Ask HN: Is HN GDPR compliant?
99 points by tschellenbach 73 days ago | 107 comments
After reading this post https://news.ycombinator.com/item?id=16954306 I thought about the small sites I like to visit. Things that started out as hobby projects such as Lobsters and HNews. I wonder, is HNews GDPR compliant? It doesn't really seem to be. Some topics mentioned in articles about GDPR:

- Ability to export data
- Ability to delete your account
- Disclose tracking (the voting ring detection must do some sort of tracking)




One important thing to note about some of these points is that they don't have to be made easy for users. For example, in relation to "Ability to export data", there doesn't necessarily need to be a feature on the website for it to be compliant. They simply need to do it if you ask. So if that means having someone manually run a query to get a data dump every time someone asks, it's still considered compliant.

Of course that doesn't actually scale. That's why most of the big players are providing export features.


At my job we do it semi-automatically; i.e. there are automatic export tools, but emails are sent back and forth first.

This is because we've received only a handful of requests and because there isn't an automatic system for the extra layer of authentication comparable to answering an email with a token in it.

Come to think of it, this places an even bigger value on email: You can probably get all of someone's private data from external sites once you have their email. As if it wasn't a big enough part of stealing someone's identity already; now you can properly steal people's pasts!


That can't be the whole story though. In general, a regulation stipulating that a business provide a feature can't allow businesses to make it arbitrarily difficult for a user to use that feature, since that would defeat the public policy behind the regulation.

I suspect that the line here will be decided in some court.


> I suspect that the line here will be decided in some court.

Sure. At the end of the day though people shouldn't be using GDPR as an excuse to avoid making stuff or launching their projects. As long as you make a reasonable effort to do what people are asking for via email then you're probably not going to be the test case.


Yes, making things _arbitrarily_ difficult would probably go against the spirit of the law, even if it technically complied with it. But as Alex3917 pointed out, as long as a company responded to GDPR requests by email in a timeline in accordance with the law, they would be safe.


Indeed, I noticed this in Google's GDPR terms and conditions I was required to agree to yesterday. Long story short, Google will charge you to delete your data, which I thought was against the spirit of the GDPR law:

"Google may charge a fee (based on Google’s reasonable costs) for any data deletion under Section 6.1.2(a). Google will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion."


The GDPR explicitly says you may charge a reasonable fee to cover your administrative costs.


Oh! I totally missed that. Thank you for the correction.

Not meaning to be argumentative, but is there a reference for that beyond Article 12 Section 5? (I probably missed that too.) But that section seems to suggest you can only charge a fee (or even decline to act) if the requests are unfounded or repeatedly excessive:

https://gdpr-info.eu/art-12-gdpr/

"Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

refuse to act on the request.

(Google's clause was opting to charge for any deletion request that is not yet automated.)


Five euros I was told in the knowledge session at my work.



Can't that be a violation in the eyes of GDPR? If they don't give users a simple button, then can't that be argued to be not giving the user the ability to export data. The problem I have with GDPR is that there's so much open to interpretation.


Articles 15 and 17 (dealing with deletion and access) both contain a provision where if the request is unfounded or excessive, you may charge a reasonable fee. You cannot charge a fee for compliance with standard requests, and "reasonable" is something that would likely be argued in court.

Source: https://ico.org.uk/for-organisations/guide-to-the-general-da...

Edit: mis-referenced article 15 as export instead of access.


If you have an email address you can give users for privacy requests and a promised turnaround time (we will respond to all privacy messages in 7 days) you're OK.


They do provide an API and public data set, so the export could be self-serve.


Upon cursory inspection, the single fact that users don't seem to be able to delete their account data from here would make it not compliant. Similarly, the inability to delete posts after a certain time may also conflict with the data removal stipulation of GDPR.

But as a corollary to that, GDPR laws seem to only apply where there is data that can personally identify a user. The usage of nicknames and throwaway accounts on here may mean that GDPR requirements may be able to be ignored as long as there is no piece of data that can be linked back to an identifiable user (such as an email address in their profile etc.)

Note: IANAL - So please take this as my opinion, and not a legal finding.


Nothing in the GDPR says you must be able to delete your own data. It says that you may request a business delete your personal data, and they may have to comply if they don't have a legitimate business reason not to. There's a balancing test, not a blanket requirement that every web app be littered with delete buttons.


You don't have to follow any of the rules in the GDPR if you have a good reason for doing so which doesn't overstep the basic rights of the person. Being able to operate the business in the way that it's intended is a fine reason. So, user comments don't have to be deleted because that would change the way HN operates and creates value. However, it's harder to explain why the comments can't be anonymized by unlinking them from the user table and changing the username to 'deleted'.
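The anonymization described in this comment, worked through as an added example (not code from HN or from any poster here). It assumes a constructed minimal users/comments schema in SQLite and shows a subject-access export next to an erasure that keeps the thread readable: comments are unlinked from the user row, the denormalized author name is scrubbed to 'deleted', and only then is the profile deleted, all in one transaction.

```python
import json
import sqlite3
from typing import Optional

# Constructed minimal schema for an HN-like site (an assumption, not HN's real schema).
# comments.user_id is the link erasure has to cut; comments.username is a denormalized
# copy of the name that must be scrubbed too, or the person stays identifiable.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    email    TEXT,
    about    TEXT
);
CREATE TABLE comments (
    id       INTEGER PRIMARY KEY,
    user_id  INTEGER REFERENCES users(id),
    username TEXT NOT NULL,
    parent   INTEGER REFERENCES comments(id),
    body     TEXT NOT NULL
);
"""

# Constructed sample data: two users and one short thread.
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid", "Likes Lisp"),
    (2, "bob", "bob@example.invalid", None),
]
SAMPLE_COMMENTS = [
    (10, 1, "alice", None, "Is HN GDPR compliant?"),
    (11, 2, "bob", 10, "Probably not, but enforcement is the question."),
    (12, 1, "alice", 11, "Fair point about enforcement."),
]


def open_sample_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?, ?, ?)", SAMPLE_COMMENTS)
    conn.commit()
    return conn


def export_user(conn: sqlite3.Connection, username: str) -> Optional[dict]:
    """Subject-access export: the profile plus every comment still linked to it.
    Returns None when no such account exists (e.g. after erasure)."""
    row = conn.execute(
        "SELECT id, username, email, about FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    comments = conn.execute(
        "SELECT id, parent, body FROM comments WHERE user_id = ? ORDER BY id", (row[0],)
    ).fetchall()
    return {
        "profile": {"username": row[1], "email": row[2], "about": row[3]},
        "comments": [{"id": c[0], "parent": c[1], "body": c[2]} for c in comments],
    }


def erase_user(conn: sqlite3.Connection, username: str) -> int:
    """Erasure that keeps the thread intact: unlink comments, scrub the author,
    delete the profile. Runs as one transaction so a crash cannot leave a
    half-scrubbed account. Returns the number of comments anonymized.
    Caveat: comment bodies are kept on purpose (the legitimate-interest argument
    above), but a body can itself contain personal data and needs separate review."""
    with conn:  # commits on success, rolls back on any exception
        row = conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
        if row is None:
            raise LookupError(f"no such user: {username}")
        user_id = row[0]
        cur = conn.execute(
            "UPDATE comments SET user_id = NULL, username = 'deleted' WHERE user_id = ?",
            (user_id,),
        )
        unlinked = cur.rowcount
        # Only safe now that no comment row references this id (foreign keys are ON).
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    return unlinked


def residual_links(conn: sqlite3.Connection, username: str) -> int:
    """Post-erasure check: any comment still carrying the old name means the
    denormalized copy was missed and the person is still identifiable."""
    return conn.execute(
        "SELECT COUNT(*) FROM comments WHERE username = ?", (username,)
    ).fetchone()[0]


def thread_size(conn: sqlite3.Connection) -> int:
    """Number of comments; erasure must not change it."""
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]


if __name__ == "__main__":
    db = open_sample_db()
    print(json.dumps(export_user(db, "alice"), indent=2))
    print("anonymized:", erase_user(db, "alice"), "residual:", residual_links(db, "alice"))
```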


American businesses should add a clause that all authorized access is predicated on a user knowingly acknowledging that they are not a resident of the EU. If GDPR becomes an issue they could abuse the CFAA to get the persons of interest extradited to the USA for prosecution of unauthorized access. It would be funny too because the data the lawyers would collect to proceed with a case would be from unauthorized access too and they could be extradited and prosecuted too and they would probably lose their jobs oh what fun lawyers bring upon themselves and those that endure their wrath.

Just floating a crazy alcohol-induced idea here, don't take it too seriously.


from* the USA?


I think "to". Like, anyone alleging the GDPR violation is admitting that they violated the CFAA. It's pretty stupid, though not clearly stupider than past successful uses of the CFAA.


Probably not. I really have mixed emotions about GDPR, being a SaaS founder. It seems overstepping and heavy-handed that the EU can enact laws that affect Americans and American companies. The EU can do what it wants, but generally I am against regulation as it promotes bureaucracy, stifles innovation, and creates fluff and burdens, especially on small companies, such as a Chief Data Protection Officer and Chief Data Officer.


It's not overstepping. Don't like the laws? Don't do business there. States in the US have different laws that affect operating businesses in them, too.


Funnily enough I operate a service to download copyright-expired content. Only most of the content is still under copyright in the US. Early Elvis works seem to be very popular.

I've banned all non-local IP addresses from the website with a splash page which tells them why they're unable to access content.

This also doesn't stop my local ISPs and hosts eventually giving up on hosting my content as they're sick of reviewing DMCAs from US-based copyright holders. Many of the smaller ones simply give me 24 hours notice or no notice at all; nobody wants to risk a lawsuit from the big bad US media companies.

I get several hundred letters and emails a year with copyright holders threatening lawsuits and legal action. I suspect similar issues will arise for non-GDPR compliant services in the form of user support tickets.


Isn't "webhosts that cheerfully ignore DMCA complaints" a large, well-established industry?


Not in my country, and I have no intention of hosting this outside these borders which could get me in legal hot water.


For curiosity, where are you? Are you unable to find a DMCA-proof server in a country where your content would also be legal, or is there a different problem?


It's a different problem - I'm part of the Commonwealth.

I could host it in a country that would ignore requests, but the point of the website is to do everything correctly. If I hosted my content in a country that doesn't care about copyright or DMCA, I'm putting myself at risk if I was brought into court as I've purposefully skirted around laws.

My country has proven we are held to US copyright law - see the Kim DotCom case. What would usually be considered a matter for civil court was brought into criminal court because it crossed borders and unfounded claims were made against the accused (namely money laundering) who's now being extradited.

I simply want to provide a free, legal media service to those in my country. There's no money in it - I don't even run AdSense, I simply pay for hosting. So far, so good.

If I do get dragged into court, I expect a precedent to be set for future cases. This will also open up a lot of free historical media for government-run TV and streaming services, and local media producers.

It's kind of like a weird tech protest against goofy copyright laws.


But does US law actually require you to respond to the DMCA notice? Like, the provider loses its safe harbor, but if there's no violation of US copyright law then why does that matter? That's perhaps a different test case from the one that you intend, of course...


US law shouldn't matter to us at all. We shouldn't need to know what a DMCA notice is. A copyright claim should be made in the host country's format applicable to their laws; that doesn't seem to be a reality for any of the claims I've received.

Where I am, you should receive an IP rights notice and an interim injunction to remove the works. I've never received anything like that.


> What would usually be considered a matter for civil court was brought into criminal court because it crossed borders

Wasn't it criminal because he was doing it as a business and earning money from it?


That's still a civil case in New Zealand. It's copyright infringement, you don't go to jail - you get sued and bankrupted. The fact he was making money from it doesn't change the court, he just gets sued for more (in this case, it would have been everything he owned).


This bothers me a lot as well. The EU shouldn't have domain over American companies. There's a reason that there isn't a ton of tech companies in places like Germany.


Well, the internet is a connected place. The same thing happens when the US changes its policy. For example, new net neutrality laws will probably somehow affect the whole world.

Also, I think there are a lot of tech companies in Germany; they just target a German audience.


They don't have domain over American companies.

Just don't accept European customers' data and you're fine.


I'm not a citizen of Pakistan.

I don't live in Pakistan.

My servers aren't in Pakistan.

Pakistan can't force me to comply with their laws just because a Pakistani national uses my site.

Same thing with EU laws.


If you want to do business in Pakistan you do.


I'm not doing business in Pakistan or in the EU.

The mere fact that a Pakistani or European uses my site doesn't subject me to the laws of Pakistan or the European Union.


The fact that they are using your site means you are doing business with them.


You know, same could be said for the US, but look how that turned out for Kim Dotcom. Extradition and humongous expenses for him - all because people in a country that was unrelated to the site decided to break their copyright rules and use it :).


They don't have domain over American companies if they're not doing business in the EU.


> It seems overstepping and heavy handed that the EU can enact laws that affect American's and American companies.

Unlike eg Kinder Eggs? https://www.cbp.gov/newsroom/national-media-release/dont-be-...


This also bothers me a lot. I've always wondered how the EU intends to enforce its laws upon my little side projects here in the US.


>I've always wondered how the EU intends to enforce its laws upon my little side projects here in the US.

It doesn't.

It's made to force you to comply when you become bigger.


So it has clauses about project/service/product size/popularity?


In fact, yes. For example, the record-keeping requirements don't apply to most businesses with fewer than 250 employees. The DPO requirements don't apply to most businesses with fewer than 250 employees. The entire regulation doesn't apply if you don't target people in the EU and don't offer goods or services to people in the EU. Some of the requirements only apply if you process data on large numbers of people regularly, rather than occasionally. And there's a recital calling on member states that enact and enforce the regulation to pay special attention to the unique needs of micro, small and medium-sized businesses.


DPO?


Data Protection Officer. There are a few situations where you MUST assign a DPO (large company, or systemic monitoring or processing of data, or processing of protected data). If you're talking about a tiny side project with basic data protection and you're not doing social scraping, GDPR will likely ignore you.


Demanding privacy is not overstepping; it is consumer protection. The consumer needs to be able to rely on you treating their data responsibly, and the GDPR is a rule book of what you need to do. And yes, this rule book has sanctions.


I would strongly advise that we read carefully the language for Art. 3, "Territorial scope," which says:

  (2) This Regulation applies to the processing of personal data
  of data subjects who are in the Union by a controller or processor
  not established in the Union, where the processing activities
  are related to:

    (a) the offering of goods or services, irrespective of whether
    a payment of the data subject is required, to such data subjects
    in the Union; or

    (b) the monitoring of their behaviour as far as their behaviour
    takes place within the Union.

So, I would ask: Has HN made an "offering of goods or services . . . to such data subjects in the Union"? (https://gdpr-info.eu/art-3-gdpr/)

The critical issue is that word: "offering."

The language here seems to be about intentions. Has HN "offered" anything to data subjects in the Union? Maybe not. To be sure, people in the EU may have chosen to look at HN, but has HN sought to "offer" to them?

(The presence of a domain such as news.ycombinator.eu would tip to "yes.")


HackerNews is a content marketing platform for YC. They likely have European LPs and they certainly have European startups. I can’t see how they would avoid this and similarly, you just need a couple disgruntled founders who didn’t get accepted to cause a stir and report them.


A country can't tell foreign citizens how to behave, even if the country (or group of countries, in this case) writes a law saying they can.


In practice that's not true on many levels. Law enforcement happens across borders. (extradition (yes, in most cases it has to be a valid crime on both sides)) One country's law enforcement also can influence what other countries do without a good proof of anything. (Kim dot com?) That applies outside of LE as well. (points in the general direction of Middle East)

And then there's the soft influence of "we're big enough, we can dictate the rules, because who else will you trade with" which affected things like patent laws and trademarks around the world. It's interesting to see the US finding itself on the other side of that conversation sometimes.


According to the Geneva Convention, war crimes have international jurisdiction.

This means that a court in, e.g., Spain can "tell foreign citizens how to behave".


GDPR isn't a treaty. The US hasn't signed on to it.


strictnein's comment was blanket statement, and not limited to GDPR.

More specifically, tuke pointed out the territorial scope of GDPR, and strictnein's response seemed to argue that the underlying premise should be invalid.

My comment was to point to a counter-example that is already widely supported.

eesmith 73 days ago [flagged]

Downvoted? Why? By people who defend the sovereign right to carry out war crimes?


I think offering the service means being available. They would have to block EU users in order to not offer to them.


Read recital 23. The mere accessibility of a website to people in EU is not sufficient to determine if EU persons are targeted.


"offering" is not a critical word here, you almost certainly can't weasel out of the regulations by claiming you're not actively "offering" anything. If you put it online and EU users use it, you're offering it to them.



Even if HN isn't compliant, I doubt any European country has jurisdiction over Y Combinator Management LLC, because they don't do business with any European residents.


If they invest in European companies and have European LPs then they certainly do.


Regarding the guidance for Australian businesses and GDPR [1], if there are a few users based in the EU, would their whole website need to comply?

[1] https://www.oaic.gov.au/media-and-speeches/news/general-data...


Why would it need to be compliant? Ycombinator is not a European company.


But if they hold and manage data for users who reside in the EU (which they do), then I believe the rules apply too.

From what I can gather, if a user in the EU approaches HN and asks for their profile data and posts to be removed, then that falls under the GDPR laws.


No, laws don't work that way. American first amendment rights, for instance, don't extend to websites based in Europe.

You don't get to bring your laws and rights with you when you visit a website that's hosted and run in a foreign country.

edit: clarified European based websites


This depends. Those laws could absolutely be enforced if, for example, Paul Graham tried to travel to Germany.

You may not agree with the ethics of that, but that's how it works in practice. Now whether or not the EU will attempt to enforce the GDPR that strongly is another question.


This is pure nonsense.

You might learn that the GDPR only applies to businesses located in the EU or who pursue EU citizens. It does not mean that if you use Google Analytics and an EU citizen stumbles upon your site you are suddenly in violation. It is not some sort of magical global law that applies to every business in the world.

The amount of FUD and ignorance and nonsense about the GDPR is getting out of control. Why not do some research? Or actually read the regulation?

Anyways I see it's a lost cause but I find it remarkable how much BS about this topic exists from a community that prides itself on its technology acumen.


None of what I said is nonsense. The EU absolutely could enforce GDPR regulations on businesses which are not based in the EU, if persons involved in those businesses attempted to travel to the EU. That's not FUD, that's why Edward Snowden isn't going to hop on a plane back to the US anytime soon.

Your argument about "pursue" falls under the umbrella of

>Now whether or not the EU will attempt to enforce the GDPR that strongly is another question.

Pursue isn't currently a fully defined term. Is pursuing specifically advertising and marketing towards? Or is it simply allowing to register? If I use PayPal as a payment service, which allows EU citizens to pay, am I pursuing them since they can now purchase my service?

Fwiw, I agree that it's unlikely that HN is violating the GDPR, and it's even more unlikely that HN will be chased for any violations it did commit. But calling others' more cautious interpretation of the law "nonsense" isn't particularly productive, especially when I wasn't even commenting on the GDPR in the first place, but instead on broader ways that international law works.


All of this is spelled out in the law.

> Pursue isn't currently a fully defined term.

This is pure FUD. This is fully defined; that's what makes it a binding legislative act.

Let's go to the actual law:

Article 3: Territorial Scope [1] spells out the explicit territorial scope.

> the monitoring of their behaviour as far as their behaviour takes place within the Union.

Oh, sounds scary. The latter part is clarified [2]:

> Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

There's a ton of nonsense about this on HN right now but anybody who's actually read the law should understand that the intention of the law is to prevent non-consensual surveillance of EU citizens. The idea that if somebody who stumbles upon your website and you log their IP address makes you subject is pure FUD. The idea that the EU will pursue American sites who don't target the EU is pure FUD. But the biggest FUD of all is this notion that the EU even has some sort of legal enforcement mechanisms independent of a Member State. As they say, that's not how any of this works. There are no "EU cops" waiting at the airport. Please.

[1] https://gdpr-info.eu/art-3-gdpr/

[2] https://www.gdpreu.org/the-regulation/who-must-comply/


> ... the biggest FUD of all is this notion that the EU even has some sort of legal enforcement mechanisms independent of a Member State.

In that case, I'm not sure how to interpret Microsoft v. Commission (triggered by EC, ruled by ECJ), or how to make sense of the fact that the EU, IIRC, has its own (non-state) representative at the WTO, which in turn has its own (state-independent) dispute resolution system, with capacity to inflict trade sanctions.

The 'cops' analogy might be very misleading here, right?


>Oh, sounds scary. The latter part is clarified [2]:

And according to that clarification, having PayPal as a payment processor might make it apparent that the controller envisages offering goods or services to data subjects in the Union. That's what I said. Or it might not. It's not fully defined. A cautious interpretation makes sense.

>There are no "EU cops" waiting at the airport. Please.

And to be clear, I never said there were. I was making the point that, contrary to g-g-great-grandparent, it is absolutely possible for a country to exert control over the actions of people outside its borders, assuming those people might have interest in international travel.

If you're going to keep yelling FUD about things, you should first confine yourself to calling out things people are actually saying, instead of creating ridiculous strawpeople. It's not productive to call people out for saying ridiculous things that they didn't actually say.

dnomad 73 days ago [flagged]

> And according to that clarification, having paypal as a payment processor might make it apparent that the controller envisages offering goods or services to data subjects in the union. That's what I said. Or it might not. Its not fully defined

This is not true. Using a payment processor or accepting credit cards in no way constitutes targeting of EU customers. In that scenario you are neither data controller nor processor, in fact. I think, like a lot of posters in this thread, you've spent virtually zero time understanding the law and are just echoing FUD.


And it's very courageous of you that you're willing to risk other people's money to that effect :)

It's quite odd that you're calling a statement that amounts to "in the presence of untested law, caution is warranted" FUD.

That's not even controversial. Your entire argument is predicated on you understanding the law better than everyone else. And well, I'm not particularly confident in a person whose most used word is "FUD" and who began a conversation by misunderstanding what I was saying. What reason do I have to believe you?


Ya, but good luck traveling to Europe ever again.


If that is truly the case, then I suspect we will see more and more sites refuse service to Europeans.

Are Europeans permitted to decline to be covered under the GDPR? (In exchange for being permitted to use such sites?)


I was wondering the same. I wonder where this falls if the EU resident is using a VPN. It'd likely still be on the site owner to prove that were the case.


Legal jurisdiction does not work that way.

Let's say Iran passed a law saying that it's illegal for anyone anywhere in the world to supply alcohol to a citizen of Iran, and that anyone selling alcohol must verify that their customers are citizens of not-Iran. When they attempt to enforce that against a German beer hall, they'll get laughed out of German court. Selling beer to adults is legal in Germany, no matter where they're from.

Likewise, the EU has no ability to enforce laws against American companies that don't have a physical presence in the EU.


IANAL. This is not the case.

Your analogy would be accurate if it went something like that beer garden in Germany decided to start selling beer online, and began taking international orders, including ones from Iran.

Your physical presence on the web is irrelevant. By putting yourself, or your business online, you are subjecting yourself to whatever regulations exist in the place your user is accessing your product.

As stated elsewhere here - enforceability is another topic.


Is there any reason why HN would be bound by EU laws, if it's not a European organization? What other countries laws should it be bound by, other than the ones it operates in?


Currently it may not be bound by them. But it could find itself in a situation where it matters - for example when working with / providing service to / getting service from another company in the EU which asks "so, are you GDPR compliant?" Given what HN does, that's not very likely though.


How would one manage to sidestep GDPR responsibilities? If it made sense, could you opt to block EU based IP addresses? You'd also have to ensure that any past data you have is cleansed of EU based users which could be tricky.


"Come and take them."


Unfortunately GDPR affects any site/company that has EU visitors, which is nearly all sites.


Fortunately GDPR affects any site/company that has EU visitors, which is nearly all sites.


No, it simply doesn't. If you've been told this you've been informed incorrectly.


The EU government would certainly like that to be the case, but it's not clear why it would be. If the US passed a law that required citizens of other countries to pay a $20/year tax (say, a GPS license fee), would that be enforceable?


I was under the impression that it only affects businesses which do business in the EU, meaning they have an officially registered company within the EU.

If my random little website isn't GDPR compliant, what is their strategy for getting me to pay the restitution if I'm not doing business in the EU? Where do the fines go? How could they force me to pay them? The worst they can do is block access to the website, but I haven't read anything which suggests that is written in the law.


What happens if a non-European company doesn't comply?


Because it has people from Europe accessing the site.


Okay, so now let's say your website is found non-compliant. You're a tiny operation in the US with absolutely no presence in the EU. The EU has absolutely no way to exert power over you.


Do you feel that Europeans have been "targeted"?

https://gdpr-info.eu/recitals/no-23/



Short answer: No, but it doesn’t matter.

If you are a non-EU business, that is, a business with no legal presence or employees in the EU, then you can comfortably skip GDPR compliance with minimal risk (some unknown obscure treaty provision?).

#notalawyer


That's actually not true in terms of the GDPR. A company, simply, only needs to have an EU citizen as a customer for the company to be regulated by the GDPR. [1]

[1] https://www.forbes.com/sites/forbestechcouncil/2017/12/04/ye...


Yes. It SAYS that. However it’s about enforcement.

Dumb example: Blasphemy is illegal in Ireland but Irish Gov can’t enforce that law in France.


No, it's not.


Does the fact that HN is not using this data to generate revenue impact their need to comply? Being charged 4% (or whatever) of HN's revenue as a penalty would seem to be $0.


4% or 20 million whichever is greater


Ouch.


HN is the content marketing platform for YC which makes a lot of money.


Threads like this make me like GDPR more and more.

Arrogant Americans coming in 'It doesn't have jurisdiction over American companies'. Wholly misinformed.


How do you expect the EU to enforce the GDPR extraterritorially? Like, do you expect the USA to comply with an EU request to impose a fine? Or do you think they'll be successful in pushing enforcement out through the target's customers and vendors, similar to US extraterritorial application of its financial laws on banks?

My personal guess is that everyone with shady business models will move offshore, and the EU will play a marginal game of whack-a-mole trying to coerce them through their vendors and customers, especially payment processors, similar to American enforcement of online gambling laws. I expect the GDPR to be effective on large companies that want to portray themselves as respectable, and ineffective on everyone else.


EU can sue American companies without getting US government approval/ involvement as long as they have operations here.

>Or do you think they'll be successful in pushing enforcement out through the target's customers and vendors, similar to US extraterritorial application of its financial laws on banks?

At least somewhat of a deterrence. As if American KYC & AML laws are completely ineffective.

>My personal guess is that everyone with shady business models will move offshore, and the EU will play a marginal game of whack-a-mole trying to coerce them through their vendors and customers, especially payment processors, similar to American enforcement of online gambling laws. I expect the GDPR to be effective on large companies that want to portray themselves as respectable, and ineffective on everyone else.

Implying the big companies aren't the ones with the 'shady business models'? My view is that this is specifically made for the big companies.


By "shady business model", I mean something like "business model dependent on breaking the GDPR". Facebook seems almost surely still profitable while complying, just not quite so spectacularly so. Many e.g. data brokers probably aren't. Their choice then becomes to disappear or go offshore. I think many will choose the latter. American extraterritorial enforcement of its financial laws is the most successful example of such enforcement that I know, and it's still easy to fund an online poker account.

I'd agree that the GDPR is designed for large companies, and will genuinely improve their behavior. I think its effects will be similar e.g. to American cities with very strong and complex tenant protections--we create a class of large, politically-connected operators with the resources to comply, and a class of shady operators one step ahead of the law. There's little in between--if you lack the resources to be absolutely certain you comply, and the punishments for large and small noncompliance are both catastrophic, then you might as well go all the way. (Yes, I expect the regulators to mostly exercise reasonable discretion. No, I don't want the discretion of a mid-level bureaucrat to be the only thing between me and financial ruin.) That part doesn't seem positive to me.

Aside: I wonder how many people promoting heavy-handed enforcement of data protection laws without regard for the second-order consequences have argued against heavy-handed enforcement of drug laws without regard for the second-order consequences...


You will like it until the day those "Arrogant Americans" have effectively banned you from most of the internet, with the exception of the largest sites, and those based in Europe.

If you want the GDPR to have jurisdiction over American companies, American companies will simply refuse to do business with you.


Even if this was the case - if companies treating their customers' data like shit vanish from the European market, I'd be really happy. Not a big loss at all. :)

Additionally, leaving the European market opens up a big opportunity for EU-companies. Basically, that's the way to go if you want to wreck American dominance over the Internet (and the companies which matter know that very well, which is exactly why they are NOT dropping the EU).

For European citizens it's a win either way. That's why nobody is impressed by your threats; they just look like people pissed off because the EU is now doing what the USA has been doing for decades: meddling in other countries' sovereignty. (If you want to interpret it that way, which imho is wrong.)



