
StreetLend.com shuts down, citing GDPR regulations - cbeach
https://streetlend.com
======
pdimitar
What many posters here miss is that there is a big group of tech people that
have no interest in dealing with legal matters more than the bare minimum, and
overall deem them risky. I am one of them. People like me are well-aware of
the fact that if we are not experts then we're absolutely gonna lose because a
dedicated lawyer can and will dig up material you couldn't prepare yourself to
defend from.

Thus, complying with something somewhat ambiguous like the GDPR is still an
expense -- of time, money and risk -- that many small website owners won't be
willing to spare.

Look, it's not hard to encrypt all personally identifiable information; there
are ready-made frameworks that let you choose which DB columns you encrypt and
how. You can generate a key for each user on creation and have their data
encrypted with it. The problem is NOT that.

The problem is what happens if a legal firm or an agency targets you. Even if
you adhered to the spirit of the law, they can dig up evidence that you didn't
obey the letter of the law (since GDPR is quite loose and ambiguous).

Small tech owners can't fight such litigations. I am kind of baffled how this
point evades so many people in this thread.

~~~
eksemplar
From the description Streetlend didn’t violate the GDPR in concept though.
Addresses are public record, available in public databases, and there is
nothing stopping you from doing lending eBay. All it needed to do was clear
its records every 6 months and let people delete their accounts.

Except this isn’t really true. Streetlend made its money by selling your
privacy data to advertisers through Amazon. So when you put up a power drill
for lend, people would see power drills for sale at local shops, based on
their online presence harvested through stuff like their Facebook account.

The really ironic thing about this is that Streetlend imagined itself
“ethical” when its entire business model was selling your data...

The GDPR isn’t really that hostile to small business and it doesn’t require an
understanding of law. You can hire a data protection officer at a legal firm
for almost nothing, and as long as you follow their advice on how to pass
audits, you’re really not in trouble.

That being said, the GDPR is really hostile toward startups trying to make
money the same way Facebook and Google do. You need to have a massive legal
department to do that, and Streetlend obviously did not. But is that really so
terrible?

It may call for a new business model for the internet, and that may seem
impossible right now. But do you remember when the EU outlawed environmentally
shitty lightbulbs and everyone said we were going dark because it was
impossible to do anything else? Today 95% of lightbulbs are LEDs because of
that.

Startups will find a way to make money that isn’t selling your data.

~~~
yellow_postit
The massive legal team part is indeed the problem as it further entrenches
Facebook and Google from competition in that space.

~~~
mtgx
The issue is that after Google and Facebook have abused users' data for so long
and made so many tens of billions of dollars from that abuse, they're now
allowed to _keep that money_ , so they have a huge head-start on anyone else
who can't abuse users' data anymore.

The law is needed, otherwise _everyone_ would continue to abuse users' data
more and more. So that's clearly not the solution. The ideal solution is
fining both Google and Facebook for all the money they've made from that abuse
from at least the past 5 years, to _level the playing field_.

People say that capitalism is the "worst economic system, except for all the
others", and that's true. But one of the main issues with capitalism and why
it gets to be so broken in the end, is that when companies abuse their powers,
the punishment _almost never_ fits the crime. If it did, I think capitalism
would be a much more optimal economic system. I think this is by far the
biggest issue.

As an example, Intel made tens of billions from anti-competitive moves against
AMD, and it was only fined $1.4 billion, a fine that's still under dispute
even a decade later (Intel has yet to pay it).

Samsung, and other memory makers have been caught at least once in the past,
and now again, doing price fixing. But the fine was and likely will be again
much smaller than the profits they made.

Then we have the big banks, which also made a ton of money from screwing
people over, and again they were fined at "record levels" but still much less
than they made in profits.

This is how the incumbents keep getting ahead of the others, even when
stronger regulations pass - they never have to truly pay for the crime they
did in the past, and they get to keep 95% of their profits from that crime.
That isn't how things should work - the governments should take _all_ of the
profits they made from the crime and the _fine_ should be added _on top of
that_. If a company grows 10x in size in a decade from abusing some law and
consumers, then the governments should absolutely take back 90% of its size
when it's punished later. _That's_ the deterrent.

Now in regards to privacy, the laws weren't that strong before, and I don't
really believe in punishing people or companies for laws that didn't exist,
which is why governments need to be much more vigilant from the birth of new
industries, and not wait until they are mature and most damage has already
been done.

Maybe my solutions are a little too extreme, but I do believe more needs to be
done compared to what governments are doing now. We can't just let companies
get away with almost all the profits they made from abusing consumers.

Also, there need to be stronger _anti-merger laws_. That's for sure. We almost
never need to let companies merge, and if they do merge, that almost always
ends up not being in the consumers' favor. If some companies can't compete on
their own anymore, then so be it - let them go bankrupt. The rest will either
become stronger, or new entrants will appear. I think that's still preferable
over allowing them to "survive" under a bigger company. Let the creative
destruction flourish in the market, as it's supposed to.

~~~
ThomPete
How have Google and Facebook abused users data?

Users have been giving away data to Google and Facebook to use their services.
What exactly do you mean has been abused about that?

~~~
PurpleBoxDragon
All of the data was taken without consent. The user might have clicked some 'I
agree' checkbox, but they were not in a position to give consent. We could, to
compare it to other similar issues involving lack of consent, call it
statutory data theft.

~~~
ThomPete
No, it wasn't taken. You give over the use of that data to FB when you use
their service. Just like you do when you get a loyalty card in Safeway or pay
with your credit card.

Calling that stolen is mixing your personal opinions with facts.

------
rzwitserloot
The GDPR is about 68 to 90 pages depending on which language you're reading it
in. It is trying to be futureproof by leaving measures defined in terms of
'current state of technology', 'reasonable security considering the risk' and
other such ambiguous terms.

I run a small business and I like this. Just about anybody can read it and
understand what rights and requirements are being set out in it.

The GDPR specifically refers to the concept of "micro, small and medium-sized
enterprises" [GDPR 40p1 and 42p1 use this text; they direct member states
about the spirit of the law, referring that the needs of such businesses need
to be taken into account].

GDPR 58p2 sets out that regulatory bodies in a member state have the power to
issue warnings. As in, if you mess up, unless the mess-up is malicious or
excessively negligent, you get a written warning and reasonable time to fix
the problem. My government (The Netherlands) has taken the effort, as have a
significant number of third parties, of creating a legal document of 3 to 10
pages covering some details, and they generally set out more explicitly that
you grant yourself a week or so to fix problems without penalty. Whilst the
GDPR is intentionally ambiguous in order to try to be somewhat futureproof and
remain short enough to read back to back in an afternoon, it's fairly clear
this is perfectly fine.

The most strenuous sections of the GDPR involve requests from those whose data
you store. If they ask you to supply what data you have of them, and whom
you've shared it with, you have to comply. Within reasonable timeframes, and
you cannot lie about it. If they ask that you delete this data, you must be
capable of doing so, and you must do so within a reasonable timeframe.
However, the GDPR is nice enough to grant you exceptions for reasonable
measures which nevertheless make it hard to comply. Things like a backup tape
are specifically called out. It's okay if data that's been requested to be
removed, stays on those. You would have to show that this data is
pseudonymized (GDPR-ese for encrypted, pretty much).

Any service which has a hard time supporting requests to explain what data you
store and where you've stored it, or which cannot delete it from the main
service on demand... should indeed just call it a day and shut down. I don't
think a service like streetlend would have a hard time supporting such
requests, however.

~~~
tomxor
> The GDPR is about 68 to 90 pages depending on which language you're reading
> it in [...] I run a small business and I like this. Just about anybody can
> read it and understand what rights and requirements are being set out in it.

I don't run a small business, I make small things on the internet, this is not
why I got into tech, I don't want to read 68 pages of yuk. If I made a small
site that saves some user data I'd just pull it down too, I don't want the
burden of worrying about being sued for some small thing I created, you just
won't have it anymore.

FB fucked it up for everyone, ultimately people gotta learn that when you give
data to someone you implicitly entrust them with it. FB had to go and be evil
and now the EU is overreaching demanding everyone spend their time bubble
wrapping everything... everyone backing them up are the village people taking
to the streets with torches and burning shopkeepers after the king was found
doing witchcraft. Go burn the king.

~~~
pdkl95
> this is not why I got into tech, I don't want to read 68 pages of yuk

One of the goals of this law and similar efforts is to make it clear that _you
need to consider the social, ethical, and legal ramifications of the things
you create_. You are not creating neutral things in a vacuum; there is no
neutral ground in a burning world[1]. That "small thing on the internet" might
be reuniting families that were separated by work or politics, or it might be
undermining the support structures of an entire industry or community. Maybe
you are creating a _social space_, which includes a duty to manage that space
so it doesn't become a tool of abuse[2]. Maybe your small site stays
small. Obviously you cannot be expected to foresee every potential consequence
of your creation, but you at least need to make the effort and catch the
low-hanging fruit (e.g. the basic privacy features enforced by the GDPR).

[1] [http://opentranscripts.org/transcript/no-neutral-ground-burning-world/](http://opentranscripts.org/transcript/no-neutral-ground-burning-world/)

[2] [http://www.gdcvault.com/play/1024060/Still-Logged-In-What-AR](http://www.gdcvault.com/play/1024060/Still-Logged-In-What-AR)

~~~
malvosenior
It’s safe to say people create hobby projects that fit within their ethical
framework. This is about forcing a very slanted set of ethics on pretty much
every creator.

I personally find regulation like this abhorrent and against my morals. Sadly
I don’t have the money to fight the EU so my creations will be blocked to its
citizens going forward.

The end result of this is that EU citizens will be the ones that suffer from
lack of access to technology and the smart ones will end up VPNing into non-EU
networks to stay on the cutting edge.

~~~
FridgeSeal
> The end result of this is that EU citizens will be the ones that suffer from
> lack of access to technology and the smart ones will end up VPNing into non-
> EU networks to stay on the cutting edge.

Right, because everyone who lives in Europe is too incapable of coming up with
technology and businesses themselves (that have the added benefit of being
GDPR compliant) and without access to American firms they will surely fall
into a technological dark dark age.

Instead of viewing GDPR as some nightmarish spectre coming to ruin everything,
why not think of it as a potential opportunity? You're familiar with making
money in a borderline no-holds-barred approach, now try and come up with some
innovative business ideas that _don't_ rely on scraping and selling as much
data as mechanically possible to prop up a business. This is great for the
disruption hackernews loves so much.

~~~
hartator
> Right, because everyone who lives in Europe is too incapable of coming up
> with technology and businesses themselves (that have the added benefit of
> being GDPR compliant) and without access to American firms they will surely
> fall into a technological dark dark age.

Cite one EU startup that you’ll miss if the issue was reversed.

~~~
rocqua
Spotify.

~~~
lovich
Nokia and Skype were both from Europe as well IIRC

------
advisedwang
As far as I understand, to make this site GDPR compliant you would have to:

1. Get consent when someone creates an account, saying what you do with the
data including how you make automatic decisions (e.g. which Amazon pages you
recommend).

2. Allow people to unconsent/delete accounts

3. Have a page that allows a user to download their data.

4. Have a way for them to fix mistakes in that information

That doesn't seem that burdensome. In fact some flavor of that is pretty much
what you get with a standard create account/view account/change
account/delete account workflow.

~~~
awalton
You know, until someone opportunistically sues you using a legal firm that
costs the plaintiff nothing, and then you're out the cost of getting a lawyer
and trying to defend that all of your actions and interpretations of the GDPR
are correct. And if your business is already small/not making money, you're
adding to the hole you're already in.

Which, you know, the guy directly cites as the reason he's shutting down if
you actually read the site.

There's plenty of ambiguity in the GDPR, especially around logging, backups,
and third parties (e.g. login through Facebook/Twitter/Google, you know, that
thing that five years ago everyone was trying to sell as _the_ way to do user
authentication). This guy just decided it's not worth the potential of being
sued while we wait for the dust to settle on how those ambiguities shake out
(because, honestly, the only way we're going to get those cleared up is if
someone is sued and they're made clear by case law).

~~~
bloopernova
Do you know of a good place to read about the GDPR and backups?

My concern has been the account deletion provision. Does the GDPR expect us to
be able to go back and modify past backups? Years-old tape archives?

~~~
lmkg
I get the impression the GDPR expects you to not keep data around forever, as
a general best practice.

When you collect data, you have to tell your users at collection what your
retention policy is (this is part of Right to Transparency). So, right there,
you should probably have a retention policy, and "forever, always" isn't
really a well-thought-out policy.

The Right to Erasure is not as far-reaching as some people seem to think it
is. If the Legal Basis of the data collection is Consent, then that consent is
revocable and processing (including storage) pretty much has to end as soon as
consent is revoked. But if the Legal Basis of collecting the data is something
else, and I really feel like 90% of the time in practice it's going to be
Legitimate Interest, then the Data Controller gets to balance their own needs
against the rights of the Data Subject when handling a Right to Erasure or
Right to Object request. And you can probably make a good argument that you
don't need to modify back-ups. Your argument is stronger if a) your restore-
from-back-up procedure can ignore or delete the user's data during/after
restore b) your data retention policy eventually deletes the back-up.
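
Added example (not code from any poster in this thread): a Go restore routine that implements the two points above, (a) dropping the rows of users who exercised their erasure right after the snapshot was taken, and (b) refusing to restore a backup that has outlived the retention policy, which should be destroyed instead. The JSON-lines backup layout, the `Tombstones` list and the 90-day retention window are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Row is one line of a JSON-lines backup (constructed format for this example).
type Row struct {
	UserID string `json:"user_id"`
	Email  string `json:"email"`
}

// Tombstones lists users whose erasure request has been honoured, with the date.
type Tombstones map[string]time.Time

// Backup is an archived snapshot and the time it was taken.
type Backup struct {
	TakenAt time.Time
	Lines   []string // one JSON-encoded Row per line
}

// RetentionExpired is true when the backup is older than the retention window;
// such a backup must be destroyed, never restored.
func RetentionExpired(b Backup, now time.Time, retention time.Duration) bool {
	return now.Sub(b.TakenAt) > retention
}

// Restore parses the backup and drops every row belonging to a tombstoned user,
// so a restore cannot resurrect data that was erased after the snapshot was taken.
// It returns the surviving rows and how many were dropped.
func Restore(b Backup, ts Tombstones, now time.Time, retention time.Duration) ([]Row, int, error) {
	if RetentionExpired(b, now, retention) {
		return nil, 0, fmt.Errorf("backup from %s is past the %s retention window: destroy it instead of restoring",
			b.TakenAt.Format("2006-01-02"), retention)
	}
	kept := []Row{}
	dropped := 0
	for i, line := range b.Lines {
		var r Row
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, 0, fmt.Errorf("line %d: %w", i+1, err)
		}
		if _, erased := ts[r.UserID]; erased {
			dropped++ // erased user: never write this row back into the live store
			continue
		}
		kept = append(kept, r)
	}
	return kept, dropped, nil
}

func main() {
	// Constructed sample data, not a real backup.
	now := time.Date(2018, 6, 1, 0, 0, 0, 0, time.UTC)
	b := Backup{
		TakenAt: now.AddDate(0, 0, -30),
		Lines: []string{
			`{"user_id":"u1","email":"alice@example.com"}`,
			`{"user_id":"u2","email":"bob@example.com"}`,
			`{"user_id":"u3","email":"carol@example.com"}`,
		},
	}
	ts := Tombstones{"u2": now.AddDate(0, 0, -7)} // u2 asked for erasure after the snapshot
	rows, dropped, err := Restore(b, ts, now, 90*24*time.Hour)
	fmt.Println(rows, dropped, err) // [{u1 alice@example.com} {u3 carol@example.com}] 1 <nil>

	old := Backup{TakenAt: now.AddDate(-1, 0, 0), Lines: b.Lines}
	_, _, err = Restore(old, ts, now, 90*24*time.Hour)
	fmt.Println(err) // backup from 2017-06-01 is past the 2160h0m0s retention window: destroy it instead of restoring
}
```

The tombstone list has to be kept outside the backups themselves (it is the one thing that must survive a restore), and the same filter belongs in any replay of an append-only log.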

~~~
jimktrains2
How do I remove data in a WORM store?

~~~
tscs37
Is it truly a WORM store that cannot delete any data ever never? If so, you'll
need to encrypt the data in a way that allows you to make records
inaccessible.

If the WORM store rotates out old data (webserver logs, tape backups with
retention and rotation, etc.) then you simply inform the user of that and
that's it.
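
Added example, not code from any of the posters: a Go sketch of the approach pdimitar describes further up the thread (one key generated per user, their data encrypted with it) combined with what this comment recommends for stores that can never delete: make the records inaccessible by destroying the key, usually called crypto-shredding. AES-256-GCM from the Go standard library does the encryption; the `KeyVault` and `Record` types are assumptions made for the example, and the in-memory key map stands in for a real KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var ErrErased = errors.New("user key erased: record is unrecoverable")

// KeyVault keeps one random 256-bit key per user (a real deployment would hold these in a KMS/HSM).
type KeyVault struct {
	keys map[string][]byte
}

// KeyFor returns the user's key, generating a fresh one on first use.
func (v *KeyVault) KeyFor(userID string) ([]byte, error) {
	if k, ok := v.keys[userID]; ok {
		return k, nil
	}
	if v.keys == nil {
		v.keys = make(map[string][]byte)
	}
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	v.keys[userID] = k
	return k, nil
}

// Erase serves a deletion request by destroying the key: every copy of the user's
// ciphertext (primary DB, backup tape, append-only log) becomes unreadable untouched.
func (v *KeyVault) Erase(userID string) {
	delete(v.keys, userID)
}

// Record is the only thing that reaches storage: owner id plus nonce||ciphertext.
type Record struct {
	UserID string
	Blob   []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts PII with AES-256-GCM under the owner's key; the user id is bound as AAD.
func (v *KeyVault) Seal(userID string, pii []byte) (Record, error) {
	key, err := v.KeyFor(userID)
	if err != nil {
		return Record{}, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	return Record{UserID: userID, Blob: aead.Seal(nonce, nonce, pii, []byte(userID))}, nil
}

// Open decrypts a record; it never calls KeyFor, so an erased user is reported as erased.
func (v *KeyVault) Open(rec Record) ([]byte, error) {
	key, ok := v.keys[rec.UserID]
	if !ok {
		return nil, ErrErased
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(rec.Blob) < ns {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, rec.Blob[:ns], rec.Blob[ns:], []byte(rec.UserID))
}

func main() {
	var vault KeyVault
	rec, err := vault.Seal("user-42", []byte("Alice Example, 1 Sample Street")) // constructed PII
	if err != nil {
		panic(err)
	}
	backupCopy := rec // imagine this copy sitting on a WORM tape
	vault.Erase("user-42")
	_, err = vault.Open(backupCopy)
	fmt.Println("backup copy after erasure:", err) // user key erased: record is unrecoverable
}
```

Because `Open` looks the key up directly instead of through `KeyFor`, a user who signs up again after erasure gets a brand-new key and the old ciphertext on tape stays unreadable; the key store is the one place that must support deletion, and it is small enough to keep out of the WORM media.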

~~~
jimktrains2
> If the WORM store rotates out old data (webserver logs, tape backups with
> retention and rotation, etc.) then you simply inform the user of that and
> that's it.

Can you point me to where that's allowed? What if retention is reasonably long
(a year)? or not (10 years)?

> Is it truly a WORM store that cannot delete any data ever never? If so,
> you'll need to encrypt the data in a way that allows you to make records
> inaccessible.

So now I can't perform impromptu analysis of my own data in any
computationally easy way? Security analysis? Analyzing shipping information to
optimize in the future?

~~~
tscs37
Acronis, a German corporation, is implementing the GDPR too [0] and they
recommend that if possible, you split backups per customer, if that is not
practical at least do your best to protect the data and don't keep it for
unnecessary time frames. You should have a retention policy and encrypt your
backups.

[0]: [https://www.acronis.com/en-us/blog/posts/backups-and-gdpr-right-be-forgotten-recommendations](https://www.acronis.com/en-us/blog/posts/backups-and-gdpr-right-be-forgotten-recommendations)

[A0]: [http://www.gdprarticles.com/gdpr-articles/data-subject-rights/gdpr-right-to-be-forgotten-include-backups/](http://www.gdprarticles.com/gdpr-articles/data-subject-rights/gdpr-right-to-be-forgotten-include-backups/)

[A1]: GDPR Art. 5 §1 a, b, c and f, §2

[A2]: GDPR Art. 17 §1 b and c, §3 b and e

> So now I can't perform impromptu analysis of my own data in any
> computationally easy way? Security analysis? Analyzing shipping information to
> optimize in the future?

Any analysis will have to be done in a way to make sure you're not exceeding
the bounds of network security or you're outside legitimate interest.

Analyzing shipping information is the same, as long as you do everything to
make sure the data is pseudonymized or not otherwise at risk of leaking
personal data, it's fine or alternatively you ask customers about it.

> What if retention is reasonably long (a year)? or not (10 years)?

Use your own judgement of what is reasonable, worst case you get a letter from
the EU asking you to reduce the retention timeframe as long as you made an
actual effort to implement the regulation.

~~~
jimktrains2
My question wasn't so much about doing the analysis, but about being unable to
do it without fetching keys and decrypting on a per-log-entry basis. Not only
would this be insufferably slow, I've not seen a feature like this in any COTS
software and quite frankly seems incredibly difficult to write properly and
securely, specifically the key management portion.

~~~
acdha
> Not only would this be insufferably slow

Why do you think that's a given? It seems like an implementation detail with a
couple of easy solutions such as caching or batching, and it should encourage
better system design in many cases where the analysis doesn't require PII and
thus it's better from a security perspective not to have access to it there to
begin with.

There have been a ton of breaches over the years where reporting or test
systems had data which they didn't even need but which had been loaded anyway
since it was less work than subsetting the data.

~~~
jimktrains2
> analysis doesn't require PII and thus it's better from a security
> perspective not to have access to it there to begin with.

Unless I'm pulling from a raw dump of shipping I've bought, which would
contain the address so that it can be cross-checked if there is an issue and I
didn't know ahead of time that I wanted to perform this analysis.

~~~
tscs37
If you want this analysis you should plan for it. Mozilla does this for
example. Any kind of profiling or monitoring goes through several layers to
ensure the minimum amount of data necessary is collected.

If you want shipping analytics you'll have to decide that ahead of time. That
way you reduce the risk for your customer in case you don't want to do this
and if you do want it you still make an effort to reduce the data necessary.

You should keep in mind that the basic premise of the GDPR is that the
shipping address isn't yours to begin with. It's personal data of your
customer and ultimately belongs to them.

If they don't allow you to use it for analytics, tough luck.

~~~
jimktrains2
> If you want this analysis you should plan for it.

Yes, I should be omniscient. Thanks for clearing that up.

> Any kind of profiling or monitoring goes through several layers to ensure
> the minimum amount of data necessary is collected.

Yes, because they need to collect it. It's not about looking at what they
have.

> If you want shipping analytics you'll have to decide that ahead of time.

Again, I'm not omniscient. I can't figure out what my company will be doing in
a year, and waiting another year to collect the data I already have could see
me hemorrhaging money.

> You should keep in mind that the basic premise of the GDPR is that the
> shipping address isn't yours to begin with. It's personal data of your
> customer and ultimately belongs to them.

Which is an absolutely silly notion. It is the company's data, not the user's.

> If they don't allow you to use it for analytics, tough luck.

Which is silly. It's the company's data; they should be able to use it to
improve their business.

~~~
tscs37
> Yes, I should be omniscient. Thanks for clearing that up.

Not omniscient but being able to plan ahead does help a lot, yes.

> It's not about looking at what they have.

Yes, because they only collect what's necessary and if they don't have that
they ask if it's necessary and collect it.

> I can't figure out what my company will be doing in a year, and waiting
> another year to collect the data I already have could see me hemorrhaging
> money.

Then simply ask your customers to hand over data with consent to use it for
analytics, problem solved, no?

> Which is an absolutely silly notion. It is the company's data, not the user's.

No. Under GDPR this is no longer the case. The data belongs to the user now
because corporations have shown time and time again that owning the user data
is too much responsibility for them.

You do not own the customer data anymore, the customers own it. And they can
decide what you're allowed to do with it.

End of story.

~~~
jimktrains2
> You do not own the customer data anymore, the customers own it. And they can
> decide what you're allowed to do with it.

Which is entirely silly and basically contrary to everything else, e.g. data
retention regulations that assume the company owns the data.

~~~
tscs37
It's perfectly in line with existing German Data Regulations (although they
get a minor update too with the DSGVO coming along with the GDPR). Data
retention laws in Germany supersede the GDPR. The GDPR itself also mentions
that any regulation and law in your jurisdiction may supersede anything in it.

Even that data isn't owned by you. You are merely responsible for keeping it
safe while you have to store it. Ultimately it's the customer's data. End of
story.

------
vincnetas
How many times I have seen comments comparing civil engineers and software
engineers and the liabilities each have.

A civil engineer failing to comply with regulations ends up in jail vs. a
software engineer, well, doing nothing if his software does something wrong.

So welcome to the future where software engineers will be held responsible for
what they create. I think it's right direction. And don't start with 'hackers
playing for fun with side projects will no longer be able to do this'. It's
the same for an engineer building a shed in his backyard. No one will have
problems if he has not done load calculations and is using that shed by
himself. Only difference is that if you put it on the internet it's like
building that shed in a public park. And then you have problems if you don't
think about what you are doing.

~~~
sb8244
People die when a civil engineer messes up. Most people don't die from a
website.

~~~
arnoooooo
That does not mean that software has no real world consequences. Otherwise,
why would people be building software?

There's a reason companies which are 100% software can be valued in the
billions of dollars. Their software has huge, very real consequences.

~~~
sturgill
Also their marginal cost of delivery approaches zero. High fixed costs in
creating the software and almost negligible marginal costs. The return on
capital can be astronomical.

Online services have “real consequences.” But not of the type as goods in the
physical world. PCI and HIPAA have tried to mitigate against some of the most
egregious crossovers of failed software. GDPR scares me. Not in the “I don’t
like the consequences” but in the “I don’t know what this does and how screwed
I might be.” I’m very happy to be on the other side of the pond where I can
safely observe the fallout. Feels like buying a first generation Apple device:
I’ll wait a few years and let the early adopters go through the pain for me...

------
DevKoala
"Perversely, this new EU law hurts small and ethical startups, but helps
reinforce the dominance of Facebook, Google and Twitter, who are able to
prepare and defend themselves using established legal teams and cash reserves,
and who now face less competition from startups."

This bit is true. If the startup I work for had not turned profitable in the
years leading up to GDPR, we would not be able to compete in this space
anymore.

~~~
threeseed
These comments are just ridiculous.

If your business is on such shaky ground that straightforward changes required
by GDPR are going to cause your business to collapse then you have bigger
problems. Because one employee suing you or your rent increasing will also
cause you to collapse.

~~~
freeone3000
> because one employee suing you or your rent increasing will also cause you to
> collapse.

Yes, these are well-known causes of company collapse, so well-known that we
have entire industries mitigating the risk (multi-year leases at fixed rate,
shell corporations renting (see: wework), and temporary contractor/agency
staffing). We don't have that for GDPR yet.

------
hywel
It seems like more research into GDPR could have prevented this.

Firstly, there's nothing this site does that is so unusual. If the user gives
explicit and informed consent for their data to be used in this way, then you
are likely to be covered.

Secondly, it's looking unlikely that the rules will be enforced that strictly
in the near term, especially against a small, hobby website. IANAL but you
likely have a couple of years until you have any chance of being on the ICO's
radar (ICO is the UK's enforcer). And even then, you can reasonably expect the
fine to be << €4M.

Thirdly, if you run this site from a limited company (about £100/year to
maintain), then the very worst case would be that you are investigated under
the GDPR in the future, and you can fold the site then at which point your
liability ends. No need to do it now, in fear of something that may never
happen.

I hope it's not too late to change your mind about shutting down!

~~~
HenryBemis
I am currently working in one of these multi-$bn companies. They run/are
preparing GDPR.

So far I haven't found ANY person who has read the full 80 pages. Everyone is
asking everyone else, they download whatever presentations they find on the
internet, but NOT ONE has bothered reading the damn thing.

It will be a massacre for many companies, only because very few do their
homework.

~~~
closeparen
Having engineers read and interpret regulation personally is not a remotely
sane legal risk management strategy. Read the thing on your own time if you're
curious, but the engineering work should start with specialized outside
counsel/consultants and percolate down to engineers as company policy via the
CTO.

You're onto something, though: in a corporate environment, the word
"compliance" is a magic spell that disables all critical thinking skills
within earshot.

~~~
civilitty
> You're onto something, though: in a corporate environment, the word
> "compliance" is a magic spell that disables all critical thinking skills
> within earshot.

Is that a bad thing? The vast majority of regulations exist because someone's
"critical thinking" went too far in the name of profit.

~~~
closeparen
> The vast majority of regulations

Your mistake is assuming that the idea being sold internally under the heading
"compliance" is required by, or even tangentially related to, an actual
regulation.

------
bdz
Couple of video game services are also shutting down due to GDPR

Super Monday Night Combat which was developed in the US by Uber Entertainment
[1]

Ragnarok Online terminates the access from Europe. They are in Korea. [2]

1 [https://steamcommunity.com/games/104700/announcements/detail/1661142811548355195](https://steamcommunity.com/games/104700/announcements/detail/1661142811548355195)

2 [http://blog.warpportal.com/?p=10892](http://blog.warpportal.com/?p=10892)

~~~
codedokode
I don't really understand why. They just should not collect real names or any
other personal information and then they would be fine.

~~~
lmkg
Not really. The GDPR covers "personal data," which is much broader than the
category of "personally identifiable information" that other legislation
covers. A user identifier, even if opaque and not related to any personal
information, counts as personal data.

~~~
actuator
Yeah, and the crazy thing is if you talk with a lawyer they would label
anything and everything as personal data just because of how abstract some of
the things are in the regulation.

For example, IP address is PII and if you derive city, region or country from
that it becomes personal data. Now if you are a small project or startup there
is high chance that you are using some of the external analytics tools like GA
or Mixpanel (as building a good analytics tool is an effort on its own). Now
you have to take care of data like country there as well and be very careful
that you delete data like this as well.

~~~
codedokode
> if you derive city, region or country from that it becomes personal data

I don't think city itself is personal data. You could use user's IP address
to get the city and then discard it and this way you know user's city but
don't have to keep their IP address.

Google Analytics can be a problem; Google or someone else should make the
analytics that doesn't store IP addresses.

And I think ISPs should randomly rotate IP addresses of their customers so
they cannot be used for identification.

------
cyberferret
I admit to being baffled as to why they shut down. If a user of the service
has given permission for their location to be shared on the 'nearby' map, then
they still comply with all the legislation because they have tacit permission
from the user that their location will be shared with others.

If the user then decides NOT to share their location or want their data
deleted entirely, then as long as the site stops sharing their location or
removes their data completely (within 30 days), then they are still GDPR
compliant, AFAIK.

EDIT: Sounds to me like a side project started getting a little unwieldy or
had too much technical debt for the developer to manage, and he decided to
shut it down using GDPR as a vague justification?

~~~
adventured
They explained why. Obviously you may still disagree, however their opinion of
acceptable risk is subjective (i.e. it's silly to tell someone what their
tolerance for risk should be).

> GDPR threatens website owners with fines of 4% of turnover or €20 million
> (whichever is higher) if they do not jump through a number of ambiguously-
> defined hoops. The law, combined with parasitic no-win-no-fee legal firms,
> puts website owners at risk of vindictive reporting. Young websites and non-
> profits cannot afford legal teams. Therefore the risk posed by GDPR is
> unacceptably high.

> Perversely, this new EU law hurts small and ethical startups, but helps
> reinforce the dominance of Facebook, Google and Twitter, who are able to
> prepare and defend themselves using established legal teams and cash
> reserves, and who now face less competition from startups. The EU Cookie
> Law, EU VAT regulation and now the EU GDPR are all examples of poorly-
> implemented laws that add complexity and unintended side-effects for
> businesses within the EU.

~~~
cyberferret
You are right in that I don't agree. I don't think this is a question of
tolerance of risk, but that he doesn't seem to want to study all the
implications.

I will be the first to admit that GDPR is full of holes and ambiguities and has
never been tested in a court of law yet, but rather than (as the two quotes
you pulled from his site) assume that GDPR has been set up to give the 'big
boys' free rein and punish small operators, I'd like to think that GDPR
actually puts a LOT more accountability on the larger players and actually
will put smaller players on a semi-equal footing.

I really don't think that the EU will be spending the money and time (and open
themselves to the PR disaster) of suing websites that might make $1000/mo for
the full EUR 20 million, do you?

~~~
pixl97
In the US copyright trolls, for example, go after small sites first. They are
not able to provide the huge amount of money needed to fund a solid legal
defense. The trolls can use the precedent to attack larger more well funded
targets. It is not unheard of for US law enforcement to do the same thing.
That is why groups like the ACLU and EFF are so important here.

~~~
lagadu
But trolls can't go after any sites. The only entity with the power to issue
fines is the national regulatory entity. Trolls would only be able to present
a complaint to them and let them do the assessing and investigation. Also
precedent doesn't work the same way in EU jurisdictions as in the US
(although it's irrelevant in this case).

------
nerdponx
_Unfortunately the European Union's new GDPR (General Data Protection
Regulation), introduced on 25th May 2018, creates uncertainty and risk that I
can't justify taking.

GDPR threatens website owners with fines of 4% of turnover or €20 million
(whichever is higher) if they do not jump through a number of ambiguously-
defined hoops. The law, combined with parasitic no-win-no-fee legal firms,
puts website owners at risk of vindictive reporting. Young websites and non-
profits cannot afford legal teams. Therefore the risk posed by GDPR is
unacceptably high.

Perversely, this new EU law hurts small and ethical startups, but helps
reinforce the dominance of Facebook, Google and Twitter, who are able to
prepare and defend themselves using established legal teams and cash reserves,
and who now face less competition from startups. The EU Cookie Law, EU VAT
regulation and now the EU GDPR are all examples of poorly-implemented laws
that add complexity and unintended side-effects for businesses within the EU._

Can anyone in the EU actually comment on the content here? This seems
completely out of proportion with everything I have heard about the GDPR.

Given the author's stance on data privacy and accessibility, I am somewhat glad
that he is shutting the site down.

~~~
xfz
I'm working on GDPR compliance at the moment, as are many of my friends here
in the UK. Even people in non-IT jobs have been involved or had training, so
awareness is high.

The figures cited above are correct, but the consensus from people I've spoken
to is that the maximum fines would only be for the most serious breach. It's
hard to imagine a small non-profit being fined €20 million. That said, people
are taking it seriously.

I can't help wondering if the owner of Streetlend has just decided it's not
worth maintaining at a loss anymore and decided to take a swipe at GDPR. I
can't know that of course. However what seems fairly inevitable is that
technical, commercial and legal changes will come along now and then and it
takes real work to adapt. I don't know of any company/organisation that is
motivated to keep running but didn't try to comply with GDPR.

~~~
dommer
I tend to agree, seems a little sour. (and now I'm sounding a little judgy)

[https://www.borroclub.co.uk](https://www.borroclub.co.uk) is managing (so
far) to comply with GDPR.

------
craigsmansion
I'm unsure of all the negativity regarding the GDPR here.

GDPR compliance is catching up with your project's "ethical debt" in much the
same way as a project sometimes has to deal with a "technical debt". If it's
unimportant, it's of no concern. If you kept up with good practice, it's of no
concern. It's only if it's important and you let the debt accumulate that it
could potentially be a problem.

~~~
jimktrains2
> GDPR compliance is catching up with your project's "ethical debt" in much
> the same way as a project sometimes has to deal with a "technical debt".

This is needlessly polarizing. I don't have any ethical issues with a service
not letting me delete my account or download all my data. Sure, it's nice, but
it's not an ethical issue if they don't. I also don't have issues with
services processing and analyzing _their_ data (it's not my or our data) any
way they choose without notifying me.

~~~
chii
It's not an ethical issue for you, but the world is made of many other people,
and it is an ethical issue for them.

------
cf
I don't get the hand wringing. If you have an image sharing service you will
have to contend with child pornography. If you have any content sharing
service you have to deal with copyright infringement. You need a lawyer to
create a company. If you do open source you will often put a license file in
your github repo.

Tech has already and will continue to interact with laws/lawyers. At some
point open source libraries will appear to streamline compliance. For now it
sucks but ya gotta muddle through or call it a day.

~~~
freeone3000
In the first two cases, we generally _don't_. Or didn't, until recently. DMCA
is very push-oriented: You get a takedown notice specifying certain URLs, you
take down that content. Compliance solved!

GDPR requires restructuring of applications to keep data on a temporary basis
with the consent of the users, to remove data after the fact, to selectively
restore, and to allow users access to their own data. These are proactive
steps required, and while applications written in the next six months will be
built with those requirements in mind, it's still a fairly large burden for
business-as-usual applications.

~~~
cf
Totally, but there are unlikely to be many ways to structure the law to give
users consent over their data and not burden business as usual. Even
responding to DMCA requests is burdensome. You can automate it like Google has
tried but it fails sometimes and has become a major technical and personnel
challenge.

I don't want to trivialize compliance. Even ostensibly simple requirements are
never quite that, and every second spent on them is time not spent on your
product.

------
teeray
Is there any kind of blanket CYA waiver that we can put on sign-up pages like
"if you're an EU citizen, sorry you can't use this site because GDPR.
Definitely don't click 'sign up' below anyway" ? What are the opt-out criteria
for a site?

~~~
filoleg
Interested in finding this out as well. So far, not a single thread discussing
GDPR on HN made this explicitly clear.

~~~
dingo_bat
That's part of the fun. It is so ambiguous and vague that nobody is clear on
the specifics.

~~~
izacus
It's only unambiguous to the people who don't want to refuse to understand it
because they're making profit on selling out people's data.

~~~
Multicomp
That is a false choice. According to that, you A) love this law or B) exist
only to profit off tracking pixels and JavaScript beacons mwa he ha

Or it could be the people running 100-user-or-less sites are trying to see if
they can just leave their sites up, ignore the "oh yeah, well your web server
has IP addresses in your LOGS doesn't it!? Well guess what, OUR logs show an
EU IP address, so you know what the letter of the law lets us do? €20 million
fine, you data slurping fiend!!" frivolous lawsuits in hopes of keeping their
little side project which, while (maybe) technically noncompliant, isn't
actually using the data for those nefarious purposes, only DDoS and spam
mitigations.

------
ujkwast
> GDPR threatens website owners with fines of 4% of turnover or €20 million
> (whichever is higher) if they do not jump through a number of ambiguously-
> defined hoops. The law, combined with parasitic no-win-no-fee legal firms,
> puts website owners at risk of vindictive reporting. Young websites and non-
> profits cannot afford legal teams. Therefore the risk posed by GDPR is
> unacceptably high.

I get the point about legal trolls, but how are the hoops ambiguously defined?

- don't store data you don't need for your business' stated purpose

- get active consent before you do so

- be ready to delete data on command

- store the data with best principles (i.e., instead of having ID and other
stuff connected, centralize identifying information and protect it, use
pseudonyms otherwise)

IANAL, but this seems pretty sensible?

~~~
ams6110
He said the site does not make money. So why would he spend more of his time
to make the changes needed to be compliant?

That said, I think the fear of no win, no fee legal firms is a little
overblown. You can't get blood out of a turnip and if he's not making money
there's no reason any law firm would be interested in suing him.

~~~
lucb1e
> He said the site does not make money. So why would he spend more of his time
> to make the changes needed to be compliant?

I'm honestly wondering what the law previously said regarding data protection.
The Dutch WBP from 2001 already covers everything that he would have to do
under GDPR given this website, so unless the UK has some very weird laws (or
unless we're weird), nothing would change. Perhaps an extra tickbox on signing
up that says "yeah yeah I'm really very aware that my data is shared with
third parties".

Most likely, this is a good excuse to go "I refuse to read the long legalese
[even if it's 95% the same as before] and I'm just going to quit this
loss-turning website without the community turning sour on me because I have a
good excuse".

~~~
freeone3000
It's very likely that the site is non-compliant with Dutch law.

~~~
lucb1e
I just mentioned the Dutch variant because I know of it and since both
countries are in the EU, laws are typically very similar. I'm wondering if he
was compliant with whatever the current (pre-GDPR) UK law is.

------
svennek
I read the farewell post as "My start-up failed, and I am shutting it down
because I am sick of it", but instead of owning up, I blame the GDPR...

As a Brit, he would most likely already have to comply with most of the stuff
already. And he should know that most government bodies use dialogue instead
of fines initially.

------
johnmarcus
I find it hilarious that so many think 'it's ok to force a 70-page read for every
developer because look what Facebook did'. But at the same time if anyone read
the EULA of Facebook when you signed up, then you would have known precisely
the risks of sharing your data with Facebook. They hid absolutely nothing from
view. Chew on that for a bit.

~~~
lagadu
Surely you're aware of what is known as inalienable rights? Rights that you
cannot sign away no matter what?

------
anonytrary
> GDPR threatens website owners with fines of 4% of turnover or €20 million
> (whichever is higher) if they do not jump through a number of ambiguously-
> defined hoops.

Disregarding the "hoops" -- shouldn't this 4% go entirely to the affected
users? I thought this was meant to protect the users. Seems like a cash-grab
by the government. Can someone make a good argument as to why the fines should
be paid to a third party (the state) when this issue is between the service
provider and the customers?

The only thing I can think of is that the state is the only entity which can
enforce the new rights, meaning they get paid for violations of the rights.
Still, if someone threatens the integrity and privacy of your data, shouldn't
the damages be paid to you?

~~~
avar

> [...] Can someone make a good argument as to
> why the fines should be paid to a third
> party (the state) when this issue is between
> the service provider and the customers? [...]

The same reason you pay speeding tickets to the state instead of personally to
each person living on the street you sped on, or who could otherwise have been
directly affected by that specific occurrence of speeding. Or the same reason
health inspection fines for restaurants in the US are paid to the city or
state, not everyone who's ever visited the restaurant.

There's no concept in the GDPR that the violation only exists between the site
and the users whose privacy it violated, where are you getting that idea from?

~~~
anonytrary
> pay speeding tickets to the state instead of personally to each person
> living on the street you sped on

Roads are usually state-owned property, whereas your personal information is
your property, right? If Alice mishandles Bob's property, why is Charlie
getting paid for it?

> There's no concept in the GDPR that the violation only exists between the
> site and the users whose privacy it violated

Why not? The site-customer relationship is the only relevant one here. What
prevents a profitable, large-scale data mining company from simply accepting
the Max(4%,$20m) = 4% tax for mishandling data?

A $20m dollar fine would surely deter smaller actors, but the 4% fine doesn't
seem like a deterrent for large-scale data-mining operations, which can be
incredibly lucrative. For example, if Facebook had the choice between _not_
using the data and making $60b per year, versus using the data and making $90b
- .04 x $30b, wouldn't they accept the tax and continue using the data? If
this is the case, I don't see GDPR making a big difference if the highest-
market-share companies can "get away" with paying the fee.

This would increase the gap of viable profit models between smaller and larger
companies, at the sole benefit of the state, with little, if any, benefit for
the victims (the users). Of course, I am assuming that there is no criminal
penalty for noncompliance. The government might think: why impose a criminal
penalty if the state can simply tax large corporations for the mountains of
profit they are making off of insights from personal data?

~~~
avar
I think your questions come down to general European vs. US jurisprudence.

    
    
> If Alice mishandles Bob's property,
> why is Charlie getting paid for it?

If Alice and Bob both join Fight Club and have a consensual fight and one of
them dies, even in the US the survivor will be charged by the state for that.

The reason is that certain violations aren't simply seen as person-to-person
violations, but disturbances of the general order that have ripple effects on
the rest of society.

European countries in general are more prone to seeing something like the
violation of business law as being a crime against the state, not just a
violation of the specific people who were victims in that specific instance.

It has upsides and downsides, but I think in general it's better than the US
system. American companies tend to have to worry about compliance with
regulators _and_ the possibility of huge payouts from court cases filed by
individuals. If you have a small company and screw something up (but not much
more than other companies in general) you can go bankrupt mainly due to bad
luck.

In Europe companies tend to mostly have to worry about just the regulators and
the state, except in cases of gross negligence, which makes it easier to
predict when you need to be compliant etc.

There's also the practical matter that the state has a lot more leverage
against the likes of Facebook and can exercise collective bargaining. You can
see how well this "your personal information is your property" idea is going
in the US with the likes of Equifax, Facebook etc. In practice the little guy
just has to eat the TOS of these services and doesn't have anything like a
property right over his information.

As to your question of whether some companies will simply eat the 4% fine.
We'll see, but that's a topic unrelated to who the fine is being paid to.

If some company like Facebook were to publicly flaunt the GDPR you can bet
they'll find something else to charge them with. The GDPR isn't the only
privacy regulation in effect, there's also various national regulations that
could be brought to bear. The threat of the 4% fine is mainly intended as a
big stick to bring companies into compliance.

------
arkis22
I am about to launch a startup. As an American citizen GDPR scares the shit
out of me. My app doesn't do anything I consider rude to my users but that
doesn't mean European courts can't find something wrong with the way I do
business.

I consider myself lucky that I'm in a state that doesn't make me collect tax
in states I don't have nexus.

Europeans are required to use something like chargebee to deal with VAT in
different countries. I don't mean to be rude, but if a service like chargebee
didn't exist, you Europeans would be fucked.

I'm sure VAT is just the visible part of the iceberg. It's an awful situation
for entrepreneurs.

~~~
clappski
‘Europeans would be fucked’... as if there aren’t any successful or innovative
European companies?

Bear in mind that you probably use some sort of service to handle every type
of payment, even if it’s a local sale (e.g. Stripe, VISA Pay/V PAY etc.).
Additionally, selling goods in the US is just as complicated for an external
business as it is into the EU - state, county and city sales taxes, as well as
exemptions from US taxes laid out in international treaties have to be
accounted for. The general advice if you want to sell internationally is ‘get
an accountant’, because it’s actually quite a complicated subject
(unsurprisingly).

~~~
arkis22
There are, but few of them are one-man operations like me. There will be even
fewer one-person startups (or none) now.

The compliance tax burden for American companies varies by state. I'm lucky to
live in one that isn't onerous.

Luck is a factor when starting a business, but regulatory capture is a bad
kind of luck.

------
soufron
WTF... The GDPR is only the continuation of the current regulation. If they
can't follow it now, it's probably that they were already not respecting it before.

And all in all, it really looks like a way to get out without having to admit
some other failure.

~~~
eterm
Yeah I struggle to see how all these businesses which are panicking over GDPR
could ever have been compliant with, for example, the UK DPR which has been in
effect for a very long time and has many of the same requirements.

The biggest change going to GDPR is clearer definitions of what a data
controller is and data processors and new restrictions on "automated decision
making".

The ability to view, delete and demand data be accurate has long been a
requirement of meeting UK data protection laws and I'm sure many other
countries too.

It seems that businesses just ignored the law until it came with fines worth
worrying about. A bit like the VATMOSS changes where US businesses were
worrying they would have to start dealing with EU VAT even though that was the
case previously.

------
matte_black
My question is, if the choice is between shutting down or just completely
firewalling out all citizens of the EU, why not limp along without the EU
market instead of dying out completely?

If a site makes it very clear EU citizens are not welcome on the service and
will be banned on site, can they really be held liable for any EU citizens who
get in anyway through proxies?

Our company has stated it has no plans to comply with GDPR and if faced with
litigation it will simply be ignored unless the United States government gets
involved. Complying is simply something we can’t afford to do right now,
especially for a market that makes us a lot less revenue.

~~~
return1
This startup is based in the EU so they have to comply for all their users around
the world.

~~~
matte_black
Why not just move all the servers off the EU and reincorporate?

~~~
liveoneggs
> Why not just

------
toomanybeersies
As far as I'm aware, you cannot be privately sued for breach of GDPR. You can
only send complaints to the regulatory agency, who then take action. The fines
levied then go to the government.

There is no incentive for lawyers to troll around trying to sue for breach of
GDPR, because there's no money to be made by them.

~~~
lmkg
Article 79, "Right to an effective judicial remedy against a controller or
processor," seems to say that individuals can sue controllers or processors.
This may be limited to cases where the regulatory agency does not find in the
data subject's favor? [https://gdpr-info.eu/art-79-gdpr/](https://gdpr-info.eu/art-79-gdpr/)

Article 82, "Right to compensation and liability," begins with the text "Any
person who has suffered material or non-material damage as a result of an
infringement of this Regulation shall have the right to receive compensation
from the controller or processor for the damage suffered."
[https://gdpr-info.eu/art-82-gdpr/](https://gdpr-info.eu/art-82-gdpr/)

------
enugu
What would be great is an 'open source' legal movement. Non-profit legal orgs
which read the details of laws, cases and then put up detailed 'views' of the
laws from the perspective of an individual, company, buyer, seller, landlord,
tenant etc. Instead of having a list of laws, have an experience based
checklist for each type of agent.

Also, requiring the government to not just frame laws but provide this kind of
information. The ico website[1] seems to be doing it for this particular law.

This might be less useful in boundary cases, where firms with legal resources
play at the edge, but it can at least serve as a safe upper bound for a lot of
regular activity. Lot of this information already exists in books, legal
reviews, but this is important enough to be made conveniently available on an
public website.

[1] [https://ico.org.uk/for-organisations/guide-to-the-general-da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/)

------
liveoneggs
GDPR is having a _massive_ chilling effect at my job as well. I think some
brand new web frameworks need to be born that focus on compliance. It feels
like a solid opening to me to get some new ideas out.

------
wonder_er
Does anyone expect the GCHQ to get investigated based on its collection and
use of private data?

I won't hold my breath that this will ever happen. For that reason (and many
others) I expect that GDPR enforcement will be capricious and biased and used
as a weapon against unpopular groups.

~~~
brongondwana
Nope, law enforcement groups get a special carve-out. They can collect
whatever.

------
thinkingemote
Can we go back and see what HN users views about the EU Cookie Law was, before
the law was put into implementation? Perhaps we will also see hearty support
for it, as we now see with the GDPR - when the EU cookie law is just regarded
as a nuisance now.

~~~
smileypete
[https://hn.algolia.com/?query=Cookie Law](https://hn.algolia.com/?query=Cookie)

It's counter productive in that disabling or regularly clearing cookies to
improve privacy can result in annoying popup messages every. single. time. a
website is visited.

I am truly grateful to the developer of the Firefox addon 'I don't care about
cookies'...

------
GiorgioG
I would think any small software shop outside of Europe is better off blocking
all EU IPs rather than risk having to lawyer up when they wind up being
targeted and potentially face a $20m fine. It would be financially
irresponsible to do otherwise unless they have some kind of GDPR insurance
policy (if such a thing exists.)

~~~
geomark
A handy service that checks if a visitor is from an EU IP would be handy.

~~~
jimktrains2
Any geoip database will do.

------
raverbashing
GDPR discussions: Americans trying to interpret European Law and European way
of enforcing laws

That describes most of it

~~~
aeorgnoieang
> GDPR discussions: Americans trying to interpret European Law and European
> way of enforcing laws

Should they just pretend they don't exist? The Europeans haven't interpreted
this law or provided a clear history of enforcement either. That's the point
of these discussions – they're uncertain about the consequences of the law!

~~~
raverbashing
Of course they shouldn't pretend it doesn't exist.

But the interpretation should be seen in light of enforcement of _current_
data protection regulations (as per ICO in the UK, and corresponding BDSGs in
Germany, for example).

GDPR is not "starting from zero" but it's based on current legislation.

See for example: [https://globalcompliancenews.com/data-privacy/data-protectio...](https://globalcompliancenews.com/data-privacy/data-protection-enforcement-in-germany/)

~~~
freeone3000
The current regulation has been widely ignored and of no consequence to
Americans. GDPR looks like it's going to matter, unlike previous privacy
laws.

------
liveoneggs
I went to a conference recently and attempted to have a discussion about GDPR.
Two other people showed up, none of whom had done any research into the
issue at all.

My fear is that patent-lawyer-style firms will start aggressively blackmailing
companies for "settlements" or they will begin tons of GDPR-based violations
aimed at your business.

------
hrktb
> Did it turn a profit? No, sadly not, but running at a loss was fine as my
> day job covered the bills.

It seems the root of the issue would be financing the changes.

In a way, looking further into the regulations to clear how to deal with
ambiguous parts or even straight hire a lawyer to look at the details would be
a simple move if the expense could be justified.

Could it be summed up as “unexpected but mandatory changes kill unprofitable
business” ?

~~~
strken
It's not like he ever intended to turn it into the next Facebook, though, is
it? It's like your grandmother's unprofitable home-made scone business
shutting down because she doesn't have a certified kitchen.

~~~
estel
If her scone business started accepting payments by card then I think it
should be held to the similar standards as larger businesses when it comes to
securing card details.

Which is kind of what GDPR wants to do for personal data: if you want to
collect it from me, there are a minimum set of standards that you need to
adhere to because it’s _my_ data.

~~~
jimktrains2
The PCI DSS is well-specced and reasonable.

~~~
hrktb
GDPR is not that big of a deal for companies/groups who’ve been paying
attention to these issues from day one.

In particular if you already went though PCI DSS, it’s only a few additional
things here and there.

~~~
jimktrains2
"few". Handling customers individually in terms of logs and database backups,
for instance, is not a small undertaking. Deleting all traces of a customer is
nigh impossible; I bet even "compliant" places don't do it right.

The PCI DSS has nothing in it like the GDPR; I'm not even sure why you would
compare them, and it makes me think you know nothing about either.

~~~
hrktb
It depends how you do it. For me dealing with PCI DSS compliance was mainly to
get rid of unwanted traces in the logs and anything permanent (backed up), and
separating services dealing with sensible information.

While doing these changes, there will usually be a rethinking of how user data
is handled at its core. For instance I worked in the past on dissociating a user
account from its profile and private info, so we could get rid of personal
info and only keep behaviors.

With GDPR you get similar leeway for keeping most of your data as long as you
get rid of identifying info in a reasonable manner. If I’m not mistaken
backups are also safe up to a point, but I don’t have the details at hand.

My main point was that if someone had the occasion to think thoroughly about
user data policy and cleaning unwanted traces at least once in the past, GDPR
was a lot easier than one might think at first.
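The layout hrktb describes (identity split from behaviour, so personal info can be dropped while behaviours stay) and the earlier suggestion in this thread to centralise identifying information and use pseudonyms everywhere else are the same design. What follows is an added example in Python, not code from the thread, from StreetLend or from any PCI DSS material: identity lives in one table, every behaviour record carries only an HMAC-derived pseudonym keyed with a per-user secret, and erasure deletes the identity row and that secret, after which the remaining records can no longer be linked back. Names, fields and the in-memory store are assumptions for illustration; whether the leftover records still count as personal data is the legal question debated above, which the code does not answer.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List


class UserStore:
    """Identity in one table, behaviour under a per-user pseudonym.

    An erasure only has to touch the identity table and the key table; the
    behaviour records stay usable for aggregates but lose their link to a person.
    (Illustrative in-memory store; a real system would back these with a database.)
    """

    def __init__(self) -> None:
        # The only place names, e-mail addresses etc. live.
        self._identity: Dict[str, Dict[str, str]] = {}
        # Per-user secret used to derive the pseudonym; deleted on erasure.
        self._pseudonym_key: Dict[str, bytes] = {}
        # Behaviour records carry the pseudonym only, never the account id.
        self._events: List[Dict[str, str]] = []

    def create_account(self, email: str, name: str) -> str:
        account_id = secrets.token_hex(8)
        self._identity[account_id] = {"email": email, "name": name}
        self._pseudonym_key[account_id] = secrets.token_bytes(32)
        return account_id

    def pseudonym(self, account_id: str) -> str:
        # HMAC over the account id with that user's own key: without the key the
        # pseudonym cannot be recomputed, even by someone who knows the account id.
        key = self._pseudonym_key[account_id]  # KeyError once the user is erased
        return hmac.new(key, account_id.encode(), hashlib.sha256).hexdigest()[:16]

    def record_event(self, account_id: str, action: str, item: str) -> None:
        self._events.append({"who": self.pseudonym(account_id), "action": action, "item": item})

    def export(self, account_id: str) -> dict:
        """Subject-access style export: identity plus every event still linkable to it."""
        who = self.pseudonym(account_id)
        return {
            "identity": dict(self._identity[account_id]),
            "events": [dict(e) for e in self._events if e["who"] == who],
        }

    def erase(self, account_id: str) -> None:
        """Delete identity and pseudonym key; events remain but become unlinkable."""
        del self._identity[account_id]
        del self._pseudonym_key[account_id]

    def is_linkable(self, account_id: str) -> bool:
        return account_id in self._pseudonym_key

    def popular_items(self) -> Dict[str, int]:
        """Aggregate over behaviour records; identical before and after erasures."""
        return dict(Counter(e["item"] for e in self._events if e["action"] == "view"))

    def event_count(self) -> int:
        return len(self._events)
```

The trade-off is visible in `erase`: nothing is rewritten in the events table, which is what makes deletion cheap and backup-friendly, but it also means the pseudonym key must never be backed up alongside the events or the unlinking is only nominal.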

------
dumbfounder
Can someone explain what ramifications this has for companies operating in the
US that may have "personal" data on EU people? I am curious to know if there
will be a new wave of lawyers coming after me for running Twicsy. (FYI, I get
requests for removals every day, and I comply with all)

------
richp10
GDPR is not difficult to comply with and based on the decades of experience
with the Data Protection Act on which it is based, the chances of being sued
(or threatened with litigation) seem tiny indeed.

Also, I _think_ the reason why this site cannot cope with GDPR runs deeper than
being willing to add a 'delete account' and 'download my data' functionality
to a loss making site.

On the screenshots, it shows a prominent section on the home page: “StreetLend
with Facebook friends (and their friends, and people they endorse)”

This suggests they are using the Facebook login to harvest from the Facebook
social graph.

Head down that particular road and you are in a privacy shit show - and after
Cambridge Analytica and GDPR my guess is that Facebook is cutting off this
supply of data - or setting hurdles that streetlend cannot hit.

A few people were sued by the ICO for non compliance with the DPA - but it
didn't open the floodgates of civil litigation. To my mind (and I am in the
process of updating two small businesses to be compliant) it just sets good
ethical standards and Google / FB etc are missing a trick in not just
declaring this is the standard they will follow worldwide.

------
bigjimslade
Government is not on your side. Remember that, for all countries, for all
times, for all peoples. Government protects itself first, at your expense, by
helping those who can help it accomplish that said goal. If you can't help it
to that end, you're nothing, literally. It truly couldn't care less about you,
your liberties, or even your very life. Government can and does completely
destroy people's lives, regularly, for having committed no moral offense of
any kind, having caused no harm whatsoever to anyone anywhere in any way, but
instead for having violated nothing more than a statute granting random
behavioral power over you to some overfunded, distant, and uninterested
regulatory agency.

This explanation might aid those who're confused about why a community
strengthening, environmentally positive, socially worthwhile website like
Streetlend would shut down in response to this huge collection of laws that
was sold to us as actually helping us.

~~~
civilitty
_> a community strengthening, environmentally positive, socially worthwhile
website like Streetlend_

If Streetlend were even remotely as you described, they would have easily made
enough money to defend itself against the government - all in glorious free
market fashion. All hail supply side Jesus! Oh wait, it's a tiny operation
making a pittance in revenue. Whoopsie!

Thankfully, this is the 21st century and Western society has long ago decided
that it'd rather have "the government" destroy individuals with a system of
courts to appeal to rather than let anyone do whatever they wanted. Thanks
Obama.

~~~
CryptoPunk
Many large and profitable enterprises struggled as marginally profitable
businesses for an extended period of time before finding a formula that
worked.

The ability to run a failing business is also valuable in and of itself. Look
at the businesses run by the McDonalds brothers before they opened McDonald's
restaurant for example, which helped them gain the experience necessary to
eventually create a successful business.

>>Thankfully, this is the 21st century and Western society has long ago
decided that it'd rather have "the government" destroy individuals with a
system of courts to appeal to rather than let anyone do whatever they wanted.

Ah yes the 21st century, where a growing proportion of young adults live at
home, have given up on starting a family, and have a shrinking pool of
industries in which they can afford to start a business or career, as a result
of an increasing number of well-intentioned regulations.

Regulations like GDPR are hopelessly misguided attempts to centrally plan
greed and abuse out of society. The complex bureaucratic rules attempt to
anticipate every permutation of commercial interaction, and predetermine the
correct parameters of action for each permutation.

It's absurdly reductionist and unworkable, and only results in more rent-
seeking and less efficiency.

------
gopher2
It seems better to ban EU citizens from your service than to shut down
entirely.

~~~
FPGAhacker
It will be interesting to see if hacker news shuts down or starts
blocking/banning EU. They certainly aren't compliant today.

~~~
dangrossman
In what way isn't Hacker News compliant today? There's a "Legal" link at the
bottom of the page where they detail what information they collect, who it's
shared with and what it's used for. It includes instructions for how to
contact them with requests to access or correct that information. It describes
the legitimate interest basis for information they collect without explicit
consent (e.g. moderation, preventing fraud). Sounds to me like they have a
lawyer that knows GDPR over there.

~~~
_o_
True, they are not. The opt-out analytics is not allowed and they are sending
the data to 3rd party (google) without user consent. I could also argue about
some minor things, but allowing google to track users without consent is a
major breach (but they can also simply fix it by using for instance piwik).

[https://techblog.bozho.net/tracking-cookies-gdpr/](https://techblog.bozho.net/tracking-cookies-gdpr/)

~~~
dangrossman
There are expensive lawyers that disagree on that, and think that the EU DPAs
would consider basic website analytics a legitimate interest (one of the
alternative justifications to consent for processing), and the current draft
of the upcoming ePrivacy regulation explicitly excludes the use of first- and
third-party cookies for those analytics from the requirement to obtain express
consent. You can review the privacy policies of some very large companies with
huge legal teams that have already made their updates for GDPR (like
LinkedIn/Microsoft for example) that use Google Analytics and many other third
party cookies on their site without asking for consent...but describe the
legitimate interest reasons for doing so.

~~~
_o_
Legitimate interest is one of the hardest parts to actually go for (I wouldn't
use it for anything that is not seen by naked eye from the Moon) and you can
argue that analytics improves the "user experience" while on the other side
the user will argue, that it is not necessary for the site functionality to
work. And it isn't. And this is the fundamental condition for legitimate
interest. So the "expensive" lawyers are wrong but I think they are just
trying to push the limits to see how far they will be able to go.

Something about legitimate interest:
[https://youtu.be/-stjktAu-7k?t=4563](https://youtu.be/-stjktAu-7k?t=4563)

Let me just point to one sentence: " _Processing conducted due to "faulty"
balance test_ (your interest vs. person fundamental human rights) _may expose
the controller_ (you) _to highest level of fines_ ". I wouldn't gamble here
and go for local analytics (again piwik is simple to install and use) or
require consent from the user.

ePrivacy is not here yet, GDPR is and I doubt the analytics will be excluded
as it is tracking in its purest form and you can set up your own software, no
need for 3rd party processor here. It would literally destroy the GDPR
principles which I doubt ICOs will allow.

For my (user) perspective: I don't have problems giving consent to particular
site if they don't give the data to any 3rd party processor, from google, fb,
amazon to various ad networks. Bottom line, the problem is not for various
sites to have my PII, but I have huge problem with aggregating those data by
single entity and I will never give consent for that (read as: google
analytics).

~~~
dangrossman
What makes you think the compliance burden is any different for self-hosted
analytics vs third-party analytics? You're the data controller in both cases,
your obligations for consent/interest, disclosure, access requests, etc are
all the same. Google Analytics has a DPA where they guarantee they meet their
GDPR obligations relating to your data, and Google is a member of the US-EU
Privacy Shield, which takes care of your obligations with respect to
transferring data outside of the EU. If anything, hosting your own Piwik
instance greatly increases your compliance burden and risk of a costly breach,
as you'll be collecting and storing much more personal data than Google does,
in a less secure environment -- Google Analytics is mostly aggregate/sampled
data, and supports IP anonymization at the edge before any processing/storage
is done.
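
The "IP anonymization at the edge" mentioned above, as an added example that is not code from this thread, from Google Analytics or from Piwik: the client address is truncated before the log line is ever written, so the stored record never holds the full IP. The /24 and /48 prefix lengths, the combined-log-format sample lines (built from documentation address ranges) and the function names are assumptions made for the example.

```python
"""Edge anonymisation of client IPs in access logs (added example).

An IPv4 address is cut down to its /24 and an IPv6 address to its /48
before the line is stored. Prefix lengths are a choice made for this
example; shorter prefixes give coarser groups and less re-identification.
"""
import ipaddress

# Constructed sample in combined log format; first field is the client IP.
# Addresses come from the documentation ranges 203.0.113.0/24, 198.51.100.0/24
# and 2001:db8::/32 so nothing here points at a real host.
SAMPLE_LOG = [
    '203.0.113.45 - - [25/May/2018:10:00:00 +0000] "GET /items/drill HTTP/1.1" 200 512',
    '2001:db8:85a3::8a2e:370:7334 - - [25/May/2018:10:00:01 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.7 - - [25/May/2018:10:00:02 +0000] "GET / HTTP/1.1" 200 2048',
]


def anonymize_ip(ip_text, v4_prefix=24, v6_prefix=48):
    """Return the network address of the prefix containing ip_text.

    Raises ValueError for anything that is not a valid IP literal, so a
    malformed field cannot slip through unchanged.
    """
    addr = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line):
    """Replace the leading client-IP field of one combined-format line."""
    ip_text, _, rest = line.partition(" ")
    if not rest:
        raise ValueError("line has no fields after the client IP")
    return f"{anonymize_ip(ip_text)} {rest}"


def anonymize_log(lines):
    """Anonymise every line; fails closed on the first malformed line."""
    return [anonymize_log_line(line) for line in lines]


if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG):
        print(line)
```

Truncating the address is one field; the request path, referer and user agent on the same line can still single a person out, so the same pass is the place to drop or hash those fields too if the log is kept for longer than fault-finding needs.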

~~~
_o_
Just for the sake of not relying on google to do their work and not having to
rely on someone who has huge conflict of interest with anything regarding user
privacy. But regardless of that I would offer a consent pop up, for this site
it is trivial, you are surprisingly clean :) Excuse me, I will refrain from
further commenting about GDPR, I am sick of downvoting and quite frankly,
people will figure it out on their own.

------
sergiotapia
Another business destroyed due to needless regulations and busy suits.

~~~
kennywinker
I'm not sure "needless" is the right word here. Even if you think this law is
bad, there is clearly a need for data privacy and protection laws.

People's reaction to their data being scooped up by Cambridge Analytica just
because a facebook friend did a survey proves the need. What CA did was
probably legal, but in most people's minds should not have been legal.

~~~
jimktrains2
> People's reaction to their data being scooped up by Cambridge Analytica just
> because a facebook friend did a survey proves the need. What CA did was
> probably legal, but in most people's minds should not have been legal.

It's not _their_ data. This is the part that drives me nuts. When you give
something to facebook, it's no longer yours and you loose control of it. It's
like this for _everything_. That nude you send your SO? It's out of your
control. That nude your SO took of you? It's even less in your control.

If you don't have a service agreement with someone, it's not your data. It
will never be your data. Stop pretending.

It's dangerous to let people think they control data they hand to other
people. They don't. They never will. Why perpetuate the illusion?

~~~
kennywinker
And yet we have “revenge porn” laws that say there are things your SO can and
cannot do with that photo.

If I put my money in the bank, that does not actually make it the bank’s
money. They have the right to do things with it - invest it, loan it, but
there is an agreement that it has not been permanently given. That agreement
is backed by consumer protection, insurance, etc. and the bank, no matter how
much they would like to, can’t make me sign a EULA that makes my deposits
theirs.

~~~
jimktrains2
> And yet we have “revenge porn” laws that say there are things your SO can
> and cannot do with that photo.

Which are mainly extensions of harassment law (again, not something you
control, but a penalty after action).

> If I put my money in the bank, that does not actually make it the bank’s
> money.

You also have an agreement with the bank as such. If I just gave it to some
guy on the corner (or PayPal) then, you know, whatever is just as possible.

~~~
kennywinker
> not something you control, but a penalty after action

I’m fine with punishing companies _after_ they violate data protection/privacy
laws.

> You also have an agreement with the bank as such

I’ve not read many bank agreements but I don’t believe they say anything like
“the bank can’t take my money to the casino and put it all on black”. Yet if
they do that they’ve broken the law.

------
sitkack
Nerds operate on technicalities, many laws operate on best effort and
in-faith. It is extremely easy to be in compliance with GDPR

    
    
        1. Try
        2. Do it
        3. Keep Doing it

~~~
jdminhbg
Good luck with your "but We Tried and then We Kept Trying" legal brief.

~~~
sitkack
This isn't Sarbanes–Oxley, this is literally don't be stupid with customer
data.

> "but We Tried and then We Kept Trying"

Will literally get you 100% of the way there if done in good faith. Crypto-
shred anything you acquire from an end user and you are good. Collect the bare
minimum to offer the service you claim to be offering, and you are good. Alert
the customer on how their data will be stored, used and fused and you are
good.

Of all people, programmers should stop whining about how hard and oppressed
their lives are. The EU is telling you to stop being a clueless *sshole. If
you even attempt to stop being one, you are fine.
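
The "crypto-shred" step above, as an added example that is not code from this thread or from StreetLend: every user's records are encrypted under a key that exists only for that user, so honouring an erasure request means destroying that key rather than hunting down every copy of the data in backups and logs. The cipher here is an encrypt-then-MAC construction built from HMAC-SHA256 so that the example runs with the standard library alone; the vault class, its in-memory key table and the sample record are assumptions made for the example.

```python
"""Crypto-shredding with per-user keys (added example).

Each user gets a random 32-byte master key. Records are encrypted under
keys derived from it and appended to a store that stands in for the
database and every backup of it. Erasure drops the key: the ciphertext
may linger anywhere, but nothing can read it.

The cipher is HMAC-SHA256 in counter mode plus an HMAC tag so this file
needs no third-party package. In production use an AEAD such as AES-GCM
from the `cryptography` package and keep the key table in a KMS or HSM.
"""
import hashlib
import hmac
import json
import secrets


def _subkey(master, label):
    """Derive an independent purpose-specific key from the per-user master."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a keystream unique to (key, nonce)."""
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt(master, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master, blob):
    """Check the tag in constant time before decrypting; ValueError otherwise."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    if len(blob) < 48:
        raise ValueError("blob too short to hold nonce and tag")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class UserVault:
    """Per-user key table plus an append-only record store (constructed
    for the example; the store plays the role of the DB and its backups)."""

    def __init__(self):
        self._keys = {}      # user_id -> master key; the only thing erasure touches
        self.records = []    # (user_id, blob); never deleted, like a backup

    def create_user(self, user_id):
        self._keys[user_id] = secrets.token_bytes(32)

    def store(self, user_id, record):
        blob = encrypt(self._keys[user_id], json.dumps(record).encode())
        self.records.append((user_id, blob))

    def read(self, user_id):
        key = self._keys[user_id]   # KeyError once the user has been shredded
        return [json.loads(decrypt(key, blob))
                for uid, blob in self.records if uid == user_id]

    def is_readable(self, user_id):
        return user_id in self._keys

    def shred(self, user_id):
        """The erasure step: destroy the key, leave the ciphertext alone."""
        del self._keys[user_id]


if __name__ == "__main__":
    vault = UserVault()
    vault.create_user("alice")
    vault.store("alice", {"name": "Alice", "street": "1 Example Road"})
    print(vault.read("alice"))
    vault.shred("alice")
    print("records kept:", len(vault.records), "readable:", vault.is_readable("alice"))
```

The part that makes this work in practice is the boundary the example hides: the key table must not be in the same backups as the ciphertext, and anything written in plaintext outside the vault (search indexes, mail queues, logs) is not covered and needs its own deletion path.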

------
chasb
For anyone interested we (Aptible) made this Slack community to answer
questions about GDPR: [https://join.slack.com/t/gridiron-gdpr/shared_invite/enQtMzQ...](https://join.slack.com/t/gridiron-gdpr/shared_invite/enQtMzQ5OTI2MzkwMjU4LWRkYzFiM2IyN2JhZjJlOTVmODkyOTk3MDJiYzBiYWVjYTkwZjg3YTEwNjAyZTliZjY3YmY3M2NkZWQ4NWM3OTk)

Disclaimer: we are a vendor that makes a SaaS offering for GDPR

~~~
mdpopescu
Er... is that meant to be funny? That website is asking for my email without
saying what it's used for :) Also, I can't refuse to provide it and still get
access to the functionality.

~~~
chasb
Literally the only thing the landing page says is the purpose and what your
email is used for: "Join the Slack workspace Aptible Gridiron GDPR Slack", and
"Verify your email"

~~~
freeone3000
Neither of those state why you need an _email_ , though. Why not a user ID of
the user's own choosing? Why does this email need to be verified?

~~~
Dayshine
...it's slack.

------
csomar
I might have missed the GDPR news/discussions but if you are in a non-eu
country and you are harvesting/using EU citizens data what could the EU do?

------
guy98238710
European developers have to deal with American software patents all the time
to ensure global distribution of their software. And software patents are way
less reasonable than GDPR. With GDPR, one can at least be sure that it is up
to the site operator to ensure compliance. With software patents, there's
always a risk that some random patent troll shows up with some obscure patent
registered 10 years ago.

------
stanfordkid
Sad -- regulation hurts small businesses. Why not make GDPR apply once the
number of users reaches a certain critical mass?

~~~
taylorswift_
That's actually a great idea in my opinion, not sure why you were down voted.
It seems that the incumbent large internet companies will easily be able to
afford this burdensome regulation but new startups all the way through medium
sized small businesses may struggle or even be suffocated by it. It would seem
reasonable to have a tiered system where the penalties only kick in when the
business has scaled.

~~~
romanovcode
I think this is horrible idea. GDPR is about data protection and consumer. It
has nothing to do with companies or their profits/sizes.

------
chrismatheson
Am I missing something?? Sure you could be sued, and that might end the small
business. But isn’t that what limited liability companies are for?

Option 1: close it down through fear of something happening.

Option 2: close it down if the worst thing actually happens.

Either way if the small company is operating at a loss/ v small profit, it’s
not going to harm you personally?

~~~
chunkyslink
Yes, I think you are missing something. You can't be sued for GDPR.

You get reported to an authority that will handle the process. The Americans
think you can just sue people all the time. It's not what it is like in Europe.
The point of this legislation is to help users, not to penalise businesses.

I mean how many companies were prosecuted for the cookie law?

~~~
boobsbr
> You get reported to an authority that will handle the process.

And then the authority will prosecute and fine you. You're screwed either way.

~~~
DanBC
Unlikely. What's more likely is the regulator will send you a letter asking if
you are in compliance or not, and then send you information about current best
practice to bring you back into regulation.

If your breaches are deliberate and flagrant you may end up with a fine. But
regulation in Europe really is light touch.

------
zerostar07
If GDPR is so easy to apply, why isn't HN complying?

~~~
jimktrains2
HackerNews also sends/streams data to Big Query for public usage:
[https://cloud.google.com/bigquery/public-data/hacker-news](https://cloud.google.com/bigquery/public-data/hacker-news)

I think you can delete from BigQuery now, but even just a year ago you
couldn't.

------
StreamBright
It seems to me that the website would be easy to make GDPR compliant. What
was the challenge here?

------
ausjke
If I own a small business, what about I just sell online without collecting
any data at all? Credit-card and Paypal etc are third-party APIs that I do not
have a copy for my own, shipping can be out-sourced to USPS/UPS/Fedex and I
don't keep any of them either. Am I now safe for GDPR? It's like a grocery
store, you buy stuff and leave the door, I have nothing on record other than
you paid me via credit card or nameless cash before you walk out of the door.

Don't know how to do RMA though, maybe for each purchase my site and the buyer
both should have a receipt that just records the transaction but nothing else
private, still not sure how to implement that though.

It's so unhelpful for small business owners.

~~~
rorykoehler
How much are you going to sell if you can't market your goods or services
properly?

~~~
jimktrains2
> How much are you going to sell if you can't market your goods or services
> properly?

You can market without having per-user data. People did it for millennia.

------
DanBC
> GDPR threatens website owners with fines of 4% of turnover or €20 million
> (whichever is higher)

This is only for the worst, flagrant willing and knowing breaches. Small
websites who made an effort to comply wouldn't ever get hit with this kind of
fine.

------
aryehof
I think this a political statement protesting regulation. It expresses a real
ignorance of the legal process, culture and mindset in Europe that looks to
actually protect the public from abuses of power, position and exploitation.

------
sriku
Wouldn't it be better for most small businesses if EU required a kind of "GDPR
certification" that comes with its own audits? That might contain potential
predatory law suits?

On the practical front, how would a product like google docs that offers
collaborative editing deal with "forget me"? If I edited someone else's
document, would Google (or whoever) be obliged to contact the co-authors to
request that edits be removed? ... or should they do that automatically?
What's expected to happen to the version history of these documents?

~~~
midasz
It's the EU, not the USA. There will be no lawsuits. Compliance agency will
check, they will report to the business, the business gets time to fix it.
Unless very negligent, there will be fines.

------
zerostar07
EU bashing aside, we've seen this play out before. Search for old HN comments
on the cookie law: It was supposed to reduce traffic by 90%, but nowadays its
worse than useless. GDPR will fail too, because it does not address the crux
of the issue: that most people do not care about willfully handing over their
data, and in fact many of them take pleasure at being public. Most people will
not care to delete their data from the service they used for 1 day. They will
not ask their local bakery to hand them over reports etc. Most people spend
most of their time on facebook, and most of them have already opted-in to the
kind of processing that facebook does. Google, amazon, netflix, spotify etc
are in line, because people are not going to give up on the most useful tech
services.

Some of the worst private offenders in europe are actually public services
like tax authorities who dug up tons of stolen data from banks, financial
services, or who use google maps and facebook to find out who is flaunting
their wealth. While not NSA-level, police authorities are catching up.
Registries of all kinds with very private info have very lax access rules in
EU countries outside the rich north.

Sure, some techies may feed their entitlement by going after some glaring
cases of violations for a few months, but the case remains that, if privacy is
a big issue, people are going to have to pay for it (i.e. they have pay a
premium). Cryptography/decentralization remains another option.

------
Angostura
Chris Beach accuses the GDPR of being ambiguous and an example of
poorly-implemented law. Combined with the guidance from something like the UK
ICO, it seems to me to be remarkably clear and not onerous if your business
isn't based on extracting value from user personal data in the first place.

Could we have some examples of the ambiguity and poor implementation?

~~~
ID1452319
The main area of ambiguity in my opinion is around "legitimate interests".
Many companies who would otherwise breach GDPR regulations are using this as a
get out of jail free card, particularly sites/applications which collect
personal data without consent.

Personally, I think there will be a number of court cases post-GDPR to clarify
what precisely is "legitimate interest" and what is a breach of the
regulations.

------
bmer
I thought the UK was no longer a part of the EU?

~~~
AdamGibbins
One interpretation of GDPR is that it applies to EU citizens globally,
irrelevant of where the company or its data is hosted.

~~~
quickthrower2
I take it as applying to expats too living in non EU countries and their
natural or adopted children, depending on how they inherit citizenship and
maybe their grandchildren.

~~~
guitarbill
I believe it's EU residents, so if you reside somewhere outside the EU, sadly
it doesn't apply.

(It's possible decent companies will not limit GDPR provisions though.)

------
gremlinsinc
You should open source the software / code. Maybe someone not in the EU could
use it to start small side project..

------
RRRA
Is there a GDPR checklist of technical things to do to prevent this from
happening to cash-strapped endeavours?

------
herbst
I hate how GDPR forces me to log additional data. Like now I should ask for a
age, have detailed access logs and so on.

I have semi anonymized data that I can now either make fully anonymous or link
it directly to a user.

Worst of all is however that the complexity of my app doubles easily when I
Actually follow all the rules.

------
dommer
Seems a little angry, sour, and conspiracy-esque. But 20 Mill is some dark
cloud.

GDPR hasn't affected
[https://www.borroclub.co.uk/](https://www.borroclub.co.uk/). So it seems like
it is possible to have a sharing website and not violate GDPR

------
nottorp
They're afraid of frivolous lawsuits... does this mean the loser doesn't pay
the winner's expenses in the UK either?

Judging by their post and the comments here, this is more of a problem with
the US/UK legal system not with the EU regulation.

------
paxys
Kinda weird that the whole post is an advertisement for the website which is
anyways shutting down, but contains no explanation for WHY the regulations
aren't feasible to implement.

~~~
lwansbrough
Have you actually looked at GDPR? It's virtually infeasible for any small
company to adhere to, based on the decades worth of software that we've built
the world's economy around. Logs, databases, backup systems, analytics,
metrics, sign in systems, e-commerce systems, fundamental algorithms were all
built without any concept of users being able to legally claw back their data.
Actually implementing this stuff in the real world _is a fucking nightmare._
It means rebuilding your entire stack if you actually intend to comply with
the laws to their fullest extent. And even then, someone can hire a lawyer and
sue you, which then burdens you as you struggle to prove your compliance,
wasting valuable time and resources for someone who didn't have the
forethought to decide ahead of time if they wanted you to have access to their
data or not.

~~~
nfoz
> It's virtually infeasible for any small company to adhere to, based on the
> decades worth of software that we've built the world's economy around.

Ah, that's exactly it. Decades worth of software irrevocably centred around
tracking and analytics.

It would be glorious to see it all thrown in the fire. We can write software
and protocols that don't spy on people. Let's get back to that.

~~~
lwansbrough
Cool, looking forward to the magical solutions people come up with for
performing full text search on encrypted PII, lest you get sued for $10M for
keeping someone's name in your database that they willingly handed over to
you.

~~~
freeone3000
I mean, they won't be magical, but we have the resources, surely.

------
voltagex_
Damn, I wanted to do this for Australia (or at least NSW) for
gadgets/electronics/computer parts etc. I wonder if I put geoblocking in place
if I'd be covered.

------
lopmotr
Couldn't he keep operating until he gets caught, then lose the case, go
bankrupt (the company, not himself), and shutdown at that point instead of
now?

------
minusSeven
Is it not possible to country ban each website ? Why couldn't they do that for
all of europe and move on ?

------
amaccuish
Not really a "victim"

------
dboreham
Here's the thing: if you already cared about your users' privacy and security,
and had some level of common decency in your approach to users, none of this
is a big deal or indeed different to what you'd already be doing.

~~~
jimktrains2
Except the gdpr goes well beyond common decency.

~~~
Majestic121
No, it does not.

~~~
jimktrains2
The gdpr is ill-specified for starters. The commentary conflicts with the law
itself, and the law makes it nearly impossible to know if you're dealing with
a gdpr data subject.

I firmly believe that companies need to protect their data better as the
consequences of loss aren't shouldered by them, which the gdpr says nothing
about.

I also firmly believe that it's their data. When I send data to another
machine, I was never under the impression that said information was mine. I
was never under the impression that anything I have on Facebook was ever or
will ever be private. I consider order information vital information _of the
company_. When I choose to load the Google Analytics tracker, I have no
notion that I own that tracking information.

Splitting basic infrastructure like backups and logs by customer or
introducing a whole system of flimsy cryptography to support that is nowhere
near reasonable and well beyond common decency.

Explaining all uses of data and why decisions are made isn't common decency.
Again, I sent you my data, it is now the server's/company's. I expect them to
do what they will with it.

The gdpr is well intentioned, but ultimately nothing more than toxic smoke and
carnival mirrors. It is an underspecified mess and burden creating the notion
that you can renege on data you send someone else.

------
KaiserPro
None of this violates the GDPR.

So long as they clearly allow opt in to what data is being processed, and why,
and a way to delete it, you are mostly ok.

As the site might need to deal with issues of fraud, you are allowed a little
more leeway in storing personal data.

------
TheForumTroll
As always, discussions about GDPR on HN are 99 % FUD.

------
marcrosoft
Regulation always has unintended consequences. This is an example of it.
Although they mean well, regulation never accomplishes its goal and restricts
the freedom of many.

~~~
oblio
> Although they mean well regulation never accomplishes its goal

Yeah man, that's why we have the safest cars and airplanes in history, because
of the free market, not because of regulations. I'm sure that United Airlines,
who literally dragged a passenger from their airplane, would have invested a
ton in passenger safety if not forced by regulators.

Sarcasm aside, laws do work. There's a reason the most developed countries in
the world have a very strong legal system. You give up a bit of freedom (which
is a bit of an obsession for Americans) in exchange for a lot of protection
from various nasty things people do to each other. As a result you sleep
better and you get the side benefit of a special brand of freedom: freedom
from fear from your fellow human beings, from their arbitrary whims (to a
reasonable degree). Unregulated societies look like Somalia. Trust me, you
wouldn't like that brand of freedom ;)

------
jancsika
How is Moxie's Signal affected by GDPR?

------
pishpash
Are there no exemptions in GDPR for small-time operations like StreetLend? Was
it a problem because of its affiliation with Amazon?

------
rando444
Unless the owner is doing something shady (or just doesn't understand the
GDPR), the issue is pretty clear.

He's running an unprofitable business (by his own admission), and likely is
running it as some sort of sole proprietorship and doesn't want to take the
risk on himself.

The solution is to create a company so that the company can shoulder most of
the risk so the company goes bankrupt in the event he finds himself unwilling
to comply with regulatory requests.

I'm guessing he just doesn't want to dump any more money into a failing
project, which is his decision to make.

Is this a failure of the GDPR though, or a success?

Personally I think fly-by-night websites should be the last people responsible
for handling personal data. If they're unwilling to attempt to comply with
regulations, then perhaps the internet is a better place without these sites.

~~~
closeparen
>If they're unwilling to attempt to comply with regulations

This is an obtuse, bordering on malicious misreading of the post. They're not
unwilling to implement the necessary features. They're unwilling to shoulder
the _risk_.

> Personally I think fly-by-night websites should be the last people
> responsible for handling personal data. If they're unwilling to attempt to
> comply with regulations, then perhaps the internet is a better place without
> these sites.

This isn't a data broker, a credit reporting agency, someone with a giant
sensor fleet, etc. It's extremely straightforward to not share data with a
"fly-by-night" website like this.

~~~
rando444
Yes, they're unwilling to shoulder the _risk_.. so why should they get to keep
people's data? Because it's a small operation? Because the owner doesn't have
time to secure it?

Yeah, it's extremely easy to not share your data with them.. if you know they
don't care about protecting it.. But what about all of the other people on the
internet that don't know this guy doesn't care about your privacy?

Convincing businesses to take your personal data seriously is the whole point,
and you shouldn't get a free pass just because you only handle people's
personal data in your spare time.

~~~
closeparen
> so why should they get to keep people's data?

Because people voluntarily provide it to them.

> But what about all of the other people on the internet that don't know this
> guy doesn't care about your privacy?

Governments confront problems with this general shape all the time... the
result is usually labeling requirements. Sure, this guy should not be allowed
to claim he has a crack team of elite cybersecurity engineers when he doesn't.
Regardless, no one is asking him keep secrets for them. It's a niche
Craigslist.

>Because it's a small operation?

You're actively campaigning to degrade privacy (and also user freedom,
competition, and choice) to a much greater degree by displacing these
activities onto large, centralized platforms. _Especially_ those which are
monetizing your data to a high enough degree that it's worthwhile to staff a
compliance team for the privilege of continuing to do so.

~~~
vkou
> Because people voluntarily provide it to them.

Voluntary or not, there are some rights that you cannot give up to someone
else. In Europe, one of those rights is control over your own personal
information.

There's also the issue of information symmetry. Just because I voluntarily
bought your product doesn't mean that you should be 100% free from any
liability that it may cause.

~~~
jimktrains2
> In Europe, one of those rights is control over your own personal
> information.

Which is a dangerous illusion. You don't control anything you hand over to
someone else.

~~~
vkou
I don't control the money I hand over to my bank, but short of complete
societal collapse, Mad Max style, it will be used, and accessible in ways that
are very clearly defined. It's not just going to disappear to the Bahamas one
day.

~~~
jimktrains2
> I don't control the money I hand over to my bank,

You do have control, actually. You and the bank have an agreement as such.

~~~
che_shirecat
Likewise users in the EU have an agreement with GDPR-compliant companies for
control over their data.

------
originalsimba
What happens when GDPR conflicts with SOX, which prohibits the destruction of
data?

GDPR is a great example of the kinds of disasters that happen when nations try
to force the entire planet to follow their unilateral actions.

~~~
kartan
If you are a bank and a client asks you to delete their data. The bank will
still keep it for the tax agencies.

If a tribunal gets asked to delete the personal data of the accused, they will
keep the data.

There is a principle of public interest and public obligations to keep data.

What part do you think that is a disaster?

~~~
originalsimba
> What part do you think that is a disaster?

uh... this post is about a guy losing his business because of the GDPR. What
part of that isn't a disaster?

>If you are a bank and a client asks you to delete their data. The bank will
still keep it for the tax agencies.

> If a tribunal gets asked to delete the personal data of the accused, they
> will keep the data.

> There is a principle of public interest and public obligations to keep data.

In other words, GDPR has no teeth outside of Europe.

~~~
lazyasciiart
GDPR explicitly lets organizations keep data if they need to. Do you think it
just turned into a magical get-out-of-your-past switch that means "my employer
will have to delete records of firing me!"?

~~~
abraae
I don't think you've read the legislation.

Your example "my employer will have to delete records of firing me!" is
exactly how the GDPR works.

There are exceptions, e.g. if the firing is now leading to a court case, but
they are less than you think.

In an ironic twist, after deleting the data subject's personal information,
you must be left with nothing that identifies them, so you don't even know
that they have requested this in the past - only that someone exercised their
right to erasure (not who).

~~~
lazyasciiart
Yes, I have read it, although I am not a lawyer. Have you? Because the
exceptions include "necessary in relation to the purposes for which they are
collected or otherwise processed", and avoiding re-hire of a bad employee
seems pretty related to the purpose of identifying employees in the first
place. If you have professional legal advice to the contrary I would
definitely be interested in knowing more.

~~~
abraae
I'm not a lawyer but I've read it fairly thoroughly. From the ICO, the
exceptions to the right to erasure are below (none of them cover your
example):

The right to erasure does not apply if processing is necessary for one of the
following reasons:

to exercise the right of freedom of expression and information;

to comply with a legal obligation;

for the performance of a task carried out in the public interest or in the
exercise of official authority;

for archiving purposes in the public interest, scientific research, historical
research or statistical purposes where erasure is likely to render impossible
or seriously impair the achievement of that processing;

or for the establishment, exercise or defence of legal claims.

~~~
lazyasciiart
Ok, well here's the text of the legislation.

Article 17.1 The data subject shall have the right to obtain from the
controller the erasure of personal data concerning him or her without undue
delay and the controller shall have the obligation to erase personal data
without undue delay where one of the following grounds applies: a) the
personal data are no longer necessary in relation to the purposes for which
they were collected or otherwise processed; [https://gdpr-info.eu/art-17-gdpr/](https://gdpr-info.eu/art-17-gdpr/)

If you read further down the page, you come to the section you are quoting,
17.3, which says that the above right from 17.1 does not apply even if one of
the conditions in 17.1 is met. However the scenario we are talking about is
one where none of those conditions were met in the first place, so we never
had to look at 17.3.

You can argue that 17.1.b/c would require an employer to remove any
demographic/political data it had stored on you, but absolutely not that it
requires the employer to remove the record of your existence at the company.

~~~
abraae
Again, IANAL, but according to 17.1.b, the data subject ... shall have the right
to obtain from the controller the erasure of personal data concerning him or
her ... where one of the following grounds applies: (17.1.b) the data subject
withdraws consent on which the processing is based

17.1.b appears to be the trump card held by the data subject. They can
withdraw consent at any time and request erasure.

Once they do, the data controller can then use any of the exceptions in 17.3
to deny them. However none of these is "because I want to keep records of all
firings".

My further understanding is that you certainly could keep a record that
someone was fired, just not a record that included any personal information
that could identify who that was.

i.e. pseudonymization.

~~~
lazyasciiart
No, I addressed that. 17.1.b doesn't cover identifying data, it covers data
about their characteristics. That's what my last sentence was about - you can
demand that they remove the information that you are black, but not that they
remove the information that you were there.

(edit - and I think you could keep the information about their race/etc if it
was properly pseudonymized, but I haven't tried working that out so I'm not
sure).

------
_o_
I can shut down my site at any given moment, citing attack from Mars. And? I
think that GDPR was just an excuse; if this were a booming business, he
wouldn't have a problem adjusting to GDPR.

------
dsfyu404ed
The result of " sed 's/GDPR/tax law/g' " applied to the comments says a lot
about the filter bubble we're in.

------
donttrack
Why did it have to shut down?

~~~
AdamGibbins
Scroll down, it answers the question.

~~~
lucb1e
(not OP) I scrolled down and didn't find an answer. The section labeled "why
shut down" mentions (paragraph by paragraph):

- "[GDPR] creates uncertainty and risk" -- which?

- "fines of 4% of turnover or €20 million (whichever is higher)" -- as if a
small infraction is going to get the maximum punishment. He can't be serious
here.

- "ambiguously-defined hoops" -- which requirements are ambiguous?

- "parasitic no-win-no-fee legal firms, puts website owners at risk of
vindictive reporting" -- if you ever needed one of those companies (I did
unfortunately), you'd know that _someone_ always ends up paying the lawyers.
Either the sued company or the client. It's _definitely_ not risk-free for the
client.

- "this new EU law hurts small and ethical startups" -- what clause of GDPR
would ethical startups run afoul of anyway? It's aimed at unethical ones. And
as for "small", then you can't get a big fine anyway right? At least, unless
you intentionally cause big damages, I don't see how a small firm like this
could unintentionally cause such big damages that large fines are in order.

So it's not answered. And I am still wondering what part of GDPR he doesn't
already comply with in the website's current form, as the Dutch "WBP" from
2001 required 95% the same things. I assume the UK generally has somewhat
similar laws.

~~~
davorak
Some people are under the impression that ip addresses fall under "personal
information". So if the user account is deleted and the associated ip logs are
not deleted this would be a GDPR violation.

Another potential violation would be asking a user's age (like asking their
birthday), but not needing their age for the operation of the service.

It is currently unclear how rigorously GDPR will be enforced. In the extreme
case of rigorous enforcement nearly all current server/frameworks would cause
violations by default and would need to be overhauled.

There are a bunch of other examples in the comments that are likely violations
for the site as well. It is unclear how many of these apply since it is
unclear how the GDPR will be enforced.

~~~
jimktrains2
> Another potential violation would be asking a user's age (like asking their
> birthday), but not needing their age for the operation of the service.

In theory, in the US this could be driven by COPPA, but I haven't seen a
birthday asked for that reason in a long time. It also wouldn't be a reason to
store it, only to ask and process ephemerally. I believe it's also common in
the US for alcohol-related websites to ask age; although that could be
misguided, it is common. Again, not a reason to store, but to ask.

~~~
davorak
Yeah, I was not clear. My intent was to talk about storing a birthday vs
storing a boolean indicating if the user was the age of majority or a boolean
for whether they were 13+ for COPPA.

Storing the value, rather than ephemerally processing it, is a matter of
convenience so you do not have to ask your authenticated user to re-input
their age/birthday/<are you an adult> all of the time.

That said it seems unlikely that a regulator would come down hard on a data
processor that stored a date vs storing a boolean value.
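
Both the pseudonymisation point in the abraae/lazyasciiart exchange above (keep the record that someone was there, strip what identifies them, and do not record who asked for erasure) and davorak's boolean-versus-birthday point, as an added Python example that is not code from the thread or from StreetLend. The in-memory tables, field names, the treatment of IP addresses as personal data, and all sample values are constructed for illustration.

```python
"""Added example (not from the thread): data minimisation and erasure.

Models two points made above: keep a derived age flag rather than the
birthdate (davorak), and on an erasure request drop the identifying
fields and the linked IP logs, keep event records under a random
token, and log the erasure without recording who asked (abraae).
The in-memory tables and all sample values are constructed here."""
import secrets
from datetime import date

USERS = {}        # user_id -> account fields (no birthdate kept)
IP_LOGS = []      # rows of {"user_id", "ip", "ts"}
EVENTS = []       # rows of {"subject", "kind"}; subject is user_id or token
ERASURE_LOG = []  # rows of {"on"} only: no reference to the data subject


def age_flags(birthdate, today=None):
    """Derive the booleans the service needs from an ISO-format birthdate
    supplied at sign-up; the birthdate itself is processed ephemerally."""
    b = date.fromisoformat(birthdate)
    t = date.fromisoformat(today) if today else date.today()
    years = t.year - b.year - ((t.month, t.day) < (b.month, b.day))
    return {"is_adult": years >= 18, "is_13_plus": years >= 13}


def register(user_id, email, birthdate, today=None):
    """Store only the email and the derived flags."""
    USERS[user_id] = {"email": email, **age_flags(birthdate, today)}
    return USERS[user_id]


def erase(user_id, today=None):
    """Right-to-erasure handler; returns counts for the caller's audit."""
    USERS.pop(user_id, None)
    # IP addresses are treated as personal data, so the user's log rows go
    # with the account rather than being left behind.
    before = len(IP_LOGS)
    IP_LOGS[:] = [row for row in IP_LOGS if row["user_id"] != user_id]
    # A random token, not a hash of the identity: hashing the same email
    # later would re-link the records; a random value cannot be reproduced.
    token = secrets.token_hex(8)
    changed = 0
    for ev in EVENTS:
        if ev["subject"] == user_id:
            ev["subject"] = token
            changed += 1
    # The log proves a request was honoured without naming who made it.
    ERASURE_LOG.append({"on": today or date.today().isoformat()})
    return {"ip_rows_removed": before - len(IP_LOGS),
            "events_pseudonymised": changed}
```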

------
wiradikusuma
I didn't really understand the implications of GDPR until I read this. Now I
understand the paranoia.

Basically, in good faith, everyone is happy: website owners take measures to
protect their users' data, and ask for consent. But 1 unsatisfied user, or
heck a slimy competitor, can bring you down (I assume €20 million fine is
business-killing for most startups).

The key is "targeted". If you're targeted, since it's ambiguous, your chance
of losing is higher.

On the brighter side: Some people make extra income! /snark

~~~
Dayshine
"Targeted" is someone complaining to their national regulatory authority.

Who will likely do nothing based off a single report.

------
rdlecler1
What bothers me about GDPR is that you can’t make consent a precondition for
service. Maybe user data is my business model. Or maybe I’m a US company and I
don’t want to have to deal with issues of Europeans accessing my site. Why
should the GDPR be my problem if I’m not in the EU? Don’t like it, don’t use
it. There’s too much overreach here.

~~~
ec109685
That isn’t true. You can ask for what is necessary to run your business as a
precondition for using your site.

~~~
rdlecler1
No it’s not.

[https://www.google.com/amp/blog.lukaszolejnik.com/gdpr-consent-requirements-first-ico-guidelines/amp/](https://www.google.com/amp/blog.lukaszolejnik.com/gdpr-consent-requirements-first-ico-guidelines/amp/)

~~~
ec109685
That isn’t true. YouTube for instance _requires_ you to give basic consent to
use YouTube: [https://adexchanger.com/privacy/this-is-how-google-is-preparing-for-gdpr/](https://adexchanger.com/privacy/this-is-how-google-is-preparing-for-gdpr/)
(not the best citation)

~~~
ec109685
Another example:
[https://mobile.twitter.com/johnnyryan/status/993827965594202...](https://mobile.twitter.com/johnnyryan/status/993827965594202112)

------
Meekro
Typical.. Equifax gets off with a slap on the wrist. Facebook talks to
Congress for a bit before returning to business as usual. Nothing happens to
Cambridge Analytica.

But damn if they don't destroy a few small businesses to show that the
government is on the case.

~~~
guitarbill
Equifax is US. Congress is US. Cambridge Analytica got raided by ICO, the UK's
data protection agency; the investigation is ongoing (although one of the
witnesses is a bit... shaky). Troll somewhere else.

