
GDPR After One Year - goerz
https://truthonthemarket.com/2019/05/24/gdpr-after-one-year-costs-and-unintended-consequences/
======
Quanttek
> individual “data rights” have led to unintended consequences; “privacy
> protection” seems to have undermined market competition;

That opening paragraph already speaks to the over-elevation of the market over
any other concerns. So it perfectly fits onto "news. _ycombinator_.com". Human
rights, including privacy and data rights, are more important than the profits
of some companies.

Most examples in the text are, for instance, related to companies failing to
properly implement the GDPR (Amazon sending data to the wrong person, Spotify
not asking for 2FA/email confirmation for the bulk download, companies
deleting articles even when there would be sufficient public interest, Ad vendors
failing to ensure compliance and therefore seeing drops in demand, ...), that
is, market failures - something this site would probably not call out but
rather attribute it to the legislation.

~~~
Zak
> _That opening paragraph already speaks to the over-elevation of the market
> over any other concerns. So it perfectly fits onto "news.ycombinator.com"_

I have not found the cultural climate on HN to be opposed to the GDPR at all.
Both its goals and its implementation seem to be popular here overall, and
most comments I see that are critical of it get enough downvotes to have their
text significantly desaturated even if they're making a good argument.

It's my impression, though I have not worked in the field, that people
operating ad networks believe some kind of tracking is necessary to prevent
click fraud, and do not want to sell ads free of any tracking even when they
have customers asking for the option. I don't know how true this claim is or
whether alternatives have been adequately explored.

What I do know is that some of the industries that use ads, such as newspapers,
are struggling to make enough money to continue operating. Nobody will miss a
scummy adtech firm, but people might miss local news outlets. It's valid to
talk about the impact on business not just in terms of profits, but also
considering potential positive externalities of the continued operation of a
given business.

~~~
frostburg
I recall a discussion on the matter. Everyone that wasn't selling ads felt
that if it was impossible to sell ads without tracking due to "click fraud",
there was no obligation from society to prop up their failing business model
by letting them ignore the privacy rights of the public just because it was
expedient to do so.

~~~
friedman23
> their failing business model

The business model is fine, the EU and you are choosing to kill it. Not only
are people arguing for no tracking, they are arguing for forcing other people to
live without tracking. So if someone in Europe wants a free service in
exchange for their personal information they don't even have the choice.
Additionally GDPR requires that businesses not restrict their products to only
those that are funding it.

~~~
logicprog
I love it how everyone is downvoting you for pointing out something super
basic: GDPR is essentially the government deciding that everyone in Europe's
data belongs to the government, to decide what they can use it for and what
they can't. That's not personal data rights. That's other people deciding
what's best for you.

~~~
afiori
To make a little jump, this is like saying that child labor regulations mean
that your children are actually property of the government. (not to show it is
wrong, but that there is some background context needed)

Also I can still give facebook all my personal data. Simply facebook needs to
get my consent to distribute and sell it and I will forever have some basic
control on what data facebook has on me. The government has little to do in
this.

Also (beware the strawman), as far as I know people cannot sell their own
organs in the EU, is this a sign that your body belongs to the state or that
business models built on harvesting poor people's organs are unjust?

~~~
logicprog
So for your examples, I would say yes, yes through its rules and actions the
government has clearly shown that it thinks it owns those things. Including
our bodies (drug war anyone?). And a business model that pays for organs is
not "unjust" but maybe a bad idea for those that would participate, obviously.
I mean, the way you phrase that makes it sound like they're going to be
kidnapping poor people in the streets to steal their organs if there wasn't a
law against selling organs, which doesn't make sense.

> Also I can still give facebook all my personal data. Simply facebook needs to
> get my consent to distribute and sell it and I will forever have some basic
> control on what data facebook has on me. The government has little to do in
> this.

So long as the government doesn't force companies to provide the basic
control, that's how it seems like it should work! (:

~~~
afiori
> I mean, the way you phrase that makes it sound like they're going to be
> kidnapping poor people in the streets to steal their organs if there wasn't
> a law against selling organs, which doesn't make sense.

My understanding is that figuratively speaking that is almost what happened
with subprime loans.

Corporations and market can have a lot of power in performing predatory
tactics. If drugs were simply legal quite a few businesses would sustain
themselves on other people's addictions.

One of the main reasons we need regulations is that any sensible and obvious
law (like not kidnapping people to harvest their organs) has loopholes (like
keeping people poor, ignorant and devoid of mobility (lack of education,
criminal convictions etc.)) so that they will agree to sell their organs.

Organ harvesting is a deeply extreme subject and obviously will not happen
with or without regulations, but modern free societies are built on the
free enterprise (eventually in the public sphere) of individuals and
consequently they need to handle when individuals gather too much power and
can destabilize societies.

Every free society has this problem (including bitcoin with a 51% attack) and
needs to find a solution to both promise rewards for personal enterprise and
incentives not to abuse the system (for bitcoin (IIRC) they are respectively
money and loss of hardware investment)

> So long as the government doesn't force companies to provide the basic
> control, that's how it seems like it should work! (:

(interpreting as government should not force companies)

My problem with that is that principles do not help us distinguish fair
competition from predatory unethical behavior. In the context of personal data
and privacy that is relevant as we live in a completely different universe from
just a few years ago.

Gossip is not illegal, but if you were magically able to listen to every
conversation in a 10 km radius that would be a problem. Legal and illegal are
often linked to how hard it is to do something and the scale at which you can
do it.

------
BeniBoy
"GDPR has been the death knell for small and medium-sized businesses [...]
Here is a partial list: [...] Unroll.me, inbox management app"

Don't know for the other companies, but for this one, good riddance, they had
a notoriously scummy business model[1].

[1]: https://www.nytimes.com/2017/04/24/technology/personal-data-firm-slice-unroll-me-backlash-uber.html

~~~
hannasanarion
Every single company on that list deserved to die.

~~~
starik36
That is a straight up dumb thing to say.

Care to explain why "Brent Ozar, IT consulting services" (first company on the
list) deserves to die?

~~~
hrktb
Phrasing is harsh, but from the sibling thread:

> If I had to face EU officials, I could never say with a straight face, "Oh
> yes, I was completely confident in WordPress's abilities to keep customer
> data secure."

Should this business really continue handling potentially user data if it
can’t guarantee it will be secure down the line ?

~~~
dwild
> it can’t guarantee it will be secure down the line ?

Then no business can handle user data?

There's no such thing as a guarantee. You can do what you define as the best
effort to secure it, but you can't guarantee it will be secure.

------
franciscop
Color me surprised, scammy businesses are losing millions and exiting the EU.
I'm totally happy about the outcome.

Though there is still a lot of abuse and dark patterns going on, I believe
most of them should make it as easy to "opt all in" as "opt all out" for the
cookies for instance.

~~~
maximus1983
The problem with any regulation is that it increases the startup costs for
smaller businesses.

So as more regulation comes in it will just end up cementing the large players
in place as they can absorb the costs of any regulation, while smaller
businesses will have higher startup costs (which let's face it were next to
nothing).

So while you may be rejoicing now that shitty companies have gone for now,
regulation will just make it harder for these massive companies to be toppled
as it makes it harder for smaller companies to comply.

The EU are trying to have article 13 pushed through and any site that has user
generated content will have to have some sort of upload filter to check for
copyrighted content. That is going to cost money to implement and since
Youtube hasn't really been able to achieve it, the only people that will be
supplying the software will be the likes of Google, Microsoft etc ... So again
it will just make it harder for the small business and help the large
businesses.

Also a lot of these regulations are making the web a shittier place.
Every time I go onto a site now, I have the stupid cookie and GDPR notice
plastered in front of what I want to look at. I already protect myself and don't
care about their attempt to track me. It is just an irritation that nobody
pays attention to and it achieves the opposite of what it was intended to
achieve.

~~~
oblio
Legislation is not meant for you (at least for now).

It's meant for those who cannot/do not know how to protect themselves.

~~~
MaxBarraclough
I don't see how this answers the point.

I'm of the opinion that privacy regulation is a good idea, but it's trivially
true that it's an additional burden for start-ups. The _Is it worth it?_
question is a legitimate one.

~~~
fromMars
Honestly, the biggest problem with GDPR is its current implementation, i.e.
the on demand wipeouts.

------
ivan_gammel
This all is a reflection of the old talks about the costs of doing technical
things right. One way of looking at them is that if something works for
business, we should not pursue better software architecture or improve
security or usability. Another way is to analyze and estimate the technical
debt and eventually start paying it. This is exactly what happens with privacy
now: business may cry about "removed incentives", "prohibiting costs",
"eliminated opportunities" and other BS, but in the end it's just a compliance
debt that they are not willing to pay. GDPR identified that debt and the
mechanisms for claiming it, that's it. After the dust settles, there will be
plenty of best practices and educated people which will make compliance easy,
certain business models unpractical and the business will go as usual. Yes,
compliance isn't a piece of cake, but there's nothing written in that law
which a sane engineer or manager would not implement. Even the right to be
forgotten makes sense: information about past crimes distributed via search is
a kind of extrajudicial punishment which makes it much harder for people who
already served their sentence to find a job and return to normal life. It's a
job of a government to prevent them from committing another crime, it's not a
job of a search engine or a news website.

~~~
tschellenbach
I don't think it's the goal of privacy or the tech that caused the costs to be
so high. Probably more related to the ambiguity of the law.

~~~
ivan_gammel
I don't think the law is ambiguous. It's usually the situation when GDPR is
already violated or going to be violated and data processor wants to find the
least expensive solution to reduce the risks. In other words, it's not "How we
should do it?", but rather "How difficult it will be to challenge our solution
X in court? What are our chances to win?" THIS is ambiguous, but it's the same
with any regulation.

~~~
jib
The regulation is very ambiguous.

Try to understand what is even personal data from this:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/

It is all about risk, ambiguity and individual circumstances. I don't think
that is bad, but there is no clear record of what it even is we are meant to
protect.

~~~
crankylinuxuser
It is and it isn't.

If you're in the business of "doing free services so you can skim GB's of data
from users" or you "sell wholesale data collected without notice", the EU
doesn't want you.

If you're doing a good job of keeping user data private except at the direct
request of a user in a plain-language direct permission, then you're doing a
good job to the GDPR. Slipups happen, and as long as you do your best to stop
the bad thing, limit the breach, notify users, and be a good steward for their
data, then it's all good.

As a US citizen, I try to make a point to only work with companies that adhere
to the GDPR. I know they don't _have_ to do so with me. But it tells me
their internal processes are set up to respect the user's rights. And well,
running dual systems for different compliance regimes is a tough sell - it's
easier to do 1 big system.

~~~
erik_seaberg
> as long as you do your best to stop the bad thing, limit the breach, notify
> users, and be a good steward for their data, then it's all good

If that regulator happens to like you. There is no schedule of offenses and
penalties and due process, only an absurdly high maximum for selective
enforcement.

~~~
jib
And there are a lot of regulators. Some of them a lot more combative than
others. That is my main reason for dislike for the regulations.

Overall I support the regulations, but I really wish the penalties had more
documented structure than “We will fine you anywhere from 0 to an 8 digit
number (in our case) depending on what we think is right”.

~~~
afiori
The negative outcome of more specific fines is that they get progressively
easier to circumvent.

------
WA
This is a very interesting list, especially the part about the GDPR increasing
the attack surface and where the data gravity center is.

The part about "compliance cost" should be taken with a grain of salt. If you
were compliant before, because you respected the users’ privacy, the effort
was relatively low.

The study about VC having dropped by 50% in the EU because of the GDPR sounds
pretty weird to me. Unless of course there’s selection bias and we’re talking
AdTech companies mostly.

An interesting number would be: how many people closed down forums and moved
their discussion boards to Facebook?

~~~
JumpCrisscross
> _If you were compliant before, because you respected the users’ privacy, the
> effort was relatively low_

This is not true. Even if you are perfectly compliant, you need a complaint-
response mechanism and lawyers in the EU ready to react to invalid
accusations.

Given GDPR took a complain-investigate model, one also needs to be ready for
power-tripping regulators. (Recall the Romanian data protector using GDPR to
seize sources from a newspaper investigating corruption allegations [1].)
Protecting against that requires, if not active lobbying, keeping lobbying
connections warm. That costs money.

Ironically (and predictably), I’ve seen more data being funnelled to Google
than before. They have the scale to deal with this crap in each of the EU’s
(currently) twenty-eight member states.

[1] https://www.techdirt.com/articles/20181114/01491541047/yet-another-gdpr-disaster-journalists-ordered-to-hand-over-secret-sources-under-data-protection-law.shtml

~~~
Quanttek
> Given GDPR took a complain-investigate model

Ironically, when GDPR came into effect so many on HN were spreading fake news
that companies would be litigated to death by users. Of course, to remove that
possibility and ensure only legitimate claims are pursued, the data regulation
authorities act as middle-man. Such cases of abuse could also just as easily
be done when people could sue. For example, nowhere does the GDPR imply that
you need to hand-over a source - that goes for journalists as well as non-
journalists. Companies sued have the right to appeal and, if GDPR wouldn't
have existed, the Romanian authorities would've probably just used e.g. tax
law to stifle the RISE project.

~~~
JumpCrisscross
> _nowhere does the GDPR imply that you need to hand-over a source_

Complain-investigate compliance regimes tend to result in deference due to the
cost of investigations and other informal expenses regulators can rain upon
the regulated. (It works in finance because financial firms have the margins
to support it. Also, the industry regulators are checked by both the courts
and a public regulator, the SEC.)

Complain-investigate is thus a terrible structure for a general business law.
Strict liability for data loss or mis-use (including the rights to data
transcripts and deletion) would have been simpler. (Albeit, less profitable for
European law firms.)

Long story short, GDPR’s aims and technical costs ( _e.g._ deleting user data
from backups) are fine. The problem is the compliance structure. It’s
fundamentally incumbent-biased, commercially and politically.

------
csense
My question is, if you're a US startup, and you simply ignore GDPR requests,
what happens?

Does Europe have some way to require its ISP's to firewall you off or
blackhole your DNS? Can they force Amazon to shut off your AWS account? Do
your executives risk being taken away in handcuffs to a European jail when
they go to Europe on vacation?

If there are no consequences, why don't US tech companies just completely
ignore it? (Of course, big players like Google probably have EU-based
datacenters and other assets that could be seized to pay their fines. I'm
thinking of small, cloud-hosted startups whose employees, bank accounts and
physical assets are all on US soil.)

~~~
wongarsu
> If there are no consequences, why don't US tech companies just completely
> ignore it?

Once you grow big enough the EU will inevitably have leverage over you:
Servers rented in the EU to lower latency, payment streams from EU customers,
offices in the EU to get talent, subsidiaries created for tax reasons,
executives on vacation, employees on conferences, money spent on advertising,
etc.

If you are a startup in SV the EU might not have much direct pressure it can
apply, but how would an investor react when given the choice of "we could
spend some more money now, or we could do nothing and be significantly limited
once we grow to a certain size, basically unable to do anything significant in
one of the largest economies of the world".

~~~
JumpCrisscross
> _how would an investor react when given the choice of "we could spend some
> more money now, or we could do nothing and be significantly limited once we
> grow to a certain size, basically unable to do anything significant in one
> of the largest economies of the world"_

The simplest solution would be ignore GDPR, dominate the American market
(which is easier to scale across than the EU), and then use that momentum to
launch a simplified version in Europe. (Or buy a competitor.) The scale
advantage will almost always outweigh being prepared for multi-market growth
from the beginning.

~~~
s_dev
Which gives ample room for a European competitor that does adhere to GDPR to
clean up the EU market. We live in a very globalised world and the EU knows
the leverage it has -- just as the US knows its soft power extends well
beyond her borders.

~~~
JumpCrisscross
> _Which gives ample room for a European competitor that does adhere to GDPR
> to clean up the EU market_

Agreed. My point was with respect to an American start-up—compliance with GDPR
is of lower priority than scaling. The priority, for both, should be scaling.

Advantage goes to the American start-up, however, in launching from a single
market. But one might counter-argue that consumers in _e.g._ China will prefer
to do business with European start-ups over American ones due to GDPR. (No
evidence for that. But it’s a valid hypothesis.)

------
njharman
I never understood how anyone thinks being forgotten is a right. Wrong, false,
liable, limited set of privacy related information should be correctable,
removable. But facts about you and what you’ve done, no. I’m sorry you made
embarrassing mistake. But it’s not worth losing so much public information and
enabling bad actors to save yourself from your own actions.

~~~
fromMars
Agree, and it doesn't even exist in most domains. I can't expunge my school
transcripts or information from credit bureaus.

Do we really think a society where there is no public information about people
is better?

~~~
izacus
Which country in Europe are you from that school transcripts are public?

~~~
fromMars
That's a fair point. It isn't public information.

But, GDPR applies to any information, even if it isn't available publicly.

~~~
afiori
But it does not apply to governments

------
skybrian
It seems like a biased list, but it's good that someone is collecting links
about these incidents.

~~~
Operyl
It seems like there’s things from both sides of the camp on first glance, can
you point out the bias you see? (Legitimate question, and I only quickly
glanced.)

~~~
skybrian
I'm judging by "Compliance costs are astronomical" when the supporting
evidence is largely estimates from before it went into effect.

So you can't take everything too seriously, but still, it's good to collect
more links. Also, the author is being clear about the weakness of some of the
supporting evidence.

------
NewsAware
The article vaguely links Cambridge Analytica to GDPR. Is there really a
connection or is the article merely trying to frame GDPR negatively by
comparing?

~~~
captainbland
I don't think so. The APIs that Cambridge Analytica were taking advantage of
were available long before GDPR became enforceable and are most likely illegal
under GDPR because they allowed third parties access to your personal
information without your consent - where it was a friend of yours who
consented to revealing their information, Facebook would also reveal some
information about you.

The Wikipedia article actually details all this quite well in the fourth
paragraph (obviously without reference to GDPR):
https://en.wikipedia.org/wiki/Cambridge_Analytica

------
nudpiedo
Meanwhile, people started to believe that Google reads their mind and society
evolved the way they behave as The Internet transforms the consequences for
acts such as chatting or posting things in public (or having certain opinions
in public)... I think GDPR same as other laws protecting citizens from The
Internet failed to protect the user, even if it was a good first try, to begin
with. Hope some standardization will come in the future to prevent all cookies
or some HTML tag standard or whatever.

~~~
dcbadacd
We have the Do-Not-Track header that should be interpreted as a denial to all
cookie notices and GDPR requests but they didn't write that into the law.

~~~
nudpiedo
Exactly, that's what I mean: it cannot be part of a law... but such standard
must exist and be enforced by the browser, same as window.alert is a browser
pop up and not a javascript one. The cookie rejection should do it in the same
way.

Laws like GDPR are encountering problems to be enforced without being too
intrusive with the technology and the freedom to create products/standards.

------
pixelmonkey
I have an interesting question about GDPR and all legal compliance efforts.
When GDPR was first announced, I studied it in-depth because I'm the CTO of a
company involved in first-party content analytics, and I wanted to ensure we
complied.

In addition to making changes internally and technically to ensure compliance,
I also prepared a long Google Slide presentation that basically summarized _my
technical understanding of GDPR, after receiving the advice of several privacy
attorneys_. The information in this slidedeck was presented to my whole
company, as a way to further ensure compliance -- to make sure my employees
understood the policy at least as well as I did, since I had spent countless
hours discussing the implications of the law -- as well as reading the raw
text, which is excellently published/annotated by Algolia here:
https://gdpr.algolia.com/gdpr-article-1

My inclination was to _publish_ this deck I had painstakingly prepared
publicly, because certainly it would be valuable to others. I publish a lot of
stuff publicly on our blog, for example:
https://blog.parse.ly/post/author/andrew-montalenti/ -- with
the only goal being to share information with the community.

But then, one of my attorneys advised me against this. Basically, the concern
was that if I publish something publicly about my understanding of GDPR, and
it contains an error of understanding (after all, IANAL), then I could be held
accountable for that. That felt really crappy to me -- after all, I'm just
doing the best I can, and it seems like there's a _lot_ of misinformation
about GDPR out there on the web. Does anyone know anything much about this? To
what degree can a company executive get him or herself in trouble for
publishing a document that summarizes his or her own understanding of the
effect of regulation, if the executive's company is potentially affected by
said regulation?

~~~
MaupitiBlue
I am not an EU attorney, but typically the risk with publishing something like
that is not that you make a mistake, but rather you get it right. The problem
arises down the road when your company does something that violates the law.
Now your wonderful presentation is used to prove that your company knew it was
violating the law, even though the actual circumstances may be a bit more
complicated.

~~~
Faark
Also getting it wrong might indicate they are unintentionally not GDPR
compliant and make others aware of that fact. But would that actually be worse
than regulators finding out later? Especially when you want to comply?

------
lucb1e
Well that's a rather biased account with cherry picked and anecdotical
evidence.

------
addicted
The major benefit that GDPR has brought (at least in our company, and I
suspect in other companies as well), is an increased emphasis on not storing
user data that is not needed. The idea that user data is useful, but it’s also
a liability.

This likely will lead to certain private data that companies would otherwise
have saved, because why not, not being saved anymore, which would reduce the
damage caused by a breach, which will never show up in numbers and stats.

------
billconan
When GDPR first came out, I found the terms pretty vague. I don't know how I
can implement it.

For example, a user's email is Personally Identifiable Information. When the
user wants to delete her account, I shall remove her email. This is easy.

But what if in my comment system, another user mentioned her email in a
comment. Do I need to remove this comment too? What if this comment has
replies too, should I remove all the replies?

What if a competitor makes use of these undocumented gray areas to attack my
business?

~~~
Drdrdrq
Yes, you need to remove the said comment (or PII in it) _upon their request_
(ianal,...). I don't see how a competitor could abuse that.

~~~
billconan
Because you now need to implement a full text search or even natural language
processing to identify personal identities in your comment, and that’s quite
challenging. An evil competitor could register several accounts, purposely
leave those comments with personal identities of those accounts on the system
and then request to remove one of the accounts.

Your algorithm needs to parse those comments, identify which comments
mentioned the to-be-removed identity, and remove them without breaking the
integrity of your database. Failing to do that, you get sued...

------
jaabe
I think we went in the wrong direction in terms of public data. It really
isn’t in my best interest as a citizen that our public sector can’t use my
data to run more effectively, spot health issues sooner or perform city planning
based on citizen-mobility rather than educated guesses.

I think it’s absolutely the right direction for private companies though. I
know, I know, a lot of you are distrustful of government, but I’m Danish and
we generally trust our public sector to an extent that would truly surprise
a lot of you.

So with that out of the way, I think it’s a shame that we spend so much public
funding burying public data in silos. I think we should absolutely keep
citizen data safe, but I think we should also use it and perhaps work to make
some of it less sensitive. Because some of it frankly doesn’t have to be
sensitive.

In my country we have a social security number. You get it 1-5 minutes after
you’re born, and in the olden days, it was used to identify you when you
wanted to do things like open a bank account. It’s still used for that to some
extent, but in the meantime we’ve created this thing called NemID (soon to be
mitID), which is a national 2-factor secure digital identity, that we use to
enter online agreements because it turned out that your social security number
wasn’t actually safe. We’ve also had leaks and hacks exposing nearly half of
the current social security numbers over the past 25 years.

Because a social security number is deemed sensitive by the GDPR, we’re
spending hundreds of millions on the bureaucracy around it. It’s by far the
most reported thing to our national data protection agency, I think almost 80%
of the public cases involve it. And it makes no sense.

Why the hell didn’t we make it illegal to use it as an identifying number
instead? It would have saved us so much money.

And that’s just one issue with the GDPR. Another is machine learning and data.
This is obviously a sensitive area. I don’t personally think we should troll
through citizen cases to try and find possible alcoholics. Maybe someday, but
society has to deem it morally acceptable first.

I do think we should use citizen data to schedule shifts though. It makes no
sense to me, to have 10 nurses and 15 teachers do full time scheduling in a
city of 60,000-100,000 citizens when an algorithm can do it instead. But we
can’t, because the GDPR prevents us from using data that way.

I like the GDPR, but I think it needs a revision for the modern public sector,
and I think we should really ask ourselves what we want with our data.

Do we want to spend trillions on a bureaucracy guarding it, or do we want to
demystify some of it and put it to good use, so we can spend the trillions on
nurses, teachers and better infrastructure?

/disclaimer I work in the public sector.

~~~
return1
> I’m European, I trust my government

I think it would help to state your nationality, European governments range
widely in trust levels from west to east, and there are a lot of governments
in there. I wouldn't trust the greek government for a second.

[An example: the social security number (which is given to every
doctor/pharmacy/etc) contains verbatim the date of birth and sex of the
citizen, and this has been deemed lawful]

~~~
tyfon
I'm Norwegian and I also trust the government in most cases.

But I agree there are several European governments I would not trust.

~~~
hdfbdtbcdg
Really? Even after they tried to bring in mass surveillance only a couple of
months ago? Even when they want to give double prison sentences to people who
live in certain areas?

As a foreigner living there you might be less trusting as well. They are
constantly changing the rules to make it harder for legal residents to settle.

------
jandrewrogers
This overlooks one of the biggest under-reported problems GDPR has created: a
large percentage of all _industrial_ sensor data is "personal data" under
GDPR. These are systems and companies that nobody associates with collecting
or using personal data, because their business isn't about people, but the
regulations have defined the scope broadly enough that there is universal
agreement among their legal experts that they are liable for not treating this data
as "personal" under GDPR.

This raises some difficult challenges that the average Internet business
doesn't have to deal with:

- Compliance with GDPR requirements for personal data in many industrial
settings is operationally impossible. These aren't Internet ad tech databases.

- Some industrial systems aren't the kinds of things you can trivially
upgrade to make them compliant in any case. We are talking embedded systems
with operational lifespans measured in decades. In many cases there are
_other_ strict regulatory compliance requirements around the design and
modification of these systems.

- The workloads and data models for some high-scale sensor data models make
it technically impossible, given the current state of computer science and
hardware, to comply with some obligations under GDPR when handling "personal"
data. And for a much larger set of systems, it would be economically
implausible even though theoretically possible.

- Sensor data infrastructure software often lacks the basic functionality
required to support compliance, as the functionality that the regulators
assumed exists for other purposes has no purpose in this context and therefore
has never been implemented. There is a disconnect between what is required of
the software users and what the upstream vendors can or are willing to
provide. These aren't software companies.

- For some specific industry sectors, compliance costs disproportionately
fall on EU-based companies by virtue of the fact that their primary operations
are in a European country, even though they sell into a global market. That's
an economic own goal.

This has become a Sword of Damocles over some industrial companies because
their legal teams have studied their exposure to GDPR, identified substantial
compliance obligations, and _realized that compliance is effectively
impossible_. It is pretty clear to me that the regulators were so focused on
Internet advertising companies and similar that they were completely oblivious
to the unintended consequences for unrelated industrial sectors.

I've been studying this problem for a few industrial sectors for a couple
years now. You have companies scrambling to find technology that often doesn't
exist and in some cases requires hardcore computer science R&D before it could
exist. And this is a business opportunity for someone to add a tax to what
these companies produce. But the worst part is that this extremely expensive
compliance exercise does almost nothing for personal privacy because most of
this data was being collected for boring industrial applications.

~~~
jorams
> a large percentage of all industrial sensor data is "personal data" under
> GDPR

Could you give some examples? I can't think of anything off the top of my
head.

~~~
jandrewrogers
Many industrial companies measure the operational environment at massive
scales now using multimodal sensor networks and platforms thanks to plummeting
sensor costs -- LIDAR, hyper-spectral imaging, video, RF/radar, audio, remote
sensing, chemical and particulate sensors, et al. The exact mix and scope of
coverage varies with industry and company. Sectors are diverse and include
automotive, utilities, agriculture, oil and gas, logistics, etc. The sensor
data is primarily used to manage risk, increase efficiency, improve safety,
adapt to changing conditions, respond to incidents, do preventative
maintenance, and similar.

Any sensor platform that can detect the existence of an entity in space and
time _and_ is measuring space where people exist, which is most of them, is
collecting personal data. A sophisticated party can reconstruct the identity
of detected entities in the sensor data in a straightforward way. Typically,
the sensor coverage inherently collects data on a large number of people from
which it is impossible to obtain consent, whoever happens to be within or
wanders into the sensor range. The detectable people in these sensor data
models are analytical by-catch. I've demonstrated this to many organizations
using diverse exhaust from industrial sensor systems never designed for that
purpose.

Some of these data models are incredibly large and fast moving, petabytes per
day. Many of them collect data in federated environments that are severely
bandwidth-limited and energy restricted; while the data model is very rich,
there aren't enough local resources to do anything outside the designed scope.
You can neither push compliance operations to the data, since there isn't
enough compute, nor can you backhaul it to someplace that does. The aggregate
data models can exceed an exabyte, so you aren't indexing where people are
(that would be incredibly expensive) and any attempt to brute-force search to
identify people for compliance purposes would effectively be a denial-of-
service attack on the system.

tl;dr: the scale and scope of external environmental sensing platforms
increasingly used by industrial companies inherently allows you to detect the
locations of many people in space and time that are unrelated to the business
operation. The necessary scale and operational architecture of these systems
make GDPR compliance technically implausible.

------
idlewords
Listing Klout as a casualty of the GDPR is like listing polio as a casualty of
vaccination. Ditto for the vast swamp of ad intermediaries. It shows the
legislation working as intended.

------
_fizz_buzz_
I am pretty ok with most of those. However, article 17, the right to be
forgotten sounds extremely problematic.

~~~
ivan_gammel
The right to be forgotten is the equivalent of the right to no punishment
without the law. The deeds must be interpreted and judged by a court, not by a
public, basing their opinion on newspaper publications. When someone is denied
a job because there was some news about him in Google from many years ago,
it's a form of extrajudicial punishment, which is illegal, and must be
prevented.

~~~
seventhtiger
It's far too powerful. It makes sense when you think of publishers and
articles about criminal cases.

It becomes much harder in social media. If I type your name in a comment that
I own, the platform becomes obligated to destroy my intellectual property to
satisfy your right to be forgotten.

If a book is written with a politician's name in the title, can the politician
ban this book from the Internet?

~~~
afiori
> If a book is written with a politician's name in the title,

The politician would need to argue that his/her own name is problematic.

> If I type your name in a comment that I own,

If you write a long comment about how I am a terrible person because of actions
I took 10 years ago and are no longer relevant, yes. As far as I understand
the right does not apply to you human to be forgotten, but to specific
information about you that is no longer relevant.

~~~
seventhtiger
You are giving a government body the power of total Internet censorship and
trusting in their opaque process to determine whether each request is
warranted or not.

I can understand many arguments for censorship for the greater good. This is
censorship as an individual right enabled by a closed review process.

I believe it will have far reaching implications and it will be fertile
grounds for corruption. A massively powerful governance tool is created and
all its stated goals are of limited public good.

------
liveoneggs
Every GDPR request I've seen has been public figures (actors, etc) asking to
be forgotten from commercial acts (movies) they were in and no longer like.
It's ridiculous.

------
fromMars
I am sure I will get downvoted to oblivion, but I think GDPR is a colossal
waste of time and money.

I think mandatory do not track settings are great, but the right to be
forgotten is too onerous to implement and not present in other domains.

They do make it harder for smaller businesses to compete.

I can't go to my school or a credit bureau or an insurance company and say
that all my past history should be forgotten.

Why should we enforce such a regulation online?

~~~
pleasecalllater
OK, can you also post here all your personal details, so I could sell them to
anybody who wants to exploit them to earn money? OK, fine, you don't want to
post it here. Could I get them from your bank, work, friends, family, post it
here and sell to anybody?

~~~
fromMars
This is a strawman. You are talking personally identifiable information and
data usage policies which is an entirely different thing than the requirement
for all data to be deleted.

~~~
detaro
> _You are talking personally identifiable information and data usage policies
> which is an entirely different thing than the requirement for all data to be
> deleted._

Could you explain a bit more by what you mean? GDPR only concerns itself with
personally identifiable information, and is at its core about the rules for
"data usage policies" around it (which of course will involve rules for when
to delete data).

~~~
fromMars
Are you sure that GDPR only concerns itself with PII information? In other
words, is it legal to collect information about users as long as it isn't tied
to PII?

I consider PII to be things like name, Social Security Numbers, a credit card
#, an email, DOB, etc.

You seem to be suggesting as long as the data isn't associated with the above
or can't reasonably be tied to the above then GDPR doesn't apply.

I am in favor of rules around the usage and collection of PII information.
i.e. that information should not be shared with other parties without the
user's consent and in general access should be restricted.

My main beef with GDPR, is the difficulty to implement such a system, with on
demand wipeout.

~~~
detaro
"just PII" was a bit too strong, but this is how GDPR defines personal data,
which is what it regulates:

> _‘personal data’ means any information relating to an identified or
> identifiable natural person (‘data subject’); an identifiable natural person
> is one who can be identified, directly or indirectly, in particular by
> reference to an identifier such as a name, an identification number,
> location data, an online identifier or to one or more factors specific to
> the physical, physiological, genetic, mental, economic, cultural or social
> identity of that natural person;_

_Identifiable_ is core to this definition. It's important to note that it's
taken so far that it's enough if others can establish the link, which is why
things like IP addresses or photos fall under it, even if I as a website
operator can't just go ask ISPs for the user behind an IP.

> _with on demand wipeout._

I keep coming back to that: GDPR only has something I'd call "on-demand
wipeout" if your only base of processing is "I've asked the user for consent",
because they can revoke said consent (or if you kept data without
justification of course). If you need the data to fulfill a contract, you can
store it as long as that's still true. If you're legally obligated to keep
records, the person can't just request you delete it. If you can argue a
strong overriding interest to keep some data, you can keep it - although that
one is of course open to interpretation when your interest is actually
weighing higher than the person's interest (an example might be fraud
prevention records)

------
umvi
Does GDPR mean blockchain based records are illegal? If a user's data is in
the blockchain, there is no way to delete it...

~~~
lewis1028282
Yes but it is personal information about a living person? I doubt it, it's
pseudo-anonymous so I believe it is legal under GDPR.

~~~
Avamander
Certificate Transparency logs contain personal information about a few people
right now. Is that legal?

~~~
anticensor
Yes, but can only be used to contact certificate authors about
certificate-related matters.

~~~
Avamander
You're wrong, just search for ESTEID in the logs.

~~~
anticensor
EstEID is a purpose-built identifier. They are subject to a different law.

~~~
Avamander
How is a purpose-built identifier uploaded without explicit consent somehow
not subject to GDPR?

------
friedman23
> Startups: One study estimated that venture capital invested in EU startups
> fell by as much as 50 percent due to GDPR implementation. (NBER)

[https://www.nber.org/papers/w25248](https://www.nber.org/papers/w25248)

That is massive. This will just further brain drain even more.

------
simplecomplex
Glad I live in and do business from the US where we don’t have to deal with
this wasteful and oppressive law.

------
rietta
Pottery Barn, owned by Williams-Sonoma, is a weird mention. They sell
household goods from mall stores and their online catalog. Their exposure to
GDPR should be pretty minimal. Ship the product and don't sell your customer
list and basic security work that they should be doing already.

------
downandout
This seems like a pretty even-handed analysis of the consequences of GDPR. I
correctly predicted most of them, and have been highly criticized for it.

It’s truly stunning to me that a community like HN that consists of many
current and future startup executives can be so adoring of regulation that has
“been the death knell for small and medium-sized businesses“ and for which
“compliance costs are astronomical” according to the article. I sense that it
is mostly the vocal minority making these comments that ignore the seriously
negative consequences of GDPR and paint any company or person that is critical
of it as a privacy abuser. I suspect that it is the same small group of
abusive users that downvote any comment critical of GDPR into oblivion. Still,
it is a very bad look for a community that claims to be so invested in startup
culture.

It really is OK to recognize that something with good intent (privacy
legislation) can be poorly written and consequently fraught with problems
(like GDPR). Any idiot could have predicted that the fine structure they
imposed meant potential death for small businesses and a mere speed bump for
large ones. GDPR should be torn up and rewritten. The fine structure should be
a percentage of revenue, period - not 4% of revenue or €20 million, whichever
is higher. That is ludicrous and was designed specifically to drive small
businesses out of the market.

~~~
downandout
_I suspect that it is the same small group of abusive users that downvote any
comment critical of GDPR into oblivion._

Case in point, this post. Downvoted with no replies - just a handful of people
hiding behind their mice with no counterarguments.

------
davidhyde
Highlighting the cost of privacy is the very point of GDPR. This is the only
way companies will stop collecting personal data by default and think very
carefully about the consequences of what they keep.

------
scarlac
Several specifically _pre_-GDPR issues are mentioned but still attributed to
GDPR.

GDPR is a win for the consumer. Not perfect, but overall a great step forward.
But I do think The Right To Be Forgotten is a terrible idea. However, it was
NOT introduced with GDPR, and there are several cases prior to GDPR.

Perhaps there are good points to be made. But the article fails to stay sober
with the misleading and sensational claims.

------
mola
Yes, an economy based on deception that uses its customers in unknown ways,
most of the time in ways entirely unrelated to the product, is failing after
appropriate regulation.

All consequences seem entirely acceptable.

Businesses must act with responsibility for society. The regulator is usually
lax, until all hell breaks loose.

~~~
jasonkester
Those businesses seem to all be doing fine. They just implemented one of those
annoying pop ups that you have to agree to before you can see their site, and
they’re still doing all the same things with your data. But with your
“permission” now.

All the other businesses, though, the ones who were never planning to do
anything bad with your data. Those ones still all had to do a bunch of work
and show that same stupid notice that drives their customers away. And they’re
a lot less able to defend themselves against the mean spirited user behaviour
outlined in the article.

And for added fun, the EU now knows that it can pass silly laws like this as
often as it likes, and the whole software world will need to devote a team to
do a full sprint implementing another piece of user hostile code that doesn’t
help their business.

I’m not a fan.

~~~
lone-commenter
> another piece of user hostile code that doesn’t help their business.

That's entirely their problem. Compliance with the law wouldn't require user-
hostile "code" (I think you meant UI) if the business model wasn't user-
hostile in the first place. It wouldn't hurt their business if their business
was reasonable.

~~~
Mirioron
If the business is user-hostile then why do the users use these services
instead of paying for services that aren't "user-hostile"?

~~~
lone-commenter
True. Users prefer "free" services. I can imagine that some do prefer paid
services, but the majority expects things on the Internet to fall from the
sky.

That said, I think your point doesn't prove those businesses good to have.

------
anoncake
> If your account gets hacked, the hacker can use the right of access to get
> all of your data.

If your account gets hacked, the hacker has access to your account. Duh.

> The right to be forgotten is in conflict with the public’s right to know a
> bad actor’s history (and many of them are using the right to memory hole
> their misdeeds).

People can change. Newspapers can exaggerate one's misdeeds.

> And the right to opt-out of data collection creates a free-rider problem
> where users who opt-in subsidize the privacy of those who opt-out.

Opting out of data collection _isn't a thing under the GDPR_. Breaking
business models that involve people selling their privacy is an intended
consequence of the GDPR.

> “Amazon sent 1,700 Alexa voice recordings to the wrong user following data
> request” (The Verge)

Doesn't sound like a company that can be trusted to ensure people's privacy
without regulation.

> “The problem with data portability is that it goes both ways: if you can
> take your data out of Facebook to other applications, you can do the same
> thing in the other direction. The question, then, is which entity is likely
> to have the greater center of gravity with regards to data: Facebook, with
> its social network, or practically anything else?” (Ben Thompson)

Freedom includes the freedom to make bad decisions.

> “Presumably data portability would be imposed on Facebook’s competitors and
> potential competitors as well. That would mean all future competing firms
> would have to slot their products into a Facebook-compatible template. Let’s
> say that 17 years from now someone has a virtual reality social network
> innovation: does it have to be “exportable” into Facebook and other
> competitors?

No more than Facebook has to create a search engine so you can export your
search history into Google.

> “About 220,000 name tags will be removed in Vienna by the end of [2018], the
> city’s housing authority said. Officials fear that they could otherwise be
> fined up to $23 million, or about $1,150 per name.” (The Washington Post)

The data protection authorities later told them that this is bullshit.

> As of March 20, 2019, 1,129 US news sites are still unavailable in the EU
> due to GDPR. (Joseph O’Connor)

"Losing" businesses that don't respect privacy is intended. It's kinda
flattering that so many US news sites specifically cater to EU residents,
making them subject to the GDPR. But frankly: We don't care much about your
local news.

> During a Senate hearing, Keith Enright, Google’s chief privacy officer,
> estimated that the company spent “hundreds of years of human time” to comply
> with the new privacy rules. (Quartz)

> However, French authorities ultimately decided Google’s compliance efforts
> were insufficient: “France fines Google nearly $57 million for first major
> violation of new European privacy regime” (The Washington Post)

The French authorities rightfully didn't care how much time Google spent on
not complying with the GDPR.

> Tradeoff between privacy regulations and market competition

Oh no, we might lose the ad market.

> GDPR has been the death knell for small and medium-sized businesses

Companies that cannot safeguard their users' privacy shouldn't exist, not to
mention those whose business model is based on infringing on their users'
privacy.

\---------------------------------------------

The "arguments" ad companies use against the GDPR are just absurd.

EU 2016: We don't want businesses based on violating our citizens' privacy to
operate anymore. You have two years to comply.

Ad companies 2018: Evil government! If you force us to stop violating our
customers' privacy, we will stop violating our customers' privacy! You will
regret this! And why didn't you warn us?

\---------------------------------------------

GDPR: You must ask your customers to opt into data collection, letting them
opt out is not sufficient.

Ad companies: The evil EU fined us for not complying with the GDPR! That's
unfair! How could we know that "letting them opt out is not sufficient" means
that letting them opt out is not sufficient? The GDPR is so vague! And we
spent so much money on not complying!

~~~
rndgermandude
> GDPR has been the death knell for small and medium-sized businesses

Yeah, and drug and tobacco regulation was the death knell for many small and
medium-sized businesses. Kill the GDPR, Abolish the FDA!

------
admax88q
> Amazon sent 1,700 Alexa voice recordings to the wrong user following data
> request

You know the best way to prevent sending 1,700 voice recordings? Not making
1,700 voice recordings in the first place.

Amazon will eventually mess up and send leak data to the wrong person. Blaming
this on the GDPR is stupid. If Amazon actually respected user privacy they
wouldn't make those recordings in the first place.

------
duxup
I like the philosophy behind GDPR.

I just think it misunderstands how people actually behave.

Human behavior is always a challenge for any regulation. These are early days
for digital age regulations, even the best efforts will be hit or miss at best
I think.

------
anotheryou
And does it really protect much? As long as you sign an agreement with the 3rd
party that they value GDPR you are all golden, no?

~~~
scrollaway
It's not just for protection but also for control, which GDPR excels at. I am
able to retain full control over where my data goes, who is allowed to have
it, I can make sure it's deleted when I don't want it there, and I can
actually request to have it.

~~~
WA
I’m not so sure about that. Sure, in theory this works, but if your data was
shared with thousands of companies, how do you know it really was deleted?
Furthermore, GDPR still has the thing that businesses are allowed to have a
legitimate reason for keeping your data.

So far, as an end user, the GDPR doesn’t feel like anything changed at all.
Facebook and Google still gather shitloads of data with zero control on my
side. Cookie warnings on every website and loaded with dark patterns (link
leads to link, leads to link, leads to link, leads to server timeout). I
simply accept these popups and trust uBlock Origin to actually block the whole
AdTech shenanigans, instead of relying on their popup bullshit.

------
LaGrange
..Amazon not doing due diligence ain't a GDPR problem. The only problem is
that those two values are way too low:

* €55,955,871 in fines

* €50 million of which was a single fine on Google

Those are a joke. Considering what's going on, those values should be orders
of magnitude higher.

~~~
criley2
> Those are a joke. Considering what's going on, those values should be orders
> of magnitude higher.

Frankly, I think higher fines and more aggressive fining would even further
deepen the business moat that mega businesses are already developing over
small and medium.

The article already describes how the current regulatory regime boosted Google
and big players 20-40% directly at the cost of small and medium (not in the
top 100 or top 50) sites.

Frankly, I think European countries should just take the China approach and
ban American companies because there isn't going to be a regulatory structure
that works here, and they're only going to hurt their domestic competition by
playing this stupid game.

~~~
seanmcdirmid
China doesn’t ban American companies for that reason, they ban them because
political dissidents could use them to communicate privately (gmail) or
publicly (YouTube Facebook twitter....). Not all American companies are
banned, either.

~~~
kkarakk
But it works out that way - India is following a similar strategy now and some
Southeast Asian countries are following suit

~~~
seanmcdirmid
India won’t block Facebook. Or YouTube or even twitter. They would have huge
riots on their hands if they did.

~~~
kkarakk
India blocked Facebook internet, India is blocking FDI (Foreign direct
investments), i.e. Walmart can't come in and put everyone out of business etc.

------
xwdv
Unintended consequence: because children are under the custody of their
parents until they become adults, a parent could easily go in and demand the
entire history of data a company collected from their child be provided; a
gross violation of their right to privacy which some argue doesn’t even exist
anyway.

~~~
drawnwren
Do people believe that children have a right to privacy from their parents?

~~~
DanBC
Yes, of course. Imagine a father who rapes his child and abuses his wife. The
child is removed from the father by the mother who goes into hiding, but with
temporary legal approval.

We don't want the father (who likely retains some element of parental
responsibility until the court case has finished) to be able to get the child's
location by SARs.

In Europe children are humans and humans have rights. Children are not the
property of their parents.

~~~
drawnwren
This seems like a problem with the temporary legal approval and not a genuine
response to the question. In the US, parents accused of abuse are denied all
parental privilege/responsibility at the beginning of the accusation until it
is proven that the parent was innocent.

~~~
DanBC
Parental alienation is a thing. If the mother was making it up you'd be
denying the child's right to a family life with its father, and the father's
right to a family life with his child.

~~~
drawnwren
I was just stating how it works in the US. My mother was accused by neighbors
when I was a child (certainly a much weaker tie than parental). I was taken
away by the state immediately while they investigated. The claim was
determined to be founded and the state took permanent custody.

------
dmitriid
> And the right to opt-out of data collection creates a free-rider problem
> where users who opt-in subsidize the privacy of those who opt-out.

The actual fuck? Pardon the language, but I cannot express this strongly
enough.

What does “subsidize” mean? Users who agree to sell their data subsidize those
who agree not to sell their data? And not having to rely on data sales puts
financial burden on companies and drives them out of business? _Good riddance_

------
Virtuoso
Can GDPR be used to actually destroy a company operating online in the EU? I'm
guessing it could be, by simply overwhelming them with valid requests under
GDPR, like "Give me all my data!"

~~~
DanBC
> by simply overwhelming them with valid requests under GDPR,

Doesn't work in the UK because the request has to be genuine and not
vexatious.

[https://2040infolawblog.com/2019/05/19/a-cure-for-blindness/](https://2040infolawblog.com/2019/05/19/a-cure-for-blindness/)

> The relevant text in the final version (Article 12.5) is as follows:

> Where requests from a data subject are manifestly unfounded or excessive, in
> particular because of their repetitive character, the controller may either:

> (a) charge a reasonable fee taking into account the administrative costs of
> providing the information or communication or taking the action requested;
> or

> (b) refuse to act on the request

~~~
Dylan16807
Also they have 30 days to respond, so at most you can force them to grab your
data every 3-4 weeks even without that clause.

