
GDPR: Why We Stopped Selling Stuff to Europe - chx
https://www.brentozar.com/archive/2017/12/gdpr-stopped-selling-stuff-europe/
======
meredydd
Data protection rules are this century's equivalent of pollution regulation.
The online ecosystem has trashed the global commons with huge amounts of
everyone's personal data, with no meaningful control or consent to how it is
used, and now it needs to be cleaned up.

There are companies that will go out of business, or have to pivot heavily, as
a result of GDPR. If this doesn't happen, it's not doing its job.

More mainstream companies will grumble about this, just like they do about
environmental regulations now. But, then as now, _we've done the experiment_.
As an industry, we were left to self-regulate for 2.5 decades, and look what
we did.

I am not looking forward to finishing our GDPR compliance. Anvil doesn't rely
on personal data for its business model, so it's not a big deal, just a bit
tedious - it's a textbook frictional loss from regulation. But I _am_ looking
forward to living in a world where everyone has to comply.

~~~
peoplewindow
There is a third option beyond go bankrupt or pivot, as this story shows very
clearly - cease trading with the EU or citizens of its member states entirely.
Like the effect of FATCA but in reverse.

That's the decision this small training firm has taken. It's a loss of 5% of
revenue, they say. That's not bankruptcy or pivoting.

This seems to be the unsurprising outcome of the EU's modern "obey us or we
crush you" mentality. The UK is walking away. This small company is walking
away. Apparently Microsoft is at least thinking about it for some products
(the connect site is back now but looks semi-abandoned). How many others will
look at this and conclude the risks are too high to justify the costs?

GDPR does not seem like a well thought out law. I have always been satisfied
with my ability to delete things from the cloud. If I end up being banned from
useful services because of the costs of complying with the EU's very
transparent attempts to bulk up their budget by repeatedly fining tech firms,
I will not be happy.

~~~
meredydd
_> There is a third option...cease trading with the EU..._

This is the direct equivalent of demanding the right to dump whatever I like
into the river, because some other company in another country can.

More generally, this is an example of "all regulation bad" thinking. If it is
inherently evil to impose any rules on companies operating under your
jurisdiction (and that's what you're implying with phrases like "obey us or we
crush you")... Well, now you're arguing that no government should try to solve
_any_ coordination problem. No auto efficiency standards, no pollution
regulations, no product safety standards...not a world I want to live in.

(I'm going to ignore the Brexit stuff, as that's a long-standing flamewar
that's already producing more heat than light in this thread.)

~~~
drchaos
> More generally, this is an example of "all regulation bad" thinking

"any regulation good" is a fallacy as well, and just because data protection
is a good thing, not all regulations claiming to achieve that are good, too.

And the GDPR is an especially bad and totally overblown regulation. I'd be
totally fine with not being allowed to do bad things, since I'm not doing that
anyway. I don't sell customer data, I don't collect PII from obscure third
parties, I delete what I'm supposed to and I don't store what I should not.

Unfortunately, just not doing anything wrong does not help me at all, because
GDPR requires basically everyone to be able to _prove_ it, which - if possible
at all - would take ages to implement properly. Sure, Google and Facebook can
afford to spend a few man-years on this, and they can also afford a bunch of
lawyers in case some obscure bureaucratic EU entity finds that they followed a
wrong interpretation of the vague and unclear requirements in this directive.

As the sole developer for a small SaaS, I cannot afford that luxury. I can
either write code, which earns me money, or I can write pages and pages of
process documentation instead, which earns me nothing and does not even
guarantee I won't be fined anyway, since who knows what obscure requirement
may be hidden in those 201 pages of undecipherable legalese.

So my only realistic option is to do what most smaller businesses will do:
Ignore the GDPR, and hope they won't come for me first. They probably won't,
since they can't go after everyone at once. Sure, there's a residual risk, but
hey, one can get cancer too. At least, if you get GDPR instead, you won't be
dead, just broke.

~~~
YeGoblynQueenne
I've worked for a few companies that handled clients' private information for
financial purposes. There is a standard that you must observe if you work with
payment cards, PCI-DSS. It is complicated and costly to implement in full, so
some of the firms I worked for didn't - and instead avoided handling sensitive
data that was subject to the strongest of protections specified by PCI-DSS.
That meant, for example, never directly handling transactions and bouncing
them off to PayPal instead. These were still successful companies that kept
growing while I was working for them.

One company I worked for sold software for card transactions and so needed to
get the highest level of certification. They did and they worked very hard to
achieve this, which is why they were (and I believe, still are) highly
respected in the business. They also did great financially and had big
contracts with huge clients.

There are also companies that specialise in that sort of thing - they help
others get their PCI-DSS on. For a fee - but it's cheaper than doing it
yourself, or paying the price of running wild with people's card data.

There are many more options than "ignore the standard" and "drown under it",
is what I'm trying to say.

~~~
drchaos
While this approach is reasonable and practical for credit card data, I doubt
it's possible (let alone practical) for most businesses to do the same with
what the GDPR considers personal data. You'd have to avoid email addresses,
names, postal addresses, phone numbers, ... - even in fields where such data
is not even supposed to be, like comments or emails.

Might be possible if one just sells ebooks or similar digital goods without
much customer interaction. But for anything more complex than that, you're
pretty much out of luck.

------
moreira
> You wouldn’t think that would be a big deal – but you’d be surprised. For
> example, students send us information about their databases all the time as
> part of asking questions – and they often send it unsolicited, through
> unencrypted email channels. That information ends up all over the place: our
> mail server, our desktops, phones, laptops, search indexes, etc. I’m not
> really worried about us maintaining the confidentiality of that data, but
> now we’d have to add in new audit-able tracking.

That’s a _good_ thing! Is it really that much to ask that when someone holds
your data, that you can ask them to delete it and be assured that it’s gone
for good?

Apparently, for them, it is. And I’m sure it’ll be for a number of other
businesses (and their competitors will just take their place, no big deal).
But I’m looking forward to a world where unrestrained data collection and
handling is no longer tolerated.

~~~
BrentOzar
> Is it really that much to ask that when someone holds your data, that you
> can ask them to delete it and be assured that it’s gone for good?

That doesn't give you the right to send someone your private data, in a
channel they didn't ask for it, and demand that they secure that channel.

This is the tough part about being a training company online: students send in
questions with their personal data, unsolicited, via channels I simply can't
secure. Your PII doesn't belong in email.

> But I’m looking forward to a world where unrestrained data collection and
> handling is no longer tolerated.

Read the post. It's not about what we collect - it's about what people send us
voluntarily. That's the part that I'm most worried about.

If I have no business relationship with those people, and they're just sending
us personally identifiable data for no reason, I'm a lot more comfortable
defending that in court. But if we have a business relationship where they're
paying for our advice, and then they start sending more and more data, that's
where I'm on shaky ground.

~~~
moreira
I am absolutely not criticizing your decision; you’re perfectly within your
rights to refuse to deal with all the rigamarole of GDPR compliance. It’s
easier and only 5% of your revenue, so why even bother.

And I completely understand the issue of people sending unsolicited data. I’m
sorry that my comment came across as though I was targeting you specifically.

I’m just excited for a world where data is no longer a “yeah let’s just store
everything with no thought”, and instead is a hot potato that you keep a trail
of and want to get rid of as quickly as possible. What a difference that’ll be
from the situation we have today. This article is just highlighting how just
accepting random data puts businesses “on shaky ground” as you said. The GDPR
will require everyone to be a lot more thoughtful about their data retention
policies, and that’s just great.

------
locust101
Basically companies like facebook and google have abused the data collection
and public trust so badly that the EU had to come up with these absurd fines
just so those behemoths would pay attention. Also, is there a reason why it is
a maximum of x and 2% of revenue? Shouldn't 2% of revenue be big enough for a
company to be scared?

~~~
erk__
You also want smaller companies to comply, where 2% is maybe too little for
them to care, as it would cost more to comply with GDPR.

~~~
valuearb
2% of revenue is a huge fine for any profitable business.

~~~
BrentOzar
> 2% of revenue is a huge fine for any profitable business.

Not necessarily. In a business like ours (online training) where any
additional new customers basically flow through to the bottom line, if I got
20% of my revenue from the EU, and I had to pay a 2% fine now and then, it
wouldn't be terrible.

I can see how some slimy businesses would say, "I'm not even going to bother
complying - I'll just keep taking revenue off the table and paying the small
fees."

~~~
valuearb
Sure, if your profit margins were 50% on EU revenues, it wouldn't be a big
deal to pay 2% of the max fine. Or if your startup doesn't have revenues, you
could get off scot-free.

But most profitable businesses are going to have profit margins in the 10-20%
range, and that fine is considerable. And if the EU applies it to the last 5
years' revenues, they could wipe out a year's profit.

For example, Apple probably has close to $100B in annual EU revenue, $2B is a
huge incentive to invest in doing this right. But if your EU business is $1M,
$20,000 is probably a fraction of your cost of implementation.

The law would have been far better if it specifically limited fine levels by
size of company, i.e. < 1M in sales, 1M to 10M, 10M-100M, 100M-1B, 1B+.

~~~
nolite
It’s on worldwide revenues, not EU revenues

~~~
valuearb
Ouch, that's amazingly short-sighted.

------
Radim
Automating PII detection & audits is a hard problem! Especially across sundry
data storages and formats.

Compliance firms typically provide a high-level paper trail, but what happens
when you don't even know where the PII data is, like the OP says? What if you
need to answer concrete individual Subject Access Requests?

So, as a technology company, we've attempted to solve parts of it with
technology. We really hope to make that pesky "PII stuff" detection and
auditing easier for companies:

[https://pii-tools.com](https://pii-tools.com) (in private beta, feedback
welcome)
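drchaos's point above (PII turning up in fields that were never meant to hold it, like comments) and Radim's point that automating PII detection and answering individual Subject Access Requests is hard are both illustrated by the following added example. It is not code from the article, from pii-tools, or from any commenter: it is a small Python scanner over constructed support-ticket records that inventories where email addresses and phone numbers appear, answers a subject access request for one address, and redacts a record. The record layout, the field names, and the regexes are all assumptions made for the example; the regexes are heuristics that will over-match on other digit runs, so hits are candidates for review rather than a legal determination.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data (not from the article): support-ticket style records
# where PII lands in a free-text "comments" field that was never meant for it.
SAMPLE_RECORDS = [
    {"id": 1, "topic": "slow query",
     "comments": "execution plan attached, no rows returned"},
    {"id": 2, "topic": "backup failure",
     "comments": "call me on +44 20 7946 0958 or mail Jane.Doe@example.co.uk"},
    {"id": 3, "topic": "deadlock",
     "comments": "host prod-db-01, user bob@example.com"},
]

# Heuristic detectors for PII kinds that commonly leak into free text.
# The phone pattern deliberately over-matches (any plausible digit grouping),
# so treat hits as candidates for human review, not as a legal determination.
PII_PATTERNS: Dict[str, "re.Pattern"] = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(
        r"(?:\+\d{1,3}[\s-]?)?(?:\(?\d{2,4}\)?[\s-]?)\d{3,4}[\s-]?\d{3,4}"),
}

Finding = Tuple[str, str, str]  # (field, pii_kind, matched_text)


def scan_record(record: dict) -> List[Finding]:
    """Return every PII hit in every string field of one record."""
    findings: List[Finding] = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in PII_PATTERNS.items():
            for match in pattern.finditer(value):
                findings.append((field, kind, match.group(0)))
    return findings


def scan_records(records: List[dict]) -> Dict[int, List[Finding]]:
    """Build an inventory (record id -> findings) of records that hold PII.

    This is the 'where is the PII at all?' question: only records with at
    least one hit are listed, so the output is the audit trail to act on."""
    inventory: Dict[int, List[Finding]] = {}
    for record in records:
        hits = scan_record(record)
        if hits:
            inventory[record["id"]] = hits
    return inventory


def subject_access_request(records: List[dict], email: str) -> List[int]:
    """Answer 'which records mention me?' for one data subject identified by
    email, comparing case-insensitively so Jane.Doe@ and jane.doe@ both count."""
    wanted = email.lower()
    ids: List[int] = []
    for record in records:
        for _field, kind, text in scan_record(record):
            if kind == "email" and text.lower() == wanted:
                ids.append(record["id"])
                break  # one listing per record is enough
    return ids


def redact_record(record: dict) -> dict:
    """Return a copy with each PII hit replaced by a placeholder naming its
    kind, so the ticket stays useful for support while the identifier is gone
    (the erasure half of the problem, applied to a single record)."""
    cleaned = dict(record)
    for field, kind, text in scan_record(record):
        cleaned[field] = cleaned[field].replace(text, f"[{kind} removed]")
    return cleaned


if __name__ == "__main__":
    for rec_id, hits in scan_records(SAMPLE_RECORDS).items():
        print(rec_id, hits)
    print(subject_access_request(SAMPLE_RECORDS, "jane.doe@example.co.uk"))
    print(redact_record(SAMPLE_RECORDS[1])["comments"])
```

Run as-is, the scan reports records 2 and 3 (record 1 is clean), the subject access request for jane.doe@example.co.uk returns record 2, and the redacted comment for record 2 reads "call me on [phone removed] or mail [email removed]". The same scan_record loop is what a real inventory would run across every store the data has reached (mail archives, search indexes, backups); the hard part Radim describes is less the regexes than enumerating those stores.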

------
BrentOzar
Whoa, didn't expect this to hit HN. I'm here if anybody has questions.
(Author)

~~~
magnetic
How can you prevent EU users from using your service (it seems that's where
you are headed)? I can think of IP geofiltering if you have a web service,
perhaps blacklisting some countries in the AppStores if you publish an app...
but people can travel & VPN somehow. Will part of the registration be "Are you
an EU citizen?" And if EU people work around your safeguards and manage to
register, are you still liable?

~~~
BrentOzar
> How can you prevent EU users from using your service

The first step is disallowing EU-VAT-eligible folks from purchasing. The
plugin I mention in the post is really good for that - it looks at a variety
of factors including the user's billing address for their credit card, for
example.

It's still totally possible that an EU citizen could be on Chinese soil, using
an American's credit card, while using an Australian VPN. That means the next
part of the registration will be a terms & conditions checkbox saying the GDPR
doesn't apply to me. (We're working with our attorney on that language.)

At that point, if someone still registers, AND they later ask for the right to
erasure, we'll still do our best to delete their data. But if they try to go
to the EU and complain, we'll be on much better legal ground to say, "Look,
they lied to us from the get-go, and we can prove it."

Nothing's certain - just trying to mitigate our risks as cheaply as possible.

------
shock
It doesn't seem like it now, but this is just a storm in a teapot. All of the
necessary bits to comply with the GDPR will be commoditized sooner or later.
I'm betting on sooner. This also presents a business opportunity to provide
those bits.

I do appreciate the fact that it's a nuisance at best and significant costs at
worst to be compliant with GDPR. Only in time will we be able to tell if it
was worth it or not. Maybe the US model of free-for-all access to user data
will work better, maybe the EU model will...I don't think anyone can say for
certain now.

If anyone does know with a high degree of certainty which will, it's time to
place the bets.

~~~
magnetic
> I do appreciate the fact that it's a nuisance at best and significant costs
> at worst to be compliant with GDPR.

I don't know that it's that simple. What happens when you have conflicting
requirements, for example (I'm making them up) EU requiring you to delete PII
within a period of time and US/Homeland Security/IRS requiring you to keep the
(meta)data for some period of time?

There may be conflicting requirements that have nothing to do with technology
& costs.

------
magnetic
Can an EU citizen call AT&T/Verizon and ask them to delete all records of
their calls?

Would the call logs also disappear from "the other side of the call"?

------
sly010
Naive question: If there are no such laws in the US, can one just simply store
ALL personal data in Iceland?

~~~
erk__
How would that fix the problem? You still can't save data from users from the
EU.

~~~
tonyarkles
That's exactly it. GDPR doesn't particularly care where you're storing the
data, nor whether you have a "European presence". If you're storing data on
people from the EU, from the EU's perspective, you're required to follow GDPR.

From an enforcement point of view... if you have no EU presence, it'll
probably be pretty hard for them to actually collect on the fines they levy,
but as a director, travelling to Europe could be problematic. It's not
entirely clear here, but it looks like there's a possibility of directors
being held personally liable.

~~~
086421357909764
In fact, the EU considers all citizens of the world to fall under their legal
protections. That is, you don't have to be an EU citizen to have the same
legal rights.

~~~
sitkack
Technically this is true for the US as well. We just like to pretend there is
a distinction.

