals) to be large scale. I haven't seen much helpful guidance. The WP29 guidance I've read only gives examples at the very extremes of large and small so not too helpful. Practical guidelines will evolve over time.


I guess if you have to ask that question you are not a large scale.


I don't think an argument of such kind would stand in your communication with regulators, or (especially) in courts.


This is "what will you do if the lightning strikes you" thinking. Only about less probable things.


I'm not sure I understand your point. Do you mean “they won't catch you"?


They won't even manage to precisely decide what actually means 'large' let alone if it applies to you specifically, before you die of old age.

The above statement will apply to everybody or nearly everybody (still not you).


Perhaps more important, dpo is just another hat - if he's ceo,cfo,cto - he can be dpo too?


There are limitations, namely:

"There must not be a conflict of interest between the duties of the individual as a DPO and her other duties, if any."

Specifically they recommend against also being the data controller. I.e. you shouldn't be responsible both for handling personal data and verifying compliance of said handling.


No, because you wouldn't be independent enough. A CFO or a CTO would tell its board things are okay because it isn't in its interest to do otherwise.

That's why some independent DPO jobs are appearing.

But the DPO is a small cog in the machine. Updating the processes is the most time and resource consuming regarding the GDPR.


That's the UK's interpretation of GDPR. What about France or Poland, or any of the other countries?

I suppose it depends where in Europe he would like to visit


I'm not seeing any interpretation being done here, but judge for yourself. Here is what the GDPR actually says (Art. 37 Designation of the data protection officer):

> (1) The controller and the processor shall designate a data protection officer in any case where:

> a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

> b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

> c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.


That's the UK's straight-forward unequivocal explanation of the rules. Where there is room for interpretation or uncertainty, the ICO is very good at pointing this out. It doesn't here.

As poisan42 points out - it echoes the words in the actual article, directly.

Bottom line, he doesn't need a DPO.


There's no "UK Interpretation", this is the whole point of the EU. The rules apply across the block.


EU law doesn't work like that. Each country has to pass their own local law to enforce the GDPR. For the UK that was the Data Protection Bill 2017.


From wikipedia:

The GDPR replaces the 1995 Data Protection Directive.[4] Because the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.[5]

So, no local laws. It's a regulation.


Only for the sake of correctness/completeness: GDPR does allow member states to adjust certain details to bring them in line with local regulations (see Chapter 9). These are explicit opening clauses though that must not basically weaken or augment GDPR.


It's more complex than that. Different countries might pass different laws about interpretation, and both are valid until there's an ECJ decision.


It's an EU Regulation, which under EU law the local courts have a duty to enforce. Local courts and laws will be dealing with all the details unless a case is appealed to ECJ.

To say that local courts and laws will have no influence is complete rubbish.


I'm not sure why people are downvoting this so hard: https://webcache.googleusercontent.com/search?q=cache:eMV5_l...


GDPR compliance takes resources. I would say for a small business it takes about 1 or 2 days. Not hard work but tedious. In the end you will have around 5 documents that will show your processes, what you do to keep data save, a plan how you deal with questions from customers and regulators, that you trained your employees and that you choose your subs carefully.

Essentially that's it.

I am no lawyer but I am a CPO.

Pro tip: Speak with the regulators they are on your side.


I guess you are EU-based, unlike the guy whose text we are debating here.


Yes - I guess having an EU contact is something not easy to come by on the other hand there might soon be a service for it.

I guess an XMPP Server could be considered a communication service an could be subject not to the GDPR but to regulations concerning ISPs and Phone companies.


Well many of us find it completely normal to spend days on having a good security, setting up HTTPS, encrypting content to protect privacy. I wonder why GDPR seems so different, it's just more of the same, just less technical.


Exactly. It will take a while before standards and best practices form, but they will.


I guess I am a fan of GDPR, certainly compliance to anything has a cost. I personally don't find the costs of GDPR compliance onerous unless you have already built up lots of non compliant systems that now need to be fixed, in which case the free ride is over. Anyway, this guy is pulling out of the EU but if he allows anyone from the EU to use his service from a non-EU location anyway he would be risking non-compliance.


no. gdpr applies only to people in the eu. if you are an eu person in canada it does not apply to you.


you're right, it seems a few people have been making the same mistake about eu citizens that I've made.


Kinder is an amusing example, since they decided to offer a compliant variant of their product in the US.

https://www.today.com/food/kinder-joy-chocolate-eggs-are-com...


They did that in a rather smart way, too, by diverging it enough from the original that they could sell it elsewhere as a new thing.

I mean, it never really took off here, very few people prefer it over the original, but better than not being able to sell it outside of the US at all.


Yes. Rather a step back from the original offering isn't it? If I'm being honest, I couldn't give a damn about the kinder eggs prohibition, as I am not a child, and I do not have children. The Bovril issue is by far my biggest personal concern, although I'd really like to be able to buy raw milk cheese.


There are states in the US where you can buy raw milk cheese legally. You just can't do it through interstate commerce, but for example it can be done in person at farmer's markets with cash. New York is one such state, I dunno about the other major tech hub states.


Bovril could easily comply. They would simply have to open a manufacturing facility that did not use UK beef. The French cheese makers could sort of comply, by pasteurizing their milk. Kinder, I admit, has a more difficult problem, and has, in fact attempted to comply, by creating a completely different product with the same name.


"The French cheese makers could sort of comply, by pasteurizing their milk"

And why should the French cripple a delicious and traditional product, which is gladly gobbled up by millions of happy consumers to sell their product in the US?


Because otherwise they can’t sell it there. Their country, their rules. A French cheese maker doesn’t get to dictate the rules abroad. Take it or leave it.


It seems to me that French and other European cheese makers are much more interested in protecting the integrity of their product than opening up the US market for it.


You mean, exactly what we are doing right now, causing all kind of outrage in France ? Funny you should bring that up, because it's a very hot topic currently :-D


Ah yes, "simply" open a manufacturing facility.


There will be a cost involved. And presumably there will be some benefits that result. Those are precisely the parameters of OP's decision.


I'm not following your distinction. The only difference seems to be timing.

Case 1: CompanyA is already doing business in CountryB. CountryB changes regulations. CompanyA pulls out of CountryB because of regulations

Case 2: CountryB has regulations. CompanyA choose not to do business in CountryB because of regulations

am I missing something?


Except EU has always (well, Sweden since 1973) had regulation, if you would gave followed that, you would not have to change much in most cases. Just write some documents and smaller changes.


But in this case this is not even a business. It is a zero-revenue open-source project. It seems to me that only very well-funded charities are allowed to run web services now.

P.S. I sincerely hope my country gets out of this ASAP.


Kinder is a great example actually on how a company adjusted their product. Now I believe in all markets (even beyond USA) the product is safer and less dangerous for kids to get injured.


I really don't think, it got safer.

It takes some special talent, even as an adult, to take such a big bite off of a classic Kinder egg that you'd have any chance of accidentally swallowing the plastic capsule or somehow else hurting yourself on it.

And with the new egg, I'd be concerned that my kids swallowed that plastic spoon. Like, that's something they actively have to put into their mouth and it's not as interesting as the toy for them to be motivated to not swallow it.

It's also small enough for them to realistically pull this off.


Is safety a real concern here? I would have never viewed Kinder Eggs as dangerous in any way.

I haven't found a single case of a child getting hurt in Germany. Only news reports about them being unhealthy (big surprise).


Actually, I'm pretty sure they still stick the toys inside the eggs everywhere except the US. Perhaps a European can correct me on this assumption.

EDIT: Turns out the US-style kinder eggs are indeed available outside the US.


In Canada they definitely still put toys in the eggs. http://www.ferrero.ca/our-brands/kinder-surprise/moments-of-...


http://fortune.com/2017/05/22/kinder-egg-usa-debut/

Toy is also in US version but different design


I’m in Canada and can confirm that the toy-in-the-egg version was always sold here. As far as I know, this hasn’t changed. E.g. http://www.canada.com/life/Kinder+Surprises+Banned/2353187/s...


I've seen this variety sold in Poland

https://www.candywarehouse.com/assets/item/regular/kinder-jo...

But I'm not sure it's typical.


Yeah. That's the US version also, not sure how common it is outside US.


They marketed it as a new thing beside the original here in Germany.

Most people seem to prefer the original, though. They lost a lot of charm by going from toy+edible+tinfoil to plastic+toy+plastic+edible+plastic spoon+plastic.


The new one is even more sweet and rich than the eggs (more like a dessert than a snack) and harder to eat for a young child, so not surprising.


Looks like this now http://fortune.com/2017/05/22/kinder-egg-usa-debut/

I have seen this outside of US also (pretty sure it was doing a Europe trip)


it's just a different product, which shares almost nothing with the original, and is simply sold besides it outside the US.


Yup, Kinder Eggs have toys inside in the UK


They're not forbidden to so business, they're forbidden to so business unless they adapt their product or practices. I'd say that is pretty much the same as this case?


> It is impossible to sell raw-milk cheese in the United States.

I've bought plenty of raw mil cheeses (domestic and imported) in the US.

http://www.realrawmilkfacts.com/raw-milk-regulations says: "In 1987, the FDA mandated pasteurization of all milk and milk products for human consumption, effectively banning the shipment of raw milk in interstate commerce with the exception of cheese made from raw milk, provided the cheese has been aged a minimum of 60 days and is clearly labeled as unpasteurized."

As many cheeses are aged more than 60 days, the ban on "raw-milk cheeses" is basically an urban myth.


Oh it's real enough, since there are also plenty of cheeses which are aged under 60 days and not traditionally pasteurized. It's also relevant for making yogurt and butter in traditional ways, though one can start with pasteurized and get an okay enough result.

But as I said in another reply to the parent poster, there are states which allow raw milk products in intrastate (but not interstate) commerce.

[Edit: Wow my text got mangled by autocorrect. Fixed so that it makes sense now!]


Unlike your examples, GDPR bans neither messenger apps nor Monal in particular.


Indeed. And the prohibition on raw milk does not ban cheese. Many cheeses from France are still available, because they do not involve raw milk. The EU has passed a law, perhaps it is a worthwhile law. This is one of the consequences. The ban on raw milk in cheese making exists thanks to (presumably) the best intentions, and the end result is that there are many cheeses I would like to buy, that I cannot. An American (unlike me) who supports such a ban rejoices in the fact that we are protected from these dangerous french cheeses. Perhaps you rejoice that you are protected from the dangerous GDPR non-compliant Monal.


> the prohibition on raw milk does not ban cheese.

It bans "raw-milk cheese", which is a distinct kind of product, not one way of many to make a particular product ("cheese"). If you ban raw milk, you ban certain types of product entirely, and there is no workaround.

It would be like saying a prohibition on planes does not ban automobiles, and after all, both are a kind of vehicle. True, but not really relevant.

Back to the GDPR case, it's closer to a producer of pasteurized-milk-cheese saying they are going to get out of the cheese business altogether because of the ban on raw-milk-cheese, and labeling their cheese as such and documenting however briefly that the cheese is made out of pasteurized milk is just too much effort, and they are afraid of being sued by people claiming it is raw-milk-cheese.

Whatever.


No analogy is perfect. In this case, there are questions that legitimately have no definitive answer (like what is "large scale"), so it is more like the cheese maker genuinely doesn't know whether their milk would be audited as raw-milk or not, and even if they consult with a lawyer they still don't have confidence that they would know.


Running further with a bad analogy doesn't make the analogy any better or more relevant to the GP comment.


Apologies, I genuinely don't understand this critique.


GDRP doesn't ban the milk from which messengers are churned at the messenger mills either.


Still in the dark mate. I'm sorry, maybe it's me, maybe it's you, but we seem to be speaking a different language.


It's you. The original comment says 'The author of Monal misunderstands/misrepresents the regulation and is throwing a silly tizzy'. To which you say 'some laws ban some things. also, cheese is made of milk'. These things are true but not related to the GDRP or messengers.


[flagged]


There are literally no costs for complying if you sell or give away a messenger app, unless you're leaving everything unencrypted or collect tons of unrelated private data, too.

If they sell private information gathered from that messenger app to undisclosed third parties, then there may be additional costs of compliance.

Maybe this developer is complaining because he's running a nefarious business model? In that case it might indeed be easiest for him to shut down his business in the EU.


The original comment is about the proportionality of the response, the choice the author is making and what the commenter thinks about it. When something is banned outright, there is no choice and no proportionality. So, no, it's not particularly responsive nor analogous.


Same as the ban on the cheese wasn't a ban on "cheese" it was a ban on "cheese made with this manner" the regulations being shown here aren't a ban on "collecting/using personal information" it's a ban on "collecting/using personal information this manner"

Again cost / benefit is always a valid choice to operate somewhere.


The conversation was about whether the response was proportionate to (what the commenter felt was) a small imposition. You can't just change the degree of imposition from a small one to a really severe one and then claim it's 'the same'. It's only the same if you possess the enviable mental quickness to find not-the-same things the same. You're right that I don't.

If you cancel an appointment because you stubbed your toe, many people will consider that response unreasonable. If you did it because a pterodactyl flew in and bit off your head, lightning thought process and all, fewer people would.


If you read the article, you would find out that this is the essence basically.

"As GDPR approaches, I get the impression that it is an end of an era for the internet. The days of someone making something, putting it on the internet and offering it to the world seem to be over. "

And this particular thing GDPR ruins pretty goddamn well.


Bullshit. That era existed before everything was analyzed and monetized and PII was packaged and sold as a commodity. GDPR ruins invasion of privacy for profit.


and open source.


Nothing about open source depends on invasion of privacy, unless what you’re open sourcing is data mining the public, in which case... blow.


I have good news for you about kinder eggs: they're no longer banned.[1] There's a store in Harvard Square that has about twenty different kinds. Sadly, they appear to be all licensed stuff now.

https://www.npr.org/2017/05/26/530257536/after-being-banned-...


>Is Kinder overreacting by refusing to sell those candies here?

Kinder make a different version of the Kinder Egg specifically to comply with US law.

https://www.kinder.com/us/en/kinder-joy

>Are the manufacturers of bovril overreacting by refusing to create a separate production facility that uses only beef sourced from outside the UK?

Bovril was briefly made without any beef content because of the BSE issue.

https://web.archive.org/web/20071201114613/http://www.unilev...


> It is impossible to sell raw-milk cheese in the United States

No, it's not, but it is legally imposible to import them, and trade them in interstate commerce (many—I think still a majority—of states allow raw milk and raw milk products, though the FDA prohibits most directly and sets standards which effectively prohibit the rest in interstate commerce, including foreign imports.)

Not that that really changes the point you are illustrating.


He is a 1 person team. Given him a break vs. being so aggressive in your comment. There is a cost associated with trying to figure out GDPR regulations, finding a lawyer, vetting their feedback, acting to hire folks, changing UI to give user an opt out, implementing that in the system etc. All these things don't drop from the sky.

And they are a business. And as a business they have decided to get out of Europe as the above costs weren't worth it to them.


> Given him a break vs. trying to me so aggressive in your comment.

The article is spreading FUD and inciting others to spread it even further in the comments.

> There is a cost associated with trying to figure out GDPR regulations, finding a lawyer, vetting their feedback, acting to hire folks, changing UI to give user an opt out, implementing that in the system etc.

The GDPR is online, and has been for a long time, you don't need a lawyer but if you feel that gives you more comfort then fine, you don't need to hire anybody, that is just plain nonsense, and changing the UI to give users an opt out: that should have been done two years ago.

> All these things don't drop from the sky.

Indeed, this did not drop out of the sky. It has been in the works for years.

> And they are a business. And as a business they have decided to get out of Europe as the above costs weren't worth it to them.

That's fine with me, the way in which it is presented is not fine with me.


Well - you haven't refuted any of his core points wrt DPO, Push & XMPP. All your comments have been stated in an aggressive tone which generally is a negative signal. At this point, I feel you need to provide more context to your core points vs. just saying read the GDPR and comply with it (or that you should have already done 2 yrs back). Even companies like Google and FB are complying with it in the past month.


DPO has been thoroughly refuted in this thread. He doesn't need a DPO; if he wants to hire a DPO that can be him.


This is the furthest thing from true, like almost every single question about this terrible law. Vague law + faceless bureaucracies + universal application + crippling penalties...sounds like a brilliant combo to destroy people’s lives.


as usual, the rebuttal is: there have been this kind of laws in Europe for a decade. For example, if you're operating in Italy and don't provide 2 separate checkboxes for managing personal data directly and indirectly at sign up time you're in breach of the law.

Do you remember many people's lifes crippled by this?


Wait. So, I've had a site where there was only a single checkbox to create an account.

Now, if there was someone from Italy (I don't know, the site's gone for years now, highly unlikely but theoretically possible) does this means I'm a possible law offender and should avoid visiting Italy?

Oh, it also had no cookie banners, too...

Could be, the reason no one was hurt is that those laws weren't actually enforced any much? If so, I believe GDPR's promised to be different.


the GDPR will be enforced by the same entity that was enforcing this before, so why would it be different?

The truth is that obviously the authorities don't have an incentive to come after a minor player.


It's certainly true that even before the GDPR, almost any nontrivial business could reasonably be argued to be violating some mostly-unenforced law. I don't see that as a reason to shrug, and make the problem one step worse.

Selective enforcement of commercial law is a routine tool of unfree states--look at something like the tax charges against The Cambodia Daily. To trust in regulatory discretion is to trust that no government in the EU--a continent that within living memory hosted Francisco Franco, Giorgios Papadopoulos, and much worse--will ever be run by people you disagree with. In the extreme, a dictator can always ignore or rewrite the law; but somewhere in the slide from our present democracy to that, I don't think it's unimaginable that the GDPR could be abused.

I support privacy regulation. I don't see why it requires us to abandon the rule of law.

ETA: Downvote if you trust Viktor Orban, I guess? I'm presuming a strong case of "it can't happen here"....


The EU isn’t a continent, and the dictators you mentioned didn’t control EU countries.


My wording was awkward, but I think the meaning is clear. "...in the EU--the union of countries primarily located in a continent that..." ?

And what am I missing? They were dictators of Spain and Greece respectively. There are millions of people who can remember their rule alive in those EU countries today. What changed in the last fifty years to make a recurrence impossible? Turkey narrowly missed joining, and it's basically there now. Hungary seems well on its way.


The threat of being suspended from the EU and the (potential) economic damage from that? You can’t be a dictatorship and keep the same rights in the union, as per the Copenhagen criteria and Article 7.

[1] https://en.wikipedia.org/wiki/Copenhagen_criteria#Political_...

[2] https://en.wikipedia.org/wiki/Article_7_of_the_Treaty_on_Eur...


Article 7 doesn't seem to mean anything does it?

Spain just crushed a political movement trying to organise a referendum through force. It arrested the leaders and the rest of the EU is helping them catch the ones that fled. They call it a rebellion and state that Catalonia can never be independent.

Not an Article 7 violation, apparently. According to the EU it's merely an internal matter.

Hungary elects a government by a wide margin, it's a popular government, and the government reflects its people's disagreement with EU policies that aren't in any treaties and weren't in anything Hungary previously agreed to. This is apparently a violation of "rule of law" and "not democracy".

The EU's definition of democracy is anything that helps the EU, simple as that.


You are trying to justify a coup. A coup by a minority of the population that has a distorted view of history as a result of years of astroturfing.

So if applying the law is "crushing a political movement", let's crush it all the way. Nobody is above the law.


I didn't actually take sides or try to justify anything, just pointed out the contrast.

However a coup is a military overthrow of a government. What the Catalonians tried to organise is a vote, not a coup.


And Russia considers itself to be a democracy. There's a big gray zone between good government and a self-admitted dictatorship. Smart modern authoritarians know that they need to maintain the pretense of democracy (for reasons like the one you note), and they do a passable job--look at something like Cambodia. That's what makes tools to exert personal power while still complying with the law as written so important.

Why do you think the GDPR needs to give the government that much power? For a simple example: Why is 20M EUR the right statutory maximum? If the regulators would never enforce it, then why does it need to be so high?


Because otherwise some companies might conclude that it is cheaper to continue to violate the law and simply to pay the fine. See Volkswagen, which got fined billions for violating the law (and rightly so), and they're still in business and have not withdrawn from the markets where they were fined. But it looks as if they did learn their lesson (for the next 30 years or so, this wasn't the first time they got caught with something like that).


Volkswagen-sized companies would be subject to the 4% of revenue limit, since that's >20M EUR. That 4% seems high to me, but not insane.

The 20M seems insane to me. If the standard for smaller companies were e.g. 100% of the last five years of revenue plus 50k EUR, then can you imagine a case where it would be cheaper to violate the law and keep paying the fine? That would be a lot less menacing to small, non-commercial or semi-commercial projects.


There is signifiant disagreement to what extent Facebook and Google are compliant.


I'm pretty sure the regulatory bodies are thoroughly and wholly excited to take on Google and Facebook with some hefty fines and clarify the GDPR and how it applies. I can't wait either.


Google and Facebook have financial impacts in complying due to the very nature of their business.

They comply later than everyone else not because they didn’t see it coming or didn’t prepare for it, just that it wasn’t in their interest to do it earlier


I have, just not in this comment. See elsewhere in this thread, it's hard to miss.


Indeed, this did not drop out of the sky. It has been in the works for years.

I run a business that follows EU DP best practices (and so was mostly GDPR compliant already) and the first I heard of it was mid 2017. My country's data protection agency made no attempt at raising awareness despite having my email address on file :-D It's only been frequently hitting non-EU industry news and places like HN since late 2017 so I can appreciate how non-EU folks might feel blindsided by it.


I run a business that follows EU DP best practices (and so was mostly GDPR compliant already) and the first I heard of it was mid 2017.

Likewise. This idea that the GDPR has been in the works for years so it's somehow implausible that very small businesses have only just heard of it doesn't stand up to scrutiny. No owner-run microbusiness is spending the time necessary to keep up with the vagaries of EU debates.

Similarly, the idea that the GDPR is plainly readable and so that shouldn't be a burden and no-one needs to consult experts makes no sense. The document is many pages long, there are many more pages of guidance and interpretation produced by both the EU itself and the various national regulators, and it's still fundamentally ambiguous on many significant practical points.

It is entirely reasonable for a small business that does relatively little trade with the EU not to want anything to do with this, and it has little if anything to do with how good or bad their practical data protection measures and respect for privacy are. If small businesses are overreacting then that is on the EU for failing to pass better law and provide sufficiently clear, concise and timely publicity and guidance on what it really means.

My business interests are in the UK, so we're stuck with this one. However, if we'd realised ahead of time how much trouble the new EU VAT rules would cause a few years back, we would gladly have sacrificed the modest part of our revenue that comes from other EU member states in order to avoid that mess, and it wouldn't have been a close decision. So I find it very hard to criticise anyone running a small business outside the EU for wanting to avoid the latest round of heavyweight EU regulations if they have a way to put themselves outside of their scope.


Thank you for perfectly describing the frustrations I have experienced with GDPR. As the owner of a small SaaS business in the US I don't have the time to follow various EU regulations that closely.

I only found out about GDPR earlier this year from a random HN comment. I can't understand the attitude from some HN commenters that everyone should have known about this for years. Where/how should every small business that could be impacted by this regulation be notified?

As you noted, the regulation is readable, but verbose and frustratingly vague. I ended up reading most of it along with countless articles from various third parties debating what it means and how to comply - and I'm still not 100% certain if the steps I've taken mean I'm actually "GDPR compliant."

I too got stuck having to comply since around 30% of my customers are in the EU. However, I gladly would have foregone all of that revenue and focused on non-EU customers only if I had known what was coming back then...


Nobody actually knows what "GDPR compliant" means. As it's up to you to demonstrate, and it's up to your regulator to decide a policy enforcement guideline, basically nobody knows. It's really, really, really burdensome, especially if you have to retrofit it to existing systems.


You know what? i'm pretty sure you can just talk to one of the european regulator in advance and ask him questions about points you don't understand. They are pretty slow but they do respond.


I'm probably a bit more in touch with this stuff than most because of the nature of my business but in the last year or so I've seen more and more companies that made real work of their GDPR impact studies (companies with vast amounts of data and/or sensitive data were further along). For all but the largest the impact has been very low, the longer ago they started the lower the amount of work they had to do.

That's the price of sitting in your office with your head down though, you can't ignore changes such as these.

This is one of the oldest HN mentions about the GDPR I could find:

https://news.ycombinator.com/item?id=11764073

But it sank without a trace.


But you were obeying PECR (or the e-privacy directive), which came in around 2002, right?


> Indeed, this did not drop out of the sky. It has been in the works for years.

VOGON CAPTAIN: [On Speakers] People of Earth your attention please. This is Prostectic Vogon Jeltz of the Galactic Hyperspace Planet Council. As you no doubt will be aware, the plans for the development of the outlying regions of the western spiral arm of the galaxy require the building of a hyperspace express route through your star system and, regrettably, your planet is one of those scheduled for demolition. The process will take slightly less than two of your Earth minutes thank you very much.

MANKIND: [Yells of protest]

VOGON CAPTAIN:

There’s no point in acting all surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for fifty of your Earth years so you’ve had plenty of time to lodge any formal complaints and its far too late to start making a fuss about it now.

From "Hitchhiker's Guide to the Galaxy" by Douglas Adams

sorry I couldn't resist


Yeah, but the analogy is not good...

* We've known about the GDPR for around 2 years.

* The GDPR text, national regulators' comments, industry opinion, sample docs and a plethora of free resources have been readily accessible on the Internet for about the same length of time.

Having worked on the GDPR docs for a medium-sized business that builds learning management systems for corporate customers (about 100 live systems + dev and testing platforms where we are a processor of their personal data), it took about 3 weeks-worth of time to re-audit our platforms, complete a more detailed risk/impact assessment and write this all up together with some procedures for handling enquiries.

Yes it took time, and we went the extra mile with diagrams and tables because the docs are customer-facing, but handled in a timely fashion, GDPR compliance is not a brick wall to business continuity.

If a business already has in place a baseline level of good information security practice, GDPR compliance is not that hard.


Also, needing to have a DPO is not difficult since he already has one employee, himself. It's not ISO2700x, you don't need to fiddle around with rights in small businesses to make sure it fits the narrow perspective of a standardization and exclusiveness.


The DPO cannot be himself.


He doesn't need a DPO.


Source?


I can't speak for you, but I only heard about GDPR 6 months or so ago, like most people outside of Hacker News. Most small businesses only heard about it in the last 6 weeks.

Sure, the regulation was there, but nobody talked about it, and it's unreasonable to expect people to magically learn about EU regulations, especially if they don't live in the EU.


> * We've known about the GDPR for around 2 years.

6 years, it's a 2012 directive.


I saw that one coming a mile away, thank you for the quote though :)

And no, this is not about demolishing our way of life, the town we live in or the planet, it's about respecting the privacy of your users, which - for a change - is actually a positive thing. Unless of course you weren't going to do that in the first place you should welcome the development, I imagine that in a just world the Vogons would be on the receiving end of it.

Oh, and in this case the plans were not on display in the locked filing cabinet in a basement of a building where the lights had gone off and where the stairs were missing.

A handy URL has been provided for a long long time and all the debates have been recorded in public as well.


Im already respecting my users privacy. I should’t have to spend time and money to prove it any more than i should have to prove I didn’t rob your house.

Sure make it illegal to mistreat user data then punish those who fail. Don’t punish everyone up front


I smirked a bit, the EU certainly didn't advertise it in the last two years but it was definitely around. But just like in HGttG there isn't much use in yelling in protest now, grab a towel and grab something safe. (I should sent out my towel reminders to some of my users since I updated a few pages)


Similar laws have been on the books in most if not all EU countries for literally decades. How Americans can be blind sighted by the way things have been for years is absolutely beyond me.


This is exactly why we get GDPR. Usually what happens when rules and guidelines are not followed, there will be stricter rules with higher penalty.


Except in this case the Vogons already visited you 15 years ago to tell you about the e-privacy directive and 20 years ago to tell you about the data protection directives.


The OP is not the site owner.

The decision to exclude a portion of your user community should be explained.

Unless you personally know the developer you are making a number of assumptions about their resources and time to deal with this issue.

Presumably the developer wants to continue to offer this app and service. His understanding of GDPR and how it affects his service will grow over time and he will likely eventually take action to reintegrate the EU into his service.


> His understanding of GDPR and how it affects his service will grow over time and he will likely eventually take action to reintegrate the EU into his service.

Unless you personally know the developer you are making a number of assumptions about their resources and time to deal with this issue.


You don’t need a lawyer to comply with the law is a weird statement to put out there. You should retract.


What? I don’t need a lawyer to tell me I can’t go out and steal someone’s wallet. It’s perfectly possible to comply with the law without one.


This particular law is 88 pages full of duplicated terms, vague definitions and sometimes contradicting points. A very quick proof of that is the number of misunderstandings on so many points of it just in the comments of this topic - e.g. "do you need a DPO?", "do you need two separate people to avoid CoI?", "does the DPO need to be EU resident?". There are hardly two people with the same interpretation. And if people on HN have a horrible grasp of GDPR, how would an Average Joe be able to understand it idependently?

The only thing certain are the insane crippling fines.

It is extremely naive to believe you don't need a lawyer for that. You do - the same way as in some of EU's less market-oriented countries, after a VAT reg you need a registered accountant.


Well, the difference is that theft is a natural law. We are born with an instinct it is wrong.

Having a data processing officer in the EU for some definition of significant business is not a natural law and requires careful parsing of the legal text.


> changing UI to give user an opt out

Opt out is illegal under the GDPR - it needs to be opt in.


Businesses hate regulation and uncertainty because it just adds to their costs. Large companies just eat the cost. For small businesses it’s practically impossible to be in compliance for all laws. But if the risk of not being compliant is too high and the reward is too low then they will choose this.


Having spent this week doing compliance for my small business customers, the cost is not zero but it's really not much at all - I've done full compliance for six companies and it cost less than £250 each (one of those clients is a large NGO).

This guy doesn't like regulation and is playing to the crowd for sympathy.


We have spent 3 months and aren't done yet. I would love to know your secret.


The secret is bald faced lying. The quoted price may barely cover an updated privacy policy from a lawyer. And nothing else. Not one line of code changed.

Let alone full review of every system and legal review of the DPAs you have to sign and or create with every single co and processor.


Not the OP, but it's pretty straight forward for most people (including the author of TFA). You need to identify what private information you collect. You need to decide what lawful basis you are using to collect that data. If you have no lawful basis, you have to stop collecting that data. When you collect the data you need to notify the user under what lawful bases you are collecting the data. If you are using consent lawful basis, you need to get consent in an opt-in manner. You need to record what statement you have shown to the user and any consent that you receive.

If you are using only contract basis for the data it's really easy. You tell them that you are using their data for purposes of fulfilling the contract. The great thing about contract basis is they can't object. The only thing you need to do is to inform the customer of any 3rd parties you send their information to in order to fulfil the contract.

It only gets complicated if you want to use the data for other things. For legitimate interest (which is essentially exactly the same as the laws that are currently on the books) you need to be able to exclude processing the data if someone objects. You also need to make sure that you don't delete their data if they exercise their right of removal (which is completely bass-ackwards, but whatever). Consent is similar actually, but you have to get the consent up front. The other lawful bases are very unlikely to show up in most organisations.

I think the main problem with most organisations (and it's the case with the company I work for at the moment) is that control of private information is very loose. For example, we use several SaaS systems for our marketing. Some of them are clearly unnecessary and so we either have to remove that functionality or get consent. So there's lots of discussions about whether it is worth a huge wad of text thrown at the user in order to have cat emoji's or some stupid thing like that.

The other main problem is that if you want to use something other than contract basis, you need to build something that allows the user to exercise their rights. It can be a manual process, but if you have a lot of users it might threaten the margin.

Anyway, long story short: If you are only gathering the information that you need to do the work you are doing, there is likely very little (or in a lot of cases I bet nothing) to do. If you are gathering the information to use for your own purposes, then there may be a lot that you need to do.

Not to put too fine a point on that, personally I highly approve of this. I really could care less if somebody's business model is destroyed because it is now too expensive to collect information that you don't need to do the job. Even in the company I work for, where we don't actually use the data for nefarious purposes (AFAICT ;-) ), we're finally having some long overdue conversations about what stupid SaaS crap we're using under the hood. Not to be unkind, but I utterly fail to understand how marketing people fall for the same lies that they spew out themselves... "If only we send our customer's data to this service, they will find a way to drive more business our way! And we don't even have to pay them!" Yeah... right...


I don't do any real business in the EU, but I'm a fairly succesful online marketer. Being able to flexibly use SaaS businesses is so, so valuable for testing and iterating on marketing plans. I would fight pretty hard against a company policy that limited it, since today's marketing test is tomorrow's major revenue driver.


I think you misunderstand what I was saying. We collect data in our system. We use that data for marketing under legitimate interest. Sometimes marketing would like more analysis done on the data than we have time to implement. They hear about some SaaS business that will take the data and give them a marketing plan (Yay! No work to do!). They ask us to ship over all the data to the SaaS business. Sometimes it's a good idea because the SaaS business is legitimately providing an analysis service. Almost all of the time the SaaS business is providing nothing beneficial and instead just scooping up personal data that they sell. It's difficult for us technical people to explain why we can't just arbitrarily ship data over to some random SaaS. With GDPR it will be much, much, much better. Essentially I think it will shut down the fly by night operations that are just sucking data and offering nothing in return. But on the flip side it will mean that these analysis operations will have to charge a reasonable fee for their services (instead of selling the data they collect). This, in turn, will prompt the marketing people to have to do due diligence because they actually have to spend money out of their budget. No more "It's free, so why not?"

Similarly we sometimes get asked to incorporate silly things into our service because the marketing people think that it will create engagement. Again, these are free SaaS businesses that are scooping up data and selling it. Although I made up the cat emoji thing, it's not that far off what we sometimes get asked to incorporate. With GDPR, those businesses are going to have to charge for their services and that's going to have to come out of our budget. We don't have to argue "We're not shipping our whole customer database over to a SaaS just so we can have cat emojis on the the system". Similarly, it makes our systems simpler because if they really want cat emojis, we can implement them -- it's just not "free" (it never was, but it's hard to have that conversation sometimes).

I probably should have left the SaaS thing out of my explanation because it's confusing and only slightly related to what I was talking about :-). Like I said, we use some great services for marketing and will continue to do so under GDPR.


I really appreciate this detailed response!


Do a lot of SaaS businesses sell personal data as their business model? When I think of SaaS I think of paid subscription access to a piece of hosted software.


> if somebody's business model is destroyed because it is now too expensive to collect information that you don't need to do the job

how could you "not need" data if the loss "destroyed" the business model?


> > information that you don't need to do the job

For example, my business model might be to ask you for your login and password information for your bank so that I can help myself to the contents of your bank account. In return I'll send you a newsletter on how to get rich quick :-)

I doubt you are asking seriously, but in case you are, the distinction is: if I need the information to complete the contract, then it is under contract basis and I'm allowed to use it for that purpose. If it's not needed for completing the contract, but I have a legitimate reason for using the data anyway (kind of vague, but includes marketing -- basically all the stuff that was legal before GDPR) I can do so, but I need to tell you I'm doing it. You can object and then I have to stop. If I have no legitimate reason for using the data, but I want to anyway, I can still do it. I need to ask for your consent (which has to be opt in). My service can't depend on you opting in (because I have no legitimate reason for needing the data). I can't deny service just because you opt out. You can also withdraw your consent at any time.

So in my silly example at the top, I could literally ask for consent to use your login details for you bank. If you agreed, I could use them. However, since I have no legitimate interest in your bank login details (other than I wanna look at your bank balance), I can't make my service depend on that.

If your business model is based on making money from data that you have no legitimate interest in and you have no consent for... well, I really, truly have no sympathy at all. I understand that some people may have a different opinion, but I don't think mine is really that unreasonable.


Need to... serve the subject

Vs to package and resell the subject.

It is a matter of making subjects of data collection in control of their data being sold without their consent to the real customer, someone else.


This seems as good a place as any to challenge some of the simplifications that are often given in defence of the GDPR.

Not the OP, but it's pretty straight forward for most people (including the author of TFA). You need to identify what private information you collect.

Fair enough.

You need to decide what lawful basis you are using to collect that data. If you have no lawful basis, you have to stop collecting that data.

Right, but probably the most practically relevant basis for anything non-trivial will be legitimate interests, which of course involves balancing tests. Even today, just a week before this all comes into effect, there is little guidance about where regulators will find that balance.

If you are using consent lawful basis, you need to get consent in an opt-in manner. You need to record what statement you have shown to the user and any consent that you receive.

But this is retrospective and stronger than the previous requirement. Even if you have always been transparent about your intentions and acquired genuine opt-in from willing users, you are now likely to be on the wrong side of the GDPR if you can't produce the exact wording that was on your web site or double opt-in email a decade ago. The most visible effect of the GDPR so far seems to be an endless stream of emails begging people to opt in to continue receiving things, even where people had almost certainly genuinely opted in already before.

For legitimate interest (which is essentially exactly the same as the laws that are currently on the books) you need to be able to exclude processing the data if someone objects.

Not quite. There also appear to be a balancing aspects here, though with some additional complications involving direct marketing, kids, and various other specific circumstances.

Take a common example of analytics for a web site. These may include personal data because of things like IP addresses or being tied to a specific account. Typically these have relatively low risk of harm for data subjects, but if for example a site deals with sensitive subject matter then that won't necessarily be the case either.

A business might have a demonstrable interest in retaining that data for a considerable period in order to protect itself against fraud, violation of its terms, or other obviously serious risks. Maybe the regulators will consider that those interests outweigh the risk to an individual's privacy if their IP address is retained for several years, at least in some cases. Maybe they will find differently if it's the web site for a drug treatment clinic than if it's an online gaming site.

Even if the subject matter isn't sensitive, where does the line get drawn? A business that offers a lot of free material on its site to attract interest from visitors might itself have a legitimate interest in seeing who is visiting the site and tracking conversion flows that could involve several channels over a period of months. This is arguably less important than protecting against something like fraud, but nevertheless the whole model that provides the free material may only be viable if the conversions are good enough. But equally, maybe it's not strictly necessary for the operation of the site and whatever services it offers for real money, so should the visitor's interest in not having their IP address floating around in someone's analytics database outweigh the site that is offering free content in exchange for little else in return?

That's just one simple, everyday example of the ambiguity involved here, and as far as I'm aware the regulator in my country has yet to offer any guidance in this area. Would any of the GDPR's defenders here like to give a black and white statement about this example and when the processing will or won't be legal under the new regulations?

The other lawful bases are very unlikely to show up in most organisations.

I would think the basis that you have to comply with some other law is also likely to be quite common. It will immediately cover various personal data about identifying customers and recording their transactions for accounting purposes, for example. But again, since that will include the proof of location requirements for VAT purposes in some cases, how much evidence is a merchant required to keep to cover themselves on that front, and when does it cross into keeping too much under GDPR?

The other main problem is that if you want to use something other than contract basis, you need to build something that allows the user to exercise their rights.

And once again, those rights are significantly stronger under the GDPR, particularly around erasure or objecting to processing. Setting up new systems that comply may not be too difficult, but what about legacy systems that were not unreasonable at the time but don't allow for isolated deletion of personal data? To my knowledge, there is still a lot of ambiguity around how far "erasure" actually goes, particularly regarding unstructured data such as emails or personal notes kept by staff while dealing with some issue, or potentially long-lived data in archives that are available but no longer in routine use. And then you get all the data that is built incrementally, from source control systems to blockchain, where by construction it may be difficult or impossible to selectively erase partial data in the middle.

Not to put too fine a point on that, personally I highly approve of this. I really could care less if somebody's business model is destroyed because it is now too expensive to collect information that you don't need to do the job.

But what if an online service's business model relies on processing profile data for purposes such as targeting ads to be viable, and regulators decide that a subject's right to object to that processing outweighs its necessity to the financial model?

It's easy to say a lot of people might not like being tracked, but on the other hand, if services like Google and Facebook all disappeared in the EU as a result of the GDPR, I'm not sure how popular it would be. There are two legitimate sides to this debate, and neither extreme is obviously correct.


Thank you! This post starts to show some of the huge complexities that GDPR has for business and their understanding of what the terms of the law mean.

A point is that often statements of a law are defined not by the language but by the ruling of lawsuits that occur around those statements and that is what most companies and lawyers are waiting for, what do courts rule when these lawsuits happen.

The biggest issue that I have heard of (Im no expert) is what does the right to be forgotten actually mean ? Does that mean all your backups are now illegal as you are retaining the customers information after they asked you to remove their records?

I think some of the fear that smaller business have is that this will encourage lawsuits until people understand how the courts will rule on each item.


I think the parent's reply is a good one. We could probably debate some of the finer points, but I think when we get some time to see how it all shakes out in the end we'll have a better vantage point.

But to answer your question about the right to erasure, here is the law: https://gdpr-info.eu/art-17-gdpr/

I can't find it right now (and I have to get back to work), but there is a reasonableness requirement for requests. So things like backups might be covered by that. I wish there was some direction on that because it's a problem for me at work as well.

My opinion is that the directive's view is that all personal data retention should be temporary. There should be a defined point where the personal data is deleted. Either that's when it's no longer necessary for the contract, or when you no longer have a legitimate interest in it, or when the user asks for the removal.

Up to this point, most of us have been building databases with the intent of retaining the information indefinitely. So we never thought about this. Although I'm a fan of this law, I admit that it's going to be troublesome transitioning from where we were to where we need to go.

And as the parent briefly stated, immutable databases are going to be a serious problem.


I think the UK agency had some text on erasure and backups, and it basically boiled down to this:

If a data subject requests their data to be erased, you should remove their data from active systems so that it is no longer being processed, but you don't have to remove it from backups or other passive systems. You should however store some sort of marker so that if you need to restore data from backups, the data subject's data will be re-erased or otherwise stopped from entering active systems again.

And if a data subject asks, you have to tell them how long you store your backups of their personal data.

I think that's perfectly reasonable. And if your backup retention policy is "forever", now might be a good time to re-evaluate that policy.


Neither the UK nor the EU previously had any general provision for a right to erasure. At EU level, considerable waves were made when the "right to be forgotten" ruling was issued, but that came from a court that was considering a specific case.


I think some of the fear that smaller business have is that this will encourage lawsuits until people understand how the courts will rule on each item.

That concern really is unfounded, though. The primary means of enforcement of the GDPR will be action by national data protection regulators. It isn't some carte blanche for trigger-happy lawyers to start suing every business that gets a little detail wrong or anything like that.

The general concern that the picture is unclear until something happens to clarify it is, unfortunately, much better founded.


> But what if an online service's business model relies on processing profile data for purposes such as targeting ads to be viable, and regulators decide that a subject's right to object to that processing outweighs its necessity to the financial model?

forgive my frank language, but too fucking bad.

edit: my right always outweigh your profits. Sorry.


The only problem I see here is needing data based on contract obligations, I have seen lots of sites packing the data collection into privacy policy or some shady contract, thinking that this is legitimate interest. But legitimate interest is actually the hardest part of GDPR, even if most people think it is a workaround. If you can provide the service without some personal data (not due to financial claims) you can't pack those under "better user expirience" as legitimate interest. I presume, that after 25th, google will stop tracing searches for EU users for example. Legitimate interest has a long recital behind it and is a real problem to do it right unless legalislation requires the data. I would stick to consent for everything else. Just mentioning.


There is only two ways of legitimate interest that I considered for my service; "security" and "better user experience".

The data collected under the former is simply the IP and a timestamp in webserver and app logs, usually purged within 7 days and then any user data included in backups, purged after 3 months.

"better user experience" is not really personal data but I included it anyways; browser type (mozilla/edge/etc.), viewport resolution, pageload time, OS. And not stored in a way that allows correlating them.

For analytics that is really all I need.


I'm pretty sure you have to ask for consent for both of those.


Why do you think "legitimate interests" isn't enough?

https://gdpr-info.eu/art-6-gdpr/

> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


Let me put it this way: if I found out this guy was using my IP address and machine config to do analytics and perform "security" checks, I'd report him to my regulator. Dead serious.

"Analytics" is not what his company is for, ergo, using my Personal Data to do analytics isn't okay. He sure as hell isn't doing it for my benefit. I'm also not hiring him for security, so the same reasoning applies: he doesn't get to store my IP address in his logs without asking.

And when I say "no" to his opt-in modal, he'll still have to provide me non-degraded service. The fact that he can do so is yet another indicator that the data collection is not a legitimate interest.


The security of their network is a legitimate interest. The regulator would see that alone as sufficient reason to gather data, especially if that data is mostly discarded 7 days later.


No. They could start looking at IPs once they actually had a security problem, but there's no way in hell they "need" to write my IP address hither and yon to protect their network.

Look, you can definitely discover and monitor for problems by simply hashing IPs and storing the hash instead. Once you've detected a potential problem (say, a lot of requests from the same hash), only then do you have a "legitimate business need" to record the actual IP addresses and do some short-term analysis of the situation.

The spirit of the law is simple: if you don't absolutely need to store personal data, DON'T. Just don't. Store something else. Or just drop the data into /dev/null. Saying that you'll delete soon the personal-data-you-don't-need isn't sufficient.

And really, if this is the way GDPR compliance is going to go, "muh security" is quickly going to gain the reputation as the bullshit reason shady people trot out who want to disobey the law. People who actually care about security should push back on that strongly.


I don't think that it relates to you, but maybe just for others: "better user expirience" is not something without it your website could work. If this means handling PI (for analytics (GA way, not local) for instance), you cant just flush it down the legitimate interest.

Over the thumb: you can use it for things were you need PI for your service to work, it is normal, that you request address if you operate the online shop, you can't deliver the goods without it, while analytics is something users don't need and is not required for your service to operate.

I was just writting complaint letter to my phone/isp company where they showelled marketing, questionars, threat assesment (not IT security, customer assessment) analytics and few other fishy things into legitimate interest, without even providing information about which data they use and why exactly. Legitimate interest is a really nasty thing and it is hard to get it right, it is not free "get out of jail" card.


Perhaps having legitimate purpose for data collection in the first place helps.


Why are so many commenters on HN presuming that companies that struggle to comply with the regulation are doing something shady with user data?

You are aware that there is a time and monetary cost to comply for those with legitimate data collection purposes, right?


They struggle with it for the same reason people on the political left always struggle to understand why some people oppose new regulations: the question of whether and how to regulate commercial activities is always a proxy for deeper underlying differences in how people view the world. GDPR is just a proxy fight between the left and the right and is showing all the same characteristics.

Consider adventured's sibling post - it quite astutely points out that GDPR discussions are much more vitriolic than you'd expect for discussions of the minutiae of data handling. People who say that GDPR compliance is hard are being attacked on a personal level. He explains it as 'emotional investment' in GDPR but I don't think that's a good explanation; the people arguing most strongly for it are also those saying it's not much work, so that seems backwards. You'd expect people who put in the most effort to be most emotionally invested in it.

There's a much better explanation available: your view on GDPR is a direct consequence of your assumptions about human nature. If you believe in the existence of benign and enlightened technocrats then GDPR seems like excellent progress towards building a better world - it's extreme vagueness and severe penalties are exactly what's needed to foster obedience to technocratic elites. People who complain about this are just being unnecessarily awkward ... just be reasonable after all, and you'll be fine! The EU are reasonable so if you're reasonable too, you have nothing to fear! From this perspective, anyone who objects to GDPR or actually decides compliance is impossible must - almost by definition - be being unreasonable. What are they hiding? Why can't they just get on board; the only answer available is that they have flawed characters and any points they make about gray-area debatable things like cost:benefit ratios must be some sort of obfuscation.

If on the other hand you believe the whole idea of wise and beneficent bureaucrats is naive, then GDPR looks like a hell of a lot like a power grab by the very sort of people who shouldn't be able to grab power. Vagueness is of deep concern because it's in the shadows of vagueness that abuse can be found, and when a law is nothing but vagueness, it even makes sense to question to motives of those who created it - that's a problem because lots of self-styled Europeans have bought into the EU's utopian rhetoric and can't separate criticism of the EU from criticism of themselves and their desired future.

There's no real scientific way to prove whose assumptions about human nature are right. The USSR was a rare example of a real-life experiment in who was right and for a long time it proved the American style, conservative, small weak government is better mentality to have superior results. But that was decades ago and many have forgotten or weren't alive back then, so now rule by technocratic dictatorship seems attractive again.

As a consequence GDPR discussions will always have the same flavour as Clinton v Trump debates, or Brexit debates, or whether to restrict spending on political campaigning. They are ultimately about the same issues.


You're bringing your US-American assumptions about politics and left vs right into the context of European politics where they are a poor fit. The world is not Democrats vs Republicans.

There is no GDPR debate or fight: it's done, it was done six years ago, and the only people pushing back are American companies who are unhappy that Europeans don't want their data hoovered up by corporations they have no control or oversight of, for who-knows-what purpose.


Sorry, but do you want to say that EU has no left and right in politics (parent post did not mention Democrats or Republicans)? Or that everyone in the EU is unanimously happy with GDPR? Seriously, if a law's getting applied only after a long while it's passed - it's not unheard of to have a debate as people start to actually care.

Maybe I'm wrong, but I think that parent example is not US-specific at all and is applicable to just about any country where there are people that learn toward different beliefs (that "direct consequence of your assumptions about human nature" part of the post)

The assumptions may be wrong, but that was generally constructive.


First of all, come on, obviously I'm not saying there are left and right in EU politics (and in the national politics of EU countries), but what those left and rights are concerned with don't match 1:1 with the issues under debate in American politics.

Partly because there is a much broader political spectrum -- Democrats in the US roughly line up with, for example, the Conservatives in the UK or the CDU in Germany -- but also because it's just a different set of issues and preoccupations.

I do think it's fair to say that within the EU there is a general consensus about the importance of data privacy, and I also don't detect any resistance to the GDPR in general, or any question that it should be repealed. (That was partly sealed by the revelation of US spying on Europeans a few years ago, which hasn't been forgotten.)

Second, if I'm honest, I find the whole "assumptions about human nature" is a bunch of hokum and quite the opposite of constructive. Nothing about GDPR has to do with "obedience to technocratic elites", and is in fact about rejecting the ability of institutions which are not democratically accountable to gather personal data and monitor people, or make decisions that affect their daily lives, without their informed knowledge and consent.

GDPR is not a "power grab" (hah!), it's about distributing the power that comes from control of information more evenly. The EU has a lot of flaws, but this is one of the most democratic and equalizing bits of regulation that they've produced, and frankly the concessions it makes to large companies are huge.

I don't accept the argument that to be in favor of this I must be in favor of USSR-style totalitarianism. If anything, the inefficient planned economy of VC-funded startups, with their cults of personality around founders, that want to collect data and influence populations with impunity are the petty dictators of the 21st century. Personal rights should trump the rights of corporations, and I am deeply suspicious of people who would equate the two.

But that's all making a mountain out of a molehill: most of what GDPR does is harmonize existing regulation across the EU to make it easier for companies within and outside of Europe to do business here, adds enforcement teeth to the regulatory agencies and harmonizes the penalties, and sets out in actually rather specific detail what is required to be compliant, while giving everyone years to implement this regulation.

If people don't want to comply with GDPR and just block all EU users, then that will make the internet a nicer place for us, so by all means go ahead!


You probably haven't looked then. Despite assumptions elsewhere, I'm from Europe and still live there for example. The idea that everyone loves GDPR is naive. Only today I was working next to someone who was trying to figure out how it applied to her (tiny) business, and getting annoyed by the process. She's just copy/pasting the contents of an email she received into her own mail copy to avoid having to do extra work.

Nothing about GDPR has to do with "obedience to technocratic elites"

No? I think you missed by points then.

The GDPR was created, is enforced by and serves the interests of regulators. It specifies so little it is essentially a direct grant of power to those people - they can do whatever they want within its framework and that framework allows nearly anything.

As for 'technocratic elites', did you see political parties campaigning on this issue? I sure as heck did not. Right now the hot topics in European politics are immigration, terrorism and economic growth. Not data protection.

is in fact about rejecting the ability of institutions which are not democratically accountable to gather personal data and monitor people

Of course companies are democratically accountable - outside of monoplies (rare), you can just not trade with them if you don't like their data handling practices.


Interestingly enough, GDPR gets the most support from the center-right parties within the EU, in my experience because it's a law that protects individual's rights to their data. You'll find that it's not that popular among the left-wing member parties.


It's a deflection tactic by people who are emotionally invested into GDPR. Note the extreme emotionalism that GDPR draws out of its supporters. That makes it difficult for some of the supporters to have a rational discussion when it comes to the flaws of GDPR. They don't have a legitimate response to the context in question, so the easy approach is to attack the credibility of the person stating that they've struggled with compliance, rather than engaging in substantive discussion about the problems that GDPR generates for small businesses. The fear for the supporters is that if they admit to there being any flaws in GDPR, that will then act as a threat to GDPR (which they view as a monumental victory for privacy). They don't want to give an inch of ground, no matter the issue, because they're afraid of having GDPR diluted, taken away, and or not spread to the rest of the planet.

This is also why in all cases you'll see the GDPR supporters go after the character of the site/service owner (including always questioning their motives to muddy the waters). It's an attempt to short-circuit any reasoned debate, to destroy the credibility of the opponent. This has happened numerous times on HN in the last month or two.


You still have data hygiene policies to enact which are confusingly legislated. Also legitimate interest is a loophole created to appease some lobbyists but the legislators declined to make clear anywhere because they don’t give a shit about commercial needs.


What exactly did that less than £250 get your customers in return?

Even if you had a business that was whiter than white in terms of compliance with previous data protection laws and had perfect documentation of all its data collection and processing activities, it would surely cost far more than that just for the time to write some basic notes on the extra things you now have to tell data subjects and/or your regulator, get them reviewed by a lawyer, incorporate them into the relevant policies, and send notifications to anyone affected about your updated privacy policy.


> I've done full compliance for six companies and it cost less than £250 each

What about your salary?


Is that £250 each just for GDPR compliance? That's one law in one region. Now multiply it by the number of legislative bodies worldwide and the number of relevant laws passed by each - how much does that cost?


Before it was £250 for each EU country. Now it is £250 to comply in all 28 states (27 soon). So, it saves £6750?


If a business doesn't want to be compliant with the laws of all ~200 sovereign states in the world, they're most welcome to just select a single one and do business there (not the US though, as laws often change for each state so that's right out the door). I'm sure the competitors in the space will love having one fewer competitor.


Complying with the laws of 200 countries is negligible for a big business like Google, a significant burden for a small startup, and a prohibitive expense for a new open source project.


Could you contact me at sudhir.j@moviebuff.com - would like a consult.


Can you send me an email? I am working for a startup and I would like more information about your services . (It’s in my profile).


did that $250 include an audit to verify that you are actually in compliance?


Are you compliant with the copyright laws in your company? Are you sure you have licenses for all the software you use? Have you audited the software you write to ensure that none of the programmers have included code without an appropriate license? How about patents? Are you sure that the software you write does not infringe on patents somewhere? There are people who will happily audit your company in exchange for a truckload of money... For some reason, most people don't think this is necessary.

Your risk in GDPR is similar to your risk in IP law. If you don't comply with the law and someone calls you on it, you might have legal proceedings against you. In most cases it's pretty obvious if you are compliant with the law (Well, to be fair, it's completely unobvious if you are going to get randomly sued for patent infringement, but I digress...) If you are have a very complex situation, then maybe it is worth some legal advice, but it's pretty freaking obvious if you need the data you have collected in order to fulfil the contract or not.


There is no such thing as a GDPR audit.

Anybody that tries to sell you one is full of it.


How could this possibly be true?

You claim to know a lot about the GDPR, I’m not sure my business is compliant. Can you take a look and tell me?

What’s that called if not an audit?


An audit without certification will never give you anything that you could not have come up with yourself. So feel free to buy a GDPR audit but realize that you are just buying an opinion.


In the USA, the word "audit" is used to describe any process by which a company tries to determine if it's in compliance with some set of rules. Sometimes that process has special legal consequences, but it usually doesn't. The final deliverable is often literally called an opinion.

No lawyer or accountant has ever given me anything that I couldn't have come up with myself, with sufficient study. I still paid them, because the law is very complex and I have other things to do with my time. That's how any country with a nontrivial legal system works.

You seem to have great confidence that you understand how the GDPR will be enforced. I'd suggest that:

1. Not everyone knows as much about EU law as you do. This is especially true for people who don't live in the EU.

2. You might be wrong. Maybe GDPR compliance really is dead simple, and the lawyers who keep answering "it depends" are just cheating their clients; but from my experience in complying with similarly complex regulations, I wouldn't bet 20M EUR that's the case.


> For small businesses it’s practically impossible to be in compliance for all laws.

I've been in continuous operation with my businesses since 1986 and I guarantee you that I've been compliant with the laws as much as I'm aware of them. The major transgressions involving business assets were parking tickets, speeding tickets (< 10 km/h excess by an employee of the company in a company vehicle). Other than that not so much as a copied piece of software. Oh, and we were once late with a tax filing because the bookkeeper messed up, they absorbed the fine.

Running a small business in a way that is compliant with the law is stupidly easy: know the law.

Now, there is one thing that I did that I know full well was against the law and that came about as a result of me getting very angry about some stuff that happened to a friend of mine. In that particular case I saw my actions as akin to civil disobedience. In the end it got superseded by others doing the same thing much better and at a much larger scale but I would have fully accepted the consequence of breaking the law in that case. But it would have been a conscious decision to break the law.

Incidentally: not knowing you are breaking a law is no excuse for breaking the law, ignorance is not a valid defense.


> [Complying] with the law is stupidly easy: know the law.

You're out of touch.

Compliance just isn't as simple as you think it is no matter how much you double down in these comments. Laws aren't black and white. Do you not use an accountant, either?

Frankly, your advice is terrible.


Incredibly out of touch. I can virtually guarantee that a regulator or prosecutor who wanted to make an example of him could tear his business apart finding violations over 30+ years.


That's not exactly a new insight, Richelieu beat you to that one a couple of centuries ago.

But that's just trying to stretch what we are discussing here: that it is possible to comply with the law in principle. That some overzealous prosecutor with a grudge could nail you might happen - in Russia, maybe even the USA. But frankly where I live I have not yet seen a case like that. We probably have them but not frequently enough to make the news and in general the legal system here works quite well.


Have you been running a socially controversial business? That's where the specifics of the law start to really matter. The butcher, baker and candlestick maker have little to fear from the most badly drafted of laws; it's the person running a skate park or gay bar in a small town who tends to be on the sharp end.


> it's the person running a skate park or gay bar in a small town who tends to be on the sharp end

Or for that matter, someone running a social platform that allows socially "undesirable" speech, speech that is openly critical of government policy, or speech that exposes the wrongdoing of powerful people.


> Have you been running a socially controversial business?

For about 20 years, yes.


Not the point. You’re making the case that you’re always fully compliant with all laws and have been for 30 years, because it’s just so damn effortless. It’s almost more work to NOT be compliant!!

And I’m saying that’s bullshit. You’re breaking laws left and right, but you just don’t get caught because enforcement of those laws is so inconsistent. And the GDPR is so much worse; I’m sure you’re not compliant with GDPR given how vague and over-reaching the law is, but you’re probably mostly compliant and you’re too small for anyone to care.


> You’re breaking laws left and right, but you just don’t get caught because enforcement of those laws is so inconsistent.

Well, you know my business better than I do I guess.

> And the GDPR is so much worse; I’m sure you’re not compliant with GDPR given how vague and over-reaching the law is, but you’re probably mostly compliant and you’re too small for anyone to care.

And my business is about 100x the size of the one of the person writing the article. And I'm not worried. So I see the article writer as someone who uses the opportunity to make a whole bunch of fuss over something that (1) most likely would never impact him and (2) has indicated clearly that despite his opening sentence he probably doesn't give a damn about his users privacy.

So as far as I can see the law is working as intended.


That is the OPs exact point. Did you read the article? He mentioned that "The days of someone making something, putting it on the internet and offering it to the world seem to be over". And here you are talking about knowing the laws while the OP sits in a different country trying to run his business.

You might be from Europe and to you it may just seem sensible but 1-5 person companies often have to make tradeoffs like this. It is not right to say just comply with the law - it is so easy! The company, here, has decided that the cost is too high and that they are out.


> And here you are talking about knowing the laws while the OP sits in a different country trying to run his business.

I also have to be compliant with US laws if I deal with US citizens. What's the difference?

> You might be from Europe and to you it may just seem sensible but 1-5 person companies often have to make tradeoffs like this.

Not the ones that want to stay in business.

> It is not right to say just comply with the law - it is so easy!

But it is easy, he's just making it seem as though it isn't. There is so much factually wrong in that blog post that if that's the level of thinking that goes into the decision making then there most likely are other issues.

> The company, here, has decided that the cost is too high and that they are out.

Probably good riddance. But for all the wrong reasons.


[flagged]


Try not to post the same comment over and over again, especially when you are making a point that has already been addressed elsewhere in the thread.


I know you are frustrated. But your tone and rebuttals sounded repetitive to me as well. Learn to be self critical too. You were overwhelmingly shot down in your comments yesterday and there is a reason for it.


But OP is wrong. OP is saying GDPR is making it impossible for him to offer the software, but GDPR has almost no effect on him.

OP can just rely on "legitimate interests", and describe the data they're processing and why.


Legitimate interests is not defined. So good luck with that.

Also you are responsible for downstream guarantees of legitimate interest.

He is right that open P2P protocols like XMPP, such as NNTP, IRC, bitcoin, ethereum, etc are not handled clearly.

It is a headache for him I can sympathize.


> Legitimate interests is not defined. So good luck with that.

Are you expecting GDPR (or any law for that matter) to define an exhaustive list of every definition, that holds true now as well as for the future? Have a rethink about that statement...


Yes. I do expect that. It is a reasonable expectation that the laws are clearly understandable by those subject to the laws.

Just as companies need to be specific about how they use data now the legal-judicial system needs to be specific about what it means and intends.

It is a double standard because the legislators are not interested in the commercial impact.


You say one thing, other people say other things.

It's easier just to say "this tool blocks Europeans" and problem avoided.


Says random person on the internet. Other random people disagree.


> I guarantee you that I've been compliant with the laws as much as I'm aware of them.

All the laws, worldwide?

Are you in compliance with anti-blasphemy laws? Laws that forbid insulting the monarch? The tax regime of every country in the world?

The creator of Monal has decided the easiest way to be compliant with another country's laws is simply not to do business there, and I think you're underestimating the difficulty of the alternative (trying to comply with every country's laws).


Any laws that have the potential to reach me I am compliant with. If there are countries with laws that strike me as idiotic - such as anti-blasphemy laws - then I will do my level best to be informed of that beforehand and I will not break that law even if I feel that it is idiotic.

And as for the 'don't insult the monarch' law, we have that law here in NL and I purposefully broke it as a private individual to make a point.

The tax regime of every country in the world has no impact on me, I reside in NL, my businesses are here as well. But when I had several businesses in Canada and one in the USA I complied with the tax laws there too.

> The creator of Monal has decided the easiest way to be compliant with another country's laws is simply not to do business there, and I think you're underestimating the difficulty of the alternative (trying to comply with every country's laws).

He's taking the easy way out because there never was a real business behind this. This is my conclusion because he feels that his holidays are more important than the rights of his users.


You're right, there was never a business behind this. It's free software.

Why should the creator of free software spend their own money to support users in a region that imposes extra regulations?


>Why should the creator of free software spend their own money to support users in a region that imposes extra regulations?

If I create free software that concretely and demonstrably aids in worldwide human trafficking and has negligible utility elsewhere, would you still consider my refusal to comply with regulation reasonable because my software was free?

How free the software is not a determining factor, either morally or legally, in determining whether or not the GDPR is or should be applicable.


Nice strawman. If sometime in the future you want to talk about Monal, let me know.


Because even free software has to comply with the law. Funny how that works, but not making a profit on something does not absolve you from legal liability.


And the easiest way to comply with the law in this case is simply to block EU users, as was done.

You can hardly complain that someone who gave you something for free wasn't willing to spend their time or money to comply with additional demands.


Funny how that works, but not making a profit on something does not absolve you from legal liability.

But why would someone who is literally giving something away accept that liability, or even any perceived risk of liability, if they have an easier option?


Running a small business in a way that is compliant with the law is stupidly easy: know the law.

There are professionals who spend their entire careers just "knowing" very specific parts of the law, and who are still frequently found to have misinterpreted it when tested in court.

Is doing your company's annual financial returns also stupidly easy, because you just have to know accountancy?

What about security? Just write all the software you use yourself based on your expert knowledge of cracking and cryptography?

Incidentally: not knowing you are breaking a law is no excuse for breaking the law, ignorance is not a valid defense.

This is possibly the greatest conceit in the history of legal systems. No human being in any Western nation could even read every word of law that applies to them in an entire lifetime, never mind fully understand the implications and the motivations behind those words that might be relevant to interpretation. Ignorance may not be a legal defence, but not being magically aware of the sum of all human knowledge about every legal system that you interact with is certainly a reasonable excuse for doing something illegal but otherwise apparently ethical and sensible.


> For small businesses it’s practically impossible to be in compliance for all laws.

This is just ridiculous, patently false and making an excuse for reckless behaviour. Only specific laws apply to your business domain and if you aren't complying with them then you are wilfully breaking the law and putting your customers and the general public at risk.

Own a cafe ? You should be cooking in a safe manner. Sell a car ? It shouldn't kill people. Run a website ? Make sure your user's privacy is respected.


> Own a cafe ? You should be cooking in a safe manner.

Almost no restaurants score a perfect 100% during food inspections.

Many regulations understand that real life works on a gradient. That is why cars have varying safety standards that they have to meet based on their size and class, and why consumers can pay more for cars with a higher safety rating.


And that includes the GDPR


I have started to think that parts of GDPR should have been restricted to large companies - e.g. anyone with more than 100k active users, data describing 100k individuals, or an organization employing more than 100 employees. That would seem like a fair way to protect privacy while keeping barriers low for tech ventures / experiments.


You can't block fire exits at small stores or large ones I see no reason to adopt your suggestions.


If you do that then facebook and the other privacy terrorists will happily create 20000 little companies that they outsource their scum to. Also, a very small company with tens of thousands of datasets can still do terrible damage to people.


Perhaps, when it comes down to it, he doesn't want to be subject to a law that he had no ability to influence given that he's not an EU citizen. In blocking EU users he is fully compliant with the GDPR as he has zero of their personal data to begin with?


If that was the case, no one outside the US could use VISA/MasterCard either (they enforce US laws on all international customers), or could make any business with any US company (even HN has to enforce the Iran embargo on all its international users).

If you want to criticize local laws applied internationally, abolish the US.


i believe they enforce them legally, via international law. there is no such thing about privacy


Sure, he's entitled to take his ball and go home if he really wants to. That doesn't put him in the right, and it doesn't make his move anything more than whining.


You can be respective of privacy without complying with GDPR. It requires a lot more than simply being privacy-conscious. (E.g. I don't think Hacker News is doing anything unethical even though they blatantly violate GDPR)

> Legal compliance is a requirement for any business

You are required to comply with the laws of your country, not those of other countries.


> You are required to comply with the laws of your country, not those of other countries.

No, you are required to comply with the laws of any country you do business with. This applies to any type of business, and I don't see why "it's on the internet" appears to be the main counter-argument.

If I buy something from you (via snail-mail or on the internet) and it doesn't follow the requirements of the consumer law in my country, I can ask you to comply with the laws of my country. If you refuse, I can report you and you will be fined (if you don't pay, then you can have your right to do business in my country revoked). In practice most cases won't escalate that far, but the principle is the same.


> and I don't see why "it's on the internet" appears to be the main counter-argument.

Because by default any web site has, in the past, been open to people from any country that doesn't censor the web.

Regulations like GDPR are making doing business in more than one country more difficult and encouraging a Balkanized web.


> Because by default any web site has, in the past, been open to people from any country that doesn't censor the web.

This has never been true since the internet was international. You have always had to comply with laws of countries you interact with, it's just that most people who ran internet businesses decided to ignore the law (just try hosting some copyright or patent infringing content on the internet and see how long it takes to have legal action applied, even if you aren't a resident in that country). And, despite the ethical questions about censorship, censorship is usually done through the laws of a country (for instance in Germany). So complying with censorship requests (or having your entire site blocked) is actually an example of complying with laws of other countries.

The world is made up of sovereign nations, and businesses that wish to interact with other sovereign nations must obey the restrictions that the both nations place on that interaction. If you don't like it, then don't do business with that nation. I cannot think of another industry where this concept is seen as foreign -- it's a very fundamental part of how the world has been structured for thousands of years. Just because it's much easier to conduct businesses overseas than it was 200 years ago doesn't change the fundamental properties of what you're doing.


The fundamental properties of doing business overseas have changed. What used to be a prohibitively expensive enterprise is now within the reach of everyone.

And the cost of regulation, which used to be negligible compared to the cost of the enterprise itself, has now become a significant barrier for small businesses.


The costs of compliance are not a fundamental property of doing international business (after all, governments can change the cost of compliance or make it cost nothing). The fundamental properties I was referring to are that you are transacting with another nation state's people, and you have no fundamental right to do business with them unless that other nation grants you permission. Just because it is easier to do such business without permission or oversight doesn't change that you are doing the same type of business.

You might not think the costs are fair (and in practice that should be taken into account by regulators, to avoid removing all international trade and thus losing the benefits), but that is not really justification for arguing that this is a departure from how things have always been. Nor is it justification for arguing that you shouldn't care about the laws of other countries you do business with because you don't live there (which is what GGGGP was insinuating).


It is a departure from the way things have always been online.

The EU can certainly demand that web creators jump through hoops, but then they can hardly complain if creators outside the EU decide that interacting with the EU isn't worth the trouble.


Nobody is forcing people to do business with the EU. If you don't like the laws in the EU, then you don't have to do business with the EU. Simple as that.

(My whole point is that a lot of people arguing about GDPR want it both ways, and don't see that it's not strange that countries have rules for doing business with their residents.)


That is not true. You do not need to comply with any country’s laws except the one you reside in, except for treaties by your home country that say otherwise or your desire to travel abroad.

Just think of what China would do to the Internet if it could.


> You do not need to comply with any country’s laws except the one you reside in.

Unless you want to business with another country, in which case you need to follow the laws of that country when you conduct that business. Which is what I've been saying the whole time.

> Just think of what China would do to the Internet if it could.

If you want to provide a service to China you need to follow Chinese laws or they will block you using their firewall. China is a (not very nice) example of how a country has the right to decide who it does business with -- if you won't help them conduct surveillance of their citizens then they won't do business with you and will block you from doing business with their people. You might not agree with their laws or how they act, but it is their right as a sovereign nation to create their own laws.

I never said you need to follow the laws of every country in the world, and I really don't understand how so many people are reading that out of what I said (and keep saying). If you want to do business with a country you will have to obey the laws of that country. That's the way international trade has always worked.


When the business is being conducted outside the EU but the EU is enforcing GDPR, it is a problem. The GDPR is specifically written for extrajurisdictional enforcement which is a big change in the world of laws.

I am just saying that the EU will not be the only jurisdiction following this model. Be prepared.


Dmitry Sklyarov and Kim Dot Com would like a word


If you feel it’s important to comply with the laws of any country you accept HTTP connections from, why would you be upset with this outcome? Restricting your services to familiar jurisdictions until you can afford the legal advice to safely enter new countries is the only reasonable course of action in a world following that philosophy. One should not assume they’re familiar with the laws of 176 countries merely because they know how to start nginx.


Collecting personal information and running a business based on that personal information is very different to knowing how to configure nginx. You're putting up a bit of a strawman.


You can be fined if there is international or bilateral law or if somehow else the fine can be domesticated. There is no international regulation (not even consensus) on privacy so the law is not directly enforced here. However you are also not required to apply another country's law to all your customers, and if you don't want to you should (but are not really enforced to) block the EU.


Considering that most online businesses are (effectively) a form of international trade, I wonder whether GDPR fines could be seen as a form of customs fine (which definitely is something that foreign companies can be forced to pay, as you've said).


"you are required to comply with the laws of any country you do business with."

Prove that.

Because that's not how "the law" works. I am Canadian, my business exists only in Canada, and there are only two types of laws that apply to me. Canadian laws, and treaties that Canada has signed on to comply with.

No other country in the world can just make some "arbitrary" law that affects me. Unless my country agrees. And to my knowledge, Canada has not signed a treaty with the EU regarding enforcement of the GDPR.


> I am Canadian, my business exists only in Canada, and there are only two types of laws that apply to me. Canadian laws, and treaties that Canada has signed on to comply with.

If you decide to sell a couch to someone in America, you have to comply with American tax laws, American import and customs laws, American consumer laws, American patent laws, American copyright laws, American trademark laws, and any other laws involved with doing a financial transaction with someone in America. The same logic applies for Australia, the United Kingdom, Germany, Belgium, South Korea, Japan, etc. Pretending otherwise is naive, and if you don't believe me then try to sell something patented in America to an American.

The key question is what happens if you break those laws. In most cases you will be given a fine, and if you don't pay then you will no longer be allowed to sell goods to consumers in that country. If you continue to break the law then you are probably breaking an international treaty on border control or customs, which means that you could be extradited or tried in your own country. Some of the laws I mentioned above are mediated through international agreements, but the fundamental point is that if you break their laws they can place sanctions against you to stop you from doing business with them.

Of course, for a couch business things would probably never reach that level. And for an internet business you probably would just be IP blocked or something similar.

> No other country in the world can just make some "arbitrary" law that affects me. Unless my country agrees.

But it only affects you if you make the positive decision to do business with a country that has those laws. If you don't decide to do that, then you don't have to follow those laws (obviously). You can't have it both ways though (the benefit of having access to a market without having to follow the laws of that market).

In the case of enforcement you're right that they wouldn't have the right to compel to you to pay a fine, but they can in theory place sanctions against you. So if you continue to do business with sanctions in place then there is a process for extradition through international treaties.


> The key question is what happens if you break those laws. In most cases you will be given a fine, and if you don't pay then you will no longer be allowed to sell goods to consumers in that country. If you continue to break the law then you are probably breaking an international treaty on border control or customs, which means that you could be extradited or tried in your own country. Some of the laws I mentioned above are mediated through international agreements, but the fundamental point is that if you break their laws they can place sanctions against you to stop you from doing business with them.

A foreign country could arbitrarily decide I owed them a certain fine, or was no longer allowed into their country, or that they didn't want to allow my products into their country, at any time, whether or not I followed their laws.

In my daily life I've done, and continue to do, things that are illegal under e.g. Iranian law. That's fine and normal - I have no obligation to comply with Iranian law. Iran can make its own decisions about whether e.g. I'm allowed to enter their country, but that would always be the case.


Nope, the buyer has to comply with american tax law. You the seller are not doing business in there.


If you make a profit in America you'd better believe that the US government wants a share of it (there are exceptions if you sign a W8BEN and ask for a tax exemption based on existing international treaties) but the default position is that you pay tax on profits made in foreign countries -- and this applies for any country in the world that has something resembling a capital gains tax.

If you sell electronics that are a fire hazard, you can be punished for breaking consumer laws. I mean, for an extreme example, if you sell an illegal substance in America from overseas you can be punished for breaking those laws too.


I think you're seriously mistaken as to how one-off (and maybe all) import into the US works.

If I buy something mail-order from Canada, I'm considered the importer and would have to pay duty on it, just as if I had driven a truck over the border, bought the couch over there and driven it back.

If it's something as big as a couch, chances are it's going to be held at a customs warehouse for me to pick up (after I've paid the duty).

If I need to do this on a regular basis, I'm going to hire an import/export broker or possibly go through an actual furniture importer. That's the company that's doing business in the US that owes US incomes taxes, has to comply with US consumer protection laws and any of those other regulations.

In all of these scenarios, at no time did the Canadian couch store do any business in the US, even though I, the customer doing the "buying" may have been initiating the transaction over the Internet (or phone or with a paper mail-order form) physically in the US and/or with a US credit card.

If that Canadian couch is a fire hazard, the US's recourse is to stop it at the border and not let it in (or punish the US company, only in the case of the furniture reseller), and possibly punish me, the importer, since I'm the one legally attempting to bring it into the country. AFAIK, they have no recourse against the Canadian company.


you seem to suggest that you can (for example) sell/distribute canadian alcohol in saudi arabia, even though it's illegal there. do you really think that's accurate?

every country has the right to enforce it's own laws within it's own borders. you don't get a pass to do whatever you please in another country without their permission.

edit: i noticed "my business exists only in Canada"

if you mean to say you aren't doing business in another country than what you've written isn't speaking to the point of "you are required to comply with the laws of any country you do business with"


Yes. You can sell alcohol to Saudi Arabians from Canada. You cannot ship to Saudi Arabia. The buyer may pick up in another location where alcohol is legal including in person in Canada. What they do with the alcohol once in their possession is their business.


In which case you are doing business with (say) France, which has its own alcohol customs laws that you have to follow.

I never said that you have to follow the laws of the country of nationality of your clients. That'd be a ridiculous thing to say, and I'm not sure why you're arguing against that particular strawman (the GDPR only talks about EU residents and doesn't mention EU citizenship at all).


The word choice of citizen vs resident is a red herring. The issue is the extrajurisdictional reach of the law.

An EU resident visiting" your business which is hosted and operated in the United States, is the same as a Saudi Arabian coming to the United States to buy alcohol.

This is the reason why the GDPR requests an EU designated representative, so there is someone to charge locally.


> An EU resident "visiting" your business which is hosted and operated in the United States

Except the EU resident isn't "visiting" your business, you're providing a service to them across the US-EU border (and just like any cross-border service there are rules). I really don't get why this case is any more complicated than any other kind of consumer law (you can't sell electronics that blatantly catch fire to Australian customers, even if you're based in a country where consumer laws don't exist).


You aren’t providing the service across the border. The service is in your own country. The buyer is using telecommunications to make an order across the border.

The buyer is the one responsible for knowing their own local laws and should be responsible for managing them.

If a Saudi Arabian couple ordered a gay wedding cake from a baker in Montreal, over the phone from Saudi Arabia, in preparation for flying to Canada to get married, which laws apply? To whom?


Selling to Saudi Arabians and selling to Saudi Arabia are two entirely different things. In one you're doing conducting business in the Saudi Arabian market, and therefore under the umbrella of their government and in the other you're conducting business in whatever market the person you're selling your alcohol is located at, and under the umbrella of that market's laws.


When an EU business buys a service from an American operating in America from their website hosted in America how is this materially different than when a Saudi Arabian citizen visits New York and buys alcohol?

Why would Saudi law apply in New York?


Because the EU business is not located in New York. It's located in the EU. By providing a service to an EU resident you are interacting across the US<->EU border and thus EU laws restrict what services you can provide across that border. I would recommend thinking about it like shipping products overseas.


That's why the GDPR talks about residents, not citizens.


No. It is quite definitely not true that you must comply with the laws of countries you are not in.

The EU is primarily leveraging the fact that most everyone wants to travel to the EU eventually.

While you in your home country you have no need to comply with the GDPR unless a treaty between your home country and the EU exists to mandate it.

The EU is also leveraging their trade agreements.

What they don’t understand is that China is next and they have totally diametrically opposed views on consumer privacy. But when has the EU ever been farsighted?


The U.S. has been doing this for decades, applying U.S. laws to global citizens who happen to travel to the U.S, and I'm not even talking about kidnapping foreign citizens and taking them to Cuba.


You need to travel to the US. They are applying laws domestically.

The US is quite opposed to extrajurisdictional law enforcement which is why they don’t sign onto things like the International Criminal Court.


And a US citizen who chooses to break EU law has very little to worry about unless they travel to an EU country, where that country's law will be applied.


> No. It is quite definitely not true that you must comply with the laws of countries you are not in.

Unless you wish to do business with that country, in which case you need permission from that country in order to do business with its residents. If you break their laws they can place sanctions against you, and if you find a way to break those you can theoretically be punished legally through extradition.

If you don't do business with those countries then you're off the hook. Obviously.

Just look at the recent Project Gutenberg copyright lawsuit for an example of how breaking the law of a country you are not in can cause you legal troubles.


If you are not doing anything shady, if you have your house in order security wise and if you do not collect data that you have no use for you are 95% there. The remainder will maybe require consultation with a lawyer for an hour or two if you want to play it safe but you could also simply wait for a few months to see how it all plays out.

If you are respectful of other people's privacy then there is very little chance that you will be found afoul of the law and even if you should be then you will be warned to become compliant long before you will be fined.

This whole discussion is beyond ridiculous.

Imagine the rest of the world reacting to the DMCA this way which has far wider scope and effect.


> then you will be warned to become compliant long before you will be fined

citation needed

> if you do not collect data that you have no use for you are 95% there.

I have always been respectful and even never required emails on signups. I am not 95% there because there is a ton more to do. In fact i am at 5% because i have a lot of small scale past projects. Not everyone is a VC-funded startup.

That's the kind of emotional reaction that everyone has to GDPR. Yes we like respecting privacy, it's a good thing, but there is a lot that is problematic with this legislation.


> citation needed

Every statement issued by EU regulators to date.

> I have always been respectful and even never required emails on signups.

Good.

> I am not 95% there because there is a ton more to do.

Such as?

> In fact i am at 5% because i have a lot of small scale past projects.

You've had two full years to get this done. The law came into effect the 14th of April 2016. It is now May 2018.

> Not everyone is a VC-funded startup.

If you can build it you can also build it in a way that is compliant with the law and if you built it in a way that requires a lot of work to be compliant with the GDPR then you likely were already riding a very fine line with respect to the DPD which has been in effect for much longer.

> That's the kind of emotional reaction that everyone has to GDPR.

Emotions are a bad guide when it comes to legal stuff.

> Yes we like respecting privacy, it's a good thing, but there is a lot that is problematic with this legislation.

Such as?


> 95% Such as?

Everything. Even if you process just an IP you need to document your procedures, change privacy policies. If at any point you ask for anything you need to implement opt ins, a way for (unauthenticated) users to request their data (even if it's just 1 IP) etc. My point is that having negligible private data is not less of a compliance burden than having a lot of private data.

> You've had two full years

You mean i ve had 2 years to attempt to interpret a vaguely written law. Actionable information is just now coming out, and even that is contradictory (cue this topic). Even the EU parliament's website does not comply yet.

> you likely were already riding a very fine line with respect to the DPD

First, that is a directive, not a law and compliance can vary widely. Second, gdpr requires new procedures which means it requires amendments anyway

> Such as?

I have posted another comment


> Even if you hold just an IP you need to document your procedures, change privacy policies.

So don't hold IPs if you can't be bothered to know where the might end up and if you don't want to update your privacy policy. Why would you?

> My point is that having negligible private data is no less compliance burden than having a lot of private data.

And no data means no compliance burden.

Note that holding data already has costs associated with it no matter what you do: you need to secure that data, you need to back it up, you need to process it and eventually you will need to get rid of it. All of those cost money and effort.

> You mean i ve had 2 years to attempt to interpret a vaguely written law.

As laws come the GDPR is surprisingly clear. I was quite skeptical until I actually got a copy of the draft and I was positively surprised. They actually got it mostly right, there are some minor things that I would have liked to see different but on the whole I am not complaining.

> Actionable information is just now coming out, and even that is contradictory (cue this topic).

The hysteria is ridiculous. Anybody that has spent even so much as a couple of hours on this subject - and from a somewhat serious point of view rather than the ridiculous fear mongering - knows enough to not have written a silly blog post like the one on display here.

> Even the EU parliament's website does not comply yet.

That article was not exactly enlightened to put it mildly.

> First, that is a directive, not a law and compliance can vary widely.

Yes, but if you did take it serious then you are well underway.

> Second, gdpr requires new procedures which means it requires amendments anyway

Yes, there is some overhead. But this is mostly to ensure that the law will not be ignored like what happened with the DPD. As you say 'it was a directive' which many companies interpreted as 'can be ignored'. What they failed to realize is that if you don't self regulate after a directive is issued that there will be a version of the directive with teeth that has the strength of law. Congratulations, we are there.


> you need to implement opt ins,

No. This is the myth that "consent is always required". There are several justifications for processing personal data, and consent is just one of them. There are others.

https://ico.org.uk/for-organisations/guide-to-the-general-da...


First, notice how things like legitimate interests are not narrowly defined and left up to the DPA to judge. Which makes it hard to know whether you even need consent or not. Second, this is ICO, the British regulator. There are 28 of them one in each country and they won't always agree, so the application of GDPR policies can vary.


Legitimate interest definition is almost exactly the same as the existing laws on handling private information. If you want to complain about it, don't complain about the GDPR. If you've been handling private information for EU customers and have been complying with the law, then there is practically nothing for you to do.


But, again, if you're not compliant they'll just write a letter telling you this and asking you to come into compliance.

At that point you can check your understanding of the law and what you're doing and write back letting them know why you think you're in compliance; or you can change your process; or you can take it to court.


What happens when that is not possible though? E.g. in the case there is a breach and it is found out because of it that you were not compliant. Do they still write you a letter? Also , is this procedure common for all DPAs or just for the UK?


> citation needed

The 20 years of data protection enforcement we've had.


> Imagine the rest of the world reacting to the DMCA this way which has far wider scope and effect.

That would have been a wonderful thing to see. The DMCA has had a chilling effect on speech worldwide, and has created difficult barriers for small businesses to deal with if they want to host user-created content.

I think you unintentionally made your opponent's point!


This guy is not a small business. He's just a guy, doing this for fun, it seems.


I run a soup kitchen, doens't mean I can ignore fire regulations, or health codes


If I run a soup kitchen and new regulations make it too costly for me to continue, I'm in the right to shut it down if I want. If anyone is against this decision, then they should open their own soup kitchen that meets the new regulations.


That doesn't mean the regulations are bad. Just because the food is given free, doesn't mean you are allowed to poison people


I never said the regulations were bad. I just said that the guy closing his service is just one guy. If one person ran a soup kitchen by themselves and -- because of new regulation -- decided it was too onerous, I would say "Thank you for running the soup kitchen as long as you have. Have a well deserved break." I feel the attitude in this thread is "You ran a service by yourself for X years, and now you're finding it too onerous. You must continue running the service, because i said so". This seems like a weak argument.


How does that defense work out for marijuana growers in the US?


These situations are incomparable. The author of the article is being criticized for choosing not to do something that may be illegal. If the author continued to run his service in an illegal way, then he should be treated the same as marijuana growers. But he has chosen not to run his service. The equivalent situation in the United States would be a bar that decided to close after Prohibition and restart their business in Canada. This is a perfectly reasonable reaction to new regulation.


Hobbies cost money and time. In this case it will only cost him a little bit of time.


Perhaps this isn't obvious to everyone, but other people are actually not obligated to spend their time doing things you want them to.


Perhaps it's not obvious to the author of that software, but publishing products (even free ones) involves liability. You cannot simply say, "Well I didn't charge you!" A free product can still be the subject of a fraud lawsuit, or a negligence lawsuit, etc.

And I think this is as it should be. I'm not sure why people think software meant for use by a broad audience, however cheap, should not be subject to basic safety, security and privacy regulations.

What's more, it's pretty clear the author doesn't actually have a lot of GDPR obligation. They need to maintain a contact point which Apple is actually doing for them. They need to forward RTE requests to crashlytics. If they're doing ANYTHING else with personal data, that's shady as hell and I'm glad they're not doing it to EU citizens anymore.


In the United States and under English common law, those giving away something for free are only liable for 'gross' negligence, which is a significantly lower bar than the implied warranties of merchantibility that will arise if you start charging. All these warranties can simply be disclaimed, by licensing the software correctly.

> I'm not sure why people think software meant for use by a broad audience, however cheap, should not be subject to basic safety, security and privacy regulations.

There is a major difference between cheap and free. There is an especially major difference between cheap and open-source, because most open-source licenses include specific text to disclaim any implied warranty. Without contractual consideration, the author's words don't form any kind of contract with those who choose to use his software.

This is not a difficult concept to grasp. If the author made any money off his project, then yes, a very strong warranty is implied, but without that, the warranty is rather weak. Under common law, those giving things away for free can only be held liable for 'gross negligence', which is different from the automatic warranties that arise when you sell things, regardless of price.


Even in America, if a user can argue that their consent is uninformed you can still end up with a lawsuit. What's more, various states have different rules regarding that liability as well.


You're not wrong in this guy's case, especially since his software is on the App store. However, for most open-source projects, the installation process is sufficiently obtuse that you would be hard pressed to claim you were 'tricked' into installing it


It's not clear that open source projects that are published public domain actually have GDPR obligations. Specific INSTANCES of them running as a service might.


That's the law in the EU, I think it's natural to have a hobby that doesn't break any laws.


Right... which is why this guy has decided this is no longer going to be his hobby in the EU. While the EU has every right to say 'those who do X for a hobby must do Y to comply' they cannot say 'everybody must have X for a hobby' or 'Bob must continue doing X for a hobby' .


The high-tech laws and regulations of the EU are a bit more sophisticated than in the US so it may take some time for the rest of the world to catch on.


Well, if anything, Europe has a history of labeling authoritarians as progressives. Whether that's something to be proud of is something history will decide.


Authoritarianism is the only way to protect the people from runaway capitalism. Juncker is a good leader - I never understood why Americans/Anglos think that "Authoritarianism = BAD".


Probably because we’ve internalized the lessons of the aftermath of the British empire


He's not in the EU.


Indeed but he head a TLD from a self-governing dependency which is implementing the GDPR:

https://www.gov.im/about-the-government/data-protection-gdpr...

So he wants the funky TLD from Europe but he doesn't want European law 'hassle'. Hypocritical.


How is that hypocritical? It's really obvious that the author puchased an "im" domain because it looks like the acronym for "Instant Messaging", not because he wants to be associated with a European country or European law. He also purchased his domain name before the GDPR came out.


I also don't understand this reaction, because the guy is the developer of a chat program. It seems that if you encrypt communications and user data and do not sell personal data to third parties, then you comply with the GDPR. I don't see where those bureaucratic hoops come into play this developer is bemoaning.


If he's already handling the data securely and only keeping the data necessary for the service (which I doubt but we'll never know) all he has to do is:

- Appoint a data protection officer (himself)

- Write down the processes of how he stores data (we keep it on this database, hosted at x provider; that provider is called the data processor) and how he deletes data whenever the subject of the data requires it.

That's it.


Worst case is he really is selling personal data to third parties, and does not want to risk any fines from the EU because of it.


I agree with you, but in this particular case, it seems to be a free chatting app, not a revenue-making business. From the looks of it, I think the author's motivation for writing and maintaining this are ideological, to provide privacy to users. "This app has no ads, no user behavior tracking and all messages are exchanged directly with the XMPP chat server". Doesn't look like a business to me.

https://itunes.apple.com/us/app/monal-free-xmpp-chat/id31771...


Operating a network service is now illegal by default. Yes, the exceptions are large enough to accommodate most legitimate businesses. Yes, the likelihood of enforcement action against a small player is low. But the normal course of websites has so far been miles and miles away from the nearest illegal act. Now they are right up against the letter of the law merely for calling listen(). The only other law to come that close to the normal operation pure-internet entities is copyright, and it’s drawn similar ire. While it’s true that websites have always been prohibited from committing murder, the possibility of committing murder with a website is so remote as to be absurd.


This is a ridiculous over-reaction based an extremely shallow read-through of the material discussed.

He is not running a business but an open-source project!!!!


> then again it is a business and costs of doing business are the norm.

Does a cost become acceptable because it's the norm?


> extremely shallow interpretation of the GDPR

Please elaborate. I was unable to perceive the legal depth of interpretation.

> you should probably shut your business down completely rather than to hope that just ignoring European customers is going to make the bogeyman go away

Businesses limit liability and legal exposure all the time.

It's a tradeoff, as all things are.


> Please elaborate.

As you wish:

> I frequent Europe and do not want to get into legal trouble on vacation.

There is no precedent for violators of EU law regarding privacy to cause people to be harassed on their vacation (yes, there are examples of this on the US side but that's not what we are discussing here).

Worst case you would be warned to become compliant, then if you persist in not being compliant you might be fined, then if all that fails there might be a request for extradition but I highly doubt it would even get that far. Time will tell. What will definitely not happen is that out of the blue you will be yanked from your bed in Paris or Barcelona because you decided to refuse a request for deletion.

> The days of someone making something, putting it on the internet and offering it to the world seem to be over.

No, the days of harvesting data and building profiles without consent are over. You can make something just like you did last week and you can offer it to the world just fine. Do take care of your users data, be a good steward and try to do your best not to get hacked.

> do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.

The GDPR does not have this requirement for the kind of business the article writer has. No need to hire anybody. Pure nonsense.

> Tracking crashes with Crashlytics introduces new issues because it is posted to Fabric from a user’s device, IP addresses are in the logs this is personally identifiable information (PII). Crashlytics is GDPR compliant but the burden is on me to show regulators that I am compliant points back to the need for DPO.

Having a DPA in place with Crashlytics takes care of this, that's all the burden there is, in fact, Crashlytics most likely has a standard form for this because they will be entering into DPA's with a lot of companies in the next couple of weeks/months.

> Even though no message traffic passes through Monal’s sever, registering for a push does make an HTTP call which logs a user’s IP and this requires GDPR compliance.

Everything you do requires GDPR compliance but not everything is impacted by the GDPR. In this case logging the IP is fine, and then when you're done with the data you can get rid of it. No need to keep it indefinitely. And that simple trick: remove data that you no longer need is going to go a long way towards establishing GDPR compliance.

> APNS push tokens are associated with devices which can be traced back to a user if combined with info on the originating XMPP server. Obviously, this is needed for a notification to be delivered to the right person. However,the fact that it can be combined to identify a person makes it PII.

So do not keep it longer than you need it.

> I believe in privacy but I do not have the resources to meet the letter of the law for compliance especially with respect to retention and processing these tokens.

But he does have the time to write blog posts complaining about having to meet the letter of the law. That time would have been better spent actually reading the law and figuring out the impact.

> Honestly, I do not know if XMPP federation is legal anymore in the EU with GDPR.

Of course it is.

> EU user data is sent out of Europe constantly.

Indeed. And that won't stop because of the GDPR.

> GDPR is written such that a user cannot agree to a user agreement that gives up GDPR requirements it’s not a matter of saying you agree to X by using this service.

Yes, that's the whole point. You can't blackmail your users to opt-out of the law by virtue of withholding your product, which is a very very nasty way of trying to deal with a legal issue, rather than to face it head on and simply attempting to try to comply.

> GDPR compliance is something the XSF is talking about right now.

Good to see not everybody has the same attitude.

The way I read it this person is not trying to limit their liability, they're simply trying to pretend the law doesn't exist, have come to the conclusion that that won't fly and now blame the law for their laziness and negative attitude towards the privacy of their users in general.

If he really cared about the users privacy then he'd at least make a serious attempt. This blog post does not indicate a serious attempt was made, it reads like someone looking for excuses.


re: DPO

i think you are being a bit naive and dismissive. the law could easily be interpreted as his endeavor requiring a Data Protection Officer. the guidelines (http://ec.europa.eu/newsroom/document.cfm?doc_id=44100) for the DPO require that processing "special categories of data" needs a DPO. those categories include tings as benign as "trade union membership."

so if his chat app has someone in the EU chatting about trade union membership while this chat service then "processes" that data, they might be held liable to the DPO requirement.


Bigger than the DPO issue for processing Article 9 special data is the fact that processing Article 9 special data is generally prohibited outside of enumerated exceptions.


> so if his chat app has someone in the EU chatting about trade union membership while this chat service then "processes" that data, they might be held liable to the DPO requirement.

This is a ridiculous argument. No, someone in the EU chatting about trade union membership does not magically require him to hire a DPO.

Please.


There's two kinds of "free service" on the internet. There's the Facebook / Google kind of free, where the herd of non-paying users is being aggressively monetised in other ways by a very profitable business. It's perfectly reasonable to expect this kind of free service to jump through the GDPR hoops as just another cost of doing business.

This is the other kind of free, where it genuinely is being done out of interests sake as a public service, like guerilla gardeners. In this case, it's perfectly reasonable to say that you got into this because you're interested in solving the technical challenges, not because you enjoy wading through bureaucratic rules, and decide to stop offering that free service in the EU because the fun has gone out of it.

Probably you're completely right about how easy complying would actually be, and in that case you could certainly take this code and run your own push server that serves EU clients.


It's a reasonable action based on shifting tides and uncertainty, particularly for a project with no revenue to speak of. If the EU wants to do arbitrary things, that's on them.


Thanks for clearing that up - I can't stand people who think they are above the law. Here in France and Germany, this law is creating a lot of jobs too. I hope more laws like that in the future so that even more jobs can be created. I love the EU :-)


For jobs to be created (presumably in startups) , there must be startups first. Startups won't be started if you need to hire 1 full time accountant (for the VAT mess), 1 privacy person and 1 lawyer before you even lay down your idea. I get it that GDPR is creating some nice jobs these months, but it won't last long. I wonder if this guy would even make the app if he was in the EU today.

I am all for fair taxation and privacy, but the EU should start creating the mechanisms that make it easy and automatic for startups to comply with stringent requirements instead of leaving the burden upon them.


You don't need a 'full time accountant' for the VAT mess, I've been doing this for years (decades) and it took about 2500 euros / year / company for the full administrative burden, including payroll for up to 25 employees.

You don't need a privacy person either (I suspect you mean DPO), but you do need to know what you are doing.

> I am all for fair taxation and privacy, but the EU should start creating the mechanisms that make it easy and automatic for startups to comply with stringent requirements instead of leaving the burden upon them.

That I agree with, it can still be better. But VAT/MOSS took the sting out of the VAT reporting and the privacy law is entering a shake out period now and will also end up to be manageable.


the parent specificly refered to jobs being created for privacy officers or sth. i m replying to that. Also, the too many different VAT regimes can create a huge accounting mess if you are selling in many different EU countries, hence the existence of payment processors and relevant startups.


I can't tell if this is sarcasm or not, so I'll pretend it's not.

This is the broken window fallacy. You're not creating jobs, you're destroying wealth.


This is such a terrible argument. You’re essentially arguing that any business of any kind should never complain or choose not to do business in a jurisdiction if the reason is regulatory burden, no matter how onerous, expensive, ambiguous, and offensive that regulation is.

That’s illogical and not the way that any business evaluates what activities to pursue or forgo.

You’re casting aspersions on this one guy and implying that he must be up to something shady, all because he’s chosen to not serve a market that has decided to pass some horrible regulation that you happen to like. Unbelievable.

You can’t have your cake and eat it too. The EU can pass whatever laws they want, but the rest of us are still free to tell you to pound sand.


> if the reason is regulatory burden, no matter how onerous,

No, what we're saying is OP can't complain about the burden of this onerous regulation when the fact is that almost none of it is relevant to OP and he'll have to make only minor changes to be compliant.

Several of the claims OP made are flat wrong and it's trivial to show they're wrong by simple web searches.


There are hundreds of comments here on this thread arguing about all of those points and what the law even says. The GDPR is a complete joke.


But most of the argument is between fucking idiots who have no clue what the law actually says, and people who do know what the law says.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: