CoinTouch.com shuts down, citing EU GDPR regulations (cointouch.com)
10 points by cbeach on May 3, 2018 | hide | past | favorite | 41 comments



I just want to point out that this is the same creator as StreetLend[0], who has previously posted the same thing but under their other startup.

[0] https://news.ycombinator.com/item?id=16954306


Really, it's just more FUD.

> GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher) if they do not jump through a number of ambiguously-defined hoops.

...No. GDPR certainly doesn't. The often quoted "4% of revenue" fines are the upper bound of fines for serious, intentional and continuous violations.[1] Spreading information like this is almost certainly the textbook definition of FUD.

GDPR is, largely, 'common sense' regulation. At the gist of it is "be responsible with users data". If you want to store personally identifiable information, that comes with it a set of responsibilities that you have to keep on top of. Delete data when users ask for it. Inform users about what you do with their data. I really think that's the minimum you could ask for.

Edited fines to align closer to the language used in the actual regulation

[1]: https://en.wikipedia.org/wiki/General_Data_Protection_Regula...


> The often quoted "4% of revenue" fines are the last step after warnings and smaller fines.

Are you making a legally binding guarantee there?


This comment right here is a perfect example of FUD.


And the author of this post is none other than Chris Beach, the author of both applications.


Note that a reference to the closure of StreetLend is included on this page about the shutdown of CoinTouch.

No shenanigans intended.

Thanks for linking to the prior discussion.


> Young websites and non-profits cannot afford legal teams. Therefore the risk posed by GDPR is unacceptably high.

I was going to post something on the previous post (re: StreetLend), but I guess I'll say it here: this is a bunch of nonsense. There are plenty of other regulations that can land a young startup in hot water (DMCA, for one, which, by the way, carries a 5-year potential jail sentence as a penalty) and yet we're seeing more tech startups in 2018 than we did in 1998, not less.

This whole hoopla is just posturing.


DMCA is trivial to comply with compared to GDPR. The two aren't even remotely comparable.

PCI is more comparable and it would take roughly speaking 16 years of negligence to rack up the MINIMUM fine for GDPR.

As people pointed out you are unlikely to actually get fined. They say only egregious violations will get fined but the risk is huge in comparison so even if there is a 0.01% chance that may be too risky for many businesses.


Is it really trivial though? You can be jailed as an accessory under DMCA for not filtering user content or not responding to takedown notices. (Even if it just was a mail server malfunction.)

Compared to this, GDPR is a walk in the park, mostly identical to current privacy laws in the more aggressively private countries in the EU.


> DMCA is trivial to comply with compared to GDPR.

No it's not. Especially when you run a 'social' website like a forum, reddit, 4chan, Twitter, giphy, imgur, etc.


> rack up the MINIMUM fine for GDPR

What's the minimum fine for GDPR?


I keep seeing this sort of claim:

> The law, combined with parasitic no-win-no-fee legal firms, puts website owners at risk of vindictive reporting. Young websites and non-profits cannot afford legal teams. Therefore the risk posed by GDPR is unacceptably high.

Perhaps there is a legal difference in the UK/EU that I'm missing, but surely you could be operating this business under a limited liability entity, in which case the worst-case situation is you get a GDPR lawsuit, and fold your entity at no personal cost.

In the best case, you don't get a GDPR lawsuit because i) it's actually not as bad as the FUD is making out, or ii) you get lucky. Either way, you didn't need to shut down your website.

If you can't/won't spend the money to set up a limited liability vehicle, that's a different matter entirely than you "cannot afford [a] legal team". The former is O($100), the latter is O($10k) or higher. So yes, a new barrier for hobbyists, but not in a different order of magnitude than server costs.


Many independent developers / geeks are afraid of any regulation, regardless of its merits or whether they are potentially compliant or not. They only want to write code, not to investigate/fear compliance. GDPR is a hammer that hit the very small start-up landscape pretty hard.


Isn't this exactly what incorporation sets out to solve? It limits the liability between the person and the company / website.

I feel like Stripe Atlas should be getting a surge of sign ups from people who realize they need to put a firewall between their hobbies and their personal assets as a result of GDPR.


Even with whatever streamlining Stripe Atlas provides, going through that process requires making a lot of decisions, outside a typical developer's scope of expertise, that really make it obvious that this is no longer a hobby and it's now a business. That's enough to make a developer decide to just shut down a casual side project application or service, especially if it isn't making money.


Exactly. This is a very small startup killer.

Who wants to launch a side project and be faced with the prospect of $20M fines if someone from the EU signs up and decides to blow them in to regulators for whatever obscure way their side project isn’t compliant...

What’s worse is that it’s not entirely clear how to comply. I’ve spent countless hours now just trying to figure out what it all means and get specific, actionable ways to comply for my apps.

Unfortunately, it has drastically changed the projects I am considering moving forward.


>Who wants to launch a side project and be faced with the prospect of $20M fines

Either your side projects are tremendously successful or tremendously unethical, can't really tell which.

$20M is very ambitious either way.


€20M is the fine that would be imposed if they determine you are negligent, not what the OP is saying is the revenue of their startup.

The way the sanctions appear to be defined is that they are 4% or €20M, whichever is HIGHER. Which means you could potentially be liable for €20M even if you only have a few thousand dollars in revenue.

Now it is yet to be seen who, if anyone, they would impose that penalty on, but I agree with the OP that it does seem like a very real possibility, and getting hit with the fine could be devastating. I can see why it could have a chilling effect on startups.


We have decades of experience of EU regulation.

Please can you link to any cases given the highest fines?

The UK's ICO has never imposed the highest fine. The closest they got was imposing £400,000 on TalkTalk. TalkTalk's situation was that they'd done nothing to protect user data, and hackers stole over 150,000 people's information. And 15,000 of those included bank details.

If your side project exposes 15,000 bank details you need to look after that data.

https://ico.org.uk/about-the-ico/news-and-events/news-and-bl...


>not what the op is saying is the revenue of their startup

It seems like OP is suggesting that their side projects revenue would be far higher than 20M, so he could qualify for such a fine.

>Now it is yet to be seen who if any they would impose that penalty on but I agree with op it does seem like a very real possibility getting hit with the fine could be devastating

Why do you expect the GDPR to be so vastly different from other European regulations?


The side projects I'm considering are straight SaaS plays. The business model is not "let's acquire a bunch of users and sell their data." In fact, if I sold user data I'd be out of business quickly because my customers would revolt.

Why should I be punished by GDPR?

Every conversation on HN seems to think that people are out selling user data in nefarious ways just to make a buck. Some of us don't do that - and we're pissed that we have to be punished as a result...


You wouldn't be punished by GDPR, unless you're ignoring industry standard practice to protect that user data.

The businesses who use your service have to protect the data of their users or employees. That includes making sure any services they pass data on to are GDPR compliant.


If a court determines that your side project needs to pay €20M, then I think you'll be able to afford it.


So you would launch a side project that generates no revenue (at first) on the whims of a potential fine from a court in a country you don't reside in?


How do you breathe? Write HN comments?

Honestly this kind of paranoia doesn't sound healthy at all.


Eh. Cost of 'doing business'. I saw the analogy last time when the same author posted their last "I'm shutting this down because of GDPR" post - chefs still have to follow food safety regulations, even if they just want to cook food.

You want to write code? Deploy it to localhost:8000.

You want to launch something online and collect user data? Be responsible with it.


> Eh. Cost of 'doing business'.

For fun, let's say I visited one of your personal projects websites, say something like a tax estimator, and it uses Google Analytics, maybe some web fonts, and let's say you're serving ads on that website so that you can make it support its own web hosting fee. It's also hosted on your own server. Therefore you are storing and processing my data, for someone else, and perhaps for your own internal usage as well to determine if your tax estimator project is worth pursuing or keeping online.

Unfortunately when I visited your theoretical side project, you did not inform me that you are storing or processing my personal information!

What are you doing with my personal information, like my IP address?

I'd like to request a copy of my personal information from your side project.

I'd also like to update my personal information as stored on your side project, so that it is kept accurate.

I'd also like to request a copy of my personal data be delivered to a third party of my choosing.

Have you appointed a data protection officer for this side-project yet?

Have you appointed a representative within the EU yet?

Can I get a copy of all the contracts you have in place with data processors you may be using?

Finally, I'd like to request my personal data from your personal project website, and I'd like you to delete it from your servers and all services that were accessed via your website.

Sound good? How's your side project going? Is this onerous yet? This is just a "cost of doing business" with your side project, right?


> Is this onerous yet? This is just a "cost of doing business" with your side project, right?

If your side project is collecting personal data ( an IP address alone doesn't qualify ) then ethics alone should compel you to comply with such requests, regardless of GDPR. You have appointed yourself custodian of other people's data, but without any responsibility?

Hopefully GDPR will result in two changes:

1. Design-time consideration of data management

2. Minimisation of the amount of data collected

Both of which would result in better, simpler software.


>( an IP address alone doesn't qualify )

You are wrong. You need to brush up on GDPR.

An IP address, metadata, cookie ID, "online identifiers", etc are considered personal data by GDPR, all data that is collected by virtually every single website, service, or app in the world at some level, either directly through an analytics platform, web font, external library, social engagement, ads, affiliate, input form, third party login services, or even the server itself. That is in addition to names, addresses, phone, email addresses, location, social media, health data, etc.
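
The comment above points out that a web server's own access log already holds personal data (the client IP) before any analytics script runs, and a later comment hopes GDPR pushes people toward data minimisation. As an added example, not code from this thread or from CoinTouch, here is one way a hobby project can minimise what it keeps: strip the host part of each logged address before the line is written, keeping IPv4 to a /24 and IPv6 to a /48 (the same granularity Google Analytics uses for its "IP anonymisation" option). The log lines, the prefix lengths and the `-` placeholder for unparseable hosts are this example's own choices, not anything the thread specifies; whether truncation alone counts as anonymisation rather than pseudonymisation is a legal question this code does not settle, and the safest option remains not logging the address at all.

```python
import ipaddress

# Constructed sample lines in Apache/nginx "combined" log format.
# These are documentation-range addresses (RFC 5737 / RFC 3849), not real traffic.
SAMPLE_LOG = """\
203.0.113.57 - - [03/May/2018:10:12:01 +0000] "GET /estimate HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
2001:db8:1234:5678:abcd::1 - - [03/May/2018:10:12:09 +0000] "POST /estimate HTTP/1.1" 200 97 "-" "curl/7.58.0"
::ffff:203.0.113.57 - - [03/May/2018:10:12:10 +0000] "GET /static/app.js HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
not-an-ip - - [03/May/2018:10:12:11 +0000] "GET / HTTP/1.1" 400 0 "-" "-"
"""

# Prefix lengths to keep; everything below them is zeroed.  Assumed values,
# chosen to match the common "drop the last octet / last 80 bits" practice.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48

# Placeholder written when the host field is not a parseable address.
UNPARSEABLE = "-"


def anonymize_ip(ip_text: str) -> str:
    """Return ip_text with its host bits zeroed, or UNPARSEABLE if it is not an IP.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first, otherwise a
    /48 on the IPv6 form would collapse every such client to "::" and lose the
    coarse geography that a /24 would have kept.
    """
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return UNPARSEABLE
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    # strict=False lets ip_network discard the host bits instead of raising.
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def anonymize_log_line(line: str) -> str:
    """Rewrite the leading host field of one combined-format log line."""
    host, sep, rest = line.partition(" ")
    if not sep:
        # A line with no space cannot be combined format; leave it untouched.
        return line
    return f"{anonymize_ip(host)} {rest}"


def anonymize_log(text: str) -> str:
    """Rewrite every line of a log; suitable for a pipe before the file is written."""
    return "\n".join(anonymize_log_line(line) for line in text.splitlines())


if __name__ == "__main__":
    print(anonymize_log(SAMPLE_LOG))
```

Run it as a filter (`python3 anonymize_log.py`) or call `anonymize_log_line` from whatever writes the access log; the point is that the full address never reaches disk, so there is nothing to hand over, rectify or erase later for that field. Note that the user agent, referrer and any query string in the request line can still identify a person, and this example deliberately leaves them alone so the truncation it does perform is not mistaken for a complete answer.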


Heh. Unsure if you got this on a fluke or you know me/looked me up - do you mean my site https://austax.money? I don't have ads though.

Look - to be honest, that's probably something I need to think about some time soon. A very realistic probability might be that I can't be bothered looking too much in depth and I'll just shut it down, but I won't be too upset about that.

Only thing is that I won't go spreading some diatribe around the internet about how EU regulation is killing me. I will acknowledge that it was my own laziness that led to me shutting down the hobby tool I built a few years ago and no longer have a need for.


Hypothetically, though it looks like you also have side projects that are relevant to the topic. I would assume nearly everyone on HackerNews has or had side projects that are using similar third party data processing, analytics, ads, and perhaps even their own Linode hosting such projects, all gathering what GDPR determines is "personal data" like IP addresses, or maybe email addresses and names for signups and so forth. Now do you see why this is a hassle?

But really, how do you plan on complying with GDPR for your side projects?

> I will acknowledge that it was my own laziness that led to me shutting down the hobby tool I built a few years ago and no longer have a need for.

What if that hobby was ramen profitable? Same decision?


How about obtaining a "programmer license" if you want your server to be publicly available on the internet? Would that be a good next step?


> You want to launch something online and collect user data? Be responsible with it.

You imply I should "be responsible" in return for the value I'm getting from the user data?

If so, you're wrong about the value part. I don't see any value in data from users - I see it as a dangerous liability and something I'd rather was not stored on my servers.

I code in order to provide a service, which I do because it's satisfying to use my skill to build something I'm proud of, and something that helps other people out.

I do not code to collect user data.

And, by the way, I am responsible with user data - probably more so than many large organisations with the legal capacity to defend against GDPR claims.


I'll stop the implications and be explicit: the moment you consciously put a form out on the internet and invite users to enter their personal information, and you store it, you must be responsible for it. Not "in return" for anything - you collected the data, so it's your responsibility.

In the same way, a chef who, for the love of their art, opens a street food stall and sells food is responsible for the food they're handing out. They have to make sure that they're following safe and healthy food preparation guidelines.


Perhaps you could stop the implications that I'm being irresponsible with data, or that I plan to be.

The GDPR is a flawed, ambiguous law that will not turn all website creators into responsible actors overnight.

Instead, the GDPR will just create more fodder for vexatious claims - more opportunities for a minority of unscrupulous lawyers to monetise the pain of creators.


But there's already 'ambiguous laws' (laws have to be ambiguous btw if they want to remain relevant) that you could be fined over! I don't really get the new problem with GDPR specifically.

> Perhaps you could stop the implications that I'm being irresponsible with data, or that I plan to be.

Look, I don't think that you're irresponsible with data. In the same way that food safety regulations don't imply that restaurants are being unhygienic. Honestly, my gut feeling here is that these were just some minor side projects that you were rather ambivalent about before anyway and you decided that GDPR was enough to 'pull the plug' on a bunch of side projects that were already on life support.


> The law, combined with parasitic no-win-no-fee legal firms, puts website owners at risk of vindictive reporting.

OP has misunderstood how the law operates.

It's not possible for an individual to take legal action. The regulator does this. The fines are fines, and they're imposed by the regulator and paid to the regulator. They're not compensation paid to the victim.

This means there's no payout for lawyers.

OP got this badly wrong, which makes me think they know very little about GDPR and are just making some political point about regulation.


I guess you're based in the UK, were you previously compliant with the Data Protection Act 1998?

If not, this seems rather stupid.


Any US lawyers want to comment on how GDPR, an EU regulation, impacts US-based businesses, startups, hobbyists, etc?

If it's an EU law, if they're based in the USA can they simply ignore the EU law? Or move to the USA?


IANAL but this depends entirely on how much exposure you have in the EU. If you have none, then you can safely ignore GDPR.


Good, one less website owned by irresponsible people in existence. :-)



