There are companies that will go out of business, or have to pivot heavily, as a result of GDPR. If this doesn't happen, it is not doing its job.
More mainstream companies will grumble about this, just like they do about environmental regulations now. But, then as now, we've done the experiment. As an industry, we were left to self-regulate for 2.5 decades, and look what we did.
I am not looking forward to finishing our GDPR compliance. Anvil doesn't rely on personal data for its business model, so it's not a big deal, just a bit tedious - it's a textbook frictional loss from regulation. But I am looking forward to living in a world where everyone has to comply.
That's the decision this small training firm has taken. It's a loss of 5% of revenue, they say. That's not bankruptcy or pivoting.
This seems to be the unsurprising outcome of the EU's modern "obey us or we crush you" mentality. The UK is walking away. This small company is walking away. Apparently Microsoft is at least thinking about it for some products (the connect site is back now but looks semi abandoned). How many others will look at this and conclude the risks are too high to justify the costs?
GDPR does not seem like a well thought out law. I have always been satisfied with my ability to delete things from the cloud. If I end up being banned from useful services because of the costs of complying with the EU's very transparent attempts to bulk up their budget by repeatedly fining tech firms, I will not be happy.
This is the direct equivalent of demanding the right to dump whatever I like into the river, because some other company in another country can.
More generally, this is an example of "all regulation bad" thinking. If it is inherently evil to impose any rules on companies operating under your jurisdiction (and that's what you're implying with phrases like "obey us or we crush you")... Well, now you're arguing that no government should try to solve any coordination problem. No auto efficiency standards, no pollution regulations, no product safety standards... not a world I want to live in.
(I'm going to ignore the Brexit stuff, as that's a long-standing flamewar that's already producing more heat than light in this thread.)
"any regulation good" is a fallacy as well, and just because data protection is a good thing, not all regulations claiming to achieve that are good, too.
And the GDPR is an especially bad and totally overblown regulation. I'd be totally fine with not being allowed to do bad things, since I'm not doing that anyway. I don't sell customer data, I don't collect PII from obscure third parties, I delete what I'm supposed to and I don't store what I should not.
Unfortunately, just not doing anything wrong does not help me at all, because GDPR requires basically everyone to be able to _prove_, which - if possible at all - would take ages to implement properly. Sure, Google and Facebook can afford to spend a few man-years on this, and they can also afford a bunch of lawyers in case some obscure bureaucratic EU entity finds that they followed a wrong interpretation of the vague and unclear requirements in this directive.
As the sole developer for a small SaaS, I cannot afford that luxury. I can either write code, which earns me money, or I can write pages and pages of process documentation instead, which earns me nothing and does not even guarantee I won't be fined anyway, since who knows what obscure requirement may be hidden in those 201 pages of undecipherable legalese.
So my only realistic option is to do what most smaller businesses will do: Ignore the GDPR, and hope they won't come for me first. They probably won't, since they can't go after everyone at once. Sure, there's a residual risk, but hey, one can get cancer too. At least, if you get GDPR instead, you won't be dead, just broke.
One company I worked for sold software for card transactions and so needed to get the highest level of certification. They did and they worked very hard to achieve this, which is why they were (and I believe, still are) highly respected in the business. They also did great financially and had big contracts with huge clients.
There are also companies that specialise in that sort of thing - they help others get their PCI-DSS on. For a fee - but it's cheaper than doing it yourself, or paying the price of running wild with people's card data.
There are many more options than "ignore the standard" and "drown under it" is what I'm trying to say.
Might be possible if one just sells ebooks or similar digital goods without much customer interaction. But for anything more complex than that, you're pretty much out of luck.
The rest of your argument reduces to "all regulation is good" thinking. I haven't made any arguments about regulation in general. However, passing a law so vague there are continuous arguments about how it affects backup strategies and attaching a 10-20 million euro penalty to it is absolutely a punishment out of proportion to the severity of the "crime" (which is itself not even remotely close in severity to polluting a river - which one has the chance to actually damage somebody's health? not data processing!).
And as for selling personal data - er, how? People get drinking water from rivers. If they're polluted you can get very nasty symptoms. I've never heard of anyone being sent to hospital because someone sold their data.
At any rate, if the goal was to tackle data trading then there'd be no need for a "right to be forgotten" which is where most of the confusion and ambiguity comes from.
When did the EU try to crush the UK?
And is the UK really walking away because it doesn't like EU trading regulations? I thought they're trying their damnedest to continue benefiting from those regulations.
Loss of sovereignty as it pertains to 'migrant quotas'. A country should be able to say - 'no, we have decided to not receive these migrants. These people need to go from where they came'.
Someone will have to provide links on whether migrant quotas were part of the original agreement in the formation of the EU. So if Britain decides it's more important to retain their ability to make this decision vs. remaining in the EU, that's a decision Britain can make. And they did.
The African Union/OPEC (probably the only actual authority with any economic leverage in the ME) should designate areas where refugees can be returned.
Morality aside, might/power defines reality in this world. The reality is that the US stirred the pot in the ME, and the EU suffers because of it. In the absence of war crime charges/damages brought before the ITC, this is the only recourse that is within Britain's best interest, based on the election they held.
>> Loss of sovereignty as it pertains to 'migrant quotas'. A country should be
>> able to say - 'no, we have decided to not receive these migrants. These
>> people need to go from where they came'.
Not a single one.
The UK instead had volunteered to take in 20,000 people, primarily children from Jordan, Lebanon and Turkey. Despite volunteering, as far as I'm aware it's still prevaricating about actually taking them in. They're still languishing at Calais, or being held at detention centres in the UK.
I don't see how any of this shows that the EU "crushed" the UK, or that it caused the UK to lose sovereignty. The UK absolutely said "no, we have decided not to receive these migrants" - via the opt-outs I mentioned.
A very British thing, opt-outs. The UK has opt-outs for every little EU regulation, it seems. Yet the UK is always "losing its sovereignty" in the EU. How does that work?
List of participants in the 22 September 2015 Justice and Home Affairs Council decision establishing provisional measures in the area of international protection for the benefit of Italy and Greece; see Annexes I and II, with allocations from Italy and Greece, respectively, to member
For a sense of perspective, France offered to take in 24,000; Germany famously has thrown its gates wide open; and about 2.7 million refugees are currently in Turkey, willingly or not.
Leaving the EU is suicide.
It's self harm.
There must be a threat, there must be a risk, there must be a price for leaving (Hollande)
"Welcome to hell", said to the UK's negotiator on reaching the negotiation table.
"Brexit itself is already punishment enough" (Tusk)
Voting to leave will destroy 500,000-800,000 jobs due to "uncertainty" over how the EU will react (this claim turned out to be false in the end).
The UK financial industry will be forced by the EU to move tens of thousands of people/jobs to the EU. Also all flights will be grounded. This is the "price" of leaving.
It is fair to say that in general everything said and done by the EU is designed to cause maximum damage, always with the caveat that continued automatic obedience to EU law and courts will make the "pain" go away (as they put it).
And is the UK really walking away because it doesn't like EU trading regulations? I thought they're trying their damnedest to continue benefiting from those regulations
The primary "benefit" of complying with those regulations is the EU does not impose bans on your products. The regulations themselves are often badly thought out - that's what this whole thread is about, badly thought out GDPR regulations causing US businesses to give up trying to sell to the EU (effectively the EU has created massive new trade barriers with the rest of the world).
The EU is not banning any products from the UK. The benefit that the UK gets is tariff-free access to the common market. Any trade, with anyone, is subject to tariffs, so that's a real benefit - unlike any imagined harm coming from "bans" that never happened.
They are also talking about banning member state citizens from buying tickets from British airlines in situations where they currently can. And possibly banning all flights from the UK to the EU. Again, bans, not tariffs.
Lastly, I note that the effect of GDPR is that effectively "Europeans" are now banned from buying training products from this US training firm. It's not technically a government ban, it's more like major encouragement to the outside world to implement their own private sector bans, but the end result is identical: you cannot buy at any price.
What is really the case is that Brexit risks causing British financial institutions to lose their financial passporting rights, that allow them to trade in the EU.
As to flights, the risk here is that, without other international flight agreements for some UK companies (such as Ryanair and EasyJet) other than EU agreements, such companies risk losing the right to fly outside of Europe, or within the EU.
Both of the above are the result of international agreements being rendered invalid because of Brexit, and not some sort of punishment that the EU decided to bestow upon the UK.
Obviously EU competitors will step in immediately and eat the UK's lunch, wherever they find the opportunity. But I don't know what else anyone could expect. I understand the British are great believers in a free market, after all.
Indeed, as far as the UK is concerned, the market after Brexit is going to be almost completely unregulated.
I was interested in discussing this with you further, but I am not comfortable doing so if you are going to be making more personal remarks like the one above, which I find inappropriate and offensive.
If you do not agree with me that personal remarks are not appropriate and you are not willing to give me some assurance that there will be no more of them, then I am sorry but I have no interest in continuing this exchange.
Not an EU citizen (unfortunately!), but I would rather lose access to services that are violating data privacy laws. As always, vote with your feet and your dollars.
Apologies to PG, but it's time to "Regulate Things That Scale".
I'm not: the so-called 'right' to be forgotten is terrible: it means that data immutability is essentially illegal, and it means that anyone can demand to rewrite history. That's just wrong.
That’s a good thing! Is it really that much to ask that when someone holds your data, that you can ask them to delete it and be assured that it’s gone for good?
Apparently, for them, it is. And I’m sure it’ll be for a number of other businesses (and their competitors will just take their place, no big deal). But I’m looking forward to a world where unrestrained data collection and handling is no longer tolerated.
That doesn't give you the right to send someone your private data, in a channel they didn't ask for it, and demand that they secure that channel.
This is the tough part about being a training company online: students send in questions with their personal data, unsolicited, via channels I simply can't secure. Your PII doesn't belong in email.
> But I’m looking forward to a world where unrestrained data collection and handling is no longer tolerated.
Read the post. It's not about what we collect - it's about what people send us voluntarily. That's the part that I'm most worried about.
If I have no business relationship with those people, and they're just sending us personally identifiable data for no reason, I'm a lot more comfortable defending that in court. But if we have a business relationship where they're paying for our advice, and then they start sending more and more data, that's where I'm on shaky ground.
And I completely understand the issue of people sending unsolicited data. I’m sorry that my comment came across as though I was targeting you specifically.
I’m just excited for a world where data is no longer a “yeah let’s just store everything with no thought”, and instead is a hot potato that you keep a trail of and want to get rid of as quickly as possible. What a difference that’ll be from the situation we have today. This article is just highlighting how just accepting random data puts businesses “on shaky ground” as you said. The GDPR will require everyone to be a lot more thoughtful about their data retention policies, and that’s just great.
Nah, if it was 2% of our revenue, I'd be much more likely to take the gamble. I'd be willing to invest a little in our staffing & infrastructure to take that risk.
I want to do the right thing - but that multi-million-euro penalty means the risk/reward equation just doesn't make sense. We'd never bring in enough revenue to pay off the hit from one angry judge determined to make an example out of us.
They implemented it like 3 or 4 years ago. Yes, it was a lot of work for a lot of engineers.
Arguably, it's much harder for smaller companies to comply.
Also the Google tool deletes your account data. It does not delete all things that are conceivably personal data. For example if you commented on or edited a shared Google Doc and then delete your account I'm not sure the comments are deleted too. So it's not quite that simple.
The law is so broad you could conceivably also demand that Gmail deletes any email you sent to it under your own name, out of other people's inboxes.
They might care about a €10 million fine if they only have, say, €2 million in annual revenue.
I remember when I first heard about this thinking "why even bother doing business in the EU?"
Which is exactly what you were saying in retrospect...
Not necessarily. In a business like ours (online training) where any additional new customers basically flow through to the bottom line, if I got 20% of my revenue from the EU, and I had to pay a 2% fine now and then, it wouldn't be terrible.
I can see how some slimy businesses would say, "I'm not even going to bother complying - I'll just keep taking revenue off the table and paying the small fees."
But most profitable businesses are going to have profit margins in the 10-20% range, and that fine is considerable. And if the EU applies it to the last 5 years' revenues, they could wipe out a year's profit.
For example, Apple probably has close to $100B in annual EU revenue, $2B is a huge incentive to invest in doing this right. But if your EU business is $1M, $20,000 is probably a fraction of your cost of implementation.
The law would have been far better if it specifically limited fine levels by size of company, i.e. < 1M in sales, 1M to 10M, 10M-100M, 100M-1B, 1B+.
Compliance firms typically provide a high-level paper trail, but what happens when you don't even know where the PII data is, like the OP says? What if you need to answer concrete individual Subject Access Requests?
So, as a technology company, we've attempted to solve parts of it with technology. We really hope to make that pesky "PII stuff" detection and auditing easier for companies:
https://pii-tools.com (in private beta, feedback welcome)
The first step is disallowing EU-VAT-eligible folks from purchasing. The plugin I mention in the post is really good for that - it looks at a variety of factors including the user's billing address for their credit card, for example.
It's still totally possible that an EU citizen could be on Chinese soil, using an American's credit card, while using an Australian VPN. That means the next part of the registration will be a terms & conditions checkbox saying the GDPR doesn't apply to me. (We're working with our attorney on that language.)
At that point, if someone still registers, AND they later ask for the right to erasure, we'll still do our best to delete their data. But if they try to go to the EU and complain, we'll be on much better legal ground to say, "Look, they lied to us from the get-go, and we can prove it."
Nothing's certain - just trying to mitigate our risks as cheaply as possible.
I do appreciate the fact that it's a nuisance at best and a significant cost at worst to be compliant with GDPR. Only in time will we be able to tell if it was worth it or not. Maybe the US model of free-for-all access to user data will work better, maybe the EU model will... I don't think anyone can say for certain now.
If anyone does know with a high degree of certainty which will, it's time to place the bets.
I don't know that it's that simple. What happens when you have conflicting requirements, for example (I'm making them up) EU requiring you to delete PII within a period of time and US/Homeland Security/IRS requiring you to keep the (meta)data for some period of time?
There may be conflicting requirements that have nothing to do with technology & costs.
And the court cases will go through, and everybody will have a better idea of what the "right" things to do are.
I totally agree - and I summed that up in my post. Problem is, that's a future - it ain't today.
Would the call logs also disappear from "the other side of the call"?
From an enforcement point of view... if you have no EU presence, it'll probably be pretty hard for them to actually collect on the fines they levy, but as a director, travelling to Europe could be problematic. It's not entirely clear here, but it looks like there's a possibility of directors being held personally liable.
Far too many to even prosecute. But a politically active EU bureaucrat can just pick out key offenders to squeeze for publicity, political contributions, or even bribes.