Hacker News new | comments | show | ask | jobs | submit login
StreetLend.com shuts down, citing GDPR regulations (streetlend.com)
724 points by cbeach 84 days ago | hide | past | web | favorite | 1123 comments



What many posters here miss is that there is a big group of tech people that have no interest in dealing with legal matters more than the bare minimum, and overall deem them risky. I am one of them. People like me are well-aware of the fact that if we are not experts then we're absolutely gonna lose because a dedicated lawyer can and will dig up material you couldn't prepare yourself to defend from.

Thus, complying with something somewhat ambiguous like the GDPR is still an expense -- of time, money and risk -- that many small website owners won't be willing to spare.

Look, it's not hard to encrypt all personally identifiable information; there are ready-made frameworks that let you choose which DB columns you encrypt and how. You can generate a key for each user on creation and have their data encrypted with it. The problem is NOT that.

The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous).

Small tech owners can't fight such litigations. I am kind of baffled how this point evades so many people in this thread.


From the description Streetlend didn’t violate the GDPR in concept though. Addresses are public record, available in public databases, and there is nothing stopping you from doing lending eBay. All it needed to do was clear it’s records every 6 months and let people delete their accounts.

Except this isn’t really true. Streetlend made its money by selling your privacy data to advertisers through Amazon. So when you put up a power drill for lend, people would see power drills for sale at local shops, based on their online presence harvested through stuff like their Facebook account.

The really ironic thing about that this is that streetlab imagined itself “ethical” when it’s entire business model was selling your data...

The GDPR isn’t really that hostile to small business and it doesn’t require an understanding of law. You can hire a data protection officer at a legal firm for almost nothing, and as long as you follow their advice on how to pass audits, you’re really not in trouble.

That being said, the GDPR is really hostile toward startups trying to make money the same way Facebook and Google does. You need to have a massive legal department to do that, and Streetlend obviously did not. But is that really so terrible?

It may call for a new business model for the internet, and that may seem impossible right now. But do you remember when the EU outlawed environmentally shitty lightbuilbs and everyone said we were going dark because it was impossible to do anything else? Today 95% of lightbuilbs are LEDs because of that.

Startups will find a way to make money that isn’t selling your data.


> Streetlend made its money by selling your privacy data to advertisers through Amazon. So when you put up a power drill for lend, people would see power drills for sale at local shops, based on their online presence harvested through stuff like their Facebook account.

If you mean he just slapped some Amazon ads on his site to support his side project, then accusing that guy of "selling your privacy data" requires quite a bit of mental gymnastics and is a pretty dishonest description of the facts.

The blame here is wholly with the users for putting their data online in the first place (really, you can go a very long way with my.fake.name@gmail.com!) and especially Facebook for providing the framework that enables this all.

*edited for grammar


You're completely ignoring the point of GDPR. The point is that users should be in control of their data, and when they give it to someone they have the right to know what it is used for and to be able to retract consent for its usage.

Blaming users for providing their personal data is strange -- if the implication is that nobody should provide their personal data because it can be abused then is it not obvious that the use of personal data should be regulated?

If the majority of banks lost your money regularly, would you blame customers of the bank for using banks -- or would you say that banks should have stricter regulations to stop people from being screwed?

As for the Amazon bit, I think you're underselling it. Amazon tracks users in arguably unethical ways (due to the lack of consent, and the scope, and the inability to opt-out) and display their ads is inflicting that on your users. If you care about your users privacy (which is what GDPR is trying to enforce) then you would know that "just slapp[ing] some Amazon adds on [your] site" is not the correct approach to handling users' personal data. I do agree it's not trivial to handle GDPR if you don't have a lawyer (though you can get a data officer from a legal firm), but complying with laws is part of doing business.


> The point is that users should be in control of their data, and when they give it to someone they have the right to know what it is used for and to be able to retract consent for its usage.

See, I disagree with this very premise. Why is it true? It's _not_ my data; it's data about me. Even things like pictures, once shared, are no longer under my control. I actually feel it's fundamentally dangerous to make users think they actually control data they don't.

> If you care about your users privacy (which is what GDPR is trying to enforce)

I also disagree with this. The GDPR doesn't do anything to make companies handle my data more carefully or responsibly.


Data about me is my data, and if the government gives me the right to control it, I have that right.

If I share a photo, it’s still my photo, I still own the copyright to it, and as an American I’ve used the DMCA to revoke access to photos when tech companies wouldn’t remove my photo when asked politely. The rest of my data is no different. I own my data and the data about me, not them.

GDPR gives users the controls and governance over their data that should have always existed, but that tech companies gaslighted users into believing doesn’t exist.


> If I share a photo, it’s still my photo

This is where it becomes murky for me.

If you send me that photo via email, should you subsequently be able to revoke my access to that photo. If so, by what means?

If you used a closed messaging system (say Facebook's messaging system, or Apple's Messages), should you be able to revoke access?

If you follow the argument a hop, skip and a jump away, what happens if I submit a photo to a publication and they run it on their website? Can I revoke access? What if that publication has published that photo in a physical form?

ie, where is the line where a reasonable person should expect that the data they have willingly shared/published has slipped beyond their control?


If you give someone a license to reproduce a digital asset, you lose the ability to revoke access to it.

All other rights are reserved. Would it change the dynamic to be able to revoke access to assets in a private messaging system? For sure. But copyright law (at least in the US) supports this right of the copyright owner. The inability to revoke access is a failing of the tool or the product, not the law.


Isn't it pretty standard for website T&Cs to say something along the lines of "by uploading content to this website you are providing [website owner] with a license to reproduce the content"? Sometimes those T&Cs will be quite broad - non-revokable, across all media (including forms not yet imagined).

> The inability to revoke access is a failing of the tool or the product, not the law.

Does the law need to change? Or (in the case of email) is it fine as is because the reasonable person realizes that once you hit 'send', the content is out of your control?


> Data about me is my data

I'm sorry, but it's not. Full stop.

> If I share a photo, it’s still my photo, I still own the copyright to it, and as an American I’ve used the DMCA to revoke access to photos when tech companies wouldn’t remove my photo when asked politely.

I didn't say you don't own the photo, I said you don't have control over it. Those are two very different things.

> The rest of my data is no different.

Exactly, you have no control over it.

> I own my data and the data about me, not them.

No, you don't _own_ your data.

> GDPR gives users the controls and governance over their data that should have always existed

No, on all accounts. There is no reason at all that you need to delete accounts or force anyone to delete any information about you. That's all just silly.

> but that tech companies gaslighted users into believing doesn’t exist

That's also silly. If you don't control something, you don't control it. Full stop. I don't understand why you don't understand that.


Neither of you are really using supporting evidence in this discussion, you're both just two sides of a value argument increasing in volume.

On the one hand, the other guy is legally correct - gdpr's purpose is to legally give individuals control over data about them (pictures they upload, addresses they input, whatever). That control is responsible on a site to site basis - if a person's naked picture is leaked online, every single IP address that hosts it must take it down if requested, or violate gdpr.

You're making a functional argument - if a person's nudies are leaked online, they don't functionally have control over that data. Morals and laws be damned, that picture is staying on the internet.

You can both disagree about the morality of this but simply restating both of your points with more "full stops" is pointless. If you're both really having trouble understanding each other's positions, step back and try to defend the opponent's decision.


> You're making a functional argument - if a person's nudies are leaked online, they don't functionally have control over that data. Morals and laws be damned, that picture is staying on the internet.

Which is my point. You no longer retain any control over it. A law saying you have control over it is silly, because it's worse than worthless: it makes me think I have control over something I don't have control over.

Laws cannot magically manufacture things which cannot ever be created.

Moreover, the gdpr doesn't prevent any of the problems that have caused data breaches in the past. The way that Target and Equifax (both of which could easily claim the data they had was essential to their business: Target with credit cards and Equifax being used by banks to coordinate information) are both equally likely under the gdpr and both equally unpublishable.

As for Facebook and Cambridge Analytica, how would this have been prevented? Facebook can just ask you to opt in to their usage of your info to use their service. Facebook can share information with other entities that claim to be gdpr compliant. Other entity then shares information with other people outside of Facebook's control.

I just don't see how the gdpr changes a fundamental fact: you no longer control something someone else has. Laws cannot change that. Laws can give you recourse, but they cannot change it. I actually believe that it's dangerous to believe that I have control over things I don't: it's a false sense of security.


So what's the point of your argument? Should we scrap GPDR because it isn't 100% effective in curbing personal data misuse? You could argue along similar lines that almost any law gives you a false sense of security - why do copyright laws exist, do they give the music industry for example a false sense of security that their audio files can't possibly be copied or shared? No, but they do provide legal recourse and they do set up a framework for acceptable use. If facebook shared your information with another entity without your consent, that would be a violation of GPDR and you would again have legal recourse.


Perhaps the public could be forced to realize that they are responsible for what data they share and with who?


And now we're back to the argument that we shouldn't protect the public against systemic unethical behaviour, and rather we should protect the bad actors while blaming the public for not being educated enough. Wanting better education is a fine goal (and one I agree with), but the reason why we have seat-belts (as well as driving lessons) is that sometimes you also need other protections for the public. The same logic applies for consumer laws. We don't blame the public for not doing enough research to know that their new phone charger blows up after 3 months -- we blame the manufacturer.

Also there's the fact that companies can end up sharing data to other parties, or a company can be acquired and change their mind about what the data will be used for (which is allowed because of the originally nebulous scope of their T&C which was specifically designed to allow for expansion without asking for user consent explicitly when usage changes). GDPR provides methods for users to be protected in both of those cases -- while just enforcing education does not.

Not to mention that if education was mandatory, then the same companies complaining about GDPR today would be complaining about educating users how their services abuse their dignity. Cutting Google/Amazon/Facebook/etc slack for making hundreds of billions from users' personal data and creating "Big Brother"-esque profiling systems for their billions of users doesn't really seem rational to me.


What if we make companies behave responsibly instead? There are less companies than people, and it is easier to go after them.

If I owned a site I would not have a problem to delete someone's personal data.

Also your sugguestion is that if you want to keep your data protected then you should not be using anything on the Internet or make any deals because once you have ordered something on Amazon it can sell your data to everyone else? Or when you rent an apartment, realty agency should be allowed to share your name, SSN, bank card number and address with everyone? No, I don't think it should be this way.


You are correct that GDPR means "you cannot functionally control something someone else has," but you are missing the aspect of "force."

If I find the person that owns the server hosting my data, and I put a gun to his head, and I say, "remove my data," do I now control that data?

What if I instead pay someone else to go around putting guns to the heads of server owners? If I build an army?

What if instead of that I communitize my resources into a legal system that doesn't put guns to people's heads, but will take their money away and put them in jail if they don't follow the laws?

Don't get me wrong, I'm with you in the hacker-culture sense: fuck the system, man, if Google wanted to it could probably blackmail individual US government officials to the point that it took the country over. I get that. I guess we can get deep into a political science debate about governments and social contracts.

Put it this way: Is your sense that you can walk to work without getting mugged a false sense of security? If not, the only alternative is homesteads with militias (not walking to work anymore), or, arming entire populations (putting the burden of self-defense on the people). In the past, this has been tried, and led to gang rule.

If we "give up" on legal systems, we have ample evidence for what happens. When you apply those lessons to the digital space, maybe it's not 1:1, I guess some countries will be learning that for us, while others will try things like GDPR.

It's all a journey for human civilization. People like you that promote self-defense are great because we get amazing government-agnostic tools out of the deal. People that support GDPR are also great because we can test out "social contract" methods.

What's wrong with dancing around both sides of the aisle?


It's not about giving up on the legal system, it's about taking responsibility and not sharing data with people you don't trust, or don't trust to keep secret.

The gdpr makes people think that they don't need to think about what they share and with whom. Do you really think companies are going to significantly change just because of this? I highly doubt it. Sure there will be some things, but in the end many of the same patterns and uses will emerge.


It's not about giving up on the legal system, it's about taking responsibility and not sharing data with people you don't trust, or don't trust to keep secret.

You keep writing as if everyone has a meaningful choice about who gets data about them, but clearly that is not always the case. Someone may obtain data about someone else from a third party, and you can't avoid sharing a certain amount of data and still function as a normal member of society.

The idea of absolute, black-and-white privacy, where either you share personal information or you keep something completely to yourself, isn't very useful in the modern world. Our conventions must be more nuanced than that, and in practice that means what really matters is who gets access to data about you and what they're using it for.


> not sharing data with people you don't trust

That means basically don't share them with anyone, don't sign any contracts, don't work and live in the street. Because even your employer or real estate agent can sell them to anyone else in your model.


Is there an example of "control" that is not of the "you have legal recourse" nature ? Outside of crypto, I can't think of any.


Yes, not giving ownership away to a party with no contractual obligations to you.


You'll find living this way to be difficult and frustratingly annoying.


> I'm sorry, but it's not. Full stop.

Aside from the "nuh uh; uh huh" nature of this exchange, I really don't understand what your position.

> I didn't say you don't own the photo, I said you don't have control over it. Those are two very different things.

I'm not sure what youre definition of "control" is, but based upon the arguments you've made about "control" above, I assume you mean it in some absolute sense.

Ownership definitely implies control. He can use DMCA to compel a third party to stop publishing his photo, for example. How is that not "control"?

Your definition of control seems to be somehow about capability or power, rather than normative ethics or legal right. Which is a rather absurd way of talking about this issue.

In that sense of control, I don't even control my own body. Someone who is stronger than me can hurt me; can rape me; can even kill me. I have no control.

Of course, for normative reasons, we make laws against other people controlling me in certain ways even though they have the power to do so.

Data privacy is no different. The discussion is not about what degree of control a party is physically capable of exerting. The discussion is about what degree of control the government should grant to each party.

The fact that someone somewhere is capable of hoarding my data, does not imply that this outcome is just or optimal. Your position is a textbook example of the naturalistic fallacy.


I don’t “understand” it because it’s not true (controls need not be technical; they can be regulatory, policy, or other methods). Save your apologies, regulation is coming to fix the deficiencies in data rights and protection. Looking forward to more of if it the same fashion.


> I don’t “understand” it because it’s not true (controls need not be technical; they can be regulatory, policy, or other methods).

No, control is only one thing: the ability to constrain the actions of another. You can _never_ prevent your ex from sharing nudes of you; you can only recover damages.

> Save your apologies

I'm not appologizing for anyone.

> regulation is coming to fix the deficiencies in data rights and protection

No, regulations are coming to give users a false sense of empowerment at the cost of everyone else.


I agree with you in principle but your argument has veered into unsound territory. Do you not believe it's possible for the threat of damages to end up preventing an ex from sharing nudes of you that they otherwise might have? Sure, there's a level of determination that will surpass that barrier, but at least there's a barrier.


Fear of damages isn't control. You can't force an ex to delete those nudes for instance, or prevent them from letting their friends view them.


Following this logic to its conclusion, there is no such thing as control and all laws are pointless. You can't force people not to kill each other, but you can enforce punishments that dissuade people from doing it (and in some countries create regulations to make it harder to acquire tools to do said killing). Same thing goes for stealing, perjury, fraud, assault, breach of contract, defamation, etc.

I actually cannot think of a single instance where someone has "control" over something and the law exists purely as a way of exercising that control, and I can think of hundreds of examples where laws exist to stop people from doing things they may be physically capable of doing but would produce a negative effect on society if permitted. Maybe there is such an example, but it'd be an outlier.


Sure you can. You can lock up anyone who isn't willing to obey the law and continues to cause harm to your ex by sharing the photos, for example. In fact, since revenge porn is now a criminal offence in many civilised countries, that is very likely what will happen.

If anything, the anomaly here is that inappropriately using or sharing personal data about someone is in most cases still only a regulatory or at most civil matter and not a criminal offence. Obviously such an act can potentially cause far more harm to that individual than many physical acts of violence that do carry jail time.


>Sure you can. You can lock up anyone who isn't willing to obey the law and continues to cause harm to your ex by sharing the photos, for example.

Actually, this isn't true, for the purposes of this analogy.

You can only lock up people who are in your country and under the control of your legal system. If your ex flees to Russia and sends out these photos from there, good luck prosecuting them and putting them in jail.

This is the internet we're talking about. An EU law doesn't apply outside the EU, in places like Russia, the US, China, and many other locales. What's the EU going to do when sites in those other countries refuse to take down pictures based on this EU law?


Threatening someone with consequences if they perform some action may not prevent them from doing what they are determined to do, but it will dissuade many. The entire basis of modern society and law is built on the idea of threatening people if they break the law, rather than completely preventing them from doing anything illegal. This is not control in, say, the unix permissions sense, but it's control in common parlance.

What are you actually trying to say here?


If fear of damages isn't control, then you have no control as anyone can break into your home and steal your photo.


If I meet you and write down a note about you afterwards, is that your data? I would argue that no, it is my data even though it is about you.


It's not their data explicitly but that doesn't mean you can do what you want with it or that companies have no obligation to them just because it's your note. They may not be able to request access to view that note or take advantage of the many GDPR provisions, but if the note contains personally identifiable information about them and said note is leaked to the public then companies will still need to remove that information at their request despite it being your note.

This is similar to some other laws, you can be as slanderous as you want to someone in private but if that slander makes publication then you open yourself up to a lawsuit. You may own copyrights to the image you take of someone in public, but you cannot use their image in your merchandise despite owning the copyright to that image. If someone is doxed in an email, and the email hosting provider used is compromised and has their emails linked to the public, the person who was doxed has just as much right to request that the publicly available emails be removed from search engines, etc.



> Data about me is my data, and if the government gives me the right to control it, I have that right.

So if I investigate you, take your picture, etc. have I stolen from you?


Not stolen, but quite probably violated several laws in connection with privacy and personality rights. And this is already the case in many EU countries, no GDPR needed for that.

I actually hadn't considered it before, but I imagine that being a PI in e.g. Germany must be a veritable legal minefield.


It is.


You own that photo, not me. You get to control how it’s used unless government regulates otherwise (based on US law, the EU might be different).


GDPR takes away the right to trade your data in exchange for services.


It absolutely does not. That is still entirely legal. All the GDPR does is make sure that the entity you're trading with is up front about what data they are collecting, and what it will be used for, giving you the ability to make an informed decision.


That's not all it does. Among the other things it does:

It requires the entity to give you the ability to delete your personal data, which means a contract where you grant a service a permanent and irrevocable right to data about you in exchange for a service is illegal.

It also requires the entity to provide an equivalent service to any site visitor that chooses to not grant their data to the entity, thus making the business model of trading even revocable access to one's data for a service unviable in the long run.

It makes it illegal to offer a service in exchange for data that is stored without end-user retrievability. Therefore, it makes a contract where you grant a service irretrievable data about you in exchange for a service is illegal.

All of these reduce the range of possible voluntary interactions. It's anti consent.


No, they do not. Not a single one of those reduces the range of voluntary interactions. If anything, they increase the range, because now it actually is voluntary.

And it is bonkers to imply that something that requires you to actually get affirmative consent from the user is "anti consent". You know what's really anti consent? 10 page TOS listings written in 10pt font that hide what's actually being done with data deep inside.


I just gave you examples of voluntary interactions that are now illegal under the GDPR programme, and you respond that none of the examples reduce the range of voluntary interactions. It's bizarre.

>>You know what's really anti consent? 10 page TOS listings written in 10pt font that hide what's actually being done with data deep inside.

I agree that it is anti-consent. I don't have a problem with laws requiring more legible consent forms.

My problem is the many limitations on the range of voluntary interactions that two parties can enter into that are found in the GDPR, a few of which I listed, and which you totally ignored.


"I just gave you examples of voluntary interactions that are now illegal under the GDPR programme, and you respond that none of the examples reduce the range of voluntary interactions. It's bizarre."

No, you didn't. You gave a list of one-sided transactions where the user has no freedom or really consent at all in the matter.

"My problem is the many limitations on the range of voluntary interactions that two parties can enter into that are found in the GDPR, a few of which I listed, and which you totally ignored."

No, you didn't. All you did was post a list of "transactions" where the company has all the say, and the user really has no input whatsoever. No one is going to miss those transactions.

If you truly, honestly are concerned with "consent", then you should be applauding this law, as it does require actual, informed, affirmative consent. Not the "Here's a great wall of text, agree to give us every little bit of data with no recourse whatsoever for you or don't get any access to the service at all" form of "consent".

I'm sorry, but I cannot take seriously the idea that "if you can't sell yourself into slavery, you aren't free".


>>No, you didn't. You gave a list of one-sided transactions where the user has no freedom or really consent at all in the matter.

I have difficulty responding to such an immature mischaracterization of what I listed.

I listed a set of contractual arrangements that are now illegal. All of them could be entered into completely consensually, and cannot be reduced to being categorically one sided, given we don't know what the value of the service the user gets in exchange for their personal data will be in every instance that said contract is used.

You're infantilizing people when you claim they're not capable of consenting to the sale of their personal data. In fact, no court of law would ever agree with you that these contracts are non-consensual ipso facto what the user offers, which is why the only way these kinds of contracts could be categorically disqualified is to circumvent the courts' purview of establishing consent, by resorting to statutory interventions like GDPR.

And you're vastly over-simplifying the world, and overestimating your understanding of it, when you claim that such contracts could never be in the interest of the user.

What you're doing is absolutely reckless.

>>I'm sorry, but I cannot take seriously the idea that "if you can't sell yourself into slavery, you aren't free".

Selling your personal data to someone is not slavery. Slavery is a permanent condition, affecting your future self.

Personal data sold at one point in time only covers the data generated to that point in time, and does not forfeit data that is generated by your future self.


>I listed a set of contractual arrangements that are now illegal. All of them could be entered into completely consensually, and cannot be reduced to being categorically one sided, given we don't know what the value of the service the user gets in exchange for their personal data will be in every instance that said contract is used.

And in that set, you predicated that the user could not revoke consent. That means that it is not a free contract.

>And you're vastly over-simplifying the world, and overestimating your understanding of it, when you claim that such contracts could never be in the interest of the user.

A contract in which one can not revoke consent is a contract in which one can never truly give consent. If I am unable to revoke my consent, then it can never be in the interest of the user, because my interest may change in the future.

>What you're doing is absolutely reckless.

No, what was absolutely reckless was the attitude of this industry that they should be entitled to suck up every last piece of data they could.

>Selling your personal data to someone is not slavery. Slavery is a permanent condition, affecting your future self.

Which is what you're pushing for. You don't want me to be able to withdraw consent later, thus my selling of data WILL affect my future self.

>Personal data sold at one point in time only covers the data generated to that point in time, and does not forfeit data that is generated by your future self.

It still affects your future self.

Once again, you have twisted this idea of "freedom" so badly, that you are claiming that it is anti-freedom for the user to have the freedom to withdraw consent! You should be ecstatic that you will now be able to exercise greater freedom than you could before. You will have that most basic of freedom to evaluate whether or not something is still in your interest, and if it's not, withdraw, without the other party still benefiting off of your information.


>>And in that set, you predicated that the user could not revoke consent.

No I didn't. I said that these contracts enable the user to sell their personal data. If a personal data sales contract includes a clause allowing you to 'revoke consent' AFTER 'selling' your data, then you are renting your data, not selling it.

By making contracts without such clauses illegal, you are reducing the space of contractual interaction, in making it impossible to sell one's personal data.

>>That means that it is not a free contract.

Again, I have difficulty responding to such immature mischaracterizations of reality.

Selling your personal data is a 100% "free contract".

>>No, what was absolutely reckless was the attitude of this industry that they should be entitled to suck up every last piece of data they could.

You obviously don't care to debate this issue based on rational arguments and facts. You're debating in bad faith. You've already made up your mind and are more than willing to mischaracterize the situation, and people's position, to push your views.

>>It still affects your future self.

Everything you do affects your future self, but this particular type of sale does not cover data genereted by your future self. It only covers what you have already generated.

It's absurd and totally dishonest to compare it to selling oneself into slavery. It's nothing more than hysterical fearmongering about the free market, in support of government limiting people's contractual rights.

>>Once again, you have twisted this idea of "freedom" so badly, that you are claiming that it is anti-freedom for the user to have the freedom to withdraw consent!

You're once again mischaracterizing the ability to re-voke a sale, after the fact, as "withdraw consent".

When you sell something to someone, you no longer have a claim to that something, and thus the other party no longer needs your consent to maintain ownership of it.

That I really need to explain the semantics of ownership to you, and explain how allowing retroactive and unilateral reversals of sales makes it impossible to sell something, shows just how completely delusional and dishonest you're being.


Only if you don't have a contract with the entity...

All the changes are to "consent", which is the naive consent of clicking "I accept".

You can still do anything with a proper, considered, contract.


Terms that you accept by clicking an "I accept" button can be a proper, considered contract. From what I understand GDPR requires more legible terms of service, in place of the undecipherable legalese one finds now, which could potentially help with the issue of users not understanding what they're accepting.

I don't see why the new rules couldn't have been limited to those of this sort, which ensure that users are providing considered agreement.


I guess I was wrong. My impression was there are restrictions on the exact terms of how you can exchange your data with companies.

At the very least, my original statement was overly broad.


See, I disagree with this very premise. Why is it true? It's _not_ my data; it's data about me.

Why do we protect any rights by law? Usually it's because some harm is likely if the right is not protected and the potential victim cannot effectively protect themselves due to some imbalance of power.

Reasonable people can debate how far privacy rights should be protected and where the balance lies between protecting the data subject and allowing data processors to do useful things. Maybe the GDPR doesn't strike the ideal balance here and favours one side too much at the expense of the other.

However, it makes no more sense to argue that someone can't have any legal control over how personal data concerning them is processed than to argue that, for example, someone can't have any legal control over whether their physical property remains in their possession. Many social conventions have proven to be useful, and we codify them in laws so that everyone can see what is considered acceptable behaviour and so that people who try to undermine those norms for their own benefit at the expense of others can be dealt with.


> However, it makes no more sense to argue that someone can't have any legal control over how personal data concerning them is processed than to argue that, for example, someone can't have any legal control over whether their physical property remains in their possession.

No, it's more like making it a crime to break or lose something lent to you. At most it's a civil matter handling damages, not an extension of control over the item lent (baring any contractual agreement).


I don't see why the criminal vs. civil distinction matters here. The point is that you can have legal control over something without necessarily having physical control over it.

Put another way, how is protection of privacy by restricting what someone may lawfully do with personal data any different to protection of physical property by restricting when someone may lawfully use or remove it? Typically you can't physically stop someone from sending your email address to someone else once they have that information, but then typically you also can't physically stop someone from stealing your TV while you're out once they have a big sledgehammer and access to your front window.

I think most of us would still say that we have legal control over our possessions, and most of us would still say that theft is unacceptable behaviour and should be punished. In Europe, where perhaps we tend to have stronger feelings about privacy than in some parts of the world, a lot of people similarly feel that they should have the ability to restrict how data about them is being used and shared, and that some things that some organisations have been doing until now are unacceptable behaviour and should be punished if they continue to do them.


The purpose of the law is one thing, the means through which the law is enforced is another. One can agree with the purpose of the law (people should have control over X) but not with the means (civil damages or criminal penalties).

"To have legal control over your PII" and "To have legal control over your possessions" are similar in nature. The fact that such purposes are implemented in different ways, for mostly technical reasons, does not diminish the argument.

The main technical reason is that, right now, loss of control over PII is widespread, and individually processing each claim would likely overload the judicial system of EU countries which usually don't have class action lawsuits. GDPR simulates a class action lawsuit using regulatory bodies, to be triggered by refusal to comply with a significant number GDPR requests.


> once shared, are no longer under my control

GDPR attempts to fix that.


Let's talk again in 1-2 years. My prediction is that your premise will be wrong by this time in the EU, i.e., there users will have control over their data.

(not perfect control, but that is the same in every area where law is broken, e.g., there are burglars, but still I think you would consider being in control of your personal belongings, and nobody would argue that we should stop prosecuting burglary because many burglars will always get away with it)


I'm always willing to change my opinion based upon data. I'm looking forward to that discussion in a few years. Regardless of who ends up being "right", it will be interesting.


>>The point is that users should be in control of their data

Intentions and effects do not always align. The effect of GDPR is to make any business model where a user trades their personal data for a service illegal.

Business models involving voluntary exchange should not be prohibited.

The fact is, the free market already gives users control over their data. They are not obligated to use any service that requires private information from them.


GDPR doesn't make illegal the trading of personal data for services. It requires consent for each piece of data (in detail, not a catch all) , and requires an option to remove your data, or opt out of specific uses of said data.


If a party must provide a service for users that refuse to provide their personal data, as long as it provides that service for users that agree to provide their personal data, then there can be no business model based on trading personal data for a service.

And by mandating an option to remove your data, it makes a contract where a user gives a permanent grant of their data to a service provider, in exchange for a service, illegal.


you are ignoring the _actual_ point of gdpr, enshrine the right to be forgotten in law to bypass the right of reporting.

they could have alredy fined current privacy abusers under the existing law framework. this will be used to stromgarm independent news sources.


>if the implication is that nobody should provide their personal data because it can be abused then is it not obvious that the use of personal data should be regulated?

I honestly thought this kind of reasoning was a right-wing caricature. No, it is not obvious that choices with risks attached should always be regulated away.

Disclosing information in proportion to trust is a basic life skill. I understand that many in the tech community are frustrated to see the general public failing to exercise this discipline, and maybe regulation is the best way to protect them from themselves, but that's not obvious.

>If the majority banks lost your money regularly, would you blame customers of the bank for using banks -- or would you say that banks should have stricter regulations to stop people from being screwed?

False dichotomy. You want a spectrum of financial products that depositors can choose from according to their risk tolerance. It's essential that we have stable, regulated, insured checking accounts. It's also essential that we have self-directed brokerage accounts.

>"just slapp[ing] some Amazon adds on [your] site" is not the correct approach to handling users' personal data.

A site sending your browser Amazon ads does not oblige it to execute or display them. And this isn't some secret backend upload. If someone is willing to use a site with this revenue model, why is that your business?


> No, it is not obvious that choices with risks attached should always be regulated away.

The assumption is that all users are actively making a choice. Many are not aware of the choices they are making, and I think it's wrong to punish them for it -- when companies profit off this lack of literacy and people rush to their defense whenever people start talking about regulation.

I don't want companies like Google and Amazon to be able to hoard massive amounts of personal information about a large portion of the world's population, and not have to respect the rights of the people whose information they have acquired.

> You want a spectrum of financial products that depositors can choose from according to their risk tolerance.

If effectively everyone of importance just uses Amazon (or Google) ads then you don't get a "spectrum" and there's no choice involved. You have an option to either use or not use a majority of the internet. Yes, you can use ad-blockers but that's not a long-term solution.

> A site sending your browser Amazon ads does not oblige it to execute or display them. And this isn't some secret backend upload. If someone is willing to use a site with this revenue model, why is that your business?

Most users are not aware of how these things work. I agree that if everyone knew how to block those ads and what the actual problems are with them, then things like GDPR might be less necessary (though the right to retract consent is something that should be enforced).

But even then, ad-blockers are a defense against an industry that is over-stepping ethical boundaries every day. At which point do you say that companies which inflict systemic violations of ethics on billions of people should be held accountable? Or is it always the fault of the people because they didn't care enough about their personal information?


Seems to come down to having to protect users from their own lack of understanding.

What ethical boundaries do you think are being overstepped through advertising?


It’s not advertising itself that is problematic. I’d be fine with an image loaded from the origin serevr. It’s the attached pervasive tracking and monitoring, coupled with the real security risks that come with the current incarnation of advertising technologies.


The irony is that if instead of passing legislation to try and "protect users/citizens from their own lack of understanding", a government would instead invest heavily in educating their users/citizens on privacy matters in order to minimize the unknowing populace, i.e. the "fodder" for shady data selling companies (like Facebook/Google). Then you would have companies arguing undue interference with their businesses (I don't know the correct term). And my guess is that's the way big companies prefer it since they can lobby easier when it's not laws but instead "education initiatives" and other fuzzy programs. And they could also counter-invest heavily in another set of "public education programs" where they could try to inform the users/citizens about how valuable they are when they don't understand/care about how their data is monetized. And with the advertising power/know-how these companies wield that match would be easily won against some random government propaganda.

I could imagine a major ad campaing where this question is posted all over the city:

"What ethical boundaries do you think are being overstepped through advertising?

Think for yourselves, don't let the government tell you what to think!

Sincerly, your friends the advertising business"

That's a hard fucking question for me to answer concisely, so I wont do that. Sry.


Once upon a time, someone similarly pointed out that, if "they" wanted to improve vehicle safety, rather than mandating seat belts, air bags, and antilock brakes, they should just put an 8" long, razor sharp spike in the middle of the steering wheel---to make the dangers obvious.

The current state of data privacy doesn't even include the spike.

As you point out, education is a fine idea, but it isn't going to work if there is a major industry based on it not working.


Facebook don't sell data they sell access to customers based on data. Thats a very important distinction.


And that provides a profiling oracle that can be used to determine data about individuals. Once they interact, you know. It's not even difficult to pull off.


Yes just like your Safeway loyalty card or your credit card uses the data you give. Or you voting and comments on this website is used to determine how to treat you here. Or the analytical data you have on your website. Or amazon.

Are you going to stop using all these services that track you some way or another?

Most digital companies wouldn't exist if they weren't allowed to use the data.

So instead of just blanket calling it something it isn't and something that certainly isn't unique to FB or Google why not actually discuss the fundamentals rather than scapegoting someone just because they are some of the most successful.


> Most digital companies wouldn't exist if they weren't allowed to use the data

This is a statement you're not possibly able to prove, and you've even left "the data" open, so you can quibble about the definition in future replies (despite the GDPR clearly giving one).

Terminating replies here due to the gross intellectual dishonesty; have a great night.


GDPR doesn't scapegoat anyone, it applies to anyone interacting with the EU or operating in the EU. The reason why Google/Facebook/Amazon are being mentioned is because they are the most obvious (and prolific) violators of user privacy. If we spent all our time mentioning all of the companies which violate user privacy on a systemic basis, we would never be able to get to the argument.

> Most digital companies wouldn't exist if they weren't allowed to use the data.

GDPR does not deny you the right to use user data, it regulates usage. This is such a ridiculous strawman that it doesn't even classify as a fallacy, it's just simply a lie.

> Are you going to stop using all these services that track you some way or another?

(I have stopped using many of the services you mentioned, but you're actually touching on the reason why regulation is necessary.) It is unreasonable to tell the general public they should stop using the internet if they want to maintain their privacy and dignity. And that's why there need to be regulations to provide protections for the general public when using a technology that is so central to the modern world.


Again. "Violators on users privacy" in what way? You present this as if it's a fact, it's not it's an interpretation. That's the lie here.

You are still using them one of the biggest users of personal data your ISP and that's a service you pay for.

Don't pretend you are stating facts when you are just stating you personal opinion.


Violations as defined in statute by the GDPR, which applies to anyone who collects PII on people within the EU. The ISP thing? I'd expect EU VPNs to start selling pretty well.


> Seems to come down to having to protect users from their own lack > of understanding.

I had the impression that this is rather clearly regulated by the GDPR. A user has to consent to each use of her data. And you have to explain the use in an understandable way, no legalese. Just make a list where you explain in simple words how you want to use the data and add a checkbox to each item (default not checked). I don’t see how this could hurt any ethical business model.


If it's anything like the cookie consent, it will just be an annoyance and nobody will be anything wiser. The amount of "no clue what this is" among non technical people I know is 100%. But the EU pats itself on the back cause they're tackling privacy issues. It's a joke.


The GDPR requires users to be able to say no, and not lose any functionality except that which absolutely requires this data.

If I refuse tracking for ads, then a newspaper can’t refuse me access to their articles.


>>If I refuse tracking for ads, then a newspaper can’t refuse me access to their articles.

This arbitrarily limits the range of businesses that can exist. For the sake of people who value their privacy having nothing denied to them, it reduces the services available to everyone.


> If I refuse tracking for ads, then a newspaper can’t refuse me access to their articles.

they can. a business does not even need to do business with you. it's not a right that a business needs to service you. and btw. this is german law.


The rules involve "degradation of service", which is related to existing customers not new ones. So if you have a newspaper subscription and you request that they no longer use your data for a purpose, they cannot cancel your subscription or degrade your service (unless it is impossible to provide a service without said data).


they can cancel your subscription. because they can always say it is impossible to provide service without said data.

heck they can even rely on other laws to cancel your service any time they want.

in the next years GDPR will change nearly nothing. except that it will kill some smaller businesses.

GDPR is not strongly enforceable, if people think they have a right to something they still need to go to court.

the only thing which might change is that it will be easier to delete accounts and data (which is a good thing).


> The GDPR requires users to be able to say no

Even better, it requires the use to say “yes”.


> If it's anything like the cookie consent,

It won’t. It will just replace the common “no one reads but clicks” TOS. And the user can change her mind anytime she wants.

> The amount of "no clue what this is" among non technical people I know is 100%.

If you can’t explain a non engineer or scientist how personal is collected and used it’s probably not a bad idea to outlaw this practice.

> But the EU pats itself on the back cause they're tackling privacy issues. It's a joke.

It’s certainly not enough but a step in the right direction.


But the GDPR itself is written in legalese. There are many interpretations like yours, but then, without a lawyer, it's a dangerous game to play. The cost of the lawyer may be prohibitive to some small businesses, let alone side-projects.

I'm actually pro-GDPR but this needs to be kept in mind.


A user has to consent to each use of her data.

This is a misunderstanding. Consent is only one acceptable legal basis for processing personal data under the GDPR. Almost everyone is going to use it as little as possible in future because of all the extra red tape involved. Ironically, that probably means a lot of organisations will now be straining to justify processing on some other basis and to minimise use of data subjects' explicit consent and exposure to the associated subject rights.

Just make a list where you explain in simple words how you want to use the data and add a checkbox to each item (default not checked).

It's not that simple, because for example organisations may have legal obligations or legitimate interests in processing data about someone even though it may not be in that person's interest. Consider these:

[ ] I agree that my bank may keep records of the money I owe them.

[ ] I agree that the car rental firm may keep a record of me borrowing their vehicle.

[ ] I agree that the school where I'm applying for a job may do a background check before trusting me to look after kids.

Obviously there are many issues like this where consent for the data processing can't be voluntary and independent of everything else that is going on.


Facebook has been party to gross human subjects research misconduct on multiple occasions. It's not just the advertising.


"I honestly thought this kind of reasoning was a right-wing caricature. No, it is not obvious that choices with risks attached should always be regulated away."

Speaking of false dichotomies...

I think you'll find that self-directed brokerage accounts have more regulations than checking accounts because they provide more opportunity to commit fraud.


You're completely ignoring the point of GDPR. The point is that users should be in control of their data, and when they give it to someone they have the right to know what it is used for and to be able to retract consent for its usage.

That might be the theory, but there may be unintended consequences in practice.

As others have said, introducing regulation always has a cost. In this case, the cost appears to be that a small side business that has been providing a useful service to the local community for several years will no longer be available.

It doesn't matter whether the business was actually violating the GDPR. It doesn't matter if the person running it misunderstood the new regulations and formed an exaggerated view about the potential risks. The end result is still that his service isn't there any more.


If there's demand for said service, then there will be some new enterprising individual who will try to provide it at a profit.

The level of risk and profit is going to adjust to the correct balance over time.


If there's demand for said service, then there will be some new enterprising individual who will try to provide it at a profit.

It apparently wasn't running at a profit even before these new overheads. It was essentially being provided as a gift to the community by the person running it, and that person is not prepared to accept what he perceives to be a lot of extra risk just for doing people a favour. Why then is it reasonable to assume that someone else will step in and be willing to provide the same benefit to others despite the additional overheads?

The level of risk and profit is going to adjust to the correct balance over time.

Again, why should we make such a strong assumption in general? Previous ill-judged regulation of tech industries by the EU hasn't gotten any better with time. They still haven't fixed the "cookie law", which must be on the short list for most useless and widely ridiculed law in history! More seriously, they still haven't fixed the VAT mess, which finished too many microbusinesses and caused significant damage to many more slightly larger ones.


If Amazon and FB make unethical tracking tools and you put them on the website, you are most definitely an accomplice to their acts.

"But it's such a small site/ the person's side project" all the more reason to stay away from this. Having a code of ethics where you end up using the most profitable option anyways is not a real code of ethics

The point of ethical judgement is that it's _not_ the best choice by other factors


How do you go from Amazon ads for ladders to unethical tracking tool?

He's not making a profit. Meaning he's actually paying out of pocket to allow neighbours to lend stuff to each other. Yet he's abandoned his code of ethics?


Sorry, I wasnt reading closely enough. I did not realize that the site might have been just affiliate links. I think affiliate links are not much of an issue, personally, mainly because they don't rely on tracking.

But many ads are those that track you across pages and use many of the same stuff as Facebook to show you products. So if you're uncomfortable with that, it's important to put pressure on that.

If he were just throwing up Google AdWords /FB ads or whatever he would be participating in an ecosystem that is unethical for many. It's helping to support a good cause, but wouldn't it be nice to get good things without contributing to an unethical system in the process?


>>If he were just throwing up Google AdWords /FB ads or whatever he would be participating in an ecosystem that is unethical for many.

But likely in complete compliance with GDPR... As Adwords and FB Ads would be in compliance.

That is the entire point of laws like GDPR, it has nothing to do with User privacy and everything to do with Ensure their can be no competition to Adwords or FB in the future.


It's mind-boggling that people are trying to cast some Amazon affiliate links into a nefarious invasion of privacy. On the advertising scale, from 1 to late-90s, I'm-probably-going-to-catch-a-virus-from-a-shady-ActiveX-component, this is maybe a two.


If all the author of the article was doing was Amazon affiliate links, then the entire premise of the article is unjustified.


> The GDPR isn’t really that hostile to small business and it doesn’t require an understanding of law. You can hire a data protection officer at a legal firm for almost nothing, and as long as you follow their advice on how to pass audits, you’re really not in trouble.

So many contradictions in one paragraph.


This. GDPR is a huge burden for small companies. The extra work for implementing the new GDPR requirements can completely halt any new development if you only have a small team of developers. For big companies the workload is relatively much smaller.


If your business model is based on something that will violate the GDPR, like streetlend selling user data to advertisers, then should you really be opening that business in the first place?


The parent comment point has been missed or understood but not used. The point is that small companies which are valid must jump through significant hurdles to satisfy gdpr. Contracting an expensive DPO (are they going to be doing you a service in pricing or making out well) to set this up may be more than some small businesses can handle.


Larger than small business here, we are not employing a DPO and we are complying with GDPR.


You are employing a DPO if you are compliant. https://digitalguardian.com/blog/what-data-protection-office...

You most likely already had one and are now paying them to do this as well


> You are employing a DPO if you are compliant.

In the UK the ICO is the governing body, and they say I don't need one. From their guidance linked below

>The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities.

I am neither a public authority or carry out those certain types of activity.

https://ico.org.uk/for-organisations/guide-to-the-general-da...


If your business model is based on something that will violate the GDPR,

That is COMPLETELY IRRELEVANT to what people are saying. If someone complains about me, am I obliged to defend myself? If I don't, am I subject to ruinous penalties? If I do and am victorious is the complainer required to compensate me for all of my costs?


>If your business model is based on something that will violate the GDPR

Again, part of the problem is that it's not clear what does and doesn't constitute a violation.


I'm afraid I disagree entirely. If your business is aggregating data in order to sell more effective advertising then you are walking a line and need a lawyer. If your business is selling widgets and you collect personal details in order to complete orders then you are just going to have to write some documentation.

I can tell you as someone who is working in an old school retailer/wholesaler we are not, and neither is anyone we are talking to through various trade bodies, employing lawyers to do GDPR.


Actually, you can keep order data as it has to do with VAT law but you have to keep it in line with GDPR... So it not just writing some documentation, rather making sure your data is secured with up to date and taking into account state of the art technologies etc...

Lawyers can't help you with ambiguous laws very much as it takes precedents to make sure what the words mean.


Other way around. This business was opened half a decade ago, with users being perfectly fine with it (or it wouldn't have stuck around). The GDPR on the other hand has flown under the radar and only suddenly became a thing that service providers (generic "service", not "internet service providers") were made aware of in legal context. So if we're raising eyebrows, it's at the EU and the GDPR. Not at sites that have operated to user's satisfaction for five+ years.


The first GDPR draft was released January 2012 so it wasn't really a surprise move


That's what they said about the EU VAT changes as well. "How are small businesses surprised by this new rule that comes into effect in under a month? We've been discussing it in committees they've never heard of somewhere in another country for years!"

The reality is that almost all businesses are small businesses, and most businesses are microbusinesses. These sorts of organisations don't have full time resources watching out for potential legal hurdles coming down the line in a few years. Many of them don't have full time resources at all.

It's ironic that a law where one of the main effects is to dramatically increase notification requirements has resulted in barely any media coverage and no notification from any official sources to any of my businesses yet. What media coverage there has been mostly seems to have been prompted by people being surprised by the sudden wave of privacy-related emails. So, how is this not going to be a surprise move for millions of small businesses if no-one did anything to tell them about it?


Please, I work for a "small" business and the management have been going on about it for months.

If you run a business and were not aware of GDPR then you incompetent or employ people who are feeding you bad information.

Seems like these businesses who are not "aware" of it are exactly the type that would have other bad practices that will leak personal data of their customers.


If you run a business and were not aware of GDPR then you incompetent or employ people who are feeding you bad information.

Why? Most businesses are very small and don't have any sort of in-house legal team, and won't go actively looking for expensive external legal advice if they aren't aware that they have a need to.

Seems like these businesses who are not "aware" of it are exactly the type that would have other bad practices that will leak personal data of their customers.

That is an entirely unfounded assumption. There is literally no relationship between being technically competent in protecting personal data, having a positive attitude towards respecting privacy, and being aware of new laws coming out of the EU.


Yes, and talks first started in 1996, and yet here we are today with massive problems because small business, and especially self-employed startups etc don't have an on-call lawyer that knows everything about EU regulation. Or anyone. They wont' have heard of this from anyone until it hit the news, only a few months ago. Is a few months enough to understand and become fully GDPR compliant? Probably not. Do you know all the EU laws currently in the works that are going to affect your website 5 years from now? Probably also not.


What about small companies that don’t sell data as a business model?

GDPR punishes the vast majority of businesses that do not have business models reliant on selling user data in favor of trying to catch the ones that do.

Unfortunately, I fear this regulation will do absolutely nothing to stop the bad actors from selling data as they do now.


It's a major pain for us.

But I'm completely in favour of it anyway.


That sort of depends if you were complying with the UK Data Protection Act (1998), or any of the other European acts stemming from the 1995 directive, already. GDPR is only an incremental step from there. It would appear that lots of people considered the DPA as optional, yes GDPR is quite a bit of work for them.


If you find complying with the GDPR is a huge burden, then you really, really need to go back and look at your data collection practices.


> You can hire a data protection officer at a legal firm for almost nothing,

Failed reality check.


Thank you for highlighting this gross misinformation.

A Data Protection Officer, especially from a law firm, is not in any way imaginable "almost nothing" regards the cost.


Seriously. What world does this person live in? When I think “lawyer”, “almost nothing” isn’t the first thing that comes to mind.


Especially when Streetlends is literally already operating at a loss.

I can't imagine it's a cost less than five figures.


The massive legal team part is indeed the problem as it further entrenches Facebook and Google from competition in that space.


A couple moments though:

Google and Facebooks manoeuvring to adapt to the GDPR give a clear road map of the legal requirements. Bluntly, they're not that bad, and they're better for a new startup who can adapt to them from the ground up than an established venture who has to find new ways to make money.

The reporting requirements of the GDPR can be large, but for most companies most of the time you're dealing with a relatively unchallenging piece of legislation. Most of the requirements are just to be able to explain what happens with user data and handle sporadic deletion requests. Loosely connected, separately stored, IDs are the solution to this (pseudonymization). It's a different style of development, but far from tricky. That's systems development, not legal.

This is a legitimate threat to startups reselling user data and overly friendly web-tracking solutions, yeah. To them I say "boo-hoo". For the rest of us? IT regulation with legal teeth is a promising indicator for IT companies. There are more of "them" than there are of "us", and if our legal issues are getting play that means our salesmen will also get play.


> for most companies most of the time

I know you didn't intend to, but you've nailed the problem: the ambiguity and doubt. Most (<100%) * most (<100%) is a fraction times a fraction, never a good equation if the upside is low.

I doubt the StreetLend dude made much cash out of this project, so why bother? It was likely just a convenient excuse to kill a side project that had little value that sucked a lot of time, but still, the ambiguity no doubt helped push him towards this outcome.


The penalties for noncompliance are supposed to be “effective, proportionate and dissuasive”, and can start off with warnings. The law only has the headline figures as upper limits (plus damages, IIUC).

This doesn’t feel particularly onerous, especially as any good business plan will include getting public liability insurance for inevitable occasional serious mistakes.


In my businesses case, EU revenue was <1% of gross.

Even though we never resell, mine nor monetize data, the increased risk of legal action was not acceptable to us.

Have you ever filed a claim on an insurance policy? Your premium will certainly go up next time that policy is up for renewal.

It’s unfortunate for our users. They’re quite upset that we’ve decided to drop all EU customers. But, we’re not willing to take on any additional risk for such a small revenue source.


Your call. IIUC, it covers EU citizens not just residents. I only mention this because way you phrased that sounds like you’re dropping the region not just the nationalities.


My counsel disagrees with this statement. Some Googling seems to confirm that.

https://cybercounsel.co.uk/data-subjects/

1. A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers an Data Processors.

2. If the Data Subject, moves out of the EU border and say becomes an expat, or goes on holiday then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless their data is still processed by an organisation “established” in the EU.

Luckily, my organization is not “established” in the EU.


Doesn't seem true on the ground. There isn't even many consultancy opportunities getting companies GDPR-ready. 99.99% of companies are managing just fine getting someone to skim the rules and make some guidelines to put with all the other guidelines and internal docs they already have in a big binder.

Its only the end-user-is-product companies that have to have armies of lawyers, and that is no bad thing surely?


> Its only the end-user-is-product companies that have to have armies of lawyers, and that is no bad thing surely?

Note that you're on a site pretty much dedicated to the ongoing viability of end-user-is-product companies, hence the backlash here. My experience, same as yours, is that anyone who provides a service for money isn't having any difficulty at all complying with the GDPR.


The flip side of this argument is that we weren’t seeing a whole lot of new Googles or Facebooks without the GDPR.

I don’t think you’re going to disrupt Google or Facebook without trying something new, and the GDPR certainly forces startups to think different.


On the contrary I think that without any regulation, Google and Facebook are able to completely entrench themselves and take advantage of us all in the process.


There are finite moves in the game.

The best moves liquidates Facebook and google.

This is an unviable move.

The next best move is to build laws which enforce behavior.

This always results in additional complexity which cuts into the profit profile of firms.

The same way that health regulations hurt many fly by night operators, and force standards on bigger firms.

This is the only outcome in the game which is acceptable to all parties.

It is the rational move.


The issue is that after Google and Facebook has abused users' data for so long and made so many tens of billions of dollars from that abuse, they're now allowed to keep that money, so they have a huge head-start on anyone else who can't abuse users' data anymore.

The law is needed, otherwise everyone would continue to abuse users' data more and more. So that's clearly not the solution. The ideal solution is fining both Google and Facebook for all the money they've made from that abuse from at least the past 5 years, to level the playing field.

People say that capitalism is the "worst economic system, except for all the others", and that's true. But one of the main issues with capitalism and why it gets to be so broken in the end, is that when companies abuse their powers, the punishment almost never fits the crime. If it did, I think capitalism would be a much more optimal economic system. I think this is by far the biggest issue.

As an example, Intel made tens of billions from anti-competitive moves against AMD, and it was only fined $1.4 billion, a fine that's still under dispute even a decade later (Intel has yet to pay it).

Samsung, and other memory makers have been caught at least once in the past, and now again, doing price fixing. But the fine was and likely will be again much smaller than the profits they made.

Then we have the big banks, which also made a ton of money from screwing people over, and again they were fined at "record levels" but still much less than they made in profits.

This is how the incumbents keep getting ahead of the others, even when stronger regulations pass - they never have to truly pay for the crime they did in the past, and they get to keep 95% of their profits from that crime. That isn't how things should work - the governments should take all of the profits they made from the crime and the fine should be added on top of that. If a company grows 10x in size in a decade from abusing some law and consumers, then the governments should absolutely take back 90% of its size when it's punished later. That's the deterrent.

Now in regards to privacy, the laws weren't that strong before, and I don't really believe in punishing people or companies for laws that didn't exist, which is why governments need to be much more vigilant from the birth of new industries, and not wait until they are mature and most damage has already been done.

Maybe my solutions are a little too extreme, but I do believe more needs to be done compared to what governments are doing now. We can't just let companies get away with almost all the profits they made from abusing consumers.

Also, there need to be stronger anti-merger laws. That's for sure. We almost never need to let companies merge, and if they do merge, that almost always ends-up not being in the consumers' favor. If some companies can't compete on their own anymore, then so be it - let them go bankrupt. The rest will either become stronger, or new entrants will appear. I think that's still preferable over allowing them to "survive" under a bigger company. Let the creative destruction flourish in the market, as it's supposed to.


>The ideal solution is fining both Google and Facebook for all the money they've made from that abuse from at least the past 5 years, to level the playing field.

Probably not far enough. You need to outright shut them down, put them in a prison of sorts, fine them, and then let them continue operating after their term is up. Do not let them sell, do not let them split. But people will lose jobs, ads will be taken out to fight it, and it will be held up in court for far too long. Google and such have ingrained themselves in a way that to properly punish them for their actions is not politically tenable, because the only fitting punishment would destroy these companies and cause significant economic harm.


Yours is a very adequate criticism to the system. I especially agree that we need much more heavy-handed deterrents and more proactive government!

Alas, many people make money off of loose regulation and they are thus biased.

I am afraid we won't see any improvement anytime soon.


How have Google and Facebook abused users data?

Users have been giving away data to google and facebook to use their services. What exactly do you mean have been abused about that.


All of the data was taken without consent. The user might have clicked some 'I agree' checkbox, but they were not in a position to give consent. We could, to compare it to other similar issues involving lack of consent, call it statutory data theft.


Not it wasn't taken. You give over the use of that data to FB when you use their service. Just like you do when you get a loyalty card in Safeway or pay with you credit card.

Calling that stolen is mixing your personal opinions with facts.


If what it says on the blog is correct then he is using affiliate links for amazon for similar products to what you search.

At it's core it is the most ethical a free service can make money (aside from donations). He isn't selling the data or showing personally targeted ads. (Of course it could be using some amazon plugin that does it anyway for convenience or from ignorance, but he can do it without it through amazon apis)


> Except this isn’t really true. Streetlend made its money by selling your privacy data to advertisers through Amazon. So when you put up a power drill for lend, people would see power drills for sale at local shops, based on their online presence harvested through stuff like their Facebook account.

Founder here. Streetlend never passed personal data to Amazon. It used the search term eg “ladder” and showed ladders on sale from Amazon. No personal data was passed.


Then what's the problem? I have to be honest here, this smells far more of FUD than anything based in reality. Nothing in the linked post is talking about anything which the GDPR makes harder.

Unless you're doing something shady with user data (and you _know_ if you are) the GDPR essentially comprises having _some way_ of giving a user all the data you store on them, and _some way_ of deleting that data.

In this case both of those appear trivial to automate, and even more trivial to just do if somebody actually wants those things. Shit, dropping email login and only accepting federated auth would get you there in one step, unless you're doing things you're not saying.


You're acting like you know exactly how to comply with GDPR, while using the term "essentially" to admit that you don't know 100%. Meanwhile you're faulting someone who runs a non-profitable community project for expressing realistic fears over what the law could do to him, because he isn't sure what risk it lays on him.

I've been running websites and doing IT for a long time. I've spent least 10 hours on my employer's dime reading about GDPR and trying to figure it out. There's a lot of ambiguity. We're in the US, we don't do a lot in Europe, so we're at less risk, and my conclusion was that we're small enough (while MUCH bigger than streelend) that we're not going to be a target while some of the ambiguities get worked out in courts. This poor guy has no protections.


The place I work does actually store personal data for a variety of reasons, and we also work for a bunch of other companies that do, and the path to GDPR compliance hasn't been painful. The biggest issue is, as you say, research, but if the sum of your data storage is an email address, a name, and a physical address, then you're hardly falling into any of the nuanced cases.

I'm not faulting the person, I'm just saying the response doesn't seem founded in firm reasoning, but in (self-admitted, by the link!) "I need to look into this but I haven't, so we're shutting down". This isn't a newsworthy event or "proof the GDPR ruins businesses".


Because looking into it takes time and effort? Even if he looks into it and finds ambiguity then, if he cares enough, he'd need to talk to lawyer, which may cost money.

> This isn't a newsworthy event or "proof the GDPR ruins businesses".

It is anecdote that complying to a far reaching and ambiguous law has real consequence.


And again, the entire point being made is that it's damn-near impossible to soundly reason about the GDPR.

This is, again, because the legal text is ambiguous.


> that we're not going to be a target while some of the ambiguities get worked out in courts.

I posited this to our counsel when discussing what to do about GDPR. He cautioned that he’s seen investigations start due to a nosey bureaucrat.

I don’t know if your product is public facing, but if it is, all it takes is a single sufficiently powerful government employee to get curious about your business and start asking questions.

Even if you’re not doing anything wrong, having to engage counsel to respond to the government could get pricey.


>>>Then what's the problem?

Clearly you have no understanding of any legal system in the world works if you believe only people that are guilty of violating the law are sued and ruined by the law.


So should we... not have laws? I don't understand this point, why is that any more true for the GDPR than any other law?


>why is that any more true for the GDPR than any other law?

Because the GDPR is extraordinarily ambiguous.


Indeed it is. We engaged our legal counsel (top 5 global firm in the tech space) to help us understand its impact on us. Even the firm’s “expert” on GDPR still had unanswered questions saying that many nuances will have to be fought out in the courts. That’s not an acceptable risk to my small business.


Laws like GDPR are written in such away that make them open to "legal trolls" in the US we have several of these laws that are routinly used to extort settlements out of small business. These laws are generally viewed as good laws with good intentions but because of their poor wording are open to massive interpretation and thus abuse.

Patent, Copyright and Disability Access laws in the US are to examples commonly Abused laws for this type of behavior

The problem is the legal system in most nations are setup in away that gives the guilty and the wealthy an advantage over the innocent with limited resources

Laws and Legal Systems should be

1. Very Specific and not open to interpenetration

2. Have options for "settlement" as this rewards the guilty, and harms the innocent

3. Have more public resources for people with limited resources. Law firms and Large corporations use Legal Expenses has a weapon in Civil Courts over smaller companies due to the high costs and generally no public resources for Civil access

4. All Civil Cases must have to show Actual Damages not Theoretical Damages

that would be a start


> Laws like GDPR are written in such away that make them open to "legal trolls"

Except with GDPR all you could do is report them to the member states governing body. So no trolling.

> Very Specific and not open to interpenetration

Except this makes them inflexible and leads to them having to be constantly redrafted. So no use to the world of the HN.

> Have options for "settlement" as this rewards the guilty, and harms the innocent

GDPR is between you and the regulator, they already do this work and the whole aim of the process is to stop you doing bad things. A fine is a late step in the process for organisations who wont listen.

> Have more public resources for people with limited resources. Law firms and Large corporations use Legal Expenses has a weapon in Civil Courts over smaller companies due to the high costs and generally no public resources for Civil access

Is off topic when it comes to GDPR, see my previous answers

> All Civil Cases must have to show Actual Damages not Theoretical Damages

Again off topic with GDPR, but in the UK that is how damages works already, isn't it?


>> You can hire a data protection officer at a legal firm for almost nothing

What? Define almost nothing. For small businesses it is a wishful thinking they can hire anybody from a legal firm. They probably don't even have a lawyer or a legal department as they can't afford such luxury.


> But do you remember when the EU outlawed environmentally shitty lightbuilbs and everyone said we were going dark because it was impossible to do anything else? Today 95% of lightbuilbs are LEDs because of that.

And now we are finding out LED lights are bad for our eyes and our sleep, so we may go blind sooner and die sooner.

Ok that might be a bit extreme, and besides there is an efficient incandescent tech that will probably come back and save us (and you can argue the EU helped that too)... but my point is the EU has good intents but their creations seem polarised into either extremely preemptive or extremely reflexive and are often premature and poorly thought out, fighting for something for the people but often without thought for how they will directly hurt the people.

For tech the EU isn't exactly unique in this respect though, the UK for instance recently tried to inact some pretty rediculous laws that undermine basic technologies that make the internet work.


>almost nothing

Yeah, I'll just get a small loan from my father.


> You said:

"From the description Streetlend didn’t violate the GDPR in concept though. Addresses are public record, available in public databases, and there is nothing stopping you from doing lending eBay. All it needed to do was clear it’s records every 6 months and let people delete their accounts."

> But the comment you commented on said:

"The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous)."

The issue seems to be that the resources required to resolve a delta - from Streetlend's pov - are perceived as excessive. Too much risk; not enough reward.

Look at what happened with Thiel and Gawker. Right or wrong is irrelevant if the opposition has deeper pockets and can bleed you to death (in legal fees).

> Startups will find a way to make money that isn’t selling your data.

Perhaps, that could be true. But plenty will not want to be caught in the crossfire in the meantime. And that too is a biz decision.


“can hire a data protection officer at a legal firm for almost nothing”

Out of touch with reality much?


Unfortunately there is no more site to prove it, but I would imagine something like this. GDPR on its own shouldn't be a problem for Streetlend, there was something more, users data releated and how to make money off them.


so is every site that uses affilate links selling your data? I didn't see anything else mentioned in the description.


You have to identify your data class which takes a lawyer. You have to assure that no data is held longer than 48 hours even telemetry without providing an export and delete function. You have to support level 4 data requests which will take a lawyer.

Just like all regulation its very doable but its way more cost effective for the big players.


I think your misunderstanding how his site worked. Where did you get that it sold private data to Amazon?


Could you share the name of a legal firm charging ‘almost nothing’ for a data protection officer? Because the ones I’m finding definitely cost more than ‘almost nothing.’


Ugh, sorry but no, the EU can't claim any credit for the success of LED lightbulbs.

They can take some credit for the dim and dimmer mercury containing CFLs, and the ludicrously expensive and somewhat unreliable early LEDs, if they like.


> the EU outlawed environmentally shitty lightbuilbs

when did that happen?



Here in the US you mostly see fluorescent energy saving bulbs, even though incandescent bulbs are widely available in the pharmacies and in the supermarkets. And that is because they are cheaper to operate: the market decided that, rather than a regulator.

>Startups will find a way to make money that isn’t selling your data.

It's hard to argue with statements like that. What if they don't? There are plenty of startups providing extremely valuable or fun services (like flightradar24 for example) that are supported by ads. After GM, Ford and Chrystler there were basically no successful auto startups in the US for 70 years. This regulation makes life for startups disproportionately harder than for Google and FB that already have an army of EU lawyers on payroll.


> And that is because they are cheaper to operate: the market decided that, rather than a regulator.

This is not true. The US has parallel regulation that encourages the phase out of incandescent bulbs [1]. True to form it's a lot weaker than the EU regulation but it sends the same message.

> This regulation makes life for startups disproportionately harder than for Google and FB that already have an army of EU lawyers on payroll.

This is not true. In fact the GDPR makes it clear that for small businesses (<250 employees) most of the control burden is relieved.

[1] https://www.epa.gov/cfl/how-energy-independence-and-security...


Both the US and EU regulations were widely flouted; it was easy to get incandescent bulbs in practice. There's actually one in the room I'm in now for the simple reason that getting any other kind of bulb to work with dimmers was a nightmare; until a year or so ago, nearly all the dimmers sold in the UK were designed for incandescent bulbs only. The EU had, and still has, no interest in actually fixing this. Instead of making LED bulbs more practical to use they plan to crack down even more strictly on the alternatives, including new efficiency restrictions that effectively ban most stage lighting used by theatres and concerts.


I got some LED bulbs recently that are all glass, so they look exactly like incandescents, they have the same color temperature as "warm white" incandescents (i.e. 2700K), they are as bright or brighter than the incandescents they replace (800 lumens) and they are $1 apiece in quantities of 2. This may be an aberration, but it has certainly made me certain that I should always search for good and cheap LEDs in the future, and not waste time with any other type.

I also found some LED bulbs that have simulated filaments inside clear bulbs for an old-fashioned look, and again the incandescent color temperature.

I've even found cheap LED replacement bulbs for the various interior lights in my car that look just like incandescents.

So I think it's kind of passé to be debating LEDs at this point.


Have you found an LED replacement for the light in your oven? As far as I'm aware, those are all still incandescent, simply due to the temperatures involved.


Has someone prohibited such bulbs? In the US, I think there was some exemption for utility incandescents.


I'm not sure you grasp how poor the LED situation is over here in the UK. Some of the other light fixtures here have similar glass LED bulbs (non-dimmable, naturally) and they're pretty decent replacements for incandescents so long as you can live with the limitations - they're also discontinued and cost several times that price when they were available. The only place I can find selling something similar is charging £5.50 (about $7.50) per bulb for something off-brand, though I guess at least that claims to be dimmable: https://www.toolstation.com/shop/p95506 The last off-brand LED bulb I got from there died after about a month mind you.


I have to make two points.

1. This regulation is specifically (deliberately?) anti small business. If your revenue is less than €20m their fine is up to €20m, i.e. can be 100% of your revenue, meaning bankruptcy. If your revenue is greater than €500m, your fine is capped at only 4% of your revenue, i.e. an acceptable fluctuation. It's worse than a regressive tax.

2. China also has many regulations. Instead if trying to extend their jurisdiction to foreign sites, they simply block them. I thought about this and I actually prefer the Chinese non-expansionist model: I would rather outsource due diligence to the Chinese government than hire expensive EU lawyers and then implement EU specific blocks.

FYI we do not collect any data other than for spam and DDoS attack mitigation, but apparently if you have any third party code in your site like ads you have to subject all of that to this expensive audit.

Well meaning regulation like this written by people who have never created anything pratical in their lives other than regulations illustrates why entrepreneurship in modern Europe is nearly impossible.


> If your revenue is less than €20m their fine is flat €20m

Rubbish, this is just spreading FUD.

From the UK ICO: "It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.

But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm."

Look at the track record of the UK ICO - how many small businesses and side gigs have been fined £500k? How many businesses of any type have been fined the current maximum of £500k?

So where does this ludicrous assumption that everyone is always going to be hit with the maximum fine from here on in come from?


It's scaremongering to assume that a country would enforce the letter of the law? I am not a lawyer, how can I tell when a judge will or will not enforce a ridiculous law? After all, England almost jailed something for training their dog to give the Hitler salute or for posting something mean on Facebook.


Is it scaremongering to assume the maximum fine? Of course - years of legal precedent for current DPA clearly demonstrates this. If the track record showed hundreds of small business people rendered destitute thanks to half million fines it wouldn't be, but it doesn't. It's a maximum not a fixed penalty as one would typically get for a parking offence. If they're not fining anyone £500k why are they going to suddenly fine everyone £17m?

Even TalkTalk were only fined £400k for the most ridiculous incompetence leading to 4 breaches in 18 months and failing SQL injection 101. They make profit in the tens of millions yet still didn't hit the maximum (They should have in my opinion). I think at the time that was the largest penalty yet issued.

Same goes for other data protection bodies across the EU - there will be few instances of maximum penalty under current data protection. I'm sure some countries have never imposed the current maximum.

nb It's not a ridiculous law - I'm fully in favour of it, as are many others over here.


>> nb It's not a ridiculous law - I'm fully in favour of it, as are many others over here.

That's the most interesting thing about the GDPR. While some developers are picking up their ball and huffing off home, others are actually 100% behind the regulation.

It says something when tech-savvy people agree to sacrifice time and effort and probably profits to protect their users from their own software.


> It says something when tech-savvy people agree to sacrifice time and effort and probably profits to protect their users from their own software.

Or the competitors' software.

Consider some business that was doing what GDPR requires already: users could delete their data, they could request a complete copy of it as well as an explanation what it is used for, and it was only used for defined purposes that the user signed off prior anyway.

Sadly, that reduces flexibility somewhat, but they're doing it because they consider it the right thing.

For them, GDPR levels the playing field and makes sure that they never have to stray from this conduct just to remain competitive with companies that aren't so nice to their users.


> It says something when tech-savvy people agree to sacrifice time and effort and probably profits to protect their users from their own software.

Nothing about the gdpr solves the problems of companies having insecure systems that _leak_ user data. I also don't believe that data about me is data I own. To me, the gdpr feels ineffective at the real issues causing me harm (leaked info) and also a giant burden on companies that fundamentally changes how the industry has worked, but in a way that quite frankly, doesn't make any sense to me. The data about my order isn't my data to control.


>Nothing about the gdpr solves the problems of companies having insecure systems

It doesn't directly prevent insecure systems, but discouraging companies from storing information they don't need and transferring it on to third parties for whatever reason they feel like massively reduces most people's exposure to this risk.

>The data about my order isn't my data to control.

If you believe people have a right to privacy, then you believe they have a right to decide who gets to know what information about them.


> If you believe people have a right to privacy, then you believe they have a right to decide who gets to know what information about them.

That's not even remotely true. A right to privacy does not mean I get to control the actions of others.


That's not what's grandparent wrote, it wrote that you have a right to know what is done with your data.

Nothing restricts what others can do with them, they just have to state it so I can decide whether that's ok for me or not.

The lack of this clearly defies the right to privacy, just consider the extreme case of "I'll dump your data on GitHub next week"


"Nothing about the gdpr solves the problems of companies having insecure systems that _leak_ user data."

Requiring disclosure of a breach within 3 days of it happening, as opposed to the several months that is commonplace now, is a big help.

"I also don't believe that data about me is data I own."

Everyone disagrees on this point. Right now, Europe says the opposite.

"also a giant burden on companies that fundamentally changes how the industry has worked"

Good. Currently the industry is geared to suck up every last bit of user data like a vacuum, regardless of whether it's actually needed, so they can sell it. This has gone on for far too long, and I'm glad to see the industry hopefully move away from it.


>> I also don't believe that data about me is data I own.

If I place a camera in my house so that it's recording what's going on in your bathroom- is that data you would like to be kept private, or not?


Probably in part because it's exactly those developers that see how easy it is to leak data to third parties that won't respect it at all and will track the everliving shit out of it.

I'm fully behind the GDPR. It might not be perfect, but I've read the law and it's surprisingly straightforward and sane.


> I'm fully behind the GDPR. It might not be perfect, but I've read the law and it's surprisingly straightforward and sane.

Why is it sane to assume data I've sent to a service is my data to control?


With respect but it's you who says it isn't. You need to explain why it isn't.


I started writing a lengthy reply, but instead let me ask you this: why would a service be privileged to do anything with your data that they did not ask you for permission to do?


Interesting part for me is the hilarious FUD where we got none when DPA came in. A good part of GDPR is already here with EU Data Protection Acts and what constitutes personal data is much the same. Many of the Kafkaesque and corruption scenarios should be possible under DPA and other laws yet haven't been happening.

GDPR increases maximum penalty to be high enough that it could be a penalty to a Google or Facebook for a serious, wilful, breach of regs, in an environment where the tiniest fraction of reported cases get any fine at all (16 of 17,300 reports for 2017 in the UK) let alone the maximum. Internet now certain that one man software companies and hobbyists with non-commercial regex sites will receive £17m fines, every time and it will be used as a stick to beat one's political enemies with or, most comically of all, pay for local infrastructure improvements.

I don't understand why - the regs seem reasonable and not especially difficult to meet unless your business is built on wilful abuse of personal data. Just a reasonable effort to enhance DPA taking into account new techniques and misuses of data. Deletion for everyone, not just a minority - thanks to FB et al feeling it's fine to never delete, and run shadow profiles on all. The highest penalty will be saved for the most offensive cases involving multi-nationals. It will be interesting in a few years to see how many maximum fines have been levied. My bet is none at all, once or twice if there's an especially egregious breach from an Amazon or Google.

I've little doubt that just as I feel more should have attracted fines under DPA I'll feel more should have got GDPR fines.


>> I don't understand why - the regs seem reasonable and not especially difficult to meet unless your business is built on wilful abuse of personal data.

My intuition is that the people who complain are that fraction of developers who actually care about their profits more than their users' privacy.


I'm sure that's a big part of it when every app wants to do a data grab. I'm also left thinking US law doesn't really do proportionate after a few of these discussions! :)

For us in Europe 20 years of DPA must help - I doubt there's many here would want to go back to pre-data protection.


So you did the research and found out that England probably won't endorse a law to the fullest extent. My point is that a simple tech guy building a company won't know that statistic and how it relates to their specific case.


If I tell you that the maximum sentence in the UK for possession of marijuana is 5 years in prison or an unlimited fine, are you going to tell me that everybody who's ever been caught with marijuana has been thrown in prison for half a decade or bankrupted?

No, in fact, most people get served with nothing more than a formal caution or a £90 fine. This is normal - this is how the law works in this country. Anyone who doesn't understand this hasn't even been paying attention to the lowest-common-denominator newspapers, which are constantly screeching about how people usually don't get anything close to maximum sentencing.


[flagged]


For many, that lawyer for an afternoon is an additional $1000 out of packet expense on a side project website that wasn't profitable to begin with.


Well then your “side project website” is unsustainable.

It’s not complex - we don’t let people away with flouting regulation because it’s burdensome. “It would make me unprofitable” is not a valid reason to ignore health and safety laws, or hygiene laws.

“I just want to run a food truck as a side project but not care about making people sick or not” is obviously ludicrous. Why is personal data somehow fair game?


Why are you assuming that everything on the internet must be a revenue producing business?

Someone doing it for love or passion is now faced with GDPR compliance and the risks and hassle that come with it.


I am assuming no such thing.

Just because you are not making revenue doesn’t mean that you don’t have to abide by regulation. The GDPR is intended to solve a very real and present issue; if you run a side project that deals with personal data, then the fact that it makes no money doesn’t mean that your mistreatment of personal data isn’t harmful!


I'd rather block all EU IPs than bother to break working technology that is operated and maintained freely.

How do you revoke PII from a distributed information system, like anything using a blockchain or distributed version control? You don't.


You can. You just need to think about it and have the correct controls in place.

If you choose to block all EU IPs instead of implementing the most basic data security and retention policies, then it’s for the best that EU users are not able to use your compromised service.


You cannot force peers of any decentralized distributed system to forget data. They can pretend to and appear as compliant peers and yet retain the data.


Then why are you storing PII on them?


Have you ever used git and supplied a username and email as your author? That's PII in a distributed service that cannot be revoked.


That is also PII being used for the purpose it was collected for (identifying a contributor) and I believe falls under Art.6(1)(f) of the GDPR. You would likely have a hard time convincing anybody that you can apply the right to be forgotten to a git repo - especially as that particular processing can be argued to not be requiring consent once you have submitted your commits.


The author details are not necessary for the core function of git; the change itself does not need the PII. Moreover, my concern is general for when PII is in such a distributed system; git is just one example of many.


I've always felt that git is poorly designed for that reason. At the very least, there should be an "identity block" that commits etc point into, rather than embedding names, emails, and other identity information into immutable commits. Under GDPR, that's how it would've been designed in the first place. Of course, this'll never happen without a complete fork of git.

Once you've got that sorted and you can change/remove identity information, the likes of GitHub have no issue so long as they have GDPR-compliant contracts with any business partners who can access git repos. Obviously, anyone using GitHub who decides to store all identity data forever is, generally speaking, not GitHub's problem, same as someone who noted down the names of all their friends on Facebook isn't Facebook's problem.


> I've always felt that git is poorly designed for that reason. At the very least, there should be an "identity block" that commits etc point into, rather than embedding names, emails, and other identity information into immutable commits.

Misuse of git isn't a problem inherent to git.


Putting your name and email into commits is the default behaviour of git, and git will not work until you do so. This is design, not misuse.


No, putting the name and email you give it, if you give it one, is by design.


So the GDPR is entirely irrelevant because we could just give fake details to companies? And giving correct details to anyone, ever, is in fact “misuse”? That’s not how the law works, nor is it how it should work.


This was specifically about git. However, it does appear that you need to at least provide a user identifier for git. I can understand why that would be useful in a distributed system. It could be opaque identifier, but you're points taken in this case.

Can you explain how they managed to cope under the twenty or so years of things like data protection law or eg PECR?

Can you explain why they can cope with PECR but can't cope with GDPR?


Laws that are stupid and not widely enforced because they are stupid are damaging to the entire concept of law. Particularly if they can hang over like a sword of Damocles if you piss off the wrong people.


This is getting silly.

The law will be enforced, just as current data protection is.

The law can be enforced without every case attracting the maximum penalty. That's why nearly every law has a range of penalties.

Accidental and minor breaches can attract a minor penalty or a letter asking you try harder. Wilful and repeated breaches affecting many customers will attract harsher penalties.

Same goes for speeding offences - go 40 in a 30 limit, get a fixed penalty ticket. go 140 with the GoPro race footage of you and your buddy posted to twitter expect a much larger fine and a driving ban.

In neither instance is it not enforced, or damaging to the concept of law.


I don't think that people like you and people like me will ever agree in these discussions because you look at statistics and I look at possibilities.

What @megaman22 is saying fully matches my experience as an Eastern European -- piss off the wrong people and the law will fall on you with its full might. Some people would really love to make an example out of you if you give them the chance. And I don't think that only applies to E.E. but have no data either way, it's just an observation from news and hearsay from affected people around here.

I fully support the GDPR and I'll do my utmost to comply with it even for hobby projects.

That was never something I disputed in my root comment that spawned this big sub-thread.

What I said and will continue saying is -- laws like these open even more doors for legal trolls, big players and nasty competitors to exhaust you out of business. The fact that it doesn't happen on a massive scale in my eyes means nothing; or rather, it means that agents used as an example to scare off others isn't something that's done often because usually just a few lawsuits and their aftermath are plenty enough for those many others to get the message.

So IMO using statistics here is not a strong enough argument. I am not trying to alter your thinking. We actually agree on most points but I simply can't agree that past statistics are a good proof that the new law won't be used in a more heavy-handed manner than originally intended.

To me, that remains to be seen yet and none of us can claim with certainty that what seems likely to them will materialize.


Almost missed this thanks to the incorrectly flagged message up thread.

> I don't think that people like you and people like me will ever agree in these discussions because you look at statistics and I look at possibilities.

You may be right in our chances of agreement!

I see a judiciary separate from state which is more than happy to put politicians back in their box when they introduce bad or overreaching law. Governments of all colours complain about the judiciary and Lords here in the UK - which I see as proof that the separation basically still works. I see data protection bodies that are separate from government and politics. I see occasional stories of record fines or breaches from mainly Western Europe and talk to friends and conclude small business and solo developers are not being fined or trolled into oblivion in nearby countries either. Yet EU DPA is most of what GDPR is with smaller maximum fines. Why isn't the disaster scenario you foresee already happening with current DPA and other laws? Why are so few fined for breaches and only the most extreme cases getting fines?

I'm less aware of justice systems further east and yes it's obvious that former Soviet bloc are going to be rightly more sensitive to and concerned about corruption. I'm also not aware how successfully that's been left behind from adopting EU laws and years of membership. That said, reading the pieces that turn up on HN it seems that the US is the one with problems of corruption in the justice system currently. No doubt that's also unrepresentative thanks to what's being shared about a vast nation.

So, the legal trolls - it's going to be registrars and data protection bodies bringing cases or seeking sanctions. Just like happens with current DPA. This does not appear to be akin, or anywhere near, the US DMCA where large media companies massively abuse takedowns via automated software and triggering numerous trivial errors. I don't see the scope to exhaust someone out of business - yet it's clearly easy with DMCA. There's nothing a Sony can abuse to pick on a little guy with GDPR - they can report me to the registrar.

You're right that it remains to be seen, but I sincerely doubt our data protection bodies are suddenly going to break out thumb screws and bring orders of magnitude more cases when they've kept fines for the final, extreme, and rare sanction til now.

I honestly expect that just as I feel more should have attracted fines and sanctions under DPA I'll find that GDPR is also being too lightly applied. We'll see. I've been wrong on the internet before. :)


The speed limit analogy is terrible. Or maybe perfect, for my point.

Because speed limits are not enforced, everyone goes somewhere between 5 and 15 mph over, all the time. But catch a pissy cop, or one in a town that uses speed traps as a revenue source, and you can get pinched for hundreds of dollars arbitrarily. Yeah, the jackhole that burns tire at 110 past a school-zone is most likely to get pinched, but almost everyone on the road could.


>Because speed limits are not enforced

and yet

> But catch a pissy cop, or one in a town that uses speed traps as a revenue source, and you can get pinched for hundreds of dollars arbitrarily.

Sounds like enforcement to me.

The solution is also simple. Don't drive over. I don't do it. If the sign says "50 kph", I drive "50 kph" and not more.

Driving over is entirely voluntarily ignoring the limitation set by the law so don't go and be all surprised when somebody CAN FINE YOU FOR THAT.


The GDPR gives authorities various ways to deal with corporations that are breaking the regulations.

When a corporation is compliant and only has minor infractions, they will (most likely) write a sternly worded letter.

But if you're constantly and repeatedly or willfully ignoring or breaking the regulation they definitely won't leave it at a simply tap on the fingers.

Plus, I don't think any regulatory body is looking for bankrupting a corporation. They will obviously size the fine according to how much the corporation has in turnover or profit.


So we are just supposed to hope that they will be nice to us when inevitable violations occur under one of the 28 unique interpretations that this law will be subject to?


I don't think I've heard of many EU regulatory bodies that will immediately go for the maximum punishment the moment anyone does a minor infraction. First you get a letter, then a sternly worded letter, then a tap on the finger, a hard tap on the fingers and if you still refuse to learn the lesson then they break your knees.

If you have minor infractions caused accidentally and you cooperate I have doubts that any regulatory body for the GDPR will go beyond sending a simple letter asking you to fix a problem.


Perhaps it's a cultural difference but here in the US we interpret all laws literally, fully expecting maximum penalties. And yet they are trying to apply this law to American startups who can barely afford a lawyer here, let alone a EU counsel.


laws are interpreted literally in Europe too, or they wouldn't be laws. But most laws have a range of penalties, and often account for intent and attitude. E.g. in US law you have "manslaughter" (voluntary or not) and "murder", for example. And you have different penalties for first offense and repeated offence.

I am not one to say "trust the EU government, it is good". But the intent of the legislator is obviously not to kill businesses willy nilly, it is to punish certain behaviours, they have no reason to willingly cause a business to shut down, which is why the GDPR explicitly accounts for collaboration.

In the end, it is up to you to decide not to abide to the law. There have been local regulations forever, this won't change much.


This does not resonate with my experience. In the US, reporters will often describe sentences as "up to 1024 years", but the actual sentences are different. See https://www.popehat.com/2013/02/05/crime-whale-sushi-sentenc...

Note that, in parallel to the EU regulation, the statutory maximums can be enacted(ever since Booker judges can use their discretion again), but in reality most judges rule within the sentencing guidelines.


> I don't think I've heard of many EU regulatory bodies that will immediately go for the maximum punishment the moment anyone does a minor infraction

Yet. Wait until the company is another political organization that is identified as an enemy or competition. Then these laws become tools for shutting down dissenters with selectively applied fines, even to companies outside of the EU.


Could you provide an example of such a thing happening? Preferably for minor regulatory infractions in startups since that is the topic here.


That’s not what the law says they have to do. All reasonable businesses have to assume the worst case, not the best case. These governments have a built-in financial incentive to not be lenient in any way, shape, or form.


That's the US, yes. EU regulatory bodies are generally rather lenient when you attempt to follow the regulation.

And unlike you say the law does say the regulatory body for the GDPR has to consider the business needs of smaller businesses and adjust their fines accordingly if they even hand them out.

There is a good flowchart in this thread too, I recommend to study it.


But they have never had the extraterritorial reach that they are claiming under the GDPR either. This could easily be used to suck money out of foreign countries. I don’t think they’ll play nearly as nice with people that don’t vote in their own countries.

I am hopeful that the US will pass legislation exempting US firms from enforcement of fines under GDPR on US soil, but I am not optimistic. Under current law, it is likely that they can be enforced. Either way, the net result will be that EU residents will have access to a far smaller universe of content and services. Most businesses just won’t take the risk.


>> This could easily be used to suck money out of foreign countries.

We both contributed to a conversation where you made the same point, a few days ago:

https://news.ycombinator.com/item?id=16888026

Back then, I was not convinced that you had a clear idea of how such a money-grabbing scheme could be implemented. I would kindly ask whether you have a clearer understanding of the relevant procedures now.


It’s a very simple procedure. Make accusation, get judgment, domesticate it in the US, get paid.


But why would you "get judgment" if you are not in violation?


It is nearly impossible to fully comply, and may actually be entirely impossible, based upon how much conflict there is between the 28 different interpretations that this will be subject to.

The people saying how easy it is don’t know what they are talking about.


>> It is nearly impossible to fully comply, and may actually be entirely impossible, based upon how much conflict there is between the 28 different interpretations that this will be subject to.

By "28 different interpretations I assume you mean those of different member states. It would actually be 27 now that the UK is leaving, but even so, the GDPR is a regulation (General Data Protection Regulation) and not a directive, partly in order to eliminate inconsistencies in national laws. To clarify, as a regulation, the GDPR does not need to be passed into national law.

Additionally, this reduces the burden on companies that would previously have to deal with multiple local authorities, in the context of the Data Protection Directive.

Further, there are provisions for the consistent application of the GDPR across all member states, particularly a European Data Protection Board.

This is from an article I quoted earlier:

Coordination and Consistency

Under the Directive, there has been a certain level of coordination in interpretation and enforcement. Apart from informal contacts among authorities, there has been a succession of non-binding opinions issued by the “Article 29 Data Protection Working Party,” an advisory committee comprised of representatives of the national supervisory authorities (commonly termed “data protection authorities” or DPAs), along with the European Data Protection Supervisor appointed by the European Commission. Under the Regulation, that group will become a more independent and powerful regulatory body called the European Data Protection Board, tasked with ensuring “the consistent application” of the GDPR. An entire chapter of the Regulation (Articles 55-63) is devoted to cooperation and consistency, with procedures for multiple DPAs to coordinate investigations and promulgate consistent decisions and policies reviewed by the Board and reported to the European Commission.

One feature of coordination that should be helpful for multinationals is a provision for companies to work with a “lead supervisory authority” in the country where the company has its “central administration.” That authority will then coordinate with the authorities in other countries where the company operates, attempting to achieve consensus on issues that affect all of them.

https://www.infolawgroup.com/2016/05/articles/gdpr/gdpr-gett...

Generally, I have no idea why you say that the GDPR will be nearly impossible or actually impossible to comply with. Different member states have different regulations for drug use, for instance, but that is never used as an excuse to violate drug laws "becuase they are impossible to comply with" due to different national interpretations.


> I am hopeful that the US will pass legislation exempting US firms from enforcement of fines under GDPR on US soil, but I am not optimistic. Under current law, it is likely that they can be enforced.

What would be the mechanics of enforcing the GDPR against a US company with no EU presence? I'd understood the opposite, and that the EU's best options to enforce were probably indirect (via customers, vendors, etc. with EU presence).


That and privacy shield (or equivalent). The EU courts could simply go the the US courts and tell them that under privacy shield, the company violated the EU law. Then the US court could decide that, yes, the company did indeed violate EU privacy law and enforce the fine on their side.

If the US court doesn't decide that, the EU will have to resort to indirect measures (Google AdSense will probably stop working since Google doesn't want the EU courts on their butts for making business with someone who violates the EU law and other measures)


> While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law.

https://www.privacyshield.gov/article?id=How-to-Join-Privacy...

So how does that affect companies that don't elect to join Privacy Shield?

Agreed that AdSense will probably start indirectly enforcing the GDPR at some point. Someone will probably make a lot of money picking up the traffic they lose, in exchange for never changing planes in Frankfurt again...


Without privacy shield, I guess the EU might still try to go through the US court system to have a foreign claim enforced in the US.

I guess we'll have to wait and see what happens in that case, if the US court system is willing to enforce GDPR fines on their side, that would be a win for the EU (the US has been doing this for ages)


Apparently, existing treaties that the US has allow for the domestication of EU civil judgments in US courts. The prevailing logic right now is that nothing new would need to be passed to allow for that to include judgments issued under the GDPR. Here is one article, there are many more:

https://community.spiceworks.com/topic/2007530-how-the-eu-ca...


From that article:

> "While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years."

That sounds pretty murky to me, more a statement that she expects regulators to cooperate than one that current law provides a clear path. Not that I can find a more confident article in the other direction, of course...


Yes, because that will certainly be the case, like any GDPR lawyer or consultant will tell you.


> After all, England almost jailed something for training their dog to give the Hitler salute or for posting something mean on Facebook. reply.

He wasn't 'almost jailed' - he was fined £800. And the video involved him saying 'Gas the Jews' over and over again to his dog, to which the dog reacted.


The real crime here that it wasn't funny at all. But imposing fines for telling bad jokes and spending tens of thousands of GBP of tax payers money is just wrong, wrong, wrong.


I don't know how close he was to being jailed, but Washington Post (MSM) wrote "Now it will probably land Meechan in prison." [1]

[1] https://www.washingtonpost.com/amphtml/news/the-intersect/wp...


Typically the law in this country has been to impose relatively small fines for malicious communications, and even these are sometimes dropped on appeal, as with the Twitter Joke Trial. The WaPo has it wrong in this instance - Britain isn't Thailand.

https://en.m.wikipedia.org/wiki/Twitter_Joke_Trial?wprov=sfl...


This is usually how laws work. They specify minimum and maximum punishments for various offenses.

What part of this is a problem for you?


Scotland actually, (and Scottish Law, not English).

(And for that matter it was his girlfriend's dog).

But yes, I agree with you - you have no control over the Court's decision if found guilty.


It seems like you're suggesting that it's a non issue because of the assumed benevolence of the regulator.


Big difference between Europeans and Americans. Europeans assume benevolent regulators/government, Americans assume malevolent regulators/government.


So if you're a startup owner who happens to not be well connected, or have a bad lawyer, you get hit with the full $20M fine, while a huge corporation that is politically well connected gets fined proportionally much less?

There's no good way to frame this for a small business. Are you seriously suggesting that the mere benevolent feelings of a judge or board and how their mood is that day is the only thing standing between a startup and bankruptcy? If you're saying a small business should never be fined that much, why isn't that the letter of the law? Why does the court even have the option to completely destroy a startup like that?

> So where does this ludicrous assumption that everyone is always going to be hit with the maximum fine from here on in come from?

Where are you getting this ludicrous assumption that the law won't apply the maximum fine? If you don't think they should be able to, why isn't the law simply sensible, and should apply a lesser fine?


I don't know how the legal system works in the US (I'm starting to think not very well), but that's not how it works. The process in the UK is something along the lines of the court will assess means to pay, then a fine will be levied. I wouldn't expect any business to go bust as a result. They might go bust from the bad press causing a mass exodus of customers, they might get to look extremely stupid, they might find themselves tight for the forthcoming year.

> Where are you getting this ludicrous assumption that the law won't apply the maximum fine

They have never yet applied the maximum in 20 years of the current DPA, why presume they're itching to start next month? This makes no sense to me.

Under the DPA 1998 the largest fine was issued in 2016, to a multi million pound company. £400k, so still only 80% of the maximum. Look to precedent across the entire EU.


> Why does the court even have the option to completely destroy a startup like that?

Supposing 100% of the startup's revenue comes from GDPR violations and they've been doing so for, say, 5 years, then the fine should really be 500% of annual revenue. Or even multiply that by 2 or 3 for punitive purposes. It may or may not destroy the startup, depending on how well funded they are. They could be breaching privacy for reasons other than revenue.


> Or even multiply that by 2 or 3 for punitive purposes

The only place and time where the concept of punitive damages and GDPR overlap is the United Kingdom between May 25, 2018 and March 29, 2019.

[edit: and Ireland. They might want to reconsider, given that they host many of the European HQs of US companies.]


So why doesn't this apply to larger companies?


I'm not disputing that it's biased in favor of larger companies.


> If your revenue is less than €20m their fine is flat €20m,

As I posted elsewhere, this is NOT true.

>The $20 million fine is not automatically applied. Here's a flow chart which details the process of a GDPR breach: https://40uu5c99f3a2ja7s7miveqgqu-wpengine.netdna-ssl.com/wp...

>from https://www.i-scoop.eu/gdpr/gdpr-fines-guidelines-applicatio...


While not “automatically applied,” what part of what you linked to says they won’t use their discretion to assess the maximum penalty in most situations? What stops them?


There is a set of rules that are followed when determining a fine: https://www.gdpreu.org/compliance/fines-and-penalties/

These rules look at whether your company has infringed before, whether you've notified the state on your own, etc. pp.

The current Information Commissioner Office system has a similar system in place. Out of 17,300 cases reported in 2017, 16 resulted in a fine. Source: https://www.infosecurity-magazine.com/opinions/gdpr-timebomb...


There are no rules in what you linked to that would prevent or even deter maximum fines in every single case. The only limits imposed are $10 million for lower level fines and $20 million for upper level (or percentages of revenue, whichever is higher - the static amount will always be higher for smaller businesses).

Edit: to those downvoting this (and all of my other comments) - this comment contains only facts. So please show me where it says that there are circumstances under which they must fine you less than the maximum. Otherwise there is nothing to downvote.


It's in article 83 of the GDOR:

Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

Note: proportionate


I think this highlights the EU vs US perspective on Government nicely

In the EU you tend to trust your bureaucrats to make a "Fair and Just" application of the law

In the US we tend to expect our bureaucrats to be vindictive, corrupt, petty, and generally impose fines and penalties not based on the law but based on their personal feelings about the target of their "legal action"

Thus such open ended wording like you posted being classified as a "rule" scares the shit out of most Americans


> I think this highlights the EU vs US perspective on Government nicely

And the differences in the legal systems specifically. I think this is why a lot of HN commentators are finding the GDPR vague. In the US rule based regulations are the norm. For better or worse this tends to allow those with clever lawyers to search for loopholes. UK law is much more principle-based, which means trying to abuse the exact wording is not going to save you from a fine, and equally a technical-breach of wording is not going to get you prosecuted. It's not just the civil servants that we trust with this, it is the judges too.


In the US we have learned that trusting government normally does not work out well for the citizens of that nation.. you end up putting people in jail for Tweets, and Jokes ;)


Proportionate is subjective and means something different from person to person.


Explicit criteria existing deter maximum fines, since it opens up the authorities to counter-claims that they did not take criteria in your favor into account.


To most small businesses, whether the fine is $5 million or $20 million doesn’t matter - they still can’t pay it. So if some of these factors are considered and “only” $5 or $7 million is assessed, that’s still a company killer.


Under what circumstances are you expecting to receive a $5m dollar fine? To me (who is assessing this risk at a UK SME) the idea of an SME receiving this kind of fine is absurd. As the poster above said, the law asks for proportionate fines.

The big number max fines in GDPR are there to deal with companies like Google and Facebook who can write of $5m as a rounding error.

People who have been fined at all under the existing DPA, being enforced by the very same people as GDPR, have been negligent, repeat offenders. I don't believe anyone has ever received the maximum fine in the existing regulations. That just isn't how UK law works


> what part of what you linked to says they won’t use their discretion to assess the maximum penalty in most situations?

There's at least twenty years of regulation under existing DPA law, where the maximum fine has never been asked for nor applied.


They need tax revenue, jobs for their citizens, and goods and services that their citizens want?? It doesnt even make sense for them to run around, shutting down every business they can. It would hurt them.


> What stops them?

Some people just accept it when someone says they won’t do something that they totally can.

I know, it doesn’t really make sense. If someone tells me “well it says that we can do that if you go by what’s on paper, but we wouldn’t actually do that”, then change it so that it says on paper that you won’t, or I’m inclined to think that you totally will, because you totally can.


Agreed. Sounds like every employment contract I've ever read (and usually not signed).


Compliance is trivial and involves steps that are already best-practices anyway. You won't need to split any atoms.

https://techblog.bozho.net/gdpr-practical-guide-developers/

The penalty isn't meant to be something you afford. It's a penalty. (It's a feature, not a bug.) I'm having a really hard time not being sarcastic right now but compliance with the law might also end up being an economical option worth looking into. Cheaper than lawyering-up for being sued by shysters for non-compliance, and cheaper than being penalized for non-compliance.

Mind you, taking whatever-it-is off the internet is fine too. I totally understand. What I don't like is all the whiny sanctimony and martyrdom. "Yes I'm taking my thing off the internet, but first I'm going to make a big deal about what a tragedy it is for the world." Um no. The fact that your thing is a "small business" means few people care about it. (Sad to say. More people care about Facebook than about you. That's why they're the big incumbent.) And it emphatically doesn't mean for example, that you're some hallowed, heroic underdog who deserves protection, especially when you won't even afford the same to your own users and their data.


Here's a story for you.

I'm a hobby developer. I once made a tool mostly for myself, but decided to put it online. A couple thousand people use it, and it runs at a loss but I keep it up mostly because it's useful to some people out there. My tiny website isn't hurting anyone or breaking the internet the way Facebook or Google may be. To claim that having to spend my hobby time implementing a bunch of extra features is just "complying with the law" is bullshit, I'm sorry. In terms of scale, it's basically as if I forced you to do full safety test on a toy car you made for your kid, just because GM cars had safety issues.

And I'm not special. There are plenty of other small devs like me with thousands of small niche web tools out there, most of which are ran purely as a hobby, out of our own pocket. I may not make a blog post and get it to the top of HN, but devs like us have 0 incentive to keep our sites online.

HN loves to complain about things like AMP killing the web, but to me this is orders of magnitude worse.


You don't have to implement any new features to comply with the GDPR. You just need to be clear with users about what data you are collecting and what you do with it.

I really think some people are just completely blowing this up into something it's not, probably because the only thing they've read about it is others scaremongering.

As a business owner that cares about privacy, I was basically compliant already - all I had to do was reword my privacy policy a bit to make it more human-readable.


>You don't have to implement any new features to comply with the GDPR.

How do you deal with user requests? You need at least somehow be able to gather the data, pack it into an user underdstandable format, and delete database entries, also from your backups.


If you're a small business, you are likely to receive a very small number of such requests, if indeed you receive any at all. For most small businesses, someone would simply do a manual extract/delete of the data if it was ever requested.

Regarding backups, realistically you are not going to be required to delete from them as it's completely impractical to delete a single user's data from backup. You just need to be straight with your users - tell them that their data will be removed from your live system immediately, but that some data will remain in archive, securely encrypted, until the end of your defined retention period.


/export?userId=x (make sure to validate they are logged in)

gather data: select * from every table that has userId

pack it into understandable format: every language i have used makes json, xml, csv pretty darn easy

delete: delete from....

backups: i am surprised your hobby project takes backups. perhaps have a table with userIds that were deleted, and when you make your new backup, remove all their data?


> delete: delete from....

Ah yes, and then all of my data has holes in it that I need to deal with. "Hmm, we only have 5 orders for this, but we're missing 6". "hmmm, we charged this credit card, but there's no order for it and I'm not sure if we ever shipped anything?" "hmmm, how do I delete this tracking number from the postal systems' records?"


I thought we were talking about hobby projects here? If you are shipping things, collecting payment info, you should be taking things seriously.


Since when does selling things exclude something from being a hobby?


Etsy https://www.etsy.com/ is full of shops of people who create things as a hobby, but do try to sell things. There are many hobbyist creators who make a few things and try to sell some of them, at least to recoup costs and maybe even earn a little money. In many cases I suspect they earn about $0.001/hour. As a business, it's terrible; as a hobby, many enjoy it. I think "earning a competitive wage" is a reasonable cutoff for at least being on the road to a "real" business.


hmmm.. if we're going to draw a line between "hobby" and "profession", then that's perhaps the most obvious way to do it.


Then you have a legitimate reason for keeping some of the data (book keeping, shipping) and not for others. Delete the data you can, keep what you must.


> Then you have a legitimate reason for keeping some of the data (book keeping, shipping) and not for others. Delete the data you can, keep what you must.

Will regulators agree with what I "must" keep?


I suspect most people just ignore the backup part. Out of sight, out of mind...


are you a lawyer?


No, I likely would have mentioned if I was ;)

I found the ICO's guide[1] fairly straightforward to understand though.

https://ico.org.uk/for-organisations/guide-to-the-general-da...


Personal data is a big deal and should be treated as such. If you're hell bent on storing your user's personal data then you need to treat it as such.

Your argument boils down to "I don't want to take special measures to protect your personal data, so I shouldn't have to".


Personal data is literally anything related to a person. That encompasses a few sensitive kinds of data, but is not a big deal in the general case.


What on earth are you doing that could cause a problem?

If what you're doing could cause a problem I'm pretty sure I'd rather you didn't without the ability to deal with it.


Just like StreetLend, most likely nothing, and it's just a fear, but again you need to realize that this is a site run purely as a hobby. I'm sorry but reading through legalese and combing my website's code to make sure it's compliant isn't part of my hobby. I'm not a company, I don't have millions of users, I just run a small tool that a few people use. Yet apparently I run the risk of being fined $20m...


If you think a hobby app runs a risk of being fined $20m then you clearly haven't looked into this at all. Why don't you do that first before getting worried about it?


There are lots of guides out there designed for humans.

Essentially, all you have to do is tell your users what data you are collecting and how you will use it.

Also, if a user asks for their data, you give it to them, and if a user asks for their data to be deleted, you delete it. I imagine if either of these things were to happen today, you would do as they wished GDPR or not.


>There are lots of guides out there designed for humans.

It's not even remotely okay to use random people's blog posts as a compliance strategy.


> There are lots of guides out there designed for humans.

> It's not even remotely okay to use random people's blog posts as a compliance strategy.

Then use the simple, human friendly guide from the body who will be enforcing it in the UK. I did. I thought it was simple.

https://ico.org.uk/for-organisations/guide-to-the-general-da...


Its funny that your being downvoted, but using a random persons blog for legal compliance seems risky.


You already had to comply with many other complex laws, like copyrights, trademarks and so on. I don’t see why a privacy law is anything different or special.


>many other complex laws

It takes 30 seconds to find out whether your identifier violates a trademark. Your content is trivially not a copyright violation if you created it yourself. Hobby projects are not debating the finer points of fair use and whether the conflicting name is for a sufficiently different kind of business to avoid confusion. But every HTTP server handles personal data, and a web-based tool with a database backend especially so, so all the subtlety of GDPR is in play.


> But every HTTP server handles personal data

But not all of them have a good reason to log it. /dev/null


Hard disagree. Abuse prevention, performance metrics. Httpd logs are a basic and necessary tool.


Most server/frame works log ip address, but do not tie them to an account. If the account is deleted and the ip addresses are not than that seems like a potential violation as long as ip addresses are considered personal information. As a result the most common configuration is potentially in violation.

How about asking and recording a persons birthday when really all you need to know is if they are the age of majority? A birthday is more information than needed which seems like a violation GDPR when interpreted strictly with my cursory knowledge. Seems unlikely though that any regulator would enforce such a distinction though.


IP addresses are only PII if you are able to actually use them identify an individual.

> The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:

there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual. [1]

So once the account info is deleted, that link is broken. This another piece of DP legislation that has been subject to a great deal of FUD since most of the headlines just went with ‘court confirms IP address are PII’ and omitted ‘in some cases’. TBH, this was already pretty explicitly obvious from the legislation defining Personally Identifiable Information (hint: clue’s in the name).

[1] https://www.whitecase.com/publications/alert/court-confirms-...


> So once the account info is deleted, that link is broken. This another piece of DP legislation that has been subject to a great deal of FUD since most of the headlines just went with ‘court confirms IP address are PII’ and omitted ‘in some cases’. TBH, this was already pretty explicitly obvious from the legislation defining Personally Identifiable Information (hint: clue’s in the name).

Makes sense.

Given the above still seems like a potential issue to not delete the ip logs.

1) Bob signs up for a service and is logged

2) Bob than asks for his account to be deleted. Account details are deleted, but the ip logs are retained.

3) Bob signs back up for a new account allowing the data processor to make the link from his new account to his ip old logs with the first account.

Weather the data processor can relink the two records with reasonable probability in step 3 depends on the particulars of the circumstance.

I assume cases like the above will be judged, at least in part, based on the data processor following best practices, and operating in good faith(not actively trying to unmask individuals and actively try to prevent unmasking).

Currently I would not let the GDPR stop me from going forward with any web services plans, however my casual reading of GDPR articles on HN and beyond have not made it obvious how cases like the above will be handled.


What about cryptocurrency? Lots(most?) record ip addresses, after which independent analysis can be done.


> What on earth are you doing that could cause a problem?

Nothing. Anything. This regulation assigns huge amounts of legal and financial risk to any hobbyist and will likely be selectively applied.


> To claim that having to spend my hobby time implementing a bunch of extra features is just "complying with the law" is bullshit, I'm sorry

100% agree. And your situation applies to millions of hobbyists, personal websites, projects, startups, and small businesses around the world.

GPDR appears to be intentionally burdensome, a classic regulation strategy aimed at protecting large incumbents while stifling small business, innovation, and newcomers, or even side projects like your own.


Please sit down for an hour and watch this: https://www.youtube.com/watch?v=-stjktAu-7k

It is by far best GDPR presentation and explanation of lots of misconceptions. Please report back what you think about GDPR when you finish, I am curious it you will still feel threatened.


I watched it. All one hour 42 minutes of it.

From the presentation: "guilty until proven innocent". How can you NOT feel threatened?!


Congratulations (btw, I really like the guy explaining it)! Now you should probably understand the need for it and why multiple clones are going to start to pop out around the world, not to mention that you know more about GDPR than 99% of people beeing negative about it.

Guilty... is really not something special, IRS anyone? ;) Did you catch something else? Something useful maybe? About borrowing a car for instance? :)

The GDPR is actually late, I have a few IoT devices and I verify them by isolating them on network and sniff out communication (mitm on wifi and old school 10 port hub (yeah, the one screaming everything to all ports) for wired. It is a sad sight, even if they have absolutely no need to contact outside servers (I would never have a device like Siri in my home) they still do, another case would be broadcom drivers on android calling home. Someone has to stop this madness.

I know a lot of people are pissed off due to GDPR, but I will gladly ask them again in 10 years. I think they will change their mind.


There is zero risk running hobby projects for developers. GDPR only applies to the relationship between a business and a consumer. If you have personal hobby-projects, they are 100% outside of the scope of GDPR. You can continue to collect any information you want etc.. What is defined as a hobby project differs with regulation in different countries, but usually it's something like revenue < 5000 €.

You can continue running all hobby tools you want.


Do you have a reference for this? I've seen nothing to suggest non-commercial projects are exempt.


>Compliance is trivial

Compliance depends on how well your understanding of of a bunch of fuzzy terms like "legitimate interest," "level of security appropriate to the risk," "necessary in relation to the purposes for which they are processed," "no longer than necessary," etc. align with 28 different regulators and judiciaries. That's as far from "trivial" as it gets. Bozho.net is not a lawyer, not your lawyer, and even if here were your top-tier lawyer specialized in data privacy he wouldn't have a clue what courts were going to take these things to mean in the context of GDPR, because there aren't any judgements yet. Security and minimization standards are also about "taking into account the state of the art" - do you know what the state of the art is, and is your organization capable of implementing it? An entirely plausible outcome here is that only the most advanced engineering organizations have technology that meets these standards.


> the most advanced engineering organizations have technology that meets these standards.

Horeshit. There is nothing advanced about storing only the data you need. However, if you've been hoarding like crazy and weighed down with technical debt, and haven't used the last two years, then yeah, might be hard.

Yes, it's a new law, yes, in practice it will be defined by judgments. How is this different from any other new law, other than this one impacts IT harder?

And let me guess what the alternative is: do nothing.

Consider also that European law is different to US law. We draft laws and contracts in a conceptual/abstract way, whereas in the US where everything has to be exhaustive, explicit, and over-worked; just in case anybody dare sues.

GDPR recognises one-size-fits-all won't work. Yes, that means it has some vague terms. Yes, you might have to show you thought about the implementation, and that you erred on the side of privacy.

It's funny how everybody always talks about the maximum fines, not the other sanctions that the GDPR can impose. Guess that's just more sensational.


> Compliance is trivial and involves steps that are already best-practices anyway.

Isn't that besides the point?

You can be 100% compliant and still be sued by somebody. And you'd have to pay some lawyer a lot of money to make it go away.

That risk already existed before the GDPR (anybody can sue anyone for whatever reason they can come up with), but GDPR is high profile enough to make people scared.

About a decade ago, I ran a website that made heavy use of user uploaded GPS data. I didn't sell any data. The only ad income was Adsense.

If I had bothered to restore the server from backups after a HD crash, I'd probably take it down now. Just not worth the potential trouble.


> You can be 100% compliant and still be sued by somebody. And you'd have to pay some lawyer a lot of money to make it go away.

I fail to see how GDPR makes that new. You can be sued for any reasons already, being in the right or not.

E.g. 99% of useful websites violate some patents (that shouldn't ever have been issued), actual predatory suing about this issue happens, yet no one closes his website because "the patent situation makes it too uncertain".


> You can be 100% compliant and still be sued by somebody.

No, someone can report you to a member state's compliance organisation.


> Compliance is trivial.

Indeed it is: the first 100 pages of the text detailing what compliance means are a manual for how to read the remaining 5000 pages, and a warning that there will be per-country variants of the law, which I'm sure will all be very clear, made easily available and not at all weird or objectionable, or require being well-versed in the legal intricacies of said member state at all !

/sarcasm


You make this assertion elsewhere in the thread. It is incorrect. The entirety of the legislation is 88 pages long and it is really quite straightforward (full link preserved) [1].

Here is a set of (easily available) interactive tools, explainers and guidelines from ICO in the UK which explicitly outline what compliance looks like and what steps you can take to achieve and demonstrate it [2]. It’s available as a 162 page PDF, if you insist on counting pages, but much of it relates to the processing of sensitive data or data relating to children which the majority or orgs can skip.

[1] http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

[2] https://ico.org.uk/for-organisations/guide-to-the-general-da...


Mind you, taking whatever-it-is off the internet is fine too

We won’t take our services off the Internet. We’ll simply block you and your overbearing friends in the EU from accessing them. You might not miss one of us, but you’ll likely miss hundreds of thousands of us. Enjoy Facebook. That may be the only site you still have access to when the dust settles.

Compliance is trivial

Since you are saying that, I can guarantee that you haven’t actually read the law or been in charge of trying to make a website compliant. That is an absurdly incorrect statement. Billions are being spent around the world on attempts to comply with it.


> China also has many regulations. Instead if trying to extend their jurisdiction to foreign sites, they simply block them. I thought about this and I actually prefer the Chinese non-expansionist model: I would rather outsource due diligence to the Chinese government

Hell of a way to defend the most absurd and overreaching displays of censorship we see on the modern web.


You miss the point. He’s saying that GDPR is worse than Chinese GFW.


They’re wrong, though.


They're not arguing about the laws themselves, but rather the implementation.


He's saying that it's safer for him for China just to block him out of their territory than for the EU to allow him and open him up to GDPR-related lawsuits. Even if the lawsuit is scurrilous or the fines a misunderstanding and can be reversed, that can be tremendous effort and anguish for a person. Often requiring years in court.


> outsource due diligence to the Chinese government

That is easily one of the more absurd statements I've seen this month.

> Well meaning regulation like this written by people who have never created anything pratical in their lives

And websites whose customers advertising agencies, and whose product is people, create something? Attempting to track and then monetize everything everyone does online is _creating_ something now?


> And websites whose customers advertising agencies, and whose product is people, create something? Attempting to track and then monetize everything everyone does online is _creating_ something now.

This is snarky, and intentionally simplifies things down to a dumb level. Here's a list of things that "create something" while relying on an advertisement model for revenue: - Gmail - Facebook - YouTube - StackOverflow - Reddit (to some extent) - Yahoo - Miniclip - Neopets

I can find a hundred other examples that are ad-revenue supported by create immense value.

It's a difficult balance to strike, and while not perfect, this model has allowed us access to so many good services that would otherwise not exist. Saying that none of them "create something" is just wrong.


Facilitating anything online is in GPDR scope, regardless of whether data monetization or advertising is involved.


How about storing data for spam or DDoS mitigation? You need that data for those filters. But it's in the scope of GDPR. Do you give the spammers that data under SAR requirements, so they can improve? Or do you keep lawyers to justify denials of each request (some of them bogus?) We have done a lot of due diligence on GDRP and we don't "track or monetize" everything. Have you?


> 1. This regulation is specifically (deliberately?) anti small business. If your revenue is less than €20m their fine is up to €20m, i.e. can be 100% of your revenue, meaning bankruptcy. If your revenue is greater than €500m, your fine is capped at only 4% of your revenue, i.e. an acceptable fluctuation. It's worse than a regressive tax.

With the amount of creativity observable for inventing tax-avoiding business structures, I'm sure if the minimum clause weren't there, big players would quickly find a way to spread their revenue over dozens of small entities, each looking like a "small business" on paper.

So I'm not sure it would be even possible to make a regulation "with teeth" that explicitly exempts small players.


A related thread that you might find useful w.r.t to anti-small business biases in GDPR.

https://news.ycombinator.com/item?id=16909945


" This regulation is specifically (deliberately?) anti small business"

No, it is not.

"Well meaning regulation like this written by people who have never created anything pratical in their lives other than regulations illustrates why entrepreneurship in modern Europe is nearly impossible."

No, it doesn't. It demonstrates that far too many "entrepreneurs" are people who want to play fast and loose with regulations, and not be held accountable for anything.


Don't think of regulation as a binary - on or off. Instead, think of it as an adjustable knob.

The higher you turn the knob, the harder it becomes to (compliantly) do things. Also (if the regulations are working as they should), the less the things that people do produce bad side effects. But the "harder to do things" part mean that fewer things get done - fewer new products and services get created. As the knob goes higher, not all of the things that don't get done are things that the regulations are designed to prevent. Some are perfectly fine things, but the burden of proving it is too much for the single person tinkering in their apartment to ever try to turn their idea into releasable reality.


Sure, I agree with the knob analogy. I just don't think this puts that knob anywhere near too high. Quite frankly, if this industry was guided by ethics, most of these things would be things that companies are already doing.


"This" (GDPR) may not. There's more than one regulation that make up "regulations", though. It's the total load that's the issue, not one directive.


I don't believe the entire load is anywhere near there, then. Also, for a lot of these things, once you have the procedures in place, maintaining compliance does not take much effort.


I highly doubt it is deliberately anti small business. However, governments don't actually know what the outcome of their laws will be until they are out in the open and if governments claim to know what the outcome will be, they are likely lying.


According to this it is up to €20m: https://www.gdpreu.org/compliance/fines-and-penalties/

And you prefer China's policy of censorship over the EU's policies of protecting consumer's privacy. Well that's interesting.


China policy is pro small business and EU is anti small business.

I am pro small business, and I am against censorship.

I see however historically opposite trends over the last 20 years: China is getting more free speech and is getting more pro small business, and Europe is the opposite. And it's not a coincidence. I think eventually the censorship curves of China and EU will cross. Small business friendliness curves crossed perhaps 15 years ago.


> China is getting more free speech

That's just not true. The West hoped that would be the case when Xi took charge, but it's gone in the opposite direction since then. How many chat apps can you use where the CCP isn't listening in on your conversation? They practice wide scale censorship on their own social media, Western social media sites are blocked, and important sources of information like Wikipedia and the New York Times are blocked too.

https://freedomhouse.org/report/freedom-world/2018/china

> China’s authoritarian regime has become increasingly repressive in recent years. The ruling Chinese Communist Party (CCP) is tightening its control over the media, online speech, religious groups, and civil society associations while undermining already modest rule-of-law reforms.


It is misleading to say that "China is getting more free speech," as this phrase conjures notions in the west of unregulated political speech: by anyone, to anyone, for any purpose. In fact, the policy line that has been set forth in China is quite clear, and it does not lead in such a direction.


China's policy is pro China only and to suggest that they're regulations wouldn't change if Alibaba was 20 times the size of Amazon or any other reversal of size between US and Chinese companies is ridiculous.

The GPDR might end up being bad regulation, but we we're already getting bad results for the average citizen. If the industry wasn't going to regulate itself, and it's hurting citizens, are governments supposed to just stand back and hope it works out for the best? Maybe in a libertarian paradise, but no national government is currently running on that paradigm

Edit: also free speech != No regulations. Companies aren't people and they shouldn't be getting the same rights as people. You can't just do whatever you want to make a dollar and then try and claim free speech protections


Companies absolutely should have free speech rights. A company is a group of PEOPLE who have joined together to sell or promote a product, service, or policy.

Should a union be denied freedom of speech? Because a union is a corporation as well. What about the Sierra Club? Should they be silenced? They too are a corporation. Should a teachers union be allowed to speak, but Khan Academy denied the same right? Should organizations advocating free WiFi be allowed speech, but Comcast be denied the same right?

The “companies are not people” tripe being parroted since Citizens United is a naïve and dangerous road down which people are attempting to travel. At the core of the issue is the right of free association. Free association is fundamental to free speech and a free society. Profit motive is irrelevant because profit is just as valid of a goal as “better schools” or “better public policy” or whatever the cause might be.


People are composed of cells that work together for a common purpose. Is a person a cell, to be treated the same way we treat actual cells?

Governments are people who have joined together for the common purpose of governing. Does that make a government indistinguishable from an individual person, which is basically just a cell?

Is there a difference between one kid running across your lawn and 10,000 kids organized for the purpose of running across your lawn?


People are granted free speech because they are considered valuable, unique, irreplaceable, self-conscious entities.

A corporation is a piece of paper registered for $100 that can be destroyed without penalty. It is a tool for achieving an objective, just like a computer. Many people join together to make Wikipedia, but we don't grant that website free speech...


I don’t know why you are downvoted since your comment is a well formed addition to the discussion.

I upvoted you and I am seeing this on HN more often now. That people would use downvote as a signal of disagreement.


We're in a thread where people are claiming that China's approach to regulation is objectively better than the EU's because it let's them do whatever they want as a company. I was always going to upset some people who are the pro corporate ideology by claiming that companies aren't people and HN has been turning more and more into reddit as it's gotten more popular


> Small tech owners can't fight such litigations.

Yes. This I think is a downside of the law. Some small owners are going to have a more difficult time.

But this is true for any regulation like food safety regulations, construction regulations, etc. They hurt more a small restaurant than a big chain. But in the end, these regulations are there to protect the customers. Small restaurants have closed and will continue closing for not following food safety regulations. But what is the alternative? Is business creation the final goal of our society? Or there are things more important?

In summary, small businesses are going to have to extend their insurances to also cover risks related to GDPR. But it's the price to pay for having safer data.


TBH most food & construction safety laws are way more small business friendly than the GDPR. Food safety has a well defined relatively easy to follow rule set and food inspectors come in and give you a food safety rating, which you can work on and improve. It won't destroy a small mom & pop restaurant with a $million fine.

For construction, you build your building to 'code', an inspector comes in and stamps the building and then your done. If your not code compliant, then you can correct without much penalty at all, not get a $million penalty and you don't have to go to court or get lawyers. Making your own shack in your backyard isn't an arduous process as far as code compliance goes.

Since most software is constantly modified and edited, I don't think the construction model really works. More the food safety one or a data fiduciary one.


>food safety rating, which you can work on and improve

But the GDPR works like this too? The $20 million fine is not automatically applied. Here's a flow chart which details the process of a GDPR breach: https://40uu5c99f3a2ja7s7miveqgqu-wpengine.netdna-ssl.com/wp...

from https://www.i-scoop.eu/gdpr/gdpr-fines-guidelines-applicatio...

If you breach the rules, a simple reprimand without a fine is possible too.


Is the 20M EUR maximum reduced by law, or just by regulatory discretion? The USA is currently demonstrating (with DACA, marijuana enforcement, etc.) the fragility of the latter.


The law explicitly lists factors the regulators have to take into account for determining the fine. If they give a large fine for a small infringement, they're going to have a hard time to claim they took all factors in your favor in account properly.


From what I've seen, it's partially like in the US - each EU member has its own data protection authority which imposes those fines, but they are closer linked than the US states' laws. I can definitely see some EU countries slacking off on enforcing, or being less/more harsh than the others.


But 20 million is possible right? Even for a small offence? Where in the actual text of the law does it say that they will never impose the maximum fine for a trivial or minor offence?

It actually doesn’t say that. This law has the effect of small business essentially needing a 20 million insurance policy to protect against the possible whims of an overzealous regulator? It’s either insure yourself for 20 million or risk losing your entire business over potentially a trivial matter.

When people in the UK have been jailed 8 months over traffic cameras or prosecuted and jailed for speech, I wouldn’t give a European government the benefit of any doubt. Willingly inviting an unelected regulator, accountable to nothing but the letter of a badly written law created by another unelected government body — that’s just foolish.


It’s probably not possible. I wouldn’t map the (EU) GDPR on how a US-like legal system works. E.g. it’s very unlikely that the regulator seeks maximum penalties in the EU, and worst case you could go to court arguing that a penalty is non proportional compared to other cases (and win)

The maximum fine is a cap, not a guideline.


> It’s probably not possible.

That's one of the funniest statements I've read today. Or annoying, I'm not sure. Definitely meaningless.


> Where in the actual text of the law does it say that they will never impose the maximum fine for a trivial or minor offence?

Article 83 (including related recitals)


Don't use people personal data and dont allow others to spy on your users (ads, analytics,..) and you wont need to do anything.

Work in best interest of your users and you will be compliant. I don't think that this is harder than food safety regulations.

By the way, the technology is changing fast and a strictly defined law with "do" and "don't"s would be downplayed in weeks. that's why GDPR is conceptual (and thats why everyone is pissed off, as they can't downplay it - how many sites have you seen that are giving you a fair cookie choice?)


It is not a $million fine: https://www.gdpreu.org/compliance/fines-and-penalties/

And in food or construction if you willfully break the law then that can be criminal and you will face severe fines and/or jail. It's all about your intent.


GDPR isn’t concerned about intent at all — which is why it is a well-meaning, but horribly written law.


it absolutely is, see as an example Art 83, "General conditions for imposing administrative fines" which has at point b "the intentional or negligent character of the infringement".


To me, asking a small developer with a site that gets a few thousands users to implement GDPR is like asking a dad to do full safety test on a toy car he built for his kid, just because a big company like GM had safety issues. The problem EU is trying to solve here are large companies like Facebook making monopolies and syphoning data. So why the hell do they have to impose rules on small hobby websites that run at a loss?

There's a huge chunk of the web that is filled with niche web tools, mostly made as a hobby, running for free. I myself own 2-3 such sites. Now, I'm forced to spend my hobby time adding a bunch of new features on a site that already loses money? I'm sorry but the couple thousand people that depend on this tool will have to find someplace else I guess.

HN sure loves to worry about AMP killing the internet, well to me this is far more dangerous. Can't wait for larger troll companies bullying small devs with lawsuits and killing all their competition using GDPR.


> Now, I'm forced to spend my hobby time adding a bunch of new features on a site that already loses money?

What new features do you think you need to implement to comply with GDPR?


Dealing with missing user records. Deleting all records pertaining to a user, which may break a well-normalized database. Keeping track of any analysis you did and why (e.g. scanning server logs to see country of origin to see if you may want to seek out a translation of your UI?)


In practise, 'it depends'. It may be that it's simple enough to delete everything, or it may be that you anonymise, rather than actually delete. E.g. if you have a `users` table with:

`id, name, email_address`

You could simply blank out everything apart from `id`.

Regarding logs, it might be worth thinking about whether you actually need them to contain personally identifying information (e.g. IP addresses, usernames) - if not, just don't log them.


Just replace deleted user's data with "Mr. Deleted 1234, 1234@deleted.com".


presumably you have laws that require street vehicles have a valid license before they can go on the road. Do you remember the police arresting someone because of a toy car they built?

If not, then why do you expect the EU to go after the equivalent site with a few thousand users?


> Do you remember the police arresting someone because of a toy car they built?

Does this apply? [1]

[1] http://fortune.com/2017/07/21/five-year-old-fine-lemonade-st...


since

* the fine has been cancelled and the council has apologised

* this is such a rare occurrence to be worth news reports

I'm going to say it validates the point.


Sure. Going back to your question

> why do you expect the EU to go after the equivalent site with a few thousand users

You are saying that they DO that, but then will (probably) apologize afterwards. Some website owners consider that an unacceptable risk.


Logically, it's very unlikely. Realistically, seeing the risk of a $20m fine, I sure as hell won't take the chance and will take down my site until the dust settles and the kinks gets ironed out.


> But what is the alternative?

Status quo? Baby steps? Enforcement of existing statutes? Consumer education? Promotion/support of preferred alternatives? Codified small business leniency? Objective enforcement clarity?


I don't dispute the goal of GDPR -- I support it fully. My worry is that it could be abused by legal trolls. They are a fact of life.


GDPR violations aren't something a troll can sue you over. All a troll would be able to do would be to raise a complaint with their national entity responsible for it, who analyzes the complaint and then takes action themselves if deemed appropriate.


But legal trolls have an array of legislation to attack you with. GDPR is just the latest one.


GDPR is an easy one because it's fairly ambiguous and doesn't yet have precedent


GDPR is for the most part making explicit things were implicit in the pre existing EU legislation, many of which have been subject to EU court rulings. There is a ton of precedent.


yes but the argument is that one hit from the gdpr can kill you and maybe even most likely will even if you're in reasonable health, and most other legislation you can survive a few hits if you're not already critical.


No. The first hit from GDPR violation will be from the regulator, asking if you actually are in violation, and giving you advice about how to come back into regulation.


I didn't say the argument was correct, but people probably also don't want to deal with the regulator for their little side gigs even if it's only the regulator asking questions.


Agreed. GDPR simply made me aware of that once again. I still feel the trolls should have minimal amount of attack vectors to small businesses, though.


Why would legal trolls use GDPR? What's in it for them?


>>But what is the alternative? Is business creation the final goal of our society? Or there are things more important?

The alternative is to let consumers fend for themselves, and if government is going to help, limit that help to investigating and punishing fraud, enforcing contract law, and providing free information resources to help consumers make better informed decisions.

Yes business creation should be the highest goal of society. New businesses are what counteract income inequality and drive innovation.

We need innovation to solve the already existing problems in society, that claim tens of millions of lives every year. There is no zero risk path open to society.


I'm not sure what GDPR is protecting me against that wasn't already covered by PCI-DSS and existing cybersecurity standards. Not being financially defrauded is the only thing i care about. For everything else is easy to avoid sharing personally identifiable data if it's really a concern.


One of they key things to me is increased fines that are available. I've likely had my data and families data lost through a variety of terribly insecure services having breaches.

TalkTalk lost 150k peoples information (including bank account numbers, sort codes, dates of birth, etc - people who later then received scam phone calls with people who knew their details) due to extremely basic security failings. They were fined £400k (a record fine). They then did it again and paid £100k.

Properly securing the site and the data over many years could easily cost more than that, added to the chance you'll not get hacked or fined and it is perhaps even a financially sensible position to not put the effort in.


I think being responsible for negligence in security practices and GDPR are not the same. GDPR is overreach. There is a saner middle ground, for example in Australia new laws coming in mean executives can go to prison for the negligence in your example. That makes more sense as it doesn't invalidate 90% of standard tools processes in technical marketing for example.


I think it's interesting you find a fine to be overreach but imprisonment not.

> That makes more sense as it doesn't invalidate 90% of standard tools processes in technical marketing for example.

Can you explain in more detail?


I'm not talking about the fine/prison. The overreach is that they dictate how you have to handle data. In Australia you are only obligied not to get hacked and are trusted to figure it out for yourself. In Europe they have all this right to be forgotten BS and reams of compulsory opt ins etc etc


I don't really have a problem with requiring consent to work with personal data. Right to be forgotten is restricted and I can't think of obvious cases within the restrictions here: https://ico.org.uk/for-organisations/guide-to-the-general-da... that I disagree with.

Stronger restrictions on what data you can hold without good reason or consent means that inevitable breaches become less important.


Do you prosecute your friend and aqaintances for uploading pictures of you to Instagram/fb etc? Block all tracking script/pixels on the Web? Avoid using the phone in order to not generate meta-data?

I'm not sure how it's "easy to avoid sharing identifiable data"?


For the most part no (i block ads because I'm not interested in them not for privacy concerns) but I'm also not irrationally paranoid about such things. I've lived in a world where I'm photographed hundreds of times a day by cctv etc for most of my life. Im not really sure what difference a few photos on social media will make


The difference is the size of the aggregated dataset on you and those you are associated with, and how it might be sold, augmented etc. Granted, some places it might be legal to sell cctv footage too - but it will also fall under the GDPR (not the GDPR alone, there are surveillance bills and "ant-terror" provisions... But there's one remedy for government overreach (throw the government, through elections or protest) another for private overreach: government regulation/laws).


I understand the risk of aggregate data etc and do think we need to hold companies accountable however I disagree with the fundamentals of how GDPR tries to achieve this. It’s the wrong abstraction. I also value what free services, indie apps, small scrappy startups and general maker world productions provide society and life in general way more than I value absolute privacy.


PCI-DSS is essentially about credit/debit card data. GDPR is about personal information is general, such that you need to let your users know what you are collecting, what you will do with it, and how long you will hold it.


A point of fact though — PCI isn’t a law, it’s a voluntary standard.


Yes however i can choose to not interact with non compliant service. The ignorant need to be educated rather than the informed punished.


There are almost no companies that respect the customer's privacy because of the lack of regulation so you can't in fact choose anything.

Companies have failed to regulate themselves since the dawn of time, this is how the world works.


You won't get PCI-DSS accredited without an audit.


Only Level 1 compliance requires an audit. Below that a remote scan of public IPs and a self-assessment is sufficient.


Are people dying from data being collected for website analytics?

It’s a false dichotomy to compare the risk of DEATH from bad food safety to the annoyance of getting a targeted ad whilst enjoying an online newspaper article for which you didn’t have to pay.

Elevating data obtained while surfing the internet to the level of food safety or building codes is ridiculous.


The attitude you have here is exactly the reason why GDPR is required.

Companies worldwide have consistently failed to safely store and process personal data. There are new data breaches every day. Irresponsible processing of data has a direct negative effect, and that’s not related to the idea that it’s misused for advert targeting.

Minimising the incompetence we’ve seen worldwide by treating it as “just some data collected while surfing” is baffling to me.


I have a little birth control pill reminder iOS app I made like 7 years ago that I still maintain in the app store. I don't make really any money off of it but I keep up with it because it has a good amount of users. I don't THINK any of the GDPR stuff falls under anything the app does, but I sure as hell aren't taking any chances. I just removed it from any country that fell under "Europe" in the app store. I guess my point is I agree with what you're saying, and here's an example of a little hobby app that GDPR killed for EU countries. It's not worth my time, money, or risk to bother with it.


> I just removed it from any country that fell under "Europe" in the app store.

I'm afraid that in your overreacting rush, you might have removed your app from European countries that are not within the European Union.

Though if you are collecting more data on your users than you need (why would you need personal data at all for this app?), you might have been doing them a favour anyway.


I think you're right that I've likely selected countries that I didn't need to, but I'd rather be safe than sorry.


GDPR will also apply in the EFTA countries (Norway, Iceland and Liechtenstein), so you did right by doing Europe rather than EU at least


Don't worry, there are plenty other of similar apps.

The Berlin-based clue comes to mind, they were offering period tracking, estimation and other features. One day you get a full-screen pop-up saying that they changed their privacy policy and they share your intimate data with so and so and there is no way to access the app and your data any more without accepting.

Most apps nowadays aren't tools, they're sophisticated scams designed to steal people's information.


Yeah, and since this one was removed by the author, it was probably the case too.


Are you storing any user data? Sounds like it could all be stored client side and the GDPR is irrelevant to you.


I'm not storing any data other than a day of the year and wether a pill was taken. It has Google Analytics and a crash reporting tool in it, and I'm not sure how those play into the whole thing.


I'm not familiar with iOS but is the crash reporting not part of the OS/store? If so that is there problem.

> It has Google Analytics

There's a real issue, you've been bundling spyware with your application for years.


Edit: I re-read it and it looks like it only applies if you are a business with physical presence in EU or if the user is accessing from EU

GDPR applies to you if a EU citizen signs up from somewhere outside EU as well, but since you don't have any physical or online presence in EU I don't think they will do anything.


GDPR applies only to people physically located in EU. Citizenship doesn't matter. Read Article 3, Territorial Scope.


Just to clarify your point: it applies to users physically located in the EU. Fines assessed under it apply businesses that serve them anywhere in the world, which is what makes it so damned scary. The EU government has essentially declared itself the Emperor of the Internet.


Transactions with EU users should be expected to comply with EU law. What’s unusual about that?


Money doesn't have to change hands to create a GDPR obligation. And if you mean "HTTP transactions," it's a fundamental shift in the nature of the internet to block countries by default and enable them only after studying and complying with local regulations. Maybe it's an inevitable or even healthy shift, but it's certainly not a "usual" dynamic today.


It's certainly not a recent development to require compliance with law even for products or services that are free.

Transactions do not have to involve money and in fact, the very topic of this entry on HN is about a website that was free, with transactions that did not involve money.


>It's certainly not a recent development

Really? If it's a currently established practice, what are some prior examples of countries punishing foreigners on foreign soil over websites with no payments component?

Maybe each jurisdiction should be the business of regulating locally-accessible websites, not just locally-hosted ones, but that's a fundamental shift in the nature of the internet. "Not available in your country" is currently an anachronism. In that world, a prudent web publisher would start out local and enable specific countries for cross-border traffic only as its legal team expands. Internet communities like this one would splinter as people get tired of clicking links they can't follow.

The countries currently regulating available web content do so with network blocks, not extraterritorial enforcement actions against publishers.


The end of the sentence was "not a recent development to require compliance with law even for products or services that are free".

Free doesn't mean you are exempt from complying with law, that is all I'm saying. I did not comment on how this one applies to EU citizens even for foreign services.

In this regard though, it is similar to US law requiring foreign banks to go through special steps when they are dealing with US citizens so that's not anything new either. Money being involved or not in my opinion is not really significant (I actually think that private data is more important and needs more protection than money) but that was not the point of my comment.


>Free doesn't mean you are exempt from complying with law

It doesn't, but free on the internet has so far meant you're only on the hook for your own jurisdiction's laws.


I was just clarifying that the Internet’s new Dear Leader will be trying to reach outside its borders to enforce this law. It doesn’t just apply to companies in the EU.


If you provide services to users in the EU, then you’re “in the EU” and should be expected to meet any regulations. Not complex.


>If you provide services to users in the EU

All websites provide services to users in all countries unless they take positive steps not to. Framing this as a conditional, or a counterpoint to parent's claim about enforcement outside EU borders, is bizarre.


Which is why many of us will be blocking EU users.


Absolutely baffling. Unless you’re doing something malicious, compliance is minimal. So I guess that’s good for users?


People that say this have not actually read the law, talked to “experts” about how to comply, or attempted to comply themselves. I have, and you’re just flat wrong.


I have read the law, read the guidance, been through the GDPR compliance process for a data-heavy product, have talked to lawyers about the same, and my partner has drafted GDPR policies for several large tech firms. I don’t know everything, but I’m reasonably well-informed.

I’m confident that compliance is:

- Straightforward for any non-tech firm;

- More complex but not that hard for most tech firms that handle data;

- Far more complex for large organisations than small ones;

- Basically only a real problem for fly-by-night tech companies that want to operate by reselling personal data.

I’m not sure what your motivations are it making it seem disproportionately burdensome to comply with, but I don’t think they’re good.


I won’t contue arguing with you, other than to say that what you’re saying flies in the face of everything we have been told after spending thousands of dollars on experts and independently researching the issue for hundreds of hours. If you do a simple Google search, you’ll find that we are not alone in this view, and in fact you may find yourself alone in your view that compliance is easy and costs next to nothing. Chances are quite good that if you thought it was “easy,” you’re not fully in compliance.


One thing is completely curious to me. All around the thread there are some people saying that they will block EU users.

I wonder how people from other parts of the world are understanding this and how do they look to the site like that? I mean, this legislation that is designed to protect people and their data is making them such a problem to rather block roughly 500 milion people. I personally would have a huge trust issue, but this is not about me, what do non EU, who don't run any site (conflict of interest) guys think?

I would for instance rather put a huge mark on all pages "GDPR compliant, protecting data even for non EU visitors" or something like that and try to get some money out of that. But that is just me.


@matthewmacleod GDPR in spirit is good for users as it tries to ensure that companies are following good practices wrt user data and users have control over data. But implementing it completely is not easy for small projects and startups.


I completely disagree. Implementing GDPR compliance should be straightforward for most startups and small businesses. Much easier, in my experience, than doing so at a large company.


As a small business owner, I disagree - I was essentially compliant already, with the policy changes required taking an evening to implement. (OK, there was some time spend reading before then, but still).


Ok, I will take a stab here to see how you ended up doing it in one evening.

- What did you do about logs? Things like request logs will at least contain ip address which is PII. Now logs can be cleared after a fix interval but the time for honoring the data delete request is a month I guess. If you want to keep logs for a period more than that, what do you do? If you anonymize IP , it makes other analysis on top of those logs useless.

- What did you do about data backups? - What did you do about external error reporting services? - What did you do about analytics services?


The only reason we log IP addresses is for security purposes (e.g. to block IPs that hammer the service, for forensic investigations, fraud prevention) - in GDPR terms, that is a "legitimate interest".

Regarding backups, realistically you are not going to have to delete data from them, as it's completely impractical to delete only data for a particular user from archive. If a user requests their data to be deleted, delete it from the live site and be open with them that some data will remain in archive - securely encrypted and untouched - for your defined retention period.

Regarding analytics, we use Google Analytics, which uses IP addresses to guess location, but doesn't make them available in the admin site - so GA doesn't actually give us any PII. As such, we simply reworded the privacy policy to be more easily readable, so it's completely clear what data we collect and why. The forthcoming Privacy and Electronic Communications Regulation (aka ePrivacy Regulation) should provide some clarity if anything else is required, but it seems likely that simply having cookies enabled in your browser will count as consent.


How would they have the jurisdiction to fine a one man company established say in Panama?

What about companies like Alibaba?


What if the EU citizen is living a abroad?


The EU citizen living abroad doesn't get the benefit of this EU regulation, just like an American living in London can't assert US laws against the British pub he's drinking in.


We (people who operate online services) are exposed to legal action already, but we aren’t worried about it because realistically there’s such little risk of being targeted. The same is true of the GDPR, the organisations responsible for ensuring GDPR compliance are going to have their hands full for years and years to come, by the time the little guys have anything to worry about the situation will be much better defined. I cannot see a scenario in which I’m going to be pursued because of accidental non-compliance with my revenueless service when there are so many large companies that can afford million dollar fines who can’t even store passwords properly.

if you’re so risk averse that any minuscule chance of GDPR noncompliance precludes you from running an online service... aren’t you already not running anything because of existing legal risk?


GDPR simply reminds me of the other possible legal venues small owners can be sued over. So you might be right on your final point.

Can we just flat out assume the GDPR won't indeed be abused to scare away smaller players though? You are claiming they will be safe for years but what if bigger players want to make an example out of 5-10 smaller players and just report / sue them to hell and back?

I know I am reaching but this possibility can't be dismissed just like that. Historically, bigger players have exhausted smaller competition with legal fees and effectively drove them out of market. We cannot in good conscience claim GDPR won't ever be used like that.

I'll be happy to be proven wrong in several years time from now, but right now I am simply not sure if GDPR is gonna be used for or against the free market (competition). Not claiming either way, just saying the risk wouldn't be worth it for me for now.


Not biggest players, but your competitors to make your life a hell. I already have competitors that are butthurt and spread shit about me since their clients come to me and they lose business.

That's what I'm afraid of, not getting randomly picked by the regulators.


But would another company even have standing to sue? The GDPR is about personal data of natural persons. Such data subjects can sue under Art. 79 if their rights are violated. The most another company could do would be to “incentivize” a natural person to get their rights violated by you and then sue.


> Can we just flat out assume the GDPR won't indeed be abused to scare away smaller players though?

The language of the GDPR makes frequent references to the scope of the processing activity and to its frequency. The law purposefully applies less to smaller controllers. The authorities have made their job harder for going after smaller controllers.

Moreover, the GDPR is done in the scope of the EU, which is not very litigious. Bigger players are unable to bring legal claims against smaller players in any way. The only way for them to game this system would be to fraudulently lodge complaints at the data protection authorities who would have to not notice what is going on and actually bring action against the smaller players.


I'm a small business owner and this is my concern at all. What stops a competitor to just pay a lawyer to sue you or report you to GDPR authorities. Even if you are 100% compliant(which I doubt), you'll still have lots of issues, stress and wasted time with the audit.


Exactly. Even if you win, you won't win anything of much value -- most (if not all) of the money will likely go to your lawyer. And you have a lot to lose, mostly wasted nerves and time you could have spent improving your business -- or simply living your life stress-free.

Defending even from bogus lawsuits is a huge expense of human energy for the non-experts (I'd wager that's 99% of the world's population).


We're a medium-sized software company, and we had to create a dedicated GDPR position so someone can look into everything and decide whether we're GDPR-compliant, and if not, how we can fix it. GDPR really complicates everything, even though most uf us (devs) are actually in favor of it (because we don't really like the idea of companies tracking us forever).


article 12 accounts for this, the DPA can refuse to act or fine a reporter if the request is unfounded or abusive.

Maybe as a countermeasure for abuse it's too small, but it's not a totally absent concern.


Sue you for what? What "suing ammunition" exactly does the GDPR provide your competitors with?

The authorities are not idiots, and have limited resources - they are only going to be chasing the true bad apples that are willfully infringing the GDPR.


Suing you directly will not fly in the EU (maybe in the UK, but that is only going to be an issue for 1 year or so).

I suspect the DPA will start with a letter, where you will need to explain your current practices.

Then, nothing more happens (if you are mostly-complind and good-willed). Maybe you will get some written instructions to better yourself.


> Small tech owners can't fight such litigations. I am kind of baffled how this point evades so many people in this thread.

Even if they could fight, why would they want to? There are lots of us with tiny things on the internet where the burden of maintenance is only slightly below the enjoyment we get making it available. Increase that burden and the costs are negative and things get shuttered.

Question, if I have a small thing and don't want to preemptively concern myself with GDPR, as a non-EU site operator can I tell an information requester "no"? Might I harm my ability as a person to travel to the EU? Ignoring the standard "if you do nothing wrong you have nothing to worry about" and "the GDPR is really easy to understand" arguments, and assuming I'm not wanting to do any real work, would it be wise for me to just add known EU subnets to my firewall?


In the spirit of my original comment I'd answer "yes" to your last question. If I wanted a legal career I'd pursue that -- but I don't. So I'll cut my loses. That doesn't mean I am a shady operator, it means I don't want to risk being sued for money I don't have and likely end up in jail; in EU you can't just declare bankruptcy and run free afterwards.

Hobby or goodwill projects (==not turning a profit) just aren't worth that risk.


> in EU you can't just declare bankruptcy and run free afterwards.

Incorporate in the US?


Well, that's yet another legal black hole I don't want to fall into, but yours is still an excellent point.


I thought the gdpr applied to all EU citizens, even if they're not in the EU. If so filtering IP addresses isn't enough.


It cares about the location where you're targeting your goods or services, the location where the data processor or controller is established, or the location where the data is processed. Not anyone's citizenship. Much reporting has been sloppy about this, but the more precise info is consistent.


That's fairly contrary to how I've understood things. Can you provide a resource on that?


Here's one:

https://www.wileyrein.com/newsroom-newsletters-item-May_2017...

I got a couple of small details wrong, but not the main point: citizenship of the data subject is irrelevant.


Ok, that does seem to be the consensus and a good reading of the law.

However, IP blocks are still useless for the reverse reason: someone "in the Union" could be vpned through another country. (For example, I'm on vacation somewhere in the EU and VPN through my home computer to purchase something and have it delivered to my house in the US. By virtue of being in the EU at the time, at the least that specific information collected during my stay would be subject to the gdpr. How would said company ever know?


If you're making a purchase for delivery to the US and using a VPN to hide your EU location, that wouldn't bring the website under the scope of the GDPR regardless of your physical location: the EU guidance talks about signs of targeting the EU for the offering of goods or services.

Examples they list: use of EU languages or currencies not used in the host country, use of EU domain names, specific wording addressing an EU audience.

This kind of nuance is where it's good that humans are the ones enforcing the GDPR, instead of needing a programmable rule.


> 2. Article 3(2): "This regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

a. The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

b. The monitoring of their behavior as far as their behavior takes place within the Union."

This doesn't seem to discuss intent at all? I mean, we could mince words about what offering a service means, but that doesn't seem productive and unless there is some other part of the law redefining this, won't make me comfortable.


The official EU guidance (not in the text of the GDPR) clarifies what offering means - it requires some evidence of intent to target the EU, rather than merely not blocking the EU.

While that point of guidance won't have region-wide binding force of law unless the European Court of Justice rules that way, I'd be extremely surprised if any national supervising authority or court system would contradict such a document, since the official guidance's reading is clearly among the possibilities consistent with the text (admittedly not the only one) and predictability of this kind of law is key to achieving its goals. Even if they do, they wouldn't likely penalize people with more than a warning if they haven't announced their weird interpretation in advance.


This is an excellent example of the problems people are worried about though.

Q: is it possible to be in violation of the gdpr in a situation where you could never know you needed to be compliant and have taken steps to avoid serving EU countries?

A, official: Yes.

A, unofficial: Most likely not if no one's having a bad day or has a bone to pick or is just being uppity.


The official answer isn't necessarily yes, though. The official answer is more ambiguous than that - "offering" can mean what you think it means, but it can also mean what the official guidance says.

Also, both answers are official and from the EU institutions. One is the law, and the other is meant to help interpret and apply the law. I'm not talking about third party compliance guides (except for the link I shared), of which there are many.

With all of that said... If you have both taken steps to avoid serving EU countries AND have also done things which they view as targeting EU countries, the answer would be murkier. For example, if you block European IP addresses but also use .de and .fr IP addresses and accept Euros, they might consider it to apply despite the IP block.

I'm also not sure what would happen if you took no explicit steps to target, but saw 80% of your customers coming from Europe on a sustained basis and did nothing to stop that.

Overall, the law will be interpreted with its own intent in mind: it should apply if you're engaging with Europe, but not automatically globally.

I understand if you want more certainty, but that's how computer programs operate, not laws.


It's the other way around: it applies to people within the eu, regardless of citizenship so for example a non-eu national that resides within the eu would be covered but data provided by a eu national while living in the us wouldn't be covered.


Yes, I realize that now, but since I can't wait to say I've been told so, I'll keep getting downvotes :)

The recitals do sound as if it applies to citizens, however the actual definition of a data subject for a company outside the EU is someone "in the Union".


I understand that Germany may impose criminal penalties for certain violations of the GDPR, maybe other countries too. In that case yes, you could get arrested changing planes in Frankfurt, and spend time in German prison. The probability of that of course seems very low.

An EU government could try to convince your own government to enforce their fine / injunction / extradition / whatever. I don't think the USA has any treaty or other law that would compel them to. I'd guess that Trump's administration would treat the request as something between a joke and an attack on American sovereignty, so I doubt that's a major risk here. Other countries may vary.

The easiest path for the EU to enforce is probably through your customers and vendors, probably starting with payment processors--like, require everyone who processes payments in the EU to transact only with people who transact only with GDPR-compliant companies. My personal guess is that everyone with a business model that depends on breaking the GDPR will move offshore, and the EU will play the same game of merchant account whack-a-mole that the USA does for online poker and such. I'd guess that the effort to enforce offshore will be big enough that only the most egregious violators will be worth the attention.


Pretty sure there is an extradition treaty [0], which the US makes use of to e.g. try and get British hackers extradited [1]. Such requests can be blocked (also [1]).

[0] http://ec.europa.eu/world/agreements/prepareCreateTreatiesWo...

[1] http://www.bbc.com/news/uk-england-42946540


Yeah, but extradition treaties generally require "dual criminality", that the offense be a crime in both countries. If your offense wasn't a crime in the USA, then you probably won't get extradited; and if it was, then the USA probably has jurisdiction too (assuming you were physically here when you did it), so the USA can prosecute you itself.


The link to Mr. Love's case, or Mr. Dotcom's ongoing case clearly show being "physically here" didn't seem to factor into those requests.


Fair, and my reply was unclear. I mean that if the act is a crime in both countries, then it's a crime in the USA, so you'd be committing a crime with or without the GDPR.


But none of this is new, as Sklyarov found out.


Or, to put it another way: a big group of tech people who have no interest in protecting the data of their customers, preferring to be able to cut corners and do as they please with information that is not theirs.

There is nothing in the GDPR that allows for a person or lawyer to sue a company for GDPR non-compliance. All they can do is complain to the regulatory authority in their EU country, which has the sole power to issue fines. And if you're not taking care of my data, then I have no problem at all with you being fined.


Is deliberately missing the point giving you pleasure?

I stated exactly what I had in mind, the rest is your projection and fantasy.

You say there is nothing in the GDPR that allows a person / lawyer to sue a company. I have no reason to doubt that. Okay. But laws aren't that clear and cut; there are overriding laws, parent laws, derivative laws... the spaghetti black hole is huge and everybody who isn't a hardcore specialist lawyer can't possibly hope to be 100% informed and protected.

That was my original point and still is. How did you transition to the hint that I am (1) farming personal info, (2) not taking care of it, and (3) I deserve a fine.. guess that's one of the Universe's mysteries.


After more than a decade of privacy abuses from almost all companies, I am perfectly ok with the collateral damage to start-ups, apps and personal projects that this law will cause, as long as it stops the abuse.

Society doesn't owe entrepreneurs a business model, but it does owe people a dignified life and some control over information that can be used to harm them.


Finally somebody who makes a balanced commentary.

I fully agree and that's why yesterday I deleted 7 hobby projects -- all their databases and hosted apps, cancelled VPS subscriptions and never made any backups.

Never put ads, never put trackers, never sold anything to anyone. Hell, I just checked their VPS dashboard once a month, that was all.

Since I don't want to deal with the legal baggage I am doing my part in NOT contributing to the rampaging privacy abuses and simply destroyed anything goodwill that I created in the past that might have collected any shred of personal data.

Thus I am perfectly okay with my personal project being a collateral damage of the GDPR. I believe in the GDPR and want to see responsible private data usage.


I paraphrase: what most posters here seem to miss is that most chemist cannot be bothered to read up on environmental rules. It should be my right to dump toxic waste wherever I want, because I am a chemist.

Sorry, but society doesn't work like that. You are always responsible for your actions no matter if you earn a profit or not. And not bothering to read up is also not an excuse.

Companies take risks. This is just another one, that has to be managed like all other.


Good thing I am looking for your pardon then. Let's try that again:

(1) I have a few hobby and free projects hosted on the net where people sign up and might fill up full names. Never made a penny out of them, never had any trackers or ads -- just a bunch of acquaintances used them, and maybe 50-100 strangers.

(2) I don't want to deal with the GDPR.

(3) I delete the entire database without backing it up.

(4) I delete my hosted app and don't renew my VPS subscription.

Zero damage done now and in the past because I never sold any data to anyone.

What part of that gives you the hint I am irresponsible? Society might "not work like that" as you say and since I don't want to deal with extra legal baggage, I am simply doing my best not to contribute to the abusing privacy problem. I delete any and all traces of personal data my hobby apps gathered.

Really, what's so unclear or tempting in my original comment that makes you people attack me?


First of all, I wasn't attacking you, but your statement, that to me sounded like "who cares about the law, I am a programmer". If that wasn't what you meant, then I am sorry to have misunderstood you.

Fact is, at we have a giant tragedy of the commons due to loose and fast play with peoples personal data. This is similar to what happens in third world countries where people play fast with working safety or environmental laws..

My point was, any data you collect has a risk of doing harm and we have historically grabbed everything in sight, just in case - as if there was no potential downsides to it.

What happens when somebodys sideproject (which hasn't been updated for 18 months due to lack of interest) gets hacked and a gay persons sexual preference and home address is leaked and that person is killed by haters? (extreme example I know)

I have no problem with you doing the above 4 steps, but I do think that we, programmers, have a collective responsibility to safeguard people against non-obvious (to the layman) dangers, the same way as any other industry.

And the tone in this thread is hysterical from the "ooh the GDPR is devil incanated" group.

Fact is that the "new" regulation aligns with what most europeans would have belived had been the law all along (and actually was, just mostly non-enforced).

I also acknowledge that the US have vastly different ethical standards and that everyone is free to be exploited as much as they want..

Click-through EULAs are also not binding in Europe for example, I am interested to see what happens when a DPA takes an american company to court due to having given themselves unlimited consent on page 2712 in their EULA.

If those companies withdraw from Europe, I welcome the collateral damages of some innocent but lazy projects..

Do you really think that a thought about what data you really need (and why), the need to actively safeguard the data (especially the sensitive) and a need to formalize those thoughts on paper is a unbearable burden?

All the american scare-mongering about the fines are people that don't understand European law practice.

And the whole affair of Facebook moving non-EU people away from the Irish juristiction to have them not under the GDPR shows, that it will probably work as intended. (Some people call it Lex Facebook already)


> First of all, I wasn't attacking you, but your statement, that to me sounded like "who cares about the law, I am a programmer". If that wasn't what you meant, then I am sorry to have misunderstood you.

You did misunderstand me. I take partial responsibility but really, give us the programmers at large a bit credit. A good amount of us have a lot of culture in other areas and aren't that immature. (Sadly however, a lot are so I can understand your negative assumption.)

> Fact is, at we have a giant tragedy of the commons due to loose and fast play with peoples personal data. This is similar to what happens in third world countries where people play fast with working safety or environmental laws..

100% agreed with this and your next several paragraphs. I never thought that was okay. Never. But I had a rather cynical view on it: no laws about it? Sure, let's abuse as much as we can! That's how corporations are and that's how they will always be -- it takes a certain mindset to grow into a corporation and I am afraid that being rather scummy is practically a job description for the people who make the corporations come into being, and grow. I also always thought that when the inevitable regulation comes, that's NOT gonna change like anything.

Imagine if FB made you click "I Accept" on a dialog box that deliberately obscures the fact that they want to gather and use your data. What can you do? Report them? By the time a judge calls to them, they might have a switch to make the popup look 100% legit but who cares -- by that time FB or any other corp. might have the "informed constent" of millions of people, again.

It's a huge game of cat and mouse and IMO the regulation we see now is just the first step. I anticipate tens of other steps so things aren't gonna get better anytime soon.

So there you have it. An opinion from an Eastern European dev. ;)

> And the tone in this thread is hysterical from the "ooh the GDPR is devil incanated" group.

IMO only if you feel you are on a mission to calm down histerics. Our perceptions are warped by our preconceptions, we all know it. Example: in my eyes yes, there are alarmists, but much more people who are outraged by the inevitable fact that all of us have to become a little bit of lawyers in order to not get chased by the EU (and not only in terms of the GDPR, of course; there are many other venues through which we can be attacked). I understand the idea of GDPR and I support it fully but that doesn't stop me from disliking legalese.

I don't want to ever abuse people's privacy but I also like to remain a programmer, not become a half-hawyer. Okay? That was my message all along.

> I also acknowledge that the US have vastly different ethical standards and that everyone is free to be exploited as much as they want..

As an European, yes, that has been my observation for a LONG time. USA tech sector has a huge ethics problem and the VC-enabled tech bro culture in SV is only making things worse with time. Somebody should definitely do something because the world is taking notice. VCs operate on reputation as well and sooner or later more and more of them are gonna start refusing to fund startups.

> Do you really think that a thought about what data you really need (and why), the need to actively safeguard the data (especially the sensitive) and a need to formalize those thoughts on paper is a unbearable burden?

OF COURSE NOT. But again, that's my point. It's an expense you absolutely have to spend when you make profit. But I didn't; like the OP, I had hobby websites. It's a simple cost calculation. I don't want to become GDPR expert for things that don't make me money. Thus I shut down my personal projects. If and when I become a guy running a service for profit, I will go the extra mile and shoulder the burden of protecting personally identifiable information.

> All the american scare-mongering about the fines are people that don't understand European law practice.

Not sure it's only that. You can call me a scaremonger in this instance as well. It's just that I am no expert lawyer -- and for me this fact leads to the conclusion that I can be brought down if an expert lawyer wants to get their hands dirty with me. Nothing more, nothing less. Our so-called "justice system" favors the side with the better-paid / more-experienced lawyer and that's pretty much historically proven, especially in Eastern Europe. Maybe it's less visible in most of EU and USA but from what I've read through the years it seems to happen quite a bit there as well.

Maybe the people disagreeing with me believe in the system much more than I do. Perhaps my cynicism is seen as non-constructive. But it's well-founded in the reality I live in.


Okay, we are in agreement in principle then.

I just want to add, there is a huge difference between working as a programmer for somebody else and for yourself.

In the latter situation, you have implicitly agreed to shoulder all risks and burdens..

In the former you are a salaried professional, and somebody else has the potato.


This is why regulation favors incumbents. The rules don’t help any individual company, so they won’t self-regulate, but the cost becomes a barrier to competition and innovation.


There were "legal matters" on the Internet before the GDPR. These scary rogue legal firms can already target you if they want, without the GDPR. Yet plenty of law abiding small Internet businesses existed yesterday and will continue to exist tomorrow.

I don't currently run a business online, but if I were, honestly I'd be more worried about the usual headaches like accepting payments legally, dealing with spam/fraud/abuse, finding product/market fit, etc. GDPR would be somewhere around 500th on my list of "start-up things that give me crippling anxiety."


This is why I don't get all the hysteria and all the "block all EU IPs!" comments of people in this thread. For years, there have been 28 different data protection laws in the EU that you could be sued with. Now there will be a harmonized one.

So from getting sued 28 times with 28 different laws you have reduced your risk to being sued with just 1. Now, in order to have an online business in the EU you just need to comply with 1 data protection law instead of with 28. How is this bad?

What I suspect is that many people were just not aware of the 28 previous data protection laws that they needed to comply with, at all, and are now realizing that these laws exist.


I don't see how your points and mine conflict. They don't, IMO.

GDPR simply made me aware that I am not willing to go the extra mile for hobby projects so I shut them down and never sold any info to anyone, nor have I served ads/trackers.

Many commenters of my sub-thread here are making me look like a histeric and that's seriously annoying. It's all about deciding if a cost is worth it and I figured in my case it wasn't. Why make it more complex than that?


... well, you set up a LTD precisely to limit liabilities in that catastrophic case scenario but you'd probably find that people "coming after you" will be proportionate to how much you have to come after ... I.e. if you're a guy with a side project that makes no money; you're unlikely to attract "parasitic lawyers".

Further, in my opinion the GDPR is wholesome. You ought to implement it even if it didn't exist. If your business relies on playing fast and lose with user data then IMO it's not an honest business ...

Further still, the worse punishment is 4%/20M; it's not the default intervention or anywhere near the only way that the GDPR will be enforced.


Regarding your first statement, GDPR does not apply to personal projects. Only to business to consumer interaction. You are at less risk (in fact, zero), if you don't have an LTD as you are outside the scope of the law.


The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous).

They don't even need to dig up any possible violations - just the legal process alone is enough to kill any side project.

Or, "You can beat the rap, but you can't beat the ride." For a small company or individual, even winning a GDPR case will be a Pyrrhic victory.


Yes, and people keep missing THAT point exactly.

Guess they believe in the system more than I do. My country -- and the EU -- has been known to have cases where a big player makes a grizzly example out of a small player, in basically every business area.


>he problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous).

>Small tech owners can't fight such litigations. I am kind of baffled how this point evades so many people in this thread.

Isn't this the same with the other laws, like copyright,trademark, patents, software licenses? I could say the same about one of this other laws, like you may have a video of you doing something cool and a bit of copyrighted music could be heard in background then you coulg get sued by a big bad law firm, the difference is that in this case the regular citizens are protected and not the budget of big music publishers.


True, GDPR simply adds one more lane from which you can be attacked. Never claimed otherwise, and you are correct.


I'm baffled by the fact that people think you can be sued for non compliance. You get reported to a government authority that will address the issue.

The point to protect users, not to prosecute companies for operating. However, GDPR would be enforced if you just ignored it.

It really isnt such a big deal.


For my hobby projects I'm more worried about getting expensive letters from greedy lawyers telling me about some non compliance issue (Abmahnung) not about government authorities. Especially since you often have to sign agreements which include high fines for a second violation (Strafbewehrte Unterlassungserklärung). Considering the complexity of the regulation, reliably avoiding violations and regressions sounds difficult.


I am resisting a push into converting from an on-premise, installed product to a SAAS model for precisely these reasons. I don't want to be responsible for that liability, and I'm just the engineer doing the work. It's a minefield, compared to the way things were.


That seems backwards; with a data agreement between you and the saas - the saas takes on much of the liability for the day to day (eg: making sure data is actually deleted - from backups as well).


I think megaman22 is saying they don't want to become a SaaS, for exactly the reason you say.


Ah, yes. On a second reading that's probably true.


> The problem is what happens if a legal firm or an agency targets you.

Nothing. GDPR enforcement is carried out by each country's regulatory authority; they're the only ones who can sue, target or take action against you for non-conformity.


I guess you never heard about the German "Abmahnung" industry.


OP of the top-level comment here.

A lot of people here: please CHILL. You make me look like a histeric. Not what I had in mind.

- I don't want to become a semi-lawyer or hire a lawyer until absolutely necessary.

- I had 7 hobby projects where people could fill out full names if they wanted to.

- I deleted all of them -- apps and database -- without backing them up. Never served ads or trackers, never had a 3rd party JS on any of them. Unless somebody had unfettered access to the VPS-es without me knowing it, I never leaked personal info.

It's a very simple cost calculation: I don't even want to invest 2 hours in reading the GDPR in details nor do I want to rework the hobby projects to encrypt the personal data in the DBs, hence I refuse to be a part of the abusing privacy problem and delete anything that might have gathered any personal data. I believe in the GDPR and this was my way to at least not contribute to the problem.

Seriously, what's so unclear? You can repeat to me that "knowing laws and protecting from bogus lawsuits is a fact of life" but it doesn't have to be before I have a business -- which I don't. So I still respectfully disagree that I have to learn legalese today.

So seriously, don't get so worked up over a comment that expresses a sentiment that I want to become more law-aware only when absolutely necessary and not a minute before that.

Geez.


So why not wait until a regulatory authority gets in touch raising concerns, and then delete?

You don't want to hire a lawyer until absolutely necessary, but you're willing to delete everything way before absolutely necessary?


Simple: I like coding and solving problems, not learning legalese.

My hobby projects were inconsequential. Nobody cares about them much, including myself. I prefer tinkering, not becoming better versed in legalese.

It's rather fascinating to me how I keep being misunderstood. I guess I am not stating things as clearly as I imagine.


Encrypting all user data doesn’t get you out of the gdpr if you hold the key to decrypt the data.


Fair point, but I personally wouldn't ever do that. There are well-known solutions to the problem: the user's cookie after authentication is not persisted on the server and only an ID is used (the key is derived from the password, otherwise this wouldn't ever work). Then another part of the cookie serves as an ephemeral key that the backend uses to decrypt and serve the personal data back (through HTTPS). Again, that second part of the cookie is never persisted on the server.

I am not asking anybody to take my word for it, just saying how my ethics and tech education tell me I should be doing things.


Are many US based businesses considering limiting access to EU consumers to avoid GDPR? Reselling user data seems to be part of many business models, and I don't know if EU is such a huge market internationally, especially without UK. I support the goal of improving data privacy, and in general GDPR is seen positively by those I've talked to, but the EUs last attempt resulted in useless, intrusive cookie warnings all over the place.


> [...] there is a big group of tech people that have no interest in dealing with legal matters more than the bare minimum, and overall deem them risky.

Then maybe those people shouldn't be opening side businesses? Running a business implies having to deal with business matters which include legal.

For example in Switzerland if I want to open a small cafe in the corner selling home made cheesecake, I'll have to first figure out what the exact regulations in my state are, obtain a permit for opening one, create a "Hazard Analysis and Critical Control Points" concept and send it to the authorities, make somewhat sure I get accounting right, maybe getting a permit for infrastructure changes, etc.

I'm not talking about GDPR especially because I don't know enough about it yet. And in general I am sceptical of laws and regulations that don't seem absolutely necessary.

What I don't get is why anyone should care that some tech people running a business don't want do deal with legal like everyone else? What makes us so special?


I don't run a side business and I don't collect personal data.

I had 7 hobby projects that very few people used. After I read on the GDPR yesterday, I simply deleted all their databases and apps (without backing anything up) and didn't look back.

I believe in the GDPR and I don't want to become a part of the problem. The lowest friction solution was to just delete stuff I don't deem at all important.

If I am to open a business, I'll cross 100 rivers to be GDPR compliant. And you are correct -- us the techies aren't special, of course.

I only asserted that for hobby projects or projects that are not turning a profit the extra effort is simply not worth it. Nothing more.


> You can generate a key for each user on creation and have their data encrypted with it. The problem is NOT that.

This is still debatable, because what if in near future your encryption turns out to be weak and all the personal data become readable again? Things like this... This law was really not thought through.


>> The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous).

As I understand it, you will be able to appeal or somehow else address the European Data Protection Board, that will be tasked with ensuring the consistent application of the regulation:

Coordination and Consistency

Under the Directive, there has been a certain level of coordination in interpretation and enforcement. Apart from informal contacts among authorities, there has been a succession of non-binding opinions issued by the “Article 29 Data Protection Working Party,” an advisory committee comprised of representatives of the national supervisory authorities (commonly termed “data protection authorities” or DPAs), along with the European Data Protection Supervisor appointed by the European Commission. Under the Regulation, that group will become a more independent and powerful regulatory body called the European Data Protection Board, tasked with ensuring “the consistent application” of the GDPR. An entire chapter of the Regulation (Articles 55-63) is devoted to cooperation and consistency, with procedures for multiple DPAs to coordinate investigations and promulgate consistent decisions and policies reviewed by the Board and reported to the European Commission.

One feature of coordination that should be helpful for multinationals is a provision for companies to work with a “lead supervisory authority” in the country where the company has its “central administration.” That authority will then coordinate with the authorities in other countries where the company operates, attempting to achieve consensus on issues that affect all of them.

https://www.infolawgroup.com/2016/05/articles/gdpr/gdpr-gett...


Block all European IPs. It's just not worth the risk.


I admit that I'd do that. Lowest friction solution. I don't want law enforcement agencies knocking on my door because I host a hobby project on a free / $5 tier VPS for years.

My intent isn't malicious. I simply don't want to invest in more maintenance. Hence I'd block EU, yes.


Do you also block all US IPs to avoid patent infringement claims? What makes you think the GDPR is broader in scope than the patents the USPTO hands out? In the patents' case, there is even a direct financial incentive for companies to sue you, whereas in the GPDR the interest of the regulatory body is primarily compliance.


That won't completely protect you, it would only greatly reduce your surface of exposure; the eu user could still reach you via a vpn or simply sign up while vising the US.


Ask if user is European, and if they answered yes, deny them service. If they lie, then you have plausible deniability to mistreat their data.

Users of free services will just set their country to non-EU, and continue to consume the services. GDPR will gave achieved nothing in that case.


If you have no presence in the EU, to what sort of "risk" do you refer?


I havent read the papers but only few online summaries, but each mentions very strongly that GDPR directive are not limited to you running business or webste in EU zine. You need to implement GDPR if someone in Australia is using European IP. You also should assume that signup IS EUROPEAN if you havent given them the chance to say otherwise on your registration form. For example European citizen can visit your US based website when he/she visits USA, sign up then go home. Since she/he is EU citizen, you need full complience on your end. Or face €20 mil fine (I assume your startup is not making more than that off of 4% revenue)


How is the EU court going to fine your American corporation?


They can arrest the CEO if they step foot on EU soil.


I don't imagine a European country arresting an American for something that was done in America that is legal to do in America would go over real well with the US government.


https://en.m.wikipedia.org/wiki/United_States_v._Elcom_Ltd.?

This stems from the United States making their laws apply globally.


Your link does not work, because it ends in a period. HN takes the period as being the end of the sentence rather than as being part of the link. Here are working links (mobile, non-mobile):

https://en.m.wikipedia.org/wiki/United_States_v._Elcom_Ltd.?

https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd.?


Also question how would they know who owns the company? I don't think US Gov would easily give out info on US company to foreign country or Union for such no-crime related abuse.


Yes, I understand all of that. But you didn't answer my question.

My company has no presence in EU, and neither myself, nor any one of my employees are going there.

What's the risk?


The risk is an EU court telling google to stop dealing with you because you're in violation, or even worse: a payment processor like Visa. No to mention that you and your employees are now unable to safely fly anywhere within the EU or anywhere with an extradition treaty with them.


so would it be sufficient to add a line to the TOS checkbox label: "I affirm that I am not a citizen of a EU-affiliated country"

that seems simple enough - I think I'll add that to the projects I'm working on.


Not enough. You also need a screenshoot of the form they completed and you need to keep it on file.

There is so much info I read on this today I closed the article but it said that their ticked-box consent and IP is not sufficient.


You don't necessarily need a screenshot, a copy of the webpage the user saw would IMO be sufficient.

You need to be able to show the user agreed and what they agreed to exactly. A screenshot might do that but might also not be sufficient (if there is more text elsewhere on the signup process related to privacy)


For all downvoters:

https://www.mailjet.com/gdpr/consent/

Scroll to: How do I store consent under GDPR?

The record of the IP address, location and time at which someone submitted a consent form is insufficient without a screen capture of the form itself.

You welcome!


The specific recital is here: https://gdpr-info.eu/recitals/no-42/

A screen capture is the easiest way to achieve compliance but the regulation leaves open other methods as long as you can show that someone gave consent and to what exactly. (IMO you could also store the HTML of the webpage they viewed at the time)


That’s the weirdest thing. What do the law mean with a “screenshot of the form”


There is nothing about a screenshot in the law.

The law says you have to be able to prove the user ticked the box and provide an audit trail for it, IIRC some recitals mentioning that you should be able to reproduce the exact agreements the user made (ie, either in text or as a screenshot) so that you can later show the user and any regulatory body that asks what they agreed on.


The regulation is about capturing data of EU citizens, regardless of what IP they reach you from -- so this won't keep you safe.


That's not what it says. See Article 3 [1], and the accompanying recitals.

[1] https://gdpr-info.eu/art-3-gdpr/


No, those recitals are exactly what make my point. Numbers 23 and 24 of the accompanying recitals on that page state that, even if you are not established in the EU, if you profile people "within the EU", the regulation claims to apply.

"Within" is a physical location, so arguing that IP block associated with request is a perfect proxy is at best a legal grey area. For example, an EU citizen could use a VPN to access your services and then send you a data request. See here for discussion: https://www.gdpr360.com/gdpr-ip-addresses-and-classification...

If this seems like a low risk incident, consider that there are litigious people inside the EU (as everywhere) that may actively explore the boundaries of the law.


Careful. You were talking about capturing data in the comment I responded to. Now you are talking about profiling. These are distinct things under GDPR, with different rules.

Profiling data subjects in the EU is covered, regardless of where the processor/controller is located.

If you are processing personal data but not profiling and you are not established in the union it only applies if the processing is related to the offering of goods and services to data subjects in the Union.

For those who are not profiling, blocking EU IP addresses should help establish that they were not envisaging offering goods and services in the Union.


I was loose in introducing the word "capture", which blurred the distinction you're making. But the OC seems to be suggesting that IP blocking is likely to be a one stop solution for someone trying to avoid GDPR details, and your replies leave open that impression.

In fact, there are many ways someone might be profiling without knowing it. For example, precedent about when logging IP addresses constitutes PII is still evolving and seems to apply in cases that would be unintuitive to many US businesses: https://www.whitecase.com/people/tim-hickman. And there have been arguments that geolocating based on IP might itself be data enrichment that contributes to an argument that you are profiling!

Similarly, I haven't seen a clean interpretation of what constitutes offering (or clearly not offering) services to EU users, which determines application to a data processor. For example, if I offer a Portuguese translation of my site for Brazilian users, have I offered service to continental Portuguese?

IANAL but nobody knows exactly where GDPR will apply yet. I think the better takeaway for someone who is trying to respond with minimum effort is: IP blocking might help you build a defense, but it might matter how you implement it and it might not be sufficient.


Note that the regulation talks about where the requester is, not where they report to be.

Some legitimate experts have concluded that this wording allows someone in the EU using a vpn they reports them as coming from outside the EU to be covered.

That seems like a low risk incident to me, but I’m not a lawyer & I can see where that interpretation comes from.


Can anyone give an example of a company that has been targeted by legal firm or an agency ? All I know about it patent trolls. So how would these legal firms make any money from the GDPR !?


Apart from selling services related to the GDPR, such as helping companies with complience or helping individuals report problems, they won't. It seems a lot of people haven't even read the cliff notes version but are happy to proclaim the sky is falling. The GDPR will be enforced only via the appropriate agencies in each country where it is law.


Form a limited company and run the site from that. If you're prepared to shut the site down anyway, then that remains the worst thing that can happen for non-compliance.

There's no need to shut the thing down just in case someone sues you when that hasn't happened yet.

On the other hand, there's a good reason to shutter your site because you don't have time to make it respectful of people's privacy. By all means, shut down your site because the GDPR makes you realise that! But that's not what OP is saying.


>Look, it's not hard to encrypt all personally identifiable information; there are ready-made frameworks that let you choose which DB columns you encrypt and how. You can generate a key for each user on creation and have their data encrypted with it. The problem is NOT that. The problem is what happens if a legal firm or an agency targets you.

The problem is also not botching the encryption process -- and relying blindly on some "ready-made frameworks" is a sure-fire way to do that.


I'll immediately agree to that but in the spirit of the GDPR which allows you some screwups, isn't that still better than keeping non-encrypted personal data on a small VPS you have no idea if other people have no unlimited access to?

I shut down my hobby projects because I didn't want to rework them. Deleted everything, never sold info to anyone, never served ads and had exactly zero external JS snippets on them.

If I am to open a business, I'll however work a lot to be GDPR-compliant. I believe it was about damn time for something like that to emerge.


Yeah, that's what I was talking about couple of weeks ago here. I was afraid that GDPR will stifle innovation and it's just a beginning.

GDPR is highly vague omnipresent regulation with huge strict fines. It's like infamous cookie law times a million.

They could make it into a good law, my opinion on what should have been done:

Keep good parts, such as:

- Appoint official 'security' representative who're responsible for breach disclosures, promoting security practices etc, that person can be personally held responsible for shifty company behavior (though nothing draconian) like non-disclosing a breach, so they would be motivated to be on user side in the company.

- Let users ability to download their own data

- Let users clear way to tell company that they want to stop using their account (and related data gathering)

- Mandate more open disclosure of what is done with data gathered from users

And also:

- Mandate easier ways to review EULA and changes to EULA (like each change should be available separately, describe what changed and why)

- Create system of centralized disclosure of security vulnerabilities by third parties, with record showing request and response publicly after some time. Maybe also create some system of grants for third party penetration testing for larger players in the internet.

- Split available data into categories, like 'non-sensitive data', 'sensitive data', 'highly sensitive data'. Medical records, financial records etc is highly sensitive and higher standards are applied. Email and name is non-sensitive data (so you could run a simple forum, or any other simple free service, where you only want email from a user, without being afraid).

- Split companies into tiers, under 50 employees or 100000 users nothing applies; 51-1000 employees higher standard applies; over 1000 - full power applies. This also should be tied with previous point - for example, smallest tier company should still be responsible for some rules if they deal with highly sensitive data, and if it's largest tier company they should be following some rules even if they only deal with non-sensitive data.

- More sensible fines. For example 1% or $100k, whichever is smaller for the first time, 2% or $1m second time etc. Designated security officer can also be held responsible in the same manner (like, % of salary and later being forbidden to work as a security officer). It can also be tied to tiers of companies.

- Start applying law gradually, beginning with just applying it only for european countries.

I believe that would keep benefits for users and won't create giant problems for the industry as a whole.


With one minor exception, you have just described GDPR.

The exception being: there is no minimum for fines. So a small company could be fined absolutely nothing for an infringement if it was representative of the harm caused or they fixed the issue.

Also. Security representatives--actually called data protection officers--are only necessary at large scale or highly sensitive operations.

The law is being applied gradually. It is already in effect and has been for two years. The approaching deadline is when the penalty clauses will come into effect. How it will be applied remains to be seen, but has no bearing on the validity of the legislation itself.


Not exactly, I specifically left out 'right to be forgotten' part. Also, I didn't see anything specific about tiers for companies and data (I didn't read the whole law, only its explanations) - when you clearly know what applies to you. With GDPR as you said small company could be fined nothing, but it also could be fined a lot - that's the problem, you don't know for sure and that's a risk which streetlend.com was afraid of. If they could just look at GDPR and say "ok, we're a small company and we don't hold any highly sensitive data, so according to the law we just need to provide users with clear ways to stop using our service; ok, keep going" it would be much easier. One of main problems of GDPR is uncertainty around it. Also with gradually I meant geography - only within EU for its companies, because frankly I don't like idea of countries deciding to apply their rules in the internet worldwide - it can get messy pretty quickly.


In my mind, the right to be forgotten is implied by your bullet point "Let users clear way to tell company that they want to stop using their account (and related data gathering)" By the definition of data processing, streetlend has to delete all my data to stop processing it.

It is pretty clear what streetlend needs to do to be GDPR compliant: if the user data is actually being sent to the third parties (the ad networks) then users need to explicitly be told this. If the data is not being sent to third parties then users already consent to their data being stored by entering the data (the data is necessary for the performance of the service operated).

Next to that: allow users to delete their data when they close their account (this should be as easy as setting cascade on foreign key constraints).

As for the geography: if your interaction with European citizens is incidental and not purposeful, you cannot be charged under the GDPR. It is only if you are actively trying to target your goods or services to the European market that they will enforce against you. This is obviously the case since they will have no power to enforce the law otherwise, but it is also covered by the three paragraphs of Article 3.


I didn't say about data processing, but data gathering. What I meant about stop using account is that they won't send you any new notifications, won't show you as a possible friend for other registering people etc. By data gathering I meant that they won't track you anymore, like if you exit facebook, they should still adding info about you through all the like buttons etc.

> Next to that: allow users to delete their data when they close their account (this should be as easy as setting cascade on foreign key constraints).

That is definitely not easy and doesn't work like that. That's why it's common practice in any serious system to have 'deleted' flag instead of actual deleting.

> It is only if you are actively trying to target your goods or services to the European market that they will enforce against you.

Yes, and if you target whole world like most sites in the internet do, you're targeting Europe?


Why would a small, unprofitable website be the target of an opportunistic legal team?


Spite. I've seen big players (controlled by pissed off influential person) chase down small businesses in my country relentlessly, to the point that the father of a family had to serve in jail for 2 years because he couldn't afford the fines. The lawsuit lasted 3-4 years and the poor guy was called to court basically every month... It was awful to watch.

Eventually some good souls gathered the fine money and bailed the poor man. And then the suers got pissed and tried to raise the fine, eventually had to pay for... I don't know the legalese for that, but basically they took it too far and the judge called them out on it and forced them to cover ALL legal expenses.

My point however is that for ordinary people even the nerves and time lost in a lawsuit are too big a price to pay. We aren't machines, these things get to us.


The law is not even in effect yet. The persecution you're talking about is imaginary. Those of us having trouble being so imaginative probably tend to prefer waiting for evidence.


Lack of foresight is not a virtue, it is a bug.


Wasting time & energy planning for a scenario that never happens is over-design.


Good luck with that mindset.

Besides, who said it will never happen? What can you be sure will "never happen"

Can I use your crystal ball?


You're right. On that note, it's best to never leave your house. It's just not worth the risk. How can you be sure that debris won't fall out of the sky? Do you have a crystal ball?


I'm aware of the risks involved in going outside and I plan accordingly, that's why I have a life insurance. I wasn't the one who said that was a "scenario that never happenS"


What kind of insurance can you buy for GDPR non-compliance, where it costs you less than actually complying?


> What can you be sure will "never happen"

Because there are ~25 existing sets of laws on the same topic [based on GDPR's predecessor framework, but evolved in different ways] that GDPR normalized into a single, common modern framework. Nothing horrible happened with those old laws.


Ok, then don't comply and shut down, but I don't see what's ambiguous about the GDPR in this context. Also, they goal of the EU is not to fine the hell out of small businesses; it's compliance. Companies found to be out of compliance will be worked with and an attempt to conform to the spirit of the law shows good faith.

This article sounds a lot like sour grapes and shows no real attempt to actually figure out what compliance would look like.


> Ok, then don't comply and shut down

Which is what the site in question did...


Right, after whining about GDPR, which is relevant to the remaining 90% of what I said and the content of what I was responding to.


> The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous).

And in that case the regulator would write you a letter asking you to fix it. At that point you have the choice to fix it, or to write back and explain why you can't fix it now. Or you can ignore the regulator, which may lead to a small fine.


That’s why I would think that no matter what you do you’re probably still technically exposed so not to worry.


What’s the upside for a legal firm to target you? You’re not going to pay fines to them, right?


Legal firms acting on behalf of a competitor or spiteful customer?


I don't think this actually happens.


You aren't willing, so you exit the market. Someone else will come along, who is willing, and fills the need while respecting people's privacy. Everyone wins.

Considering one can be sued for just about anything, or accused of patent infringement for just about anything in tech, the fear of litigation isn't a compelling argument.


Probably because, compared to the status of legal matters in the US, blaming _europe_ of all places for being legally murky is just mind boggling.

More

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: