
A GDPR-like law would open up entirely new ways of doing business partly because these companies could no longer do business the way they are. “Free” services could no longer make their money by selling your data.

You're completely disregarding the fact that it takes significant resources to comply with a law like GDPR. Insurance to defray the costs of potential litigation and fines, development time, ongoing compliance (audits etc.), legal expenses, and on and on. Most startups simply can't afford this.

So you may wind up with more "honest" services, but there will be far fewer of them and they'll have more power and leverage than they ever have before because of the lack of competitors and artificial, enormous regulatory barriers to entry. GDPR is a startup killer.




I'm not disregarding the cost of compliance. In fact it's implicit in my argument. Some business models would no longer make sense. Others would look more attractive. It would increase the cost of, or completely do away with, doing things certain ways which naturally opens the door to doing things differently. Yes, there likely would be fewer services initially.

"Insurance to defray the costs of potential litigation and fines, development time, ongoing compliance...GDPR is a startup killer"

That doesn't have to be the case. The law could easily carve out a "safe harbor" of sorts for companies that commit to not gathering or storing any but the most basic information about their visitors.

"... there will be far fewer of them and they'll have more power..."

Or existing companies could lose a lot of power and leverage because their business model doesn't make sense. New ones could pop up in their place.

I'm more than willing to give up tyrants like Facebook and Equifax for the right to control my own private data.

Privacy is good, long live disruption!


I'm more than willing to give up tyrants like Facebook and Equifax for the right to control my own private data.

You’re missing the point. These “tyrants” can fully afford to comply (while paying scores of legal staff to scour the law to find and exploit every possible loophole), but startups can’t. That means no competitors will be able to emerge and challenge them. These companies will still be able to do much of whatever they want simply because consumers won’t have a choice. GDPR consolidates market power in the hands of entrenched competitors that can afford to comply.

Privacy is good, long live disruption!

Privacy is good. Killing the ability for startups to compete is bad.


Wait, but if those hypothetically competitive startups can only compete because they can trample my privacy, why the heck do I want them?

I mean, it’s not like Facebook and Google aren’t already big enough to smother would-be competition in the cradle. In the other scenario competition may still be smothered, but I still get some regulatory privacy protections.

EDIT: Also, as a matter of principle, I’d gladly see dozens of startups burn if it meant broad privacy protection were enacted.


Wait, but if those hypothetically competitive startups can only compete because they can trample my privacy, why the heck do I want them?

GDPR compliance and "trampling your privacy" are not remotely related. GDPR is massive overkill and unnecessarily burdensome.

I’d gladly see dozens of startups burn if it meant broad privacy protection were enacted.

EU startups will burn - not dozens though, hundreds or thousands of them - and even more will never get the funding to start because no one wants to invest in a business that can be killed instantly by massive fines at the whim of the government. US startups will thrive because they are not subject to GDPR if they don't target EU customers, even if there is some incidental EU traffic to their sites. I don't have to protect your information GDPR style on my US site, even if you are from Germany, as long as I'm not actively trying to get people from the EU to my site. But most sites outside the EU will just block EU traffic anyway (which is what we decided to do). So enjoy your new, smaller Internet with companies that will "trample your privacy" anyway because you have no competitors to go to for their services. Yes, you will be informed about what they're doing in vague terms, and yes you will have given them "informed consent"....but is it really consent if you have to give it because there are no alternatives?


I think you're disregarding that these are huge companies whose business models and moats would be significantly disrupted by a GDPR-like law. To quote GoT, chaos is a ladder. This could help new innovative companies compete, at least in the short term, against these established behemoths.


This could help new innovative companies compete, at least in the short term, against these established behemoths.

Again, most “new innovative” companies can’t afford to comply with laws like GDPR.


I have seen this narrative parroted quite frequently, but it's false. GDPR isn't as crushing as people currently feel it is, but it will force companies to adopt better policies to avoid problems. Startups right now are best positioned to make the transition whereas the behemoths will be forced into significant spends on legal fees or insurance - not to mention scandals such as the Facebook debacle that has so many people up in arms.

Disruption is startup paradise.


Having just led the GDPR effort at my company, I disagree. It's absolutely a burden. It slows down sales and makes customer relationships more difficult and expensive. Any custom integration we do needs to have a custom data processing agreement put into place and reviewed by a lawyer. I now find myself paying lots of new fees to various places: the ITA, DPA, the Swiss data authority, and organizations like ISSA. It forced us to get a more expensive insurance policy.

On top of that, the technical controls were actually expensive to implement. The issue is not that consent is hard to revoke or that data is hard to delete. It's that everything needs to be auditable. Under a strict reading, you need to have an audit trail of every processing activity. Anytime a user profile is edited for any reason, even just an automated removal of whitespace, is supposed to be auditable and made notifiable to the user. Anytime you refresh a user's Instagram stats, you need to have an audit of that. Most companies don't go this far, but it's a huge risk to do anything less because we don't know what fines are going to look like in practice yet.

Plus the fact that we just spent $15k in legal fees going over our new privacy policy, data protection policy, updated MSA, updated order form, new user agreement, etc, I can say with confidence that it is indeed expensive and burdensome.


I have seen this narrative parroted quite frequently, but it's false. GDPR isn't as crushing as people currently feel it is

You’re saying this based on what exactly? Have you actually been in charge of trying to comply? I have. For us, it was going to be a 7 figure endeavor (upfront, and then 6 figures/yr for ongoing compliance, insurance, etc.) and we are pretty small (a few million visitors/mo spread across several sites). We made the decision to just block EU traffic, even though we have been advised that GDPR probably doesn’t apply to us anyway. I can’t have one of the 28 countries that GDPR applies to randomly decide that it applies to me because they’re a little short on tax revenue that month, then have an expensive legal fight that will end in a multimillion-dollar fine anyway.


Citation needed


We're a small business and it cost us about $50k to become compliant, if you add up the legal fees and hours spent on technology. We are also forced to get a more expensive insurance policy.


Citation needed for what? For proving that GDPR compliance is expensive?

https://iapp.org/news/a/recent-survey-shows-gdpr-compliance-...

https://www.ft.com/content/0d47ffe4-ccb6-11e7-b781-794ce08b2...

https://www.dri.org/home/2018/02/26/gdpr-it-s-coming-it-s-ex...

https://www.wandera.com/blog/gdpr-expensive-data-breach-pena...

Those were just on the first page of Google. There are hundreds of others. That's not even counting my own experience with it.



