
Ask HN: Non-EU developers, how do you plan to handle users from GDPR countries? - rotrux
"The EU's General Data Protection Regulation is going to be implemented in May next year."*

Multinationals operating in GDPR-compliant countries will face MASSIVE fines if a request to delete PII isn't fulfilled within some time-frame. In addition, proof needs to be provided.

Given that data-sprawl is an insufficient term to describe the organizational-complexity of consumer-data within large firms, what's the plan???

* - Inspired-by/stolen-from: https://news.ycombinator.com/item?id=15932232
======
jgimenez
Companies under 250 employees can avoid most of the impact of the law. I think
it's kind-of well designed, because it affects the companies who can afford
the compliance work.

------
danieltillett
By doing nothing. Either it will be found to be totally unworkable or they
will fine me and I will wait for the EU to come and collect their fine with
their army. EUFU.

------
jasonkester
Same way I deal with their silly cookie laws: don't sabotage my site's user
experience for somebody else's poorly thought out laws.

I still get the occasional angry user complaining that my website deleted
something of his after he clicked the delete button and the confirm button. So
I make his day by flipping .IsActive back to 1.

If you really don't want something to be on the internet, don't upload it to
the internet.

------
Sevii
My plan is to ban EU residents in my TOS and not bother enforcing it.

~~~
danieltillett
Not that it is likely to matter, but legally this is not much of a defence -
you are not the first person who hasn't tried to get around a law by doing
something similar. The courts don't look kindly on these sorts of actions.

~~~
romanovcode
He can just block EU residents from registering to his service, obviously
explaining why.

~~~
danieltillett
Yes this would be a defence, it is the non-enforcement that is not.

------
jonathan-kosgei
If you need a way to identify EU users then you can do so via our IP
Geolocation API (ipdata.co) that returns an `is_eu` flag. Then do whatever you
like.

------
zerr
Why not just fulfill the request?

~~~
danieltillett
Principle. The idea that a country that you have no relationship with can
apply their laws to you as they wish and you have to comply is insane. What if
North Korea passes a law that says 99.9% of your income has to be given to the
DPRK? Are you going to comply with this? EUFU.

~~~
romanovcode
What principle? So you will not comply with a user who wants to remove his
personal data from your service by his request just because of principle?

In theory any person should be able to ask a service to remove all his
personal data if he wishes. EU just makes this a law, which IMO is very good.

It's funny how people praise privacy and at the same time don't want to do
anything about it for their userbase.

~~~
danieltillett
The principle that a country can apply its laws over me despite me neither
being a citizen, resident, or in any way connected with that country.

If a user asked me to remove their data I would, but I don't want to do this
because some entity on the other side of the world decides to apply their laws
to me. Allowing this sort of activity is only going to end in tears.

------
marenkay
If data sprawl is your issue, fix your company processes and the problem will
be solved.

GDPR mainly resolves flaws in how companies relying on IT use their customers'
data. Blocking EU customers is just delaying the inevitable since GDPR
equivalents will be established in the US or whatever too.

