
GDPR, China and data sovereignty are ultimately wins for Amazon and Google - rbanffy
https://techcrunch.com/2018/05/29/gdpr-and-the-cloud-winners/
======
smallnamespace
Any cost that has a high fixed component and a lower variable component leads
to increasing returns to scale for enterprises.

We see this with regulation all the time, e.g. Dodd-Frank made it harder for
small banks to raise capital.

~~~
JumpCrisscross
Most successful compliance regimes balance the need for regulation against
incumbency bias by making the regulation more stringent for larger firms.
Restaurants, for example. If GDPR had envisioned a €1 million global revenue
floor for everything but the civil liability components, it would have been
successful.

~~~
PurpleBoxDragon
The GDPR seems to have been designed to do the opposite of this by imposing a
maximum cap on fees that could total many multiples of revenue for a small
business but which will never be greater than 1/25 the revenue of a large
business.

~~~
tscs37
Revenue is not profit or the money available to a business.

1/25th of revenue sounds small but if you have a profit margin of 30% that's
already 13% of your profit just gone. At 10% margin it's 40% of your profit.

I think large business still very much cares when 40% of annual profit just
goes poof.

~~~
ryanwaggoner
Yes, but if you’re a small business, it could be 40,000% of your profit.
Goodbye business, goodbye employees.

Meanwhile the large company grudgingly pays their fine and rolls on.

~~~
tscs37
EU regulators don't do that, mostly because in the EU there is a right to a
proportional punishment, meaning you must be able to pay it, at least if you're
a corporation.

The EU has no interest in bankrupting anyone, there are guidelines set up by
the EU for the regulators for this.

~~~
ryanwaggoner
I’d really like to see a source that regulators are not allowed by law to levy
a fine that would force a corporation into bankruptcy. I’m quite skeptical you
can provide one :)

~~~
tscs37
GDPR Art 83, §1

Effective, proportionate and dissuasive fines are widely understood under
common EU law that the fine may not bankrupt a corporation, if it does for
whatever reason because it's too high, you can seek legal remedies against the
authority as per GDPR Art. 78

And that is only the GDPR, there are similar provisions in all EU member
countries.

The exception will be, of course, if you caused economic damage to users or
others, in which case you'll have a case at the regulator and a court case
will be opened too, both of which are independent and the court case can
certainly bankrupt you if the damages far exceed what your company has in
assets (in which case your company will be forcefully dissolved and that's
that)

~~~
ryanwaggoner
Yeah, so as I suspected, it’s “widely understood”, which means discretionary
and up to the whims of regulators in 28 different countries. But don’t worry!
When they bankrupt you, you can just challenge in court! Of course, that’s
hardly novel for any country with the rule of law, nor is it cheap or likely
to succeed.

This is yet another example of: “the EU regulators are our friends! You can
trust them!”

I’ll pass.

~~~
smallnamespace
You seem to be moving the goal posts a bit here, from 'please show any
evidence of X' to 'prove X is without potential flaws'.

I mean, is there any sensible way to prevent regulators from bankrupting a
company _without_ some level of discretion and case-by-case consideration?

Moving everything into the legal system also has issues, as you point out.

------
ge0rg
It's really cynical that before I can even read this article about the GDPR,
TC makes me painfully aware that they

- violate my GDPR rights by requiring opt-out from their tracking, instead of
opt-in

- are going to sell my data to hundreds of "partners"

https://gdprhallofshame.com/5-techcrunch-engadget-and-oath-cookie-gore/

Even if I would bother enough to do this dance from my mobile device, which I
don't, there is no way the article can convince me that it's unbiased
journalism.

------
niftich
The article lays out its thesis pretty well. In the wild wild days of little
regulation on personal data, everyone vacuumed up as much as they could,
because it might be useful someday, and there were few laws with teeth to stop
them. Usually, this was used for analytics and 'big data', but frequently, it
cycled back into targeted ads. Entire conglomerates made most of their revenue
this way: Google, Facebook, Verizon+AOL+Yahoo. I'm not sure Amazon really fits
here, because they make most of their money by selling you actual things
(compute, products) rather than your data to an outside party, but they do
collect a fair bit of data about one's preferences, so let's keep them here.

Now, the door's been shut behind them. It's fair to assume that big companies
are better equipped to hire experts to navigate the issue of compliance than a
random 8-person startup fresh off the press; whereas 10, 20 years ago these
exact sort of new ventures are what grew into data harvesting machines that
were usually acquired by someone with bigger wallets. This is one of the
mechanisms of regulatory capture: even if the law is good for the public, most
of the companies that engaged in the now-illegal tactics can pivot to
something else or figure out how to stay in compliance, while any new players
hoping to use the same mechanism are forbidden from doing so. This is a fairly
typical outcome when regulation is first applied in a space where it wasn't
before.

The twist is that some of the same players that engaged in the harvesting and
trafficking of personal data have also branched out into cloud computing and
various value-add SaaS to sell B2B, and they can capture some revenue from
other companies that are just going about their everyday business and are
looking to stay compliant with the new regulation. This is a boon for the
likes of Amazon, Google, Microsoft, who've engaged in both targeted ad
tracking and cloud computing. Increased uptake in their cloud offerings will
help insulate them from the tightening of the targeted ad space.

The substance of the article is solid. But for those alleging FUD, keep in
mind that TechCrunch is owned by Oath, the content subsidiary of Verizon, a
content and infrastructure company without a strong story in B2B cloud
computing, and whose revenue is chiefly derived from (1) providing bulk
telecom interconnect, (2) being an ISP, both wired and wireless, and (3)
correlating user behavior across their portfolio of sites and using their
network. One can easily make the case that these sorts of companies are among
the most vulnerable to this sort of regulation.

~~~
dasil003
It really depends on whether the regulation actually changes practices and
cuts into their core business model. A big part of GDPR is simply making
consumers aware of how their data is being used. As awareness and scrutiny
increases, it's entirely possible that ad tech as a whole suffers, and that
will hurt Facebook/Google disproportionately.

If the landscape changes significantly, that is advantageous to startups
because they can choose to avoid quagmires entirely. It's really the
middle-stage ad tech companies that don't have the cash to comply, but have
too much momentum to change course that will really be fucked.

Of course it's true that you can't start another Google or Facebook today, but
that is for many reasons among which privacy regulation is merely a footnote.
I get that a lot of fortunes were made in ad tech, but innovation will not
stop because practices need to change.

~~~
Mirioron
It's not about the fortunes that were made. It's about the fact that these
kinds of rules could put an end to the relatively free internet we have had so
far. It makes it harder for smaller sites to pay for maintenance costs while
also increasing the barrier to entry even on the very lowest level.

Remember the teenagers that were setting up their forums and messing about?
You can't do that anymore. The chance that people like that would follow these
laws is tiny. The effects of something like this are very hard to predict,
because we know that hobbyists gave us many cool things over the years and
they ended up transitioning into lucrative careers. This kind of an avenue is
severely hampered by this. I'm afraid that this kind of regulation is simply
the first step to wrestle control over the internet, and if governments manage
to do that then the internet stops being free.

~~~
dasil003
This is pure FUD. For a forum to be GDPR compliant all you have to do is tell
the user what you plan on using their data for (probably just posting to the
forum) and give them an option to delete their account. Also, the chances of
regulators coming after hobby projects is nil. A lot of people seem to be
parroting these talking points that are straight out of an ad-tech lobbyist's
handbook. The sky is not falling, and the threat to the free internet is _far_
less than what we are facing from ISPs.

~~~
Mirioron
Any additional barriers to entry are still barriers to entry. These are
non-technical problems that are difficult to truly grasp, because even people
who do this for a living seem to disagree on many points.

> Also, the chances of regulators coming after hobby projects is nil.

"The regulation is okay, because we're only going to use it against the bad
guys." This is not how a society based on justice is supposed to work.

------
49bc
Don't look at GDPR and see it as some kind of slap in the face to Facebook or
Google. The reality is that regulation like this invariably benefits the
companies large enough to hire the lawyers to abide by the regulation. Similar
story for tax-law complexity.

Large corporations thrive in highly regulated environments without fear of
competition.

~~~
OldSchoolJohnny
You don't need a lawyer to abide by GDPR, it's pretty straightforward stuff.

~~~
fixermark
Nothing about data storage and manipulation is straightforward.

Is the web server software you're using logging network requests? Are those
requests possibly considered PII? Congratulations, you now have to care about
the GDPR.

https://www.ctrl.blog/entry/gdpr-web-server-logs

~~~
PuffinBlue
Which is to say you don't have to care much at all, seeing as you do NOT need
to inform or obtain consent from users to keep web logs that serve a
'legitimate interest' such as fraud, security or spam prevention.

Obviously if you were in the business of leaving such data insecure for anyone
to obtain or merrily selling it on to reap as much dollar from your visitors
as possible then you may be in for a bad time.

Otherwise it's just best practice to do what GDPR says anyway in the example
you provide.

~~~
fixermark
From the top of
https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/

""" “Legitimate interest” may be among the most confusing concepts written
into the GDPR, which is not helped by the amount of incorrect interpretations
available when you search for the term online. """

It's going to be up to individual companies and orgs how much risk they want
to absorb trying to sort this dimension themselves rather than hiring a
professional; I suspect we agree on that. But I suspect quite a few companies
will want to soak the cost of having a professional review this stuff rather
than trust their own common sense (especially if their common sense is not
European-originated but they plan to have European users).

~~~
krageon
It is not risk. If your relevant regulatory body decides that your reasons are
not legitimate (and if you definitely are using them to prevent service
degradation and don't keep them around forever, I don't see why they would)
then they will tell you so you can alter it.

~~~
fixermark
Companies hate building business models and practices around "Well, if the
regulator's cool with it, then..." That's the very sound risk makes.

------
taysic
An EU company will have a harder time targeting EU residents under GDPR than a
US company will have (for its own residents). Wasted money on non-personalized
ads could be the difference between continuing to exist for some. So it could
potentially hurt EU companies that want to advertise too - though I really
don't know the extent of advertising there.

~~~
adventured
That's exactly what's going to happen.

I can create a business model in the US market - in the vast majority of
nations in fact - that can't exist in the EU, pay for it with targeted
advertising in the US market and give the product away for 'free.' I can scale
it with US ad practices, then move into the EU with full GDPR compliance and
continue to fund that product with the vast, lucrative, targeted US ad market,
doing things with customer data and generating margin that is impossible in
the EU. The EU can't project its jurisdiction globally to prevent this
approach.

GDPR is a massive win for US companies, it increases the already overwhelming
US competitive advantage. The US tech giants can trivially comply with GDPR,
and the EU ends up as more of a tech hermit kingdom with every restriction and
compliance requirement they put into place.

Starting and building a company like Google or Twitter in the EU was very
difficult before, now it's impossible. Every future Google in the West will be
born in the US perpetually from here on out.

~~~
Mirioron
And then 20-30 years later large scale automation goes into full swing and the
EU has a smaller qualified work force to pull from. I just don't see this
ending in a beneficial way for the EU.

------
Bucephalus355
This is a good thing.

For all the criticism of Google, which I have done extensively, very little
negative is said about their security. The fact that you can have 99 character
passwords in Gmail speaks to this (PayPal and Bank of America’s limit is 20
for example).

Everyone today worships small business, but the 30 years of incredible
economic growth was partly achieved by the partnership of Big Business with
Big Labor and Big Government.

As Galbraith said at the time: “the entrepreneur, as many see him, is a
selfish type motivated primarily by greed, and he is furthermore, unhappy.”

I think entrepreneurs have contributed a lot to society, but I also think new
eras come and go, and the worship today of “innovative startups” will not
last forever.

------
hshehehjdjdjd
I’m surprised that so many people are missing this. Google and Facebook may
come off better than most tech companies, but surely the real winners must be
whoever was not relying on your personal data to begin with? E.g. tv, radio,
and print.

~~~
graeme
If people are on the internet, they're not going back to radio because of
GDPR.

~~~
hshehehjdjdjd
That is not what I’m getting at at all. I’m referring to the changes in
relative value of different advertising channels post GDPR.

~~~
graeme
But the return on ads is based on absolute value, not relative value. It would
be irrational to spend more on radio when radio doesn't change.

~~~
hshehehjdjdjd
I don’t know that ad budgets are allocated perfectly rationally. My
understanding is that it more often works like: “marketing department, here is
XX million. Do your best with it.” Add to that the lack of perfect information
about impact and penetration, and it’s hard to determine absolute value.

~~~
graeme
Not perfectly. But over time they tend to go with what produced returns.

But yes, I suppose in the short term budgets will be fixed and some may try
radio etc again

------
theyinwhy
Thought control is such a lunatic term that I cannot take anyone seriously
using it.

There is no thought control, only data (lots of ads of course) that you
yourself receive, think about and shelve.

~~~
woolvalley
'Control of the information flow to your populace by censoring bad things and
putting out misinformation, which then informs the thoughts of the populace'.

------
zerostar07
China, Russia have strategic interest to protect. The EU, I'm not so sure
what it is protecting, and reading this law it's really hard to tell if we are
supposed to have some kind of advantage now. It seems more like an extreme,
wrist-slapping attempt of its leftist lawmakers.

~~~
TheForumTroll
Leftist? The EU? Now I have heard it all!

~~~
Mirioron
Are they not? Isn't a significant portion of the EU on a ~50% tax burden?

~~~
Fnoord
Depends on your PoV.

From my [summed up] European's PoV Obama was very right wing and Trump is
veryyy right wing. From an American's PoV _that_ PoV lacks nuance. So I
generally refrain from using those simplistic terms when potentially talking
to Americans; gets discussion nowhere.

Here's the data on political groups (coalitions) in the EP. [1] Claiming these
are "left wing" is.. well.. clearly US centric PoV, but also overly simplistic
and bifurcating. Calling Europe left-wing, knowing that Europeans are going to
read it and reply is also fuel for a flamewar. Hence why I linked some data to
put things in perspective.

[1]
https://en.wikipedia.org/wiki/Political_groups_of_the_European_Parliament#Current_composition_of_the_8th_European_Parliament

~~~
Mirioron
As a European as well I disagree with Obama being right wing. I can't even
fathom what constitutes left wing in that case that isn't socialism.

------
bencollier49
Given that TechCrunch/Oath was called out by a lot of people for "GDPR fails",
I find their impartiality rather suspect.

------
jakeogh
The EU needs another top level agency to decide what is OK to remember.

------
bad_user
I find such reasoning to be bullshit.

Example: DuckDuckGo had no issues in ensuring people’s privacy for years and
I’m fairly sure that they have zero problems with GDPR. And they are not and
have never been at Google’s scale.

What happens actually is that privacy-violating companies are trying to keep
doing whatever it was they were doing, but then discovering that no sane
individual would opt-in to being tracked, without having access blocked of
course, which then leads to lost revenue anyway.

So they are trying to game the system, which gets expensive of course. Now you
need lawyers and experts in dark patterns. But when your entire business model
depends on people's ignorance, you really can't claim the high moral ground.

Such articles are engaging in sponsored FUD.

~~~
JumpCrisscross
> _I’m fairly sure that they have zero problems with GDPR_

My understanding, from a friend there, is GDPR imposes significant costs on
their operations. The problem isn’t the intent of the law. It’s its
implementation. The administrative burdens imposed by the mandated bureaucracy
are massive.

~~~
mywittyname
How big is the team at DDG? I handled GDPR compliance for a company big enough
to have probably helped draft the law and it wasn't that bad at all. Many of
the systems were already in place because they've been industry best-practices
for a while (encryption, de-identification, internal access guards).

The two things that needed to be developed were systems around rights of
erasure & access. Both of these are pretty straightforward systems -- it's a
REST API for getting user details from a system, and deleting user details
from the system.

I believe people are making GDPR out to be much worse than it is.

~~~
dominotw
> deleting user details from the system.

What are you considering 'user details' ?

~~~
bad_user
Primarily data that can be used to identify the user and these have a pretty
good definition.

If you have a database with users in it, that's basically the row in the Users
table, along with everything in the database that has a user_id, which
depending on the data you're talking about, might be enough to just set the
user_id to `null`, but if unsure and if possible, then cascade delete is the
safe choice.

Basically that's nothing that a normal RDBMS doesn't do efficiently already.
If you are using a RDBMS, you should have had a sane deletion policy on your
foreign keys already.

It gets more complicated with NoSQL databases of course, but you knew already
that by using a NoSQL that's essentially technical debt you're postponing. But
having worked on many such systems in the past, it's not a tragedy and
certainly not something that couldn't be solved in the last 2 years since the
GDPR was adopted.

Honestly, GDPR was adopted 2 years ago and people now act all surprised that
it came into effect.
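
The foreign-key deletion policy described in the comment above, shown as an added example that is not part of the thread. The schema, table names and sample rows are constructed, and Python's built-in `sqlite3` stands in for "a normal RDBMS"; the free-text check at the end is an added assumption about where identifiers can outlive the row.

```python
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, name TEXT NOT NULL);
-- Personal data with no reason to outlive the account: cascade delete.
CREATE TABLE addresses (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    street TEXT NOT NULL);
-- Records assumed to be retained (order totals): only the link is cleared.
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    user_id INTEGER REFERENCES users(id) ON DELETE SET NULL,
    total_cents INTEGER NOT NULL,
    note TEXT);
"""

# Constructed sample rows, not data from the thread.
SAMPLE = """
INSERT INTO users VALUES (1, 'alice@example.test', 'Alice'),
                         (2, 'bob@example.test', 'Bob');
INSERT INTO addresses VALUES (1, 1, '1 Example Street'), (2, 2, '2 Sample Road');
INSERT INTO orders VALUES (1, 1, 1999, 'gift, invoice to alice@example.test'),
                          (2, 2, 500, NULL);
"""


def open_db(enforce_fk=True):
    """In-memory database with the sample schema and rows."""
    conn = sqlite3.connect(":memory:")
    # SQLite ignores ON DELETE actions unless this is enabled per connection.
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def tables_with_user_id(conn):
    """Every table that carries a user_id column, found from the catalog."""
    names = [r[0] for r in
             conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    return [t for t in names
            if any(col[1] == "user_id"
                   for col in conn.execute(f"PRAGMA table_info({t})"))]


def erase_user(conn, user_id):
    """Delete the Users row, then report anything that still points at the user."""
    row = conn.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise KeyError(user_id)
    email = row[0]
    with conn:  # single transaction: the delete and its FK actions commit together
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))

    report = {"dangling": {}, "text_hits": []}
    for table in tables_with_user_id(conn):
        count = conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE user_id = ?", (user_id,)
        ).fetchone()[0]
        if count:
            report["dangling"][table] = count
    # SET NULL removes the link, not identifiers copied into free-text columns.
    report["text_hits"] = [r[0] for r in conn.execute(
        "SELECT id FROM orders WHERE instr(note, ?) > 0", (email,))]
    return report


if __name__ == "__main__":
    print("FK enforced:    ", erase_user(open_db(), 1))
    print("FK not enforced:", erase_user(open_db(enforce_fk=False), 1))
```

With enforcement on, the address row is gone and the order keeps its total with a null `user_id`, but the order note still contains the e-mail address; with enforcement off, both child tables keep rows pointing at the deleted user.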

~~~
dominotw
> these have a pretty good definition

Thank you for your response. I've been trying to find this in GDPR docs but I
can't seem to find a clear definition. Can you link me to the definition if
you have it handy by any chance?

I can tell you a couple of examples where simple delete from database is not
enough.

One example is an analytics PDF report that was sent to management with geo
diagram with number of purchases dotsizes/zipcode in a city.

------
nannePOPI
Did you ever notice that when it comes to protecting a public official, for
example a cop killing someone, all the State pieces work in perfect synchrony?
I mean, everyone, from lawmakers, judges and the lowest of clerks suddenly
learn how to make exceptions and interpret the laws in new ways.

Yet, I have to believe that lawmakers aren't able to stop billionaires from
screwing up the small guy without making complex regulations that impede
progress and innovation, regulations that in the end make the rich and the
bureaucrats a lot of money and sink hopes for the honest entrepreneur. I have
to believe they're making the laws in good faith because they really have no
alternative. Of course. I totally believe it.

~~~
spaginal
Regulations are written by very big companies in that space of the market. The
EU isn't immune to this, and our government in the US definitely isn't. I know
this seems counterintuitive to people not familiar with barriers to entry in
industry, but big companies easily absorb costs in regulatory frameworks that
are legally put into place. They normally lobby and ensure that whatever goes
into effect is either something they are actively doing, or can do at minimal
cost to them, while being a large cost to others.

A great example recently in the United States was in the Consumer Product
Safety Improvement Act passed in 2008. It was in response to large toy makers
using lead paint in their toys coming from China. It wasn't small toy makers
doing this, it was the Mattels. As a result of what these large companies did
with their disregard to product safety, a regulatory safety framework was put
into place that Mattel could easily absorb into their operating costs, while
small mom and pop makers suddenly had a very expensive process to go through,
even if they were not the cause of how this law came into effect.

We can all agree on respecting privacy, toy safety, etc. It's a good thing.
But just remember that usually these things are passed to protect large
companies, not necessarily for the benefit of the consumer, and definitely not
for young competitive companies trying to break into a market space that now
has a huge initial cost that may be insurmountable. The result sold to the
consumer is normally just a side effect used to promote it.

~~~
waisbrot
Is that a great example? If you gave Mattel the choice between absorbing a
regulatory framework and just having extra money would they really have chosen
the former?

You can pay for safety explicitly with regulation or implicitly with poisoned
children. Regulation hits small businesses harder; rather than concluding that
regulation sucks, maybe we should try something else like providing some
publicly-funded office to provide compliance help to small businesses.

~~~
Mirioron
You will never get anywhere close to mitigating the harm that regulation does
to innovation through something like that. Approach this from the perspective
of UX design. The more barriers a user has to overcome the less likely they
are to actually try the product. In this case the user would be a small
entrepreneur trying something small. But a lot of businesses start out as
something small. If they work then they grow, if they don't they go back to
the drawing board. If you put barriers on the way of these people they often
won't even try.

That doesn't mean it's impossible to start a business, but it does mean you'll
get a lot less of them. A lot less of them also means less successful ones and
less jobs.

