GDPR: Why We Stopped Selling Stuff to Europe (brentozar.com)
53 points by chx 12 months ago | 49 comments



Data protection rules are this century's equivalent of pollution regulation. The online ecosystem has trashed the global commons with huge amounts of everyone's personal data, with no meaningful control or consent to how it is used, and now it needs to be cleaned up.

There are companies that will go out of business, or have to pivot heavily, as a result of GDPR. If this doesn't happen, it is not doing its job.

More mainstream companies will grumble about this, just like they do about environmental regulations now. But, then as now, we've done the experiment. As an industry, we were left to self-regulate for 2.5 decades, and look what we did.

I am not looking forward to finishing our GDPR compliance. Anvil doesn't rely on personal data for its business model, so it's not a big deal, just a bit tedious - it's a textbook frictional loss from regulation. But I am looking forward to living in a world where everyone has to comply.


There is a third option beyond go bankrupt or pivot, as this story shows very clearly - cease trading with the EU or citizens of its member states entirely. Like the effect of FATCA but in reverse.

That's the decision this small training firm has taken. It's a loss of 5% of revenue, they say. That's not bankruptcy or pivoting.

This seems to be the unsurprising outcome of the EU's modern "obey us or we crush you" mentality. The UK is walking away. This small company is walking away. Apparently Microsoft is at least thinking about it for some products (the connect site is back now but looks semi abandoned). How many others will look at this and conclude the risks are too high to justify the costs?

GDPR does not seem like a well thought out law. I have always been satisfied with my ability to delete things from the cloud. If I end up being banned from useful services because of the costs of complying with the EU's very transparent attempts to bulk up their budget by repeatedly fining tech firms, I will not be happy.


> There is a third option...cease trading with the EU...

This is the direct equivalent of demanding the right to dump whatever I like into the river, because some other company in another country can.

More generally, this is an example of "all regulation bad" thinking. If it is inherently evil to impose any rules on companies operating under your jurisdiction (and that's what you're implying with phrases like "obey us or we crush you")... Well, now you're arguing that no government should try to solve any coordination problem. No auto efficiency standards, no pollution regulations, no product safety standards...not a world I want to live in.

(I'm going to ignore the Brexit stuff, as that's a long-standing flamewar that's already producing more heat than light in this thread.)


> More generally, this is an example of "all regulation bad" thinking

"any regulation good" is a fallacy as well, and just because data protection is a good thing, not all regulations claiming to achieve that are good, too.

And the GDPR is an especially bad and totally overblown regulation. I'd be totally fine with not being allowed to do bad things, since I'm not doing that anyway. I don't sell customer data, I don't collect PII from obscure third parties, I delete what I'm supposed to and I don't store what I should not.

Unfortunately, just not doing anything wrong does not help me at all, because GDPR requires basically everyone to be able to _prove_, which - if possible at all - would take ages to implement properly. Sure, Google and Facebook can afford to spend a few man-years on this, and they can also afford a bunch of lawyers in case some obscure bureaucratic EU entity finds that they followed a wrong interpretation of the vague and unclear requirements in this directive.

As the sole developer for a small SaaS, I cannot afford that luxury. I can either write code, which earns me money, or I can write pages and pages of process documentation instead, which earns me nothing and does not even guarantee I won't be fined anyway, since who knows what obscure requirement may be hidden in those 201 pages of undecipherable legalese.

So my only realistic option is to do what most smaller businesses will do: Ignore the GDPR, and hope they won't come for me first. They probably won't, since they can't go after everyone at once. Sure, there's a rest risk, but hey, one can get cancer too. At least, if you get GDPR instead, you won't be dead, just broke.


I've worked for a few companies that handled clients' private information for financial purposes. There is a standard that you must observe if you work with payment cards, PCI-DSS. It is complicated and costly to implement in full, so some of the firms I worked for didn't - and instead avoided handling sensitive data that was subject to the strongest of protections specified by PCI-DSS. That meant, for example, never directly handling transactions and bouncing them off to PayPal instead. These were still successful companies, that kept growing while I was working for them.

One company I worked for sold software for card transactions and so needed to get the highest level of certification. They did and they worked very hard to achieve this, which is why they were (and I believe, still are) highly respected in the business. They also did great financially and had big contracts with huge clients.

There's also companies that specialise in that sort of thing - they help others get their PCI-DSS on. For a fee - but it's cheaper than doing it yourself, or paying the price of running wild with peoples' card data.

There are many more options than "ignore the standard" and "drown under it" is what I'm trying to say.


While this approach is reasonable and practical for credit card data, I doubt it's possible (let alone practical) for most businesses to do the same with what the GDPR considers personal data. You'd have to avoid email addresses, names, postal addresses, phone numbers, ... - even in fields where such data is not even supposed to be, like comments or emails.

Might be possible if one just sells ebooks or similar digital goods without much customer interaction. But for anything more complex than that, you're pretty much out of luck.


GDPR doesn't impose rules on companies under EU jurisdiction. It tries to impose rules on all companies everywhere. The blog post is written by an American.

The rest of your argument reduces to "all regulation is good" thinking. I haven't made any arguments about regulation in general. However, passing a law so vague there are continuous arguments about how it affects backup strategies and attaching a 10-20 million euro penalty to it is absolutely a punishment out of proportion to the severity of the "crime" (which is itself not even remotely close in severity to polluting a river - which one has the chance to actually damage somebody's health? not data processing!).


Why is it out of proportion? Leaking, exposing or selling personal data can have much worse and immediate effects on someone’s lives than river pollution.


These rules aren't about leaking data accidentally (everyone already tried to stop that), "exposing" it is vague, not sure what you mean by that.

And as for selling personal data - er, how? People get drinking water from rivers. If they're polluted you can get very nasty symptoms. I've never heard of anyone being sent to hospital because someone sold their data.

At any rate, if the goal was to tackle data trading then there'd be no need for a "right to be forgotten" which is where most of the confusion and ambiguity comes from.


>> This seems to be the unsurprising outcome of the EU's modern "obey us or we crush you" mentality. The UK is walking away.

When did the EU try to crush the UK?

And is the UK really walking away because it doesn't like EU trading regulations? I thought they're trying their damnedest to continue benefiting from those regulations.


"When did the EU try to crush the UK?"

Loss of sovereignty as it pertains to 'migrant quotas'. A country should be able to say - 'no, we have decided to not receive these migrants. These people need to go from where they came'.

Someone will have to provide links on whether migrant quotas were part of the original agreement in the formation of the EU. So if Britain decides it's more important to retain their ability to make this decision vs. remaining in the EU, that's a decision Britain can make. And they did.

The African Union/OPEC (probably the only actual authority with any economic leverage in the ME) should designate areas where refugees can be returned.

Morality aside, might/power defines reality in this world. The reality is that the US stirred the pot in the ME, and the EU suffers because of it. In the absence of war crime charges/damages brought before the ITC, this is the only recourse that is within Britain's best interest, based on the election they held.


  >> Loss of sovereignty as it pertains to 'migrant quotas'. A country should be
  >> able to say - 'no, we have decided to not receive these migrants. These
  >> people need to go from where they came'.

The refugee quotas you're talking about were decided by the EU interior ministers voting in the Justice and Home Affairs Council. The UK (along with Denmark and Ireland) has an opt-out so although its interior minister (at the time, Theresa May) did participate in the vote [1] it was not allocated any refugees [2].

Not a single one.

The UK instead had volunteered to take in 20,000 people [3], primarily children from Jordan, Lebanon and Turkey. Despite volunteering, as far as I'm aware it's still prevaricating about actually taking them in. They're still languishing at Calais, or being held at detention centres in the UK.

I don't see how any of this shows that the EU "crushed" the UK, or that it caused the UK to lose sovereignty. The UK absolutely said "no, we have decided not to receive these migrants" - via the opt-outs I mentioned.

A very British thing, opt-outs. The UK has opt-outs for every little EU regulation, it seems. Yet the UK is always "losing its sovereignty" in the EU. How does that work?

___________________

[1] List of participants in the 22 September 2015 Justice and Home Affairs Council:

http://www.european-council.europa.eu/media/22968/2015-09-22...

[2] Council decision establishing provisional measures in the area of international protection for the benefit of Italy and Greece; see Annexes I and II, with allocations from Italy and Greece, respectively, to member states:

http://data.consilium.europa.eu/doc/document/ST-12098-2015-I...

[3] For a sense of perspective, France offered to take in 24,000; Germany famously has thrown its gates wide open; and about 2.7 million refugees are currently in Turkey, willingly or not.


Things said by various EU/French/German/British officials at various times about leaving the EU:

Leaving the EU is suicide.

It's self harm.

There must be a threat, there must be a risk, there must be a price for leaving (Hollande)

"Welcome to hell", said to the UK's negotiator on reaching the negotiation table.

"Brexit itself is already punishment enough" (Tusk)

Voting to leave will destroy 500,000-800,000 jobs due to "uncertainty" over how the EU will react (this claim turned out to be false in the end).

The UK financial industry will be forced by the EU to move tens of thousands of people/jobs to the EU. Also all flights will be grounded. This is the "price" of leaving.

--

It is fair to say that in general everything said and done by the EU is designed to cause maximum damage, always with the caveat that continued automatic obedience to EU law and courts will make the "pain" go away (as they put it).

And is the UK really walking away because it doesn't like EU trading regulations? I thought they're trying their damnedest to continue benefiting from those regulations

The primary "benefit" of complying with those regulations is the EU does not impose bans on your products. The regulations themselves are often badly thought out - that's what this whole thread is about, badly thought out GDPR regulations causing US businesses to give up trying to sell to the EU (effectively the EU has created massive new trade barriers with the rest of the world).


>> The primary "benefit" of complying with those regulations is the EU does not impose bans on your products.

The EU is not banning any products from the UK. The benefit that the UK gets is tariff-free access to the common market. Any trade, with anyone, is subject to tariffs, so that's a real benefit - unlike any imagined harm coming from "bans" that never happened.


Well this is getting a bit off topic but that is not correct. The EU has been quite clear that it will ban people and companies in its jurisdiction from buying financial products from the UK: not impose tariffs but rather implement outright bans. And they are not willing to negotiate on that point. It is seen as a necessary 'punishment'.

They are also talking about banning member state citizens from buying tickets from British airlines in situations where they currently can. And possibly banning all flights from the UK to the EU. Again, bans, not tariffs.

Lastly, I note that the effect of GDPR is that effectively "Europeans" are now banned from buying training products from this US training firm. It's not technically a government ban, it's more like major encouragement to the outside world to implement their own private sector bans, but the end result is identical: you cannot buy at any price.


Like the trade ban you mentioned above, any other sort of ban, such as banning the buying of financial products from the UK, or banning flights from the UK to the EU is pure fantasy.

What is really the case is that Brexit risks causing British financial institutions to lose their financial passporting rights, that allow them to trade in the EU.

As to flights, the risk here is that, without other international flight agreements for some UK companies (such as Ryanair and EasyJet) other than EU agreements, such companies risk losing the right to fly outside of Europe, or within the EU.

Both of the above are the result of international agreements being rendered invalid because of Brexit, and not some sort of punishment that the EU decided to bestow upon the UK.

Obviously EU competitors will step in immediately and eat the UK's lunch, wherever they find the opportunity. But I don't know what else anyone could expect. I understand the British are great believers in a free market, after all.

Indeed, as far as the UK is concerned, the market after Brexit is going to be almost completely unregulated.


[flagged]


>> You are trying to wriggle out of this, it is a form of psychological denial.

I was interested in discussing this with you further, but I am not comfortable doing so if you are going to be making more personal remarks like the one above, which I find inappropriate and offensive.

If you do not agree with me that personal remarks are not appropriate and you are not willing to give me some assurance that there will be no more of them, then I am sorry but I have no interest in continuing this exchange.


> If I end up being banned from useful services because of the costs of complying with the EU's very transparent attempts to bulk up their budget by repeatedly fining tech firms, I will not be happy.

Not an EU citizen (unfortunately!), but I would rather lose access to services that are violating data privacy laws. As always, vote with your feet and your dollars.

Apologies to PG, but it's time to "Regulate Things That Scale".


> But I am looking forward to living in a world where everyone has to comply.

I'm not: the so-called 'right' to be forgotten is terrible: it means that data immutability is essentially illegal, and it means that anyone can demand to rewrite history. That's just wrong.


PS: This is GDPR, not the EU VAT thing (also referred to by the OP). The former is painful but necessary; the latter is a straight-up unmanageable mess created by people with no understanding of the Internet. This is not a monolithic "all regulation good"/"all regulation bad" thing.


> You wouldn’t think that would be a big deal – but you’d be surprised. For example, students send us information about their databases all the time as part of asking questions – and they often send it unsolicited, through unencrypted email channels. That information ends up all over the place: our mail server, our desktops, phones, laptops, search indexes, etc. I’m not really worried about us maintaining the confidentiality of that data, but now we’d have to add in new audit-able tracking.

That’s a good thing! Is it really that much to ask that when someone holds your data, that you can ask them to delete it and be assured that it’s gone for good?

Apparently, for them, it is. And I’m sure it’ll be for a number of other businesses (and their competitors will just take their place, no big deal). But I’m looking forward to a world where unrestrained data collection and handling is no longer tolerated.


> Is it really that much to ask that when someone holds your data, that you can ask them to delete it and be assured that it’s gone for good?

That doesn't give you the right to send someone your private data, in a channel they didn't ask for it, and demand that they secure that channel.

This is the tough part about being a training company online: students send in questions with their personal data, unsolicited, via channels I simply can't secure. Your PII doesn't belong in email.

> But I’m looking forward to a world where unrestrained data collection and handling is no longer tolerated.

Read the post. It's not about what we collect - it's about what people send us voluntarily. That's the part that I'm most worried about.

If I have no business relationship with those people, and they're just sending us personally identifiable data for no reason, I'm a lot more comfortable defending that in court. But if we have a business relationship where they're paying for our advice, and then they start sending more and more data, that's where I'm on shaky ground.


I am absolutely not criticizing your decision; you’re perfectly within your rights to refuse to deal with all the rigamarole of GDPR compliance. It’s easier and only 5% of your revenue, so why even bother.

And I completely understand the issue of people sending unsolicited data. I’m sorry that my comment came across as though I was targeting you specifically.

I’m just excited for a world where data is no longer a “yeah let’s just store everything with no thought”, and instead is a hot potato that you keep a trail of and want to get rid of as quickly as possible. What a difference that’ll be from the situation we have today. This article is just highlighting how just accepting random data puts businesses “on shaky ground” as you said. The GDPR will require everyone to be a lot more thoughtful about their data retention policies, and that’s just great.


Even so, the rule should at least only apply to data that was solicited. If you intentionally send data that was never asked for, through a channel not meant for that data, you shouldn't expect it to be treated the same as data that was collected through normal means.


Basically companies like Facebook and Google have abused data collection and public trust so badly that the EU had to come up with these absurd fines just so those behemoths would pay attention. Also is there a reason why it is a maximum of x and 2% of revenue? Shouldn't 2% of revenue be big enough for a company to be scared?


> Also is there a reason why it is a maximum of x and 2% of revenue? Shouldn't 2% of revenue be big enough for a company to be scared?

Nah, if it was 2% of our revenue, I'd be much more likely to take the gamble. I'd be willing to invest a little in our staffing & infrastructure to take that risk.

I want to do the right thing - but that multi-million-euro penalty means the risk/reward equation just doesn't make sense. We'd never bring in enough revenue to pay off the hit from one angry judge determined to make an example out of us.


Google was mostly compliant with the GDPR already. When you delete your account on Google, it really does delete all data from all services and all backup records etc.

They implemented it like 3 or 4 years ago. Yes, it was a lot of work for a lot of engineers.

Arguably, it's much harder for smaller companies to comply.


GDPR classifies any sort of cookie as PII. So you can request deletion of data that's the result of logged out queries, in theory.

Also the Google tool deletes your account data. It does not delete all things that are conceivably personal data. For example if you commented on or edited a shared Google Doc and then delete your account I'm not sure the comments are deleted too. So it's not quite that simple.

The law is so broad you could conceivably also demand that Gmail deletes any email you sent to it under your own name, out of other people's inboxes.


You also want smaller companies to comply, where 2% is maybe too little for them to care, as it would cost more to comply with GDPR.


> up to €10 million or 2% of your company’s annual revenue, whichever is higher

They might care about a €10 million fine if they only have, say, €2 million in annual revenue.

I remember when I first heard about this thinking "why even bother doing business in the EU?"

--edit--

Which is exactly what you were saying in retrospect...


2% of revenue is a huge fine for any profitable business.


> 2% of revenue is a huge fine for any profitable business.

Not necessarily. In a business like ours (online training) where any additional new customers basically flow through to the bottom line, if I got 20% of my revenue from the EU, and I had to pay a 2% fine now and then, it wouldn't be terrible.

I can see how some slimy businesses would say, "I'm not even going to bother complying - I'll just keep taking revenue off the table and paying the small fees."


Sure, if your profit margins were 50% on EU revenues, it wouldn’t be a big deal to pay 2% of the max fine. Or if your startup doesn’t have revenues, you could get off scot free.

But most profitable businesses are going to have profit margins in the 10-20% range, and that fine is considerable. And if the EU applies it to the last 5 years' revenues, they could wipe out a year's profit.

For example, Apple probably has close to $100B in annual EU revenue, $2B is a huge incentive to invest in doing this right. But if your EU business is $1M, $20,000 is probably a fraction of your cost of implementation.

The law would have been far better if it specifically limited fine levels by size of company, i.e. < 1M in sales, 1M to 10M, 10M-100M, 100M-1B, 1B+.


It’s on worldwide revenues, not EU revenues


Ouch, that's amazingly short-sighted.


Automating PII detection & audits is a hard problem! Especially across sundry data storages and formats.

Compliance firms typically provide a high-level paper trail, but what happens when you don't even know where the PII data is, like the OP says? What if you need to answer concrete individual Subject Access Requests?

So, as a technology company, we've attempted to solve parts of it with technology. We really hope to make that pesky "PII stuff" detection and auditing easier for companies:

https://pii-tools.com (in private beta, feedback welcome)


Whoa, didn't expect this to hit HN. I'm here if anybody has questions. (Author)


How can you prevent EU users from using your service (it seems that's where you are headed)? I can think of IP geofiltering if you have a web service, perhaps blacklisting some countries in the App Stores if you publish an app... but people can travel & VPN somehow. Will part of the registration be "Are you an EU citizen?" And if EU people work around your safeguards and manage to register, are you still liable?


> How can you prevent EU users from using your service

The first step is disallowing EU-VAT-eligible folks from purchasing. The plugin I mention in the post is really good for that - it looks at a variety of factors including the user's billing address for their credit card, for example.

It's still totally possible that an EU citizen could be on Chinese soil, using an American's credit card, while using an Australian VPN. That means the next part of the registration will be a terms & conditions checkbox saying the GDPR doesn't apply to me. (We're working with our attorney on that language.)

At that point, if someone still registers, AND they later ask for the right to erasure, we'll still do our best to delete their data. But if they try to go to the EU and complain, we'll be on much better legal ground to say, "Look, they lied to us from the get-go, and we can prove it."

Nothing's certain - just trying to mitigate our risks as cheaply as possible.


It doesn't seem like it now, but this is just a storm in a teapot. All of the necessary bits to comply with the GDPR will be commoditized sooner or later. I'm betting on sooner. This also presents a business opportunity to provide those bits.

I do appreciate the fact that it's a nuisance at best and significant costs at worst to be compliant to GDPR. Only in time we will be able to tell if it was worth it or not. Maybe the US model of free-for-all access to user data will work better, maybe the EU model will...I don't think anyone can say for certain now.

If anyone does know with a high degree of certainty which will, it's time to place the bets.


> I do appreciate the fact that it's a nuisance at best and significant costs at worst to be compliant to GDPR.

I don't know that it's that simple. What happens when you have conflicting requirements, for example (I'm making them up) EU requiring you to delete PII within a period of time and US/Homeland Security/IRS requiring you to keep the (meta)data for some period of time?

There may be conflicting requirements that have nothing to do with technology & costs.


> All of the necessary bits to comply with the GDPR will be commoditized sooner or later.

And the court cases will go through, and everybody will have a better idea of what the "right" things to do are.

I totally agree - and I summed that up in my post. Problem is, that's a future - it ain't today.


Can an EU citizen call AT&T/Verizon and ask them to delete all records of their calls?

Would the call logs also disappear from "the other side of the call"?


Naive question: If there are no such laws in the US, can one just simply store ALL personal data in Iceland?


How would that fix the problem? You still can't save data from users from the EU.


That's exactly it. GDPR doesn't particularly care where you're storing the data, nor whether you have a "European presence". If you're storing data on people from the EU, from the EU's perspective, you're required to follow GDPR.

From an enforcement point of view... if you have no EU presence, it'll probably be pretty hard for them to actually collect on the fines they levy, but as a director, travelling to Europe could be problematic. It's not entirely clear here, but it looks like there's a possibility of directors being held personally liable.


It’s a terrifying overreach. The law is so vague many can be considered to be in violation without even realizing it.

Far too many to even prosecute. But a politically active EU bureaucrat can just pick out key offenders to squeeze for publicity, political contributions, or even bribes.


In fact, the EU considers all citizens of the world to fall under their legal protections. That is, you don't have to be an EU citizen to have the same legal rights.


Technically this is true for the US as well. We just like to pretend there is a distinction.



