GDPR: Don't Panic (jacquesmattheij.com)
863 points by grabeh 4 months ago | 800 comments



For those of you understandably intimidated by the GDPR regulations themselves, here's a good summary in plain English: https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...

The UK's ICO also has a good structured summary: https://ico.org.uk/for-organisations/guide-to-the-general-da...

In general I agree with the sentiments in this article. I've probably spent a total of three to four days reading around the GDPR and I don't really see what's special about this law other than it's imposing decent standards on what was in effect a wildly unregulated industry in people's personal data. If you have a broad distrust of any government activity then I suppose any new laws with "fines up to €X" might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.


There is nothing - and I do mean nothing - written into the GDPR that requires any warnings of any kind, or places any limits on fines, except for $10/$20 million or 4% of revenue, whichever is greater. Period. A multimillion-dollar fine without warning for a first, minor violation is perfectly lawful under GDPR. The idea that "yes it says that but we can trust EU regulators to not assess large fines against foreign companies, even though they would benefit handsomely from them" rings hollow to me.


I think you and everyone making similar points in this thread are getting tripped up by the difference between rules-based regulation and principles-based regulation. This is unsurprising, given that the US is so heavily rules-based, but the EU (certainly the UK) has a long history of principles-based regulation.

In rules-based regulation, all the rules are spelled out in advance, and the regulator is basically an automaton once the rules are set. In principles-based regulation, the rules are extensive rather than complete and you expect the regulator to have some latitude (and, if the system is well designed, a mechanism of recourse if they do something stupid).

An advocate of rules-based regulation would say this can make regulators unpredictable and capricious. An advocate of principles-based regulation would say it is an important safeguard against "rules-lawyering" and regulatory capture (especially the kind that ties new entrants up in check-box compliance that doesn't actually affect your business because all the rules have been worked around).

A classic example would be the time PayPal tried to tell the UK regulators they shouldn't be regulated like a financial institution (which is a claim they successfully made in the US). They pointed to chapter and verse of the relevant law, and said that according to subparagraph 2.b.c(iii)... and the relevant regulator essentially told them "shut up, you keep consumers' money for them and will be treated accordingly". As a result, the worst "PayPal took all my money and I can't get it back" stories generally do not come from the UK. (And when they do, they are accompanied by referrals to the Financial Conduct Authority, who have teeth.)

You can approve of this way of working or not, but the GDPR is a principles-based regulation, and you'll have to engage with it on those terms.


What you dub principles-based regulation others call trust-based regulation, or randomly-enforced regulation, or we-know-it-when-we-see-it-based regulation. Some don't appreciate this type of regulation.

I think the unfortunate thing is that, when the previous/existing incarnations of these protection laws were/remain unenforced, many assumed it was because of lack of "teeth". But those of us familiar with how these principles-based regulatory bodies work know that it's more about confusion and regulator apathy. Nobody here is watching the watchers. Instead, there's a bunch of people foaming at the mouth with pitchforks asking for more laws and dismissing alternative concerns as hysteria or not understanding how laws work. We should be discussing how to solve the problem, yet we continually devolve to discussing the government-led solution presumably because we feel helpless and can't consider better options.


And rules-based regulation means you commit 3 felonies per day https://www.wsj.com/articles/SB10001424052748704471504574438...


Going on a bit of a tangent here, I am becoming concerned with how we discuss these things. You're completely either for or against it. And if you're against one way you are automatically for the other. If you think one thing is bad, obviously you need to be corrected that other thing is bad too. And then you'll get extreme examples showing it. Call it whataboutism, appeal to emotion, whatever.

Every time these GDPR discussions come up, someone is always quick to say the US is worse, US is getting a taste of its own medicine, that dissenters must want surreptitious data collection, and on and on. Oddly enough, bringing it full circle, the tendencies for humans to argue in these directions instead of stay focused on the issue at hand make me glad to have more strict boundaries that are less subject to the whims of idle thought. Obviously this can't be absolute, so we should craft our rules to limit their scope at least from the outset. It's not about one country/continent vs another, it's about the goals and how they are achieved. Some believe and/or have experienced difficulties conforming to all sorts of government rules, it is a human thing not a location one. IMO, we need to stop deflecting and we need to stop being so absolute. People that are feeling pain of impending laws are not hysterical and laws are not magically OK because other forms/interpretations have downsides.


I think this is a situation where it's easy to see the mote in someone else's eye. I tried to provide a summary using the standard terms for both approaches (in practice, making it clear I preferred a principles-based approach); you jumped up to rebut (in practice, by trying to find the most derogatory synonym for "principles-based regulation" and accusing opponents of "frothing at the mouth"). And then both of us are astonished by the level of partisanship in this argument ;)

It's true, I do think that a more principles-based approach is usually preferable. (And I will happily marshal anecdata to that end!)

But it's naive to think that any approach comes without a cost. Even the PayPal example I mentioned above could be coloured the other way: A company makes a major investment in a foreign market, only to find the rules changed underneath them by a capricious government agency! (Someone brought up IR35 down-thread, and that's an excellent example too.) Is that an acceptable cost for the outcome? I'd look at the overall state of (eg) consumer financial protections in the US vs the UK and say "yes"; but I'm open to evidence-based disagreement.


Meh, I'm less concerned with disagreement (or the words used) than I am with deflection. To be clear, and brief, I am not saying one approach to law is better than another (though I too have my preferences and of course corruption anecdata abound). In this case, I think neither legal approach is preferable with such a large statute. But if we are resigned to this option, one could argue that the size/scope of the legislation can only happen with vagueness and trust. In general I think we could arrive at a GDPR-level statute (at a global level no less) after working up to it. And I don't believe the regulatory bodies' failures themselves justify doubling down on those same failure-causers. I could talk about my suggestions for days, but in general a good set of first steps would be simple transparency requirements for specific uses and tangible enforcement.


> I could talk about my suggestions for days

This sounds like it would make an interesting blog post!


Thank you for bringing this up. I never knew PB law was a thing. I thought it was just poorly written. Being a yank, I just assumed they forgot the corner cases. I am anti-authoritarian by nature so I tend to view authorities as Djinn that must be tightly constrained by wording lest they find a way to misbehave. I would have thought PB would have a higher risk of regulatory capture and corruption of regulators than RB. What is a small business owner's recourse if a regulation is being selectively enforced to favor a competitor? Do they need to find funds to retain legal representation? What if the competitor is much larger?

Edit: I realized this might sound passive aggressive. I like the idea of human judgement in regulation, but I really want to know what checks are commonly used to account for all actors involved potentially being malicious.


I think your tangent is merited and unfortunately there seems to be a lot of polarizing comments (I might have done a couple, but there are some that really go over the top in either direction, like "hiring a lawyer to be your DPO is trivial" or people spreading FUD and saying how they will have to shut access from the EU to their personal site, etc.)

But in essence people are missing the bigger context.


Principles-based regulation means you're still committing the same number of crimes per day if you somehow anger the wrong people. If the local police don't like you, then principles-based laws can be used to single you out and target only you.


They don't need regulation to do that, though


That's a myth, and the article you posted is an op-ed piece with no substance to back up the claim it makes.


The source is the book of that name, written by an US lawyer. There's some discussion and better sources on Google.



It's a meme passed around the right-o-sphere based on deliberately misreading laws and/or constructing insane scenarios.

It has no statistics behind it, just made-up stories.


Remind me to tell Aaron Swartz how abusive & capricious prosecution is just a figment of his imagination...


That's not anywhere close to what we're talking about, and fuck you for making light of his death.


This is it. Thank you, I commented about my local experiences with government in Europe and US/Canada but did not know the correct terms and you're right, I think this is the big difference and a driver of fear outside of the EU. In Canada I found the police, by-law enforcers, and almost any official are essentially rules based robots, very much different to my experience in the UK. Thank you for teaching me about rules-based and principles-based regulation. This is one of the big reasons I enjoy living in Europe tbh, a bit of discretion and old 'common sense' is actually quite an awesome thing.


Why should we trust the EU?

The EU’s digital commissioner said in 2015 that the EU should use regulation to "replace today’s Web search engines, operating systems and social networks" with EU companies.[1]

And they've passed or proposed ridiculous laws like cookie warnings and link taxes. We have reason to be suspicious of their intentions.

1: https://www.wsj.com/articles/eu-digital-chief-urges-regulati...


You have to keep in mind that the EU is not as integrated as the US on a political level. You need diplomatic leeway to get everyone to agree to do anything: instead of saying "this is what we'll do", it's "this is more or less what we do, everyone gets to fill in the details on their own". Without that level of flexibility and autonomy for individual countries, they would block the legal process even more than they are now.

As for the link tax: I would blame the publishers pushing for it, not the EU.


The corpse doesn't care who held the knife.


> An advocate of rules-based regulation would say this can make regulators unpredictable and capricious.

Unfortunately, so might students of history. Ask anyone in the UK who was working in the freelance or contract world when IR35 was introduced.

In that case, too, the principle was reasonable enough: there was a loophole in tax law where you could decide you're a contractor instead of an employee and pay less money despite for all other practical purposes still being an employee, and this was being actively exploited by some people.

In that case, too, the reality was that most people working in the sector probably wouldn't be challenged by the authorities, not least because the enforcers had limited resources.

But in that case, too, a given individual's status was often unclear. While some of those who were deterred or subsequently received penalties really were engaging in obvious tax avoidance, other reports described crippling penalties for people whose arrangements appeared to have been quite reasonable but to have fallen foul of someone in government's dubious interpretation.

This led to substantial amounts of time and money being collectively spent by the freelance and contractor community incorporating new legalese into contracts and paying for advice and taking out insurance policies. An entire trade body was formed primarily to deal with this threat. Even today, those of us who take on any sort of individual contract or freelance work from time to time have to be careful not to say or do certain otherwise reasonable things, or to allow others to do so, for fear of tipping the balance or giving any appearance that might be subject to challenge.

And the irony is that while the law arguably had some effect initially in getting contractors to go back to being permies if they were just using it as a tax dodge, overall it appears that IR35 has raised very little extra tax revenue for the government. It turns out that the vast majority of contractors and freelancers were operating in that fashion legitimately and continue to do so, and most enforcement actions appear to fail to the extent that the government even tries any more. Nevertheless, the rules still hang like a sword of Damocles above the whole sector.


> It turns out that the vast majority of contractors and freelancers were operating in that fashion legitimately and continue to do so

Which we know is definitely NOT the case for companies storing your data correctly.


Are you claiming that most companies are not storing data in compliance with current law today? There's a meme about how all businesses are trying to exploit personal data mercilessly at any cost, yet among the small businesses around here and the people I know who work there, none of us is in that line of work, nor I suspect would any of us want to be.


I do not believe that the vast majority of companies which are significantly impacted by the GDPR were storing data in a reasonable manner, no.

Having to spend some effort to make sure you are in compliance with a huge new piece of regulation is expected and I understand that people complain about having to do it. However, after the initial bring-up pains any business which continues to have a problem with the GDPR most likely has a business model directly in conflict with the spirit of the law.


> I do not believe that the vast majority of companies which are significantly impacted by the GDPR were storing data in a reasonable manner, no.

If that's your personal belief then obviously you're entitled to your opinion, but have you seen any actual evidence that that is the case?

> However, after the initial bring-up pains any business which continues to have a problem with the GDPR most likely has a business model directly in conflict with the spirit of the law.

Perhaps, but as you say, what we know now is that there are some initial compliance costs for everyone. If nothing else, we all have to understand the new regulations and our obligations under them, and we will now have to allow for additional subject rights and stronger and more specific documentation and notification obligations, which generally apply retrospectively as well.

I admit that part of my concern here is not specific to the GDPR, but rather to the general practice of creating ever more rules governing businesses. Every time some new regulation comes along, the costs of running a business go up. Not only does that impose some level of overhead on established businesses, it also has a chilling effect on new businesses starting up, and on paths to growth like starting a side business that can expand to something full time and later to take on additional employees. If a new regulation is necessary to achieve some positive effect, then those overheads might be justified as well, but I remain to be convinced that this is the case for most of the new rules and regulations that have come in over the decade or so that I've been doing this now. The GDPR is just the latest example of something perhaps well-intentioned but poorly implemented.


> If that's your personal belief then obviously you're entitled to your opinion, but have you seen any actual evidence that that is the case?

I can't speak for that other person but I've seen lots of evidence to that effect. I look at ~40 companies / year at the moment and a large percentage of those has issues. Usually not because of malice, mostly because of lack of resources or unfamiliarity with regulations.


There is a bigger problem with GDPR compliance.

Say I use a DDoS prevention service (like cloudflare). They get my user data, and also have to be under scope of GDPR as well. And since IP isn't indicative of EU citizenship status, a company had better apply GDPR to everything rather than just a subset.

In the end, this law makes a "We respect the privacy of your data" subset of providers, and provides a great way for us users to identify bad actors (Google, FB, Amazon, etc).


> a company had better apply GDPR to everything rather than just a subset

And that's what Cloudflare chose to do. We are treating all customers the same regardless of location.

"Of the companies I spoke with for this story, both Cloudflare and Mozilla will be GDPR compliant no matter where their customers are located." https://www.fastcodesign.com/90171699/what-is-gdpr-and-why-s...


I'm absolutely glad to hear that (about CloudFlare).

The GDPR is becoming a "I'm doing the right thing" checkbox. At least with the European rule, we data-drained Americans can rely that these services might cost more, but we retain our rights.

Lack of will have to be scrutinized. Smaller places may make the determination based upon reasonable answers, or be malicious. Facebook/Google/Etc wouldn't exist in their current forms if there were strong privacy rules in place.


> This is unsurprising, given that the US is so heavily rules-based, but the EU (certainly the UK) has a long history of principles-based regulation.

This is a good point, but many people seem to forget that most misdemeanor criminal offenses in the US are punishable by fine and/or up to 30+ days in jail. People do not often get the jail time so most don't even think about it, but it is available as an option to the judge for things like repeat offenders.


Unfortunately in the US, any conviction leads to essentially a work "blacklist," whereby employers do background checks and deny employment for anything they find within 7 years.


Not for non-violent misdemeanors. Unless you're a flagrant offender you will normally be slapped on the wrist and given a stern lecture in the form of a class. Source: was in a fraternity in the US where literally nothing bad happened to anyone I knew with a misdemeanor outside of a fine and class


A lot of companies won't hire you if you have a criminal record of any kind. Some won't even hire you if you have any record of arrest, regardless of conviction.

Which fraternity?


If the court seals the record its nearly impossible for anyone but government agencies to discover


> If the court seals the record its nearly impossible for anyone but government agencies to discover

No, it is not, because background check and other third-party intelligence firms aren't purely reactive now, they have and use tools to proactively vacuum up public records and maintain their own DBs. After-the-fact sealing of arrest records or expunging of convictions has no effect on data that is already in third-party hands.


Never knew this, so is it that just no employer cares enough about minor misdemeanors or the cost of doing so makes it not worthwhile? I've never heard of anyone getting a job offer taken back because of a minor misdemeanor


exactly what the GDPR helps you with...


Yes, but that costs money and not all states do it. My state has a fully searchable arrest database with mugshots.


wasn't there just a story about background check startups finding these records and using them?


Now if the government interpretation of GDPR differs from a website owner's they'll be able to shut it down with a fine. Since this law can be interpreted in so many ways they can virtually fine any site they don't like, because depending on interpretation every site can be found non-compliant. This is huge and dangerous.


> In rules-based regulation, all the rules are spelled out in advance, and the regulator is basically an automaton once the rules are set.

Given that description, after a couple decades working in some and dealing daily with the acts of other agencies which issue and apply regulations in the US, let me assure you that the regulatory system in the US is nothing at all like “rule-based” as you have described it.


I have also been extensively involved in compliance issues at US companies in the financial space and this comment is dead-on. The idea of rule-based regulations is a complete straw man as far as I can tell.


>and you'll have to engage with it on those terms

Or you can just disengage with Europe all together, which is an obvious choice for many small to medium sized companies, given the risks and costs involved.


Good lord, it's like you didn't read the article.

Or, you're fine with a competitor who isn't afraid of entirely reasonable international laws coming in and eating your lunch.


We ran the numbers on how much it would cost to establish compliance, and with that alone it was barely worth it based on the current EU customer base we have.

We also considered all the additional liability we’d be taking on, and with that alone it was barely worth it based on the current EU customer base we have.

We’d also be very happy if one of our competitors started investing in the EU market. It’s worth about 10 times less than the US market in our industry, so having them chasing peanuts in Europe (and investing in compliance with European - absolutely not international - regulations) would be a truly fantastic outcome for us.


I find it amazing so many companies are willing to advertise the fact that they will abuse their customers in the way you are doing right now.


Where did I advertise misuse of our customers’ data? Compliance and privacy are not the same thing, just like compliance and security are not the same thing. We have a great privacy policy and we don’t misuse our customers’ data in any way.

For us, it didn’t make sense to invest the amount of money we’d have to to establish compliance with the GDPR, or to invest in maintaining that compliance, and the liability that GDPR would introduce for us most certainly didn’t make sense.

Europe is worth almost nothing to us, we don’t market ourselves there because it’s a waste of money. The EU customers we have all sought us out, not the other way around. For us, the cost and liability is simply not worth it. I think you’ll start to see more businesses make this decision, based on facts and numbers. You can’t just cry that they’re all being hysterical or want to abuse their customers’ data and privacy. When you introduce expensive new regulations, that have very strong punitive elements, this is exactly what you’d expect to happen. Small to medium sized businesses will wear most of the cost (while posing the least of the risk). Luckily for us, the EU is worth close to nothing for us.


You are advertising that your handling of personal data is so haphazard that GDPR compliance would be expensive. You are admitting that you aren't good enough for the EU, and therefore that you aren't very good in general at whatever you do.

I expect that, at least in some obviously global markets like most e-commerce, GDPR compliance (as opposed to throwing the towel like you) will be treated like a certification of being a relatively non-evil and non-amateur business, with a significant impact outside the EU.


I’m sorry, but this is simply the naive opinion of somebody that has clearly never had to deal with compliance before on a meaningful level.

My customers are all happy with my privacy policy, and not a single one outside of the EU has expressed any interest at all in the GDPR. We are actually compliant with a majority of the regulation, however there are some areas where we would have to re-architect to gain full compliance.

This is not in any way a signal that we’re “not good enough” to handle our customers’ data. It is mostly a sign of a poorly written piece of regulation, that has more undefined edge cases than it has defined use cases.

We’re not going to be the only company that comes to this conclusion, so you can go around slandering anybody you like, but that’s not going to change the facts behind what is a rather simple business decision for a lot of people.

You’re incredibly naive if you think complying with regulations like this is going to be cheap and easy, and you’re even more naive if you think that compliance is going to mean anything other than a rubber stamp. I’ve seen PCI, Fedramp, ISO27k, SOC2... organisations that have been certified as compliant, but were in reality less than 10% compliant. The compliance industry is a joke worldwide, and everybody knows it.


I'm arguing from the point of view of a customer, not "slandering". Customers are going to have a choice between GDPR-compliant companies and USA-only ones and (if they care) they are going to assume the worst about why the GDPR can make a company retreat from the EU market.

As far as the public understands that complying with a new law is expensive, and why GDPR compliance in particular is expensive, it is obviously more expensive for "bad" companies: don't expect the same compassion and tolerance with which other types of customer disappointments (e.g. raising prices) are received. Your competitors who do not retreat from the EU are obviously caring more for customer privacy, and/or better organized, and/or less reliant on excessive data collection. They are not going to be considered stupid because they spend more than they should on doing the right thing.

You admit bad organization ("there are some areas where we would have to re-architect to gain full compliance"): not trying to comply with the GDPR is clearly not a "rather simple business decision", it's a decision to accept failure instead of losing even more money, and you aren't going to look good even if it's the rational choice in your situation.


Right now we are going through a federal audit. We sell only to US orgs, but also have a social media platform.

Because our social media platform is open to all, we are addressing adhering to the GDPR. In spirit, we already do, but they want what amounts to 5 documents how we use metrics and user data.

(Edit: we use metrics only in a '20 new people signed up'. We treat all data as federal confidential data. We also abide by deletion requests - immediately all user data is zeroed out, and a script overnight removes the zeroed fields. If it should not have been entered, we also will nuke users on backups too.)

If you're doing things respectfully and the right way, the GDPR is a nuisance. If you were hoovering anything and everything, you're in for a bad time.

And given your comments above, I'd put you in the company of "Hoover, Dyson, and Electrolux".

Edit: > "My customers are all happy with my privacy policy,"

Do they have a choice, aside from never using your stuff? Do you force acceptance of the 'privacy policy' on usage of your service? If so, that is in direct violation of the GDPR.

Hope you never want to consider European citizens as a customer. Building in this respect is cheap, but is expensive if you ignore now.

Think of this as "California Emissions". Eventually the US will adopt it, even if only de facto. Might as well be on the right side of the fence.


So because you don’t have many in-scope systems, you believe that the cost of compliance is going to be the same for every company in the world? And what did I say that gave the impression that I don’t respect my users or their data?

Our application is a financial one, so I’d say it’s reasonable to assume that it ends up with a lot more in-scope PII than yours does.

In spirit, we also comply with almost all of the GDPR. However, some of its undefined edge cases prevent us from fully complying with it without an expensive re-architecture project, and re-implementation of some of our toolset. The areas we don’t comply with are incredibly minor, and I’ve seen some people arguing that we’d fall within the GDPR's limits of flexibility. However, that’s not how we manage risk. No matter how confident we were, being wrong could potentially end our business with fines.

As I have said repeatedly, for many small to medium sized businesses that don’t have many EU customers, there is simply no reason to implement GDPR at all. The costs can be quite high, and the risk of getting it wrong is enormous and not survivable. This is one of the many unintended (although entirely expectable) side effects of the regulation. All you’re trying to do is spread FUD.


> However, that’s not how we manage risk.

I think that this point can't be over-emphasized, and I wish you had put that sentence in its own paragraph.

Risk (management) was also alluded to elsewhere in the comments in the discussion of "rules-based" versus "principles-based" regulation.

Perhaps characterizing certain business reactions as "panic" is grossly unfair, when they're merely sensible (or even somewhat excessive) risk-aversion reactions.

I've come to suspect that the HN readership has a high risk-affinity, not just because of the startup leanings, but also even because of the preponderance of programmers working in internet/web tech, possibly never even being exposed to an environment that's life-critical or money-critical (is there a word for that? fiduciary?). Given that, I also suspect there's also broad, possibly even unconscious assumption that risks like you're describing are no big deal, 80% compliance is more than enough, (always) ask for forgiveness instead of permission, and that sort of thing.

Personally, I don't think there's anything wrong with either risk-affinity or risk-aversion, as long as one is aware of it and it's not an unconscious bias.


I think you've hit the nail on the head regarding the bias of this particular forum. As a group, it seems obvious that HN would be less risk-sensitive than the average.

For the sake of the topic however, I'd say that in this case the greatest risk is in not pushing to become compliant for the sake of future-proofing against legislation of this type. The mood of consumers and legislators worldwide is becoming increasingly pro-privacy and security.

Essentially, many businesses not looking to adopt GDPR compliance are winning the economic mini-game while getting beaten in the metagame.


> For the sake of the topic however, I'd say that in this case the greatest risk is in not pushing to become compliant for the sake of future-proofing against legislation of this type

I find it a bit frustrating that you would so clearly ignore the whole point of this sub-thread merely to repeat the same sentiment about privacy and security, which wasn't under debate in the first place.

Are you seriously suggesting that the GDPR is the end-all, be-all of data privacy regulation and that "legislation of this type" will always be a proper subset of the GDPR, no matter the jurisdiction?

If not, then even your purported future-proofing rings hollow, especially for a company which already substantially complies with the spirit of the legislation, which is what we've been discussing here.

> Essentially, many businesses not looking to adopt GDPR compliance are winning the economic mini-game while getting beaten in the metagame.

I remain unconvinced that this is true, because of, again, risk. It seems credible to me that, for many businesses, the risk could easily not be worth it, regardless of others' opinions on the ease of compliance or financial exposure (so far only unsubstantiated opinions, as we have no actual data on enforcement yet, and this is a pretty deeply political matter, as you yourself point out).

Moreover, I find it telling that you would refer to the situation as a "game". I expect the business owners in question (I'm assuming smaller business, in general) are more likely to view it a bit more soberly, in that they're running a business, not playing a game. As such, I don't expect they have a "mini" or a "meta", only decisions for which they and those that depend on them bear the consequences.


Great points. It’s all about risk and the cost/benefits of complying.


I think the underlying idea here is that data is "radioactive". Quite a lot of data can be fed into classifier systems to accurately identify people (not just computers), their trends, their shopping habits, and other much more private things.

Europe, because of classification systems surrounding IBM and the Nazis, has chosen to be very proactive about the dangers of having too much data. It may be used right now in a good way, but the data can easily be used for very evil things.

The GDPR reminds me of a Target (chain retailer) advertisement where a 17 year old girl was being profiled and sent pregnancy, maternity, and baby ads. The father was angry at Target sending his daughter this, until the daughter fessed up that she was indeed pregnant. How did they determine this? Shopping purchase records. The GDPR may not have stopped the first occurrence, but would have provided sufficient "bite" to stop this from ever happening again.

https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...


Your response seems to completely ignore what I said, which had nothing to do with data. It's as if you're just making an appeal to emotion.

I keep smelling this false dichotomy: either you're complying with the GDPR or you're doing something nefarious.

Others may be arguing against the spirit of the law, the extent of the protections, the tradeoffs between data and privacy, or any of those topics actually related to data or its storage. I'm not, nor is the GP.

I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.


> I keep smelling this false dichotomy: either you're complying with the GDPR or you're doing something nefarious.

It certainly doesn't appear to be a false dichotomy to me. If your company has a European presence, you will be required to follow the GDPR. But for my purposes, companies that say they will support the GDPR globally will absolutely get my business before those that do not.

And there are plenty of areas where my data is used against me. Look no further than the recent cell phone location leaks, or Facebook, or Google. The time for their siphoning every last shred of data is done.

> I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.

And I, a customer, can make a very easy choice of "If you assert that you follow the GDPR globally, I will buy from you." I think of it like California Emissions, or other 'Better than average certifying bodies'.


> It certainly doesn't appear to be a false dichotomy to me.

That's the problem. What you seem to be espousing is exactly "my way or the highway" (where "my way" is the GDPR) or "you're either for it or against it", the very epitome of false dichotomy.

Why not actually address the middle ground that has now been clearly explained multiple times? In what way does that non-compliance equate to nefarious conduct?

> And there are plenty of areas where my data is used against me

And here, again, is the appeal to emotion. Where's the data in this case, not those other cases?


That, and the fact that a good chunk of present day Europe was under the Soviet boot for 40 odd years and the people there got to see up close how dangerous data is in the wrong hands (in that case: the government).


Unfortunately your reasoning is not correct here.

Hungary and Poland were under the Soviet boot, but a generation later they are going back to undemocratic and authoritarian governments. Eastern Germany was under the Soviet boot and they have far more neo-nazism than Western Germany, which wasn't. So the 40 years seem to have done some long-lasting damage instead of fostering a strong "never again" attitude.

On the other hand, 12 years of Nazi government have left a much more permanent "never again" against big brother in Western Germany. To my knowledge it's the only country on the planet where citizens' resistance made Google stop deploying Streetview (where it might well be debatable whether Streetview is the worst big brother thing. But sometimes relatively minor issues raise big fears and hit big resistance, as it seems to be with GDPR for small US businesses).


Countries are made up of individuals and not all individuals have the same mental make-up. Yes, there are quite a few worrisome developments but there still (maybe not much longer) is an institutional memory of these things that is for the moment exerting a positive influence in this particular domain.


In that case, and now in this case too, the government will have a legal monopoly on the data.


There is nothing that will magically transfer corporate data to the government.


I'm not sure what you mean by this. No magic is required, only sufficient desire by those in power.

That wasn't my point, though. It was that now only governments are allowed to gather and keep this data. Granted, the breadth of what's available to them may not be as great if they're mainly recording traffic with no access to corporate servers, but even that access can be periodically arranged given sufficient desire.


> It was that now only governments are allowed to gather and keep this data.

That just isn't true.


That's a pretty extraordinary claim, requiring extraordinary evidence.

There have been enough leaks that the public knows even European governments spy on their own citizens.


> And given your comments above, I'd put you in the company of "Hoover, Dyson, and Electrolux".

Comments like this come across like a personal insult.

For you and others, please refrain from such comments; I see them shutting down interesting conversations (that help me understand additional viewpoints).


> Compliance and privacy are not the same thing

I remember the time we had very good privacy policies but getting that project to be compliant with COPPA was still a significant effort, so I think I get where you're coming from.

Once we became compliant, quite frankly, I felt a lot safer and more confident in affirming that our privacy policies were very good. Maybe it was some kind of sunk cost syndrome, but I was glad we did (were forced to do) it.


What amount of money would you have to invest and for what? Data retention?


Thanks, you've pointed out a great signal that now exists. Don't do business with companies that choose to pull out of the EU market rather than comply with GDPR. These are companies that have made an explicit decision that user data privacy is a burden not to be cared about.

My company OTOH is choosing to apply GDPR principles globally.


Compliance and cost of doing so does not equate to privacy. Remember when all of the auto manufacturers in Europe "complied" with new regulation by spending a fortune on testing?


And in your mind there is absolutely no possibility that a reasonable explanation would exist for why a company would pull out because of it?

How about cost of compliance? For example, just the fact that you need to figure out whether you are compliant or not costs money. If you ask for user consent, then you must be able to later show that you got said consent from the user to work that data. You also have to take into account the risk of fines if something somewhere goes wrong. We, as software developers, should be intimately aware of how things can go wrong despite everyone trying their best.

All of these things cost money. If the cost is greater than what the business from the EU brings in, then it's not worth it. The fact that there are people who immediately and only jump to the thought that they don't care about privacy is very worrying.


There is a difference between complying with GDPR and caring about privacy.

I completely and utterly care about privacy, but things like not tracking IP addresses and allowing people to request removing them are a bridge too far. I can't comply with that. I treat my customers' important PII (names, addresses, etc) very delicately. But the cost of complying with GDPR is too much.


> I completely and utterly care about privacy

and

> allowing people to request removing them are a bridge too far.

Are dissonant. You will have to pick one or the other, but you can't both care about privacy and not allow people to request removal of their data. That should be fairly obvious.


GDPR does allow you to record IP addresses in access logs and whatnot. And I'm not so sure people can actually ask you to remove their IP addresses; they'd have to demonstrate use of that IP over the relevant time interval, which is beyond most people. So I think while GDPR requires you to have a good reason to collect IP addresses, it doesn't meaningfully impose an obligation to be able to expunge them in removal requests.


And what will you do when Canada follows in the EU's footsteps? Or the rest of the world? When they finally put pressure on the US to do the right thing? Because this is the right thing to do.


Or just ignore it, take on EU customers anyway, deal with the risk.


An option that I see a lot of companies taking, we considered it, but decided it wasn’t worth it. I personally know of a few companies that have decided to blatantly ignore it until they see how offshore enforcement works out. If it ends up being favourable, it’s a strategy we may adopt.


I was considering that as well, but I think I’ll take a wait and see policy as well.


>(and investing in compliance with European - absolutely not international - regulations)

Did you think about this before typing?

Clue: how many countries does an EU-wide law directly apply to? One? Or many?


You are playing on semantics; anyway, EU regulations apply to no country, as they are enforced by each member of the union, not by the EU itself.


The GDPR regulation directly applies in all member states, and does not need individual states to do anything at all to enact it. If national courts decline to enforce it then it can escalate to the EU courts.

It is also international in that it applies to EU citizens' data no matter which country it is held or processed in.


That's not true. It's implemented by the data regulation agency in each country. The CNIL in France, for example. There is no EU GDPR agency.


It is true — you need to read the actual GDPR rather than online summaries.

The GDPR creates some new criminal offences, in Clauses 162 & 163, that can be prosecuted through courts without the regulatory authorities being involved.

Article 82 allows individuals to sue in court for compensation if breaches of GDPR rules cause harm.

The regulatory activities are on top of this.


I read the article, and I found it more than slightly dismissive of this option, particularly because the article (and other commenters, it seems), in effect, makes the inference that the main goal of avoiding compliance is a continuation of some nefarious behavior.


A bunch of companies are going to do this and then regret it when they notice that their competitors really didn't have to do much work to become compliant.

Then they'll try to come back... after their EU user-base was kicked out and forced to find alternatives.


That’s assuming that a competitor can make it cost effective.

If the original business couldn't, it's unlikely the competitor could.

I know in my business I’m shutting off EU sales.


> If the original business couldn't, it's unlikely the competitor could.

Considering the amount of FUD spread about fines, even here, with a fairly educated readership, I don't think you can really trust other people's cost/benefit analysis, even when they happen to have the same variables with the same values.

People are often wrong even in much clearer cases...


Then they can just do that. I'm sure other companies will be happy to scoop up that business.


We’d be quite happy if that happened. Seeing our competitors investing in Europe would simply mean less competition in markets with much greater growth.


Sounds like that's a solution everyone can be happy with!


It is not possible, unless you check the ID and residence certificate of all visitors. Blocking EU IPs is not sufficient.


This is, yet again, untrue.

https://gdpr-info.eu/recitals/no-23/

> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

By blocking EU IPs the service is very clearly, unambiguously, not targeting EU residents.


Not sure why the downvotes. If you block EU IPs, an EU resident accessing a website on holiday outside the EU will not know that the website is not meant to offer services to EU residents. Solely blocking EU IPs is not sufficient. What would probably do is to have a banner on the website where the user is informed that the website doesn't allow EU resident visitors, with a "Leave" button. Now the problem is if the EU resident confirms that he/she is not an EU resident. Then the controller or processor is still processing protected data, but unknowingly.


If you block EU IPs but your business is not targeting Europeans who are on holiday you don't need to comply with GDPR.

If you block EU IPs but your business is targeting Europeans who are on holiday - well, you probably still don't need to comply with GDPR because you've demonstrated attempts to actively avoid European residents.

The test in GDPR is not "does any European ever use the service?" but "are you targeting them?"


No, this is only not targeting people accessing the internet using EU IP addresses; it doesn't exclude EU residents.


I am having a hard time seeing how EU judgements will be enforceable in the US?


I was really wondering that as well. Can we be held accountable?

It would be nice if the GDPR had a piece about “if a company refuses sales, even if they accidentally happen, the company isn’t liable” and/or “blocking EU IPs or redirecting to a no sale page is sufficient to avoid compliance”.


Probably they will not be - but there are cases of extradition of EU citizens to the US for various crimes like hacking. Who knows, maybe it will happen the other way around or some people will have to take holidays in the EU off the list.




Same here. The EU makes up such a small amount of our customer base, and EU customers spend far less money with us. This is generally true in most industries: US consumers spend far more than consumers anywhere else in the world.

If we ever choose to enter the EU again, it will be a careful and deliberate choice, and will likely only ever happen if our growth slows in other regions.


As a formerly European person running internet companies in the USA this baffles me. Why the teeth gnashing over being told not to spy on your users?


We’ve got a great privacy policy, and don’t abuse our customers data in any way. However compliance would be very expensive for us, largely due to some of our early architecture decisions. The liability is also insane, and we don’t want anything to do with it. When we looked at how little our EU customers were worth to us, it was a very easy decision to simply abandon them.


So you say. If you don't have strong processes to make sure that is true, it isn't true. GDPR is mostly about ensuring you have such processes. If you can't do things such as tell the user what data you have, and delete it, you do not have a great policy.

Methinks you need some advice from better counsel. I bet that you are closer to compliant than you think.


Do you actually think the only way to respect users' privacy is to comply with GDPR? That is an absurd and narrow-minded opinion. Do you also actually believe that the entire regulation is reflected in your two line comment?

Listen, you've said higher up the thread that you plan to spread FUD about all companies that don't comply with GDPR as a marketing strategy for your own product. I don't see how anybody here could possibly take you seriously. GDPR is going to have a lot of unintended consequences, and people aren't going to be happy with all of them. One of them is that small to medium sized companies will reconsider doing business in the EU; another is that the scope of the legislation is especially anti-competitive for small EU based businesses. There's been a lot of FUD going around HN recently that the only reasons a company would plan to pull out of the EU are hysteria and malevolence. That's not true, and for many companies this is just a simple business decision.


> That’s not true, and for many companies this is just a simple business decision.

But likely based on incorrect advice.

You haven't said why you think your company isn't compliant with GDPR, and it's possible your company is compliant with GDPR, or would require only minor tweaks to privacy policies to make it compliant.


If you ask US-trained lawyers (especially those with exposure to the tech or financial sectors) to perform an impact assessment of a European regulation, don't be surprised to receive a full-on Chicken Little response.

The reality is that the law is not a programming language and compliance is about alignment with principles, not blindly following a set of rules.


Huh? The entire thing is a set of rules that must be blindly followed.


Not exactly in the EU; see the principles vs. rules debate above.


Sounds like he analyzed it very closely, so probably not based on incorrect advice.

And I'm guessing he can't share too much about why, since he has said it's based on architectural decisions, which might reveal business secrets.

The biggest reason I don't like complying with GDPR is the IP address situation: I'm going to continue to track them and I'm not going to delete them because somebody requested it.


Why is storing client IP addresses long term a useful thing for your business to do?


> I'm not going to delete them because somebody requested it.

Why do you think you need to delete them when requested to do so? Can you point me to the bit of the regulation that makes you think that's a requirement?

Here's the Right to Erasure: https://gdpr-info.eu/art-17-gdpr/

Which bit do you think applies?


When I read it, I see that "The data subject shall have the right to ... erasure of personal data ... where one of the following grounds applies: ... the data subject withdraws consent...."

I imagine that HTTP logs associating URLs and IPs are personal data because they associate users with activity, so they would have to be removed.

It's pretty hard to destroy individual log lines (they're often aggregated in zipped files, for instance), and logs show up in lots of places: your load balancer may log, your web server may log, your application may log, those logs may be backed up to tape, you might have debug logs captured for analysis from any of these systems, and those debug logs might be present on developer machines, not on servers or long-term storage.

That basically means that if any user asks to have their data erased, you have to figure out whether they owned that IP address at that time (so they can't ask for others' information to be removed), then delete all those logs, potentially rewriting your whole tape archive(!), potentially having developers destroy the debugging info they were using to track down a memory leak or whatever (on laptops, or in the ticketing system, or in heap dumps, or wherever it might be).

It's pretty easy to say "don't keep logs of IP addresses", but that's one of the major ways people detect malicious traffic, e.g. spam, denial-of-service attacks, and break-in attempts. It's hard to live without that.

Am I reading something wrong? Is there something I missed in that section that makes it easier?

Is "so we can look for malicious traffic" enough of a legal ground for processing to keep personal information around indefinitely even if the user asked for it to be removed? I can't imagine that's so, as that would be a pretty big loophole.


> the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

There are several justifications for processing user data. One of them is consent. But there are others. One is "legitimate need". You're not using user consent to process this log data, you're using a legitimate need justification.

https://gdpr-info.eu/art-6-gdpr/

> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Legitimate interest doesn't let you gather everything and keep it forever, but standard practice log rotation seems like it's compliant.


The proper way to deal with this is to rotate out the logs after a finite amount of time (you are doing that anyway, right?) and then to delete the logs after yet another period of time, once they have outlived their useful life. That's good practice anyway so I really don't see the problem.

Looking for malicious traffic is not a loophole that allows you to keep data indefinitely - even if nobody asks you to remove it - you don't need to keep it indefinitely.
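The rotate-then-delete retention described in the comment above, written out as an added example (not code from this thread or from any GDPR guidance): live access logs holding client IPs are compressed after a finite period and deleted after a further one, so nothing is kept indefinitely. The `access-YYYY-MM-DD.log` naming scheme, the 7- and 30-day periods and the sample log lines are assumptions made for the illustration.

```python
"""Two-stage retention for web-server access logs that hold client IPs.

Added example, not from the thread: logs are rotated (compressed) after a
finite period and deleted after a further period, so IP addresses kept under
a legitimate-interest justification are not retained indefinitely. The file
naming scheme and the two periods below are assumptions for illustration.
"""
import gzip
import re
import tempfile
from datetime import date, timedelta
from pathlib import Path

# Assumed retention policy (constructed values, not from the thread).
ROTATE_AFTER_DAYS = 7    # live log -> compressed archive
DELETE_AFTER_DAYS = 30   # archive is removed once it reaches this age

# Assumed naming scheme: access-YYYY-MM-DD.log (live) or .log.gz (archived).
_NAME = re.compile(r"^access-(\d{4}-\d{2}-\d{2})\.log(\.gz)?$")


def classify(name, today):
    """Decide what retention does with one file: keep, rotate, delete or ignore.

    The decision is based only on the date in the file name, so a live file
    and an archive of the same day are judged by the same age.
    """
    m = _NAME.match(name)
    if not m:
        return "ignore"          # not one of our log files; never touched
    age_days = (today - date.fromisoformat(m.group(1))).days
    archived = m.group(2) is not None
    if age_days >= DELETE_AFTER_DAYS:
        return "delete"          # outlived its useful life, live or archived
    if not archived and age_days >= ROTATE_AFTER_DAYS:
        return "rotate"          # still wanted for abuse analysis; compress it
    return "keep"


def apply_retention(log_dir, today=None):
    """Apply classify() to every file in log_dir; return the actions taken."""
    today = today or date.today()
    actions = {"keep": [], "rotate": [], "delete": []}
    for path in sorted(Path(log_dir).iterdir()):   # snapshot before changing
        action = classify(path.name, today)
        if action == "rotate":
            archive = path.parent / (path.name + ".gz")
            with open(path, "rb") as src, gzip.open(archive, "wb") as dst:
                dst.write(src.read())
            path.unlink()
        elif action == "delete":
            path.unlink()
        if action in actions:
            actions[action].append(path.name)
    return actions


def build_sample_dir(today):
    """Create a temp directory of constructed log files of assorted ages."""
    log_dir = Path(tempfile.mkdtemp(prefix="retention-"))
    # Constructed Combined-Log-Format line using a documentation-range address.
    template = '203.0.113.7 - - [{}] "GET /index.html HTTP/1.1" 200 512\n'
    for age, archived in ((0, False), (3, False), (9, False), (20, True), (45, True)):
        day = today - timedelta(days=age)
        line = template.format(day.strftime("%d/%b/%Y:00:00:00 +0000")).encode()
        name = f"access-{day.isoformat()}.log" + (".gz" if archived else "")
        if archived:
            with gzip.open(log_dir / name, "wb") as f:
                f.write(line)
        else:
            (log_dir / name).write_bytes(line)
    return log_dir


def demo(today=date(2018, 6, 1)):
    """Run retention over the constructed sample directory for a fixed date."""
    log_dir = build_sample_dir(today)
    actions = apply_retention(log_dir, today)
    actions["remaining"] = sorted(p.name for p in log_dir.iterdir())
    return actions


if __name__ == "__main__":
    for action, names in demo().items():
        print(f"{action:9} {names}")
```

With the assumed dates, the 9-day-old live log is compressed, the 45-day-old archive is removed, and everything younger is left alone.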


>compliance would be very expensive for us

Care to expand on this? What would you need to do that you weren't doing already?


I'm not the person you're asking this of, but any regulation tends to require extra work to be done. Just the fact that you need to know that you're compliant requires work. Then you have requirements such as being able to prove that users gave you this consent, being able to prove that you did delete all the user data in all the possible places (including backups, VMs, crash dumps on developer machines etc) when requested, etc.

You also have to take into account the risk of the fines. The fines are enormous and there are no guarantees that the regulators will not slap you with the highest fines "to make an example of you" or because you just rubbed them the wrong way. Even if you try your hardest to comply and think you have all the bases covered, it could very well be that you are not compliant because something was overlooked or there's a bug somewhere or something else entirely. You can never be certain about this.

Now you add up all of these costs and compare it to how much the EU market offers you. If the costs to comply exceed the income, and there are no near-future opportunities for large growth, then it would make a lot of sense to just pull out of the market.


If you are already compliant with your great privacy policy, what are some specific things that you find too expensive to be worth it? All I read from GDPR detractors are vague hand-wavy claims of "compliance stuff" being expensive. I'm obv not a professional compliance expert so ELI5.


This argument makes about as much sense as "if you have nothing to hide, you have nothing to fear" in support of surveillance laws. Presumption of guilt is a terrible rule to live by.


Actually your argument makes no sense because it amounts to: I am honest therefore there is no need for laws. Thousands of years of human history suggest you are wrong.


GDPR and “not spying on your users” are not even remotely related. GDPR is a massive regulation requiring significant resources that most small businesses simply don’t have.


Can you list one or two of those "significant resources" you need and tell us why you need them, and didn't need them last year?


Insurance to cover the liability of GDPR fines, massive legal fees, and development time to name a few.


Surely you already had "cyber" coverage on your general liability policy, right, since you are handling users' data? I haven't been notified of any changes in premium for our policy related to the new regulations, fwiw.

Massive legal fees for what, exactly?


>I haven't been notified of any changes in premium for our policy related to the new regulations, fwiw.

I don't see how you can legitimately believe that there is not going to be an increase in costs. Either the insurance company was overcharging you before, they're lowering their margins or the price goes up. Anything else would require that the risk would be basically non-existent. The price might not increase right now, but it might increase next year or the year after that or the service might get worse.

>Massive legal fees for what, exactly?

To deal with situations that you didn't expect to happen, but did happen anyway. Even if you try your best, mistakes can happen.


In most industries, US consumers spend far more than consumers anywhere else in the world.

Not any more. China's citizens spend twice as much on international tourism as US citizens do. The EU has 508 million people. The US has 325 million.


The GDP, the consumer spending market and the consumer spending per household are all higher in the US than the EU. You can cherry pick out a few industries where other countries spend more than the US, but it's still the most valuable market by far in most industries.


One could read this as you're being dodgy with your user data. If you were reasonable with the data in the first place, then compliance costs nothing.


That doesn’t compute.

There is a difference between what GDPR says is okay with user data and what is actually okay with user data.

We may be reasonable with user data, but either disagree with a portion of GDPR (like IP addresses) or do not have the time or money to verify we comply.


Still don't understand the issue. IP addresses are being kept private like all the other user details, right? You still can have web logs with IP addresses without needing consent.

And also (as stated in numerous places), you won't get hit with fines. If you aren't compliant (and it would take a big violation to get their notice) you are given ample time to comply. Or, in your case, if you really are violating it flagrantly, you could just block access to the EU. But you would have to be a big violator.

So if you look at a prisoner's dilemma outline you've got:

- you are violating / you block EU: outcome is no market access to the EU
- you are violating / you don't block EU: you have access to the market, and if you are caught violating you get ample time to change, or you can just block the EU and you're in the same boat as before
- you aren't violating / you block EU: you just blocked access for no reason and are losing out on a market
- you aren't violating / you don't block EU: you have access to the market

So if you don't know you're violating, or you wonder about the IP address and weblogs issue, which is minor, then the prisoner's dilemma shows that it's best to go with continuing as normal. There is no case where you would be hit with big fines.


To be honest I know nothing about law enforcement in the EU, but the one thing I have heard about in recent memory is that guy who made a video of his girlfriend's dog saluting Hitler, and was subsequently tried for a hate crime, convicted, and was charged with a pretty hefty 800 GBP fine after being found in violation of the Communications Act of 2003[1]. Seems like a pretty poor example of principles-based regulation. Maybe it's just an outlier though, idk.

[1] https://en.wikipedia.org/wiki/Mark_Meechan


The actual ruling was that him saying 'Gas the Jews' tens of times during the video was calculated to offend, rather than the dog thing.


Oh okay, I actually misremembered what I had seen; I thought it was just the saluting thing. I just checked the original again[1], and that being said, I still don't see how this isn't a ruling that is overblown; he's saying "wanna gas the Jews" in a playful way to his dog over and over, and the dog responds when this is said.

The ruling was that this was a hate crime, because it was "menacing, anti-Semitic and racist". I have trouble seeing how a Nazi pug that responds to "gas the Jews" is anything other than a silly bit of absurd comedy. I can't realistically see this video actually advancing any legitimate hatred, or having any negative consequences other than some people laughing at how silly it is, and some people just thinking it's kind of stupid.

[1] https://www.youtube.com/watch?v=5rdWlVyN9es


At a guess you didn't have any family and you don't know anybody that has family that ended up in a gas chamber?


I know several people who fit that criterion. I didn't say it wasn't rude, crass, impolite, or ignorant. I said that I don't think it counts as a hate crime, and that it doesn't fit the criterion for "menacing" society. How many people do you think fear for their personal safety because of that pug?

For what it's worth, I grew up in a town that was roughly half Jewish, reflected in my circle of friends. When I was younger, extremely crass jokes that made light of historical tragedies were made at everyone's expense, including ones that historically affected my family. It was clear that the intent of these was not to instill terror or provoke hatred. It was more of a pissing contest, to see who could say the most absurdly offensive thing.

Were these the types of situations where we should have had more sensitivity to the real weight of these tragedies? Sure.

Were these hate crimes? Absolutely not. When someone commits a hate crime against you, you probably wouldn't regularly invite them over to your house for the next several years...


> I said that I don't think it counts as a hate crime

That's curious given your background. I know a couple of people that still have the tattoos on their arms and one guy who literally has no family at all and it pains me to see that people think that this is just a matter of bad taste. "Gas the Jews" is not a joke, my sense of humor is pretty broad but it does not stretch that far.


To be clear, I'm not arguing that it wasn't a horrible atrocity that completely destroyed many peoples lives, and and I'm not arguing that the genocide itself was in any way funny. The joke isn't that the event itself is funny, it's the absurdity of context in which the statement is being made that's funny.

I can't even count the number of Comedy Central stand-up specials I've seen that casually make jokes about absolutely horrific things that destroy lives. Jokes that play on children dying, slavery, the holocaust, rape, murder, pedophilia, torture, etc. I guarantee you that both you and I know someone (or are one person removed, at most) that has had their lives destroyed by one of these things, or something of a similar caliber. Does that mean that none of these jokes can be funny, in any context? If so, I'd say you'd be hard pressed to find a single comedy special that counts as funny; virtually every comedy special I've seen makes light of one of these horrific things in some way.


I'm a big fan of George Carlin, so I can see where you're coming from ('Elmer Fudd', if it rings a bell) and yet I can't cross that particular bridge. Sorry. But thank you for the conversation.


Okay, I'm familiar with that. I get it, everyone's got their own limits on what they can make light of. And sure, ditto.


Funny simply isn't relevant. If you bludgeon someone to death in a funny way, it's still a crime.


I have family that suffered at the hands of communists. Many were deported and exiled, some were sent to gulags. Some of them made it back, some died there, because the conditions in Siberia were horrible. Do you think it would be reasonable to start fining or jailing people who make jokes about "being sent to the gulag"?

I think you're simply appealing to emotion here to justify an unjust ruling and an unjust law.

I think the person you're replying to has a point in saying that some laws in Europe are pretty ridiculous. However, the difference is that that's a local law in the UK and not one that affects the entirety of Europe. Nor is it a widespread law in other European countries.


Who is talking about jailing? The guy just got a fine. It was pretty big (still less than one paycheck, no?), but if that is the worst case you can find, I think you can make fun of anything.

And fwiw I do think Europe is oversensitive about Nazi-related stuff. But for good reasons.


I don't know, EU members seem perfectly willing to toe literal rules for perverse outcomes in some areas. Open market gamesmanship, for one, such as the proliferation of national standards as a way to exclude 'single' market products.

Maybe they are trying a kind of best of both worlds approach?


Great explanation. I didn’t know the difference between US and U.K. law was so fundamentally different. Thank you for educating me on the correct terms.


This sort of explanation has been very popular by people who are trying to reduce the overall concern level of the community. You're not wrong. You very well could be right and this could be how it will work. Let me give a view as to why it doesn't matter.

The problem with this approach is if you run a large or small company or are a sole proprietorship or simply have a hobby site, you can't write off legitimate fears of heavy handed enforcement. No one wants to be the example.

In the former cases, if your company is how people are feeding and clothing their children, do you want to be the person who says "Oh well, we tanked the company this year because we weren't worried. Someone on the internet told us they'd be gentle! How could we have known they'd be serious about levying the maximum penalty!?"

If this law is "no big deal" or "so easy to implement" or any other version of the arguments proposed this week, it would not be causing so much concern. It's neither an unreasonable ask nor a trivial one. People are being impacted in large ways.

I'm on my company's GDPR compliance team and it is serious business. Our European footprint is small but not insignificant. If we were an unreasonable bunch, we'd just shut the whole thing down and move on. The very expensive, very well-versed German legal counsel we're paying to help us do this right completely disagrees with what many are saying here. We have no reason not to believe them as they have a lot of experience with the German laws the GDPR is based on. We're paying them far more than the fines we'd see because we believe in doing the right thing. Ergo, we must take the "hard" regulator view rather than your "kid glove" view. Our lawyer's underlying point in every discussion is that this is really, really serious business and that they're not fooling around. Adding to that, a GDPR-like law is likely to be implemented in Canada and other jurisdictions in the future. We must be ready for that as well.

I think GDPR is great for consumers. I think we'd actually be in a better/easier place if it were a requirement in the US since everyone would have to follow the same rules. The problem is that implementing it takes time and effort to do well at scale, and to not lose your competitive edge against other large competitors that do not serve the EU and can operate under only US law. These are real concerns that have nothing to do with the regulators and whatever their whims are.

So even if you're right, these are the real costs. You're going to be held accountable to the people you let down if you put your company in peril. You're going to be held accountable if you lose market share because you got this wrong and an unencumbered competitor outmaneuvers you. And most of all, you simply cannot assume the best case, kid glove, approach is what is going to happen. THIS is what people are frustrated with.

I do hope that the EU is fair and equitable (which is my belief) but it would be irresponsible for me to act as if that is the only possibility.


That's a fair assessment and in line with the proportionality of the costs associated with becoming compliant with the GDPR. It sounds as if the company you are working for is smack in the middle of the range where the turnover:compliance costs ratio is at its worst. This is unfortunate but I don't see any way in which that could have been avoided. For trivial companies the cost is negligible because the costs are small or nil; for large companies the cost is negligible because their turnover is huge (unless they are misbehaving on purpose, then the cost might be very large); for companies in the middle it hurts the most, but it is still worth doing it and doing it right for all the reasons you listed.

As for this part of your comment:

> If this law is "no big deal" or "so easy to implement" or any other version of the arguments proposed this week, it would not be causing so much concern. It's neither an unreasonable ask or a trivial one. People are being impacted in large ways.

It's no big deal if you already had a user-centric approach to privacy. If that's novel, then you will probably have to change lots of procedures and some software too in order to get things right. Even so, I've seen far worse from a compliance point of view; look into fintech or healthcare compliance for examples.


Wow I wish we had principle-based regulation in the US. It seems like rules are made specifically so that only wealthy, entrenched institutions can follow them without significant burden. When those institutions fail, the fines don't seem relative to profit or size of the company or anything.


I suspect it wouldn't work in the US. Principles-based regulation requires some level of consensus on principles. We don't have that in the US. Polarization breeds rules worship because you don't trust the other people to use their discretion.

Consider, for example, how every major social issue devolves into Constitutional litigation. Whereas in Europe people just vote on stuff.

And as to regulatory approaches I think you’d be surprised. European regulation is often quite conservative.


Oh totally agree. Just think about the DMV. The people who work there cite the law word with zero discretion. Most US companies are like that as well. It's quite dystopian.

Well, let's say it wouldn't work with the current ruling class mindset where everyone they employ is stupid and unable to think critically.


It depends on where you are. In places like Oregon, the DMV is a friendly place full of smiles where expiration dates can slip a few days and you don't have to change your hairstyle for your ID photo.


> A multimillion-dollar fine without warning for a first, minor violation is perfectly lawful under GDPR

Come on, this is just scaremongering. Newsflash: If you run a business, you are already responsible for adhering to hundreds of other laws in which the fines could reach millions. But you don't see people running around screaming that the world is ending, because they know that the laws will generally be applied fairly, given that a large economy (like that of the EU) relies on just application of laws to maintain stability.

Running a business, like anything else in life, requires the ability to make reasoned choices from somewhat ambiguous data. And the data here is somewhat ambiguous for good reason - it's to prevent businesses from exploiting loopholes and rendering the law ineffective. If you are going to crank the anxiety to 10 every time a situation like this occurs, you probably shouldn't be running a business or handling others' data in the first place.


I have a feeling there are a significant number of people who are young enough to have only worked in digital media, and who aren't used to the idea that businesses are regulated. It's been such a free-for-all until now that they're not used to the idea that there might be externally-imposed limitations on what they can do. I don't mean that in a dismissive way - nobody willingly reads complex legislation in industries that they're not involved in - but it would explain some of the more naive complaints.


> you are already responsible for adhering to hundreds of other laws in which the fines could reach millions.

Source please?

> If you are going to crank the anxiety to 10 every time a situation like this occurs, you probably shouldn't be running a business or handling others' data in the first place.

I'm not running one right now. It's not the situation that gives me anxiety, it's just that it no longer seems interesting to support European customers for a potential business if that implies that I risk that much over their information. They just removed a big bunch of potential customers for a potential company. I would already try my best to limit the amount of PII, but there are many times you just can't.

I'm from Quebec. Here we have laws over lotteries. You know what it implies? If you make a lottery here in Quebec, you need to follow some simple regulations (I personally know people that did it essentially for fun (not for profit), so they are pretty easy to follow) and pay the taxes for the winner. You know what I had to endure each time I entered an online contest? A broad exclusion, because it was just not worth it to follow these regulations. It's crazy the number of contests where you could literally do CTRL+F "Quebec" in the rules and find our little province (nowadays I see more of "where law forbids it" or stuff like that, but I haven't tried to participate in a contest for a long time either).

Did these companies have too much anxiety about our regulation? None at all; they were multi-billion companies that did this. It was just not worth it.


Canadian here. You are making assumptions about decisions you don't know about, like "Do theses companies had too much anxiety for our regulation? None at all, they were some multi billions companies that did this. It was just not worth it."

That is a sweeping generalization, and if you dilute it and guess what the most probable reason for excluding Quebec was, it's probably for the best. It was a shady contest to begin with.

The Canadian sweepstakes law and corresponding province laws are not that hard and costly to comply with either. Look at the countless valid and non-scam contests present and available to our citizens. You, I and the rest of us should be glad that rules like these exist, since there are people and companies out there willing to part you from your hard-earned money.

As an example, you just need to store my skill-testing answer and, if I get awarded a prize, reset a flag that I need to fill out a new answer. In Quebec, you need to give monetary guarantees to make sure you pay out and give contest rules out to the bureau ahead of time. That is not a tall task. It's for the better if those shady contests did not want to participate.


“Not that hard and costly to comply with”

That's what you think. But it's still a risk, because it's different. It's still easier and cheaper, short term and long term, just to skip the oddballs.

It's why you see so many online contests in the US that only apply here. Not because they want to avoid it, but because it's easier and cheaper not to comply with other laws.


> > you are already responsible for adhering to hundreds of other laws in which the fines could reach millions.

> Source please?

Tax laws come to mind for one.


Which other violation could cost me a 20 million dollar fine?

Sure, they probably won't give such fines, but they could. What if I run a small business that interferes with the activity of some other business run by, for example, someone who is a friend of, or can corrupt, the people in charge of issuing the fines? They will fine me 20 million dollars; sure, I can appeal, but a normal trial in my country lasts at least 5 years, and in that time I will probably go out of business...

The fact that they could is a big problem; they should have specified a proportion between the size of your company and the maximum allowed fine.


In order to prevent the law from becoming feckless, there had to be an element of discretion on the part of the enforcers. It's there to cut the bullshit of companies who use blatant trickery/loopholes to make themselves seem like a smaller company in order to reduce their potential fines.

But as I already said, the stability of the EU’s economy depends on fair application of the law. If the EU levies a 20 million Euro fine on a company with 20 million/year in revenue, the chilling effects of that action would cause much more than 20 million in damage to the EU economy. That should be blatantly obvious. Despite propaganda to the contrary, the EU has a very good record of behaving as a reasonable government entity, moreso than most. They’ve championed quite a few consumer-friendly pieces of legislation that have managed to not destroy the applicable sectors.

If you think this is a valid concern, I can only assume you’re just as worried about other outcomes that have insane, struck-by-lightning levels of unlikelihood, in which case you are not going to have the spare cycles to be able to successfully run a business anyway.


> Which other violation could cost me a 20 million dollar fine?

Tax code violations, for sure. Environmental regulations may also carry huge maximal fines. Some misdeeds can even lead to criminal prosecution and land you in jail (but generally, they won't, except for the worst of transgressions).

Note that the GDPR requires fines to be proportional to the offence. If you really worry about some regulator fining you for 20M euros just because they're having a bad day, you do have legal recourse available.


This law may be not a big deal and not heavily regulated and not impact US small businesses at all - but many don't want to be the first to find out. After the dust has settled for a few years, then I'll make a conclusion if it has been applied fairly.


In principle I might agree with you; however, the EU has a long history of striking a fair balance between consumer rights and commercial interests. There is no point in history of the EU doing anything remotely like you've described. Which actually gives me more faith in the GDPR than legislation in a corrupt ecosystem, as corrupt individuals will find a way to warp legislation in their favor anyway.

So yes, I do trust the EU and their history has proven that the aforementioned idea isn't a hollow one.


Related to this, there is a difference in culture that may have added to the fear for people running SMEs outside of Europe. I am talking about a difference in the culture of fines, at least at the local level of government, based on my personal experience. When I lived in Canada (and the US briefly) it was common for me to get fined for various trivial offences. I used to joke I should have a fine budget, or at least a fine schedule for attending court. The local authorities set speed traps, fine for crossing the road at the wrong place, not shoveling snow quickly etc. My parents-in-law and everyone on their whole street got fined for parking their cars on the street by a by-law officer instead of their driveways, when the houses were new builds still getting constructed and new driveways were clearly in the process of being constructed and could not be entered. There was someone in the news who got arrested for not mowing their lawn. I'm not making this up, just do a search; in fact it seems dozens of people have been sent to jail for not paying fines for not keeping up with landscaping in the US. Now, since being back in the UK for six years, I've not received a single fine or had any interaction with the police or courts. There is a big difference in how fines are applied in Europe, and I agree with your comment that I do trust the EU more in this regard, based on the way they operate historically.


> Now since being back in the UK for six years I've not received a single fine, had any interaction with the police or courts.

I'm 26, have always been Canadian and I have never seen what you talk about there. It's disturbing that you had this experience.

The only fines I ever heard of someone getting were related to the road and were mostly parking and speeding tickets. Even then, I also don't know anyone that doesn't drive 120 kph on a 100 kph road, and about the parking, the signs are pretty self-explanatory (though they can become pretty complicated where there's more than one).

If you consider that you follow what the signs say, well, that would mean you shouldn't get any of these fines. These fines are also defined, and you know what you risk if you don't follow the signs.

Now say the same about GDPR... much harder, I would say.

People drive at 120 on a 100 road and that's alright even though cars kill thousands each year, much more than keeping your shipping information in a database, yet you risk a much bigger fine for keeping that information without following the "signs".


Yes, literally nobody has died from misuse of privacy data, and now you can go to jail over it.


This is true, I have never received a fine -- and furthermore, I personally don't even know anyone who has received a fine! Could of course be that some did and kept it to themselves.


I think UK is a special case here. In other EU countries it is not uncommon for corrupt civil servants to drown companies in fines to the point of bankruptcy.


Considering Europe's history of bloody nationalism, and the recent resurgence in that nationalism, as a non-European I don't trust Europe to refrain from using GDPR to persecute non-European companies.


In England and Wales, you could be fined £10^99 for having a crumb of cannabis in your pocket. There is nothing - and I do mean nothing - written in the Misuse of Drugs Act that requires any warnings of any kind, or places any limits on fines. The maximum sentence for possession of a Class B controlled substance is five years imprisonment and an unlimited fine. Period. A fine larger than the number of atoms in the universe is perfectly lawful under the Misuse of Drugs Act. The idea that we can trust judges and sentencing guidelines rings hollow to me.


> In England and Wales, you could be fined £10^99 for having a crumb of cannabis in your pocket. There is nothing - and I do mean nothing - written in the Misuse of Drugs Act

Not true.

https://www.legislation.gov.uk/ukpga/1971/38/section/25

> The fourth, fifth and sixth columns show respectively the punishments which may be imposed on a person convicted of the offence in the way specified in relation thereto in the third column (that is to say, summarily or on indictment) according to whether the controlled drug in relation to which the offence was committed was a Class A drug, a Class B drug or a Class C drug; and

https://www.legislation.gov.uk/ukpga/1971/38/schedule/4

Cannabis is currently class B, thus

> [F8 3 months or [F4 £2,500], or both].


You've misread the legislation. The maximum sentences you're referring to are for summary convictions at a magistrates court. Possession of a controlled substance is an each-way offence which can be tried at either a magistrates or crown court. There is a higher maximum sentence if your offence is tried at a crown court, which is listed in schedule 4, namely "5 years or a fine, or both".


But that law has to be read in conjunction with others, which set out when trial is at magistrates or crown court; and what the sentencing guidance is.

The courts must follow the sentencing council guidelines unless it's in the public interest not to do so.

https://www.sentencingcouncil.org.uk/wp-content/uploads/Drug...

The starting point is 100% of weekly income; the range is 75% to 125% of weekly income.

> Band B 100% of relevant weekly income 75–125% of relevant weekly income


Judges don't have to adhere to guidelines as these are only guidelines. I have seen a couple of cases where people were punished severely for something rather minor. The only thing you can do is complain about the judging.


English judges do have to adhere to the sentencing council guidelines.

https://www.sentencingcouncil.org.uk/about-us/

> The primary role of the Council is to issue guidelines on sentencing which the courts must follow unless it is in the interests of justice not to do so.

> The Sentencing Council is an independent, non-departmental public body of the Ministry of Justice and replaced the Sentencing Guidelines Council and the Sentencing Advisory Panel in April 2010.


Yes, but the point I'm trying to get across to people is that there's a general legal requirement that the legal and administrative systems be proportionate, even if it's not incorporated by explicit reference in every piece of legislative text.

(I can't lay hands on it at the moment but there are clear guidelines to UK judges on what constitutes reasonable fines for offences, such that it should be feasible for the person to actually pay the fine)


There's a proportionality requirement written into the GDPR. The commenter I was replying to is making a completely specious argument.

https://gdpr-info.eu/art-83-gdpr/


UK judges don't have to follow the guidelines - these are just guidelines, but a judge can use his/her own discretion within the law. In the case of drugs, some judges expose almost psychotic hatred towards drug users and can deal punishment outside of the guidelines.


Yes and there's nothing saying I won't be arrested and thrown into a cell for the rest of my life if I say something incorrect by mistake when entering the US.

There's nothing that says IRS won't prosecute you if someone buys you a soda and you don't declare it as income.

Or that you won't be prosecuted by someone in the US if your blog has a copyrighted image and you don't receive a DMCA request that was sent to you.

See how ridiculous that sounds?

All fines can be administratively and judicially appealed.


> I won't be arrested and thrown into a cell for the rest of my life if I say something incorrect by mistake when entering the US

For the rest of your life? Source please?

You can be put temporarily into a cell for plenty of stuff but that's temporary. A fine is pretty permanent and when it can be millions, well that's probably the end of your business too.

> There's nothing that says IRS won't prosecute you if someone buys you a soda and you don't declare it as income.

Isn't it simply paying back what you should have + interest? (with some threshold)

Paying taxes is already part of the cost of running a business too (and that's a pretty low cost for a startup, versus having an actual trained DPO).

> Or that you won't be prosecuted by someone in the US if your blog has a copyrighted image and you don't receive a DMCA request that was sent to you.

Which is exactly why you try not to put copyrighted images on your website. Most of the time PII isn't something you can just avoid for a business.

> All fines can be administratively and judicially appealed.

Any appeal represents a cost. A cost that you can't always support until the end.

At the end, it's all about the cost of the risk... that's it. GDPR seems a pretty high cost.


The IRS is probably the best US example of "proportionate punishments" and why people should not be overly afraid of GDPR.

The tax laws are vastly more complex than GDPR. The maximum penalties for tax fraud seem to be $250,000 + cost of prosecution + 5 years in jail.

If you make a small mistake on your taxes, and the IRS notices, you will probably receive a warning and have to repay it with interest. If you make a negligent mistake, you may be in addition be fined a small percentage, like 10-20%, of the amount you failed to declare. You have to conduct very large scale and intentional tax evasion for the maximum penalties to apply.

The IRS could argue for and try to apply the maximum penalties for a lemonade stand, but they don't. And people go on with their lives, put in their best effort to comply, and can be confident that they will be treated fairly.


nothing requires you to be let out of those cells. All those people in Guantanamo are going to die there.


[flagged]


You're right, laws in Europe are uncivilized, maybe that's why they have the highest rate of incarceration in the world.


[flagged]


I think you've got it backwards. GDPR is bringing civility back. I think it's great legislation that favors people's privacy over business profits made by invading that privacy. As a business owner myself, I'm glad something like GDPR came along. I think it better reflects the society I want to live in.


https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd. ?

The guy committed a "US crime" in Russia, where what he did was not illegal. He arrived on US soil, where he committed no crime.

He was still arrested and charged.


That’s one guy in one case (that was eventually dismissed). There are probably a few handfuls of other examples you can post here. It doesn't hold a candle to the millions of people and businesses liable under the GDPR who face a nasty framework of foreign laws with no limits on fines other than $10/20 million.


Go read the law again. Read what the friendly people are answering in this whole sub-thread started by you.


Many countries believe their law applies extraterritorially. The US Foreign Corrupt Practices Act applies to any company that does any business in the US. A German director of a Canadian company that pays a bribe to an Ethiopian government official can be prosecuted under the FCPA if they set foot in the US. Sweden will prosecute citizens, and I presume residents, who purchase the services of a sex worker abroad. I don’t believe Kim Dotcom ever set foot in the US before the New Zealand government arrested him on foot of a US extradition warrant.


Or, you know, just block European clients from your service if you don't agree to our laws?

It's not as if US laws didn't have any extraterritoriality.


It's not like if the US laws didn't have any extraterritoriality.

This is a disingenuous argument. The US has never passed a law that is this easy to violate outside of its own borders, is this ripe for abuse, and carries such enormous penalties and burdens for essentially everyone in the world that wants to operate a website. In fact, no country has ever done this before.

GDPR is different, and not in a good way.


> The US has never passed a law that is this easy to violate outside of its own borders, is this ripe for abuse, and carries such enormous penalties and burdens for essentially everyone in the world that wants to operate a website.

The US has clearly passed many laws that meet all those criteria but the last (and with much harsher, often criminal rather than merely financial, penalties), so unless you believe that operating a website is somehow a unique class of activity deserving special protection from extraterritorial application of laws, this is a pointless comparison.

And there's actually a number of US laws affecting website operators that arguably meet all three criteria, as other comments point out.


> The US has never passed a law that is this easy to violate outside of its own borders

The US has a law requiring US citizens living and working outside of the US to file taxes in the US. Not doing that is a crime. You'll probably argue that this is different, since it concerns American citizens, but it isn't different, because it's a US law that is very easy to violate outside of its borders.


Lol, the US has FATCA which makes it very difficult for fin-tech startups to work with americans. I'm an e-resident of Estonia, and almost all financial services state they cannot serve US clients.


*FATCA ;)


[flagged]


Except that FATCA's sole purpose was to raise money, and the US isn't even compliant itself. FATCA is a whole different ball game to GDPR, and I don't recall the complaints from Americans when EU institutions were forced to implement it. In addition, the costs for implementation of FATCA were huge. Most people are halfway there with GDPR compliance already, unless they're doing something they really shouldn't have been doing.

GDPR is not a money making mechanism but a way of forcing compliance. I think that's the difference that many US people don't seem to understand.

Also I was responding to the comment that the US has never done anything like this, which is completely false, US people tend to forget what it's like for the rest of the world.


Right, which is why my Canadian business doesn't have to follow COPPA /s https://en.wikipedia.org/wiki/Children%27s_Online_Privacy_Pr...


You make it sound like US laws don't extend outside the US. Many of them do.


Nope. Read the law and check on how many countries have extraterritorial reach in their laws...


There is actually an over-arching requirement for proportionality in all EU regulation: https://ukhumanrightsblog.com/2015/06/27/supreme-court-on-eu...


But that is in the eye of the beholder. With a maximum fine of $20 million, a country like Germany might say, for example, "Ok, small American company, yours was a minor violation. We'll only assess a $2 million fine - that's only 10% of the maximum! See how lenient and proportional we are? Danke und tschüss!"


You can litigate disproportionate fines, and there's a general requirement for proportionality in both EU law and under the ECHR.

Again, people are assuming that this is the first and only directive that has fines associated with it. It isn't. You don't hear a lot of people talking about the three month prison sentences possible for CE marking, for example - because very few of them have been handed out and only for egregious violations such as unsafe machinery that has caused injury.


You can litigate disproportionate fines

Who's to say that 10% of the maximum for a minor violation isn't proportionate? Also, most small businesses do not have the resources to hire competent counsel on the other side of the planet to litigate these things.


> Who's to say that 10% of the maximum for a minor violation isn't proportionate?

A large body of case law, well-defined guidelines for evaluating harms and mapping them to fines, and the EU's general fear of stymieing economically productive activity (the motivation behind GDPR is to enable more data trading, not less, but within better-defined legal boundaries).

We have had laws with "open ended" sentencing guidelines since the very beginning of organised society. This is a solved problem.


It's like people are only now discovering that they are in fact living in a well structured society.......


There are a lot of American libertarians that believe government is intrinsically bad, for some reason. And also a monolith; they don't see any difference between bits of government, different branches, different types of enforcement, and so on. They're very loath to admit that it takes a certain minimum amount of structure to keep the roads open and the lights on.


> to keep the roads open and the lights on

I'd cynically add:

> and to prevent people from killing and robbing each other each day

There's a reason we have Wikipedia articles like this one:

https://en.wikipedia.org/wiki/Highwayman


I do agree with the power of government to break the prisoner's dilemma regarding public works, but not that they have that much control over people's behavior.

The tendency of people to follow laws has shown little relation to blunt enforcement. It has to do with people's tendency to follow norms.

https://en.wikipedia.org/wiki/Group_cohesiveness


>we can trust EU regulators

I want to stress that this is a major point of political polarization in Europe at the moment. Even if this claim is true, it warrants a clear and articulated defense.


Also any Americans reading “we can trust X” will likely get a good laugh out of this.

It is irresponsible not to assume that if the law is written a certain way then at some point, the law can (and likely will) be enforced that way when it suits the government.


> It is irresponsible not to assume that if the law is written a certain way then at some point, the law can (and likely will) be enforced that way when it suits the government.

With the caveat that "the law" in this case isn't just the GDPR, it's the entirety of EU case law. GDPR exists in a particular legal context.


I get the impression I am misunderstanding EU law (not necessarily a surprise) when folks say things like "Civil law vs. Common Law" or "legal context."

If a law is on the books, it can be enforced in the EU, right? I understand there is precedent but precedent is not law, it's merely the common understanding of that law in that particular context. Precedent is overturned all the time (not to mention ignored when convenient), as it should be.

Is there a critical difference here that I am not understanding? Perhaps it has to do with the fact that the EU is not a state, but a high level guiding body for a number of states?


That is a fine analysis but I'm not sure what your question is. All laws exist in a legal context and analyzing them while being ignorant of that context is futile. That's all I was saying. I think almost all the people armchair-analyzing the GDPR in a hyperbolic manner would be equally useless at analyzing their own laws, in their own countries, for what it's worth. (someone in another comment said something contrasting the EU with places where laws are "not open to interpretation." Dear lord...)

That doesn't mean Jacques' analysis is not worthwhile, by the way. He is not ignorant of the legal context. Judging by the reaction to the article, this is going to be one of those situations where you can lead a horse to water but you can't make him drink.


I thought the article was well written, rational, and measured, and with the right leaning toward not capturing data to avoid worrying about the GDPR.

That said, I would've liked to see a bit more healthy skepticism about the ability of any sort of government or organization to avoid mis-using laws with a wide breadth when it suits them, especially if things slide toward tech-protectionism.


Agreed, for some reason people tend to forget that Austria, Italy, and the UK among others have explicitly said the opposite of this


I mean some of those are bad examples, like the UK's government isn't great w.r.t. privacy (Investigatory Powers Act). Shocker that they might disagree with EU regulators.

But fair enough, nobody should be trusted blindly. This is why we have appeals and legal avenues to create checks and balances. So in the context of this discussion, it's pointless. We don't have to trust them. If a fine looks disproportional, there are legal remedies. Up to the ECHR which is generally quite careful in its decisions.

If you don't trust the EU's legal system, that's a different problem. One that rings a bit hollow, and doesn't really further the GDPR discussion.


That is absurd and wrong. The law says the fine needs to be proportionate:

GDPR 83.1: Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.


Proportionate is in the eye of the beholder. As I stated in another response, an example might be that a low-level offense receives a fine of only 10% of the maximum - just $2 million. And apparently I don't need to worry, because I can just spend six figures hiring an attorney in a country I've never been to, who possibly speaks a language I don't, who will fight the case for me if the fine is out of line.

Sounds very workable.


The mandate of the regulator is to create compliance. Of course any institution can randomly decide to act outside of their mandate. If they would start to do so, the courts would rule them in. Same as anything. Doing business in the US, with its notion of punitive damages that are completely unconstrained by law, is a much larger risk.

On that token, have you actually at all looked into how "proportionate" is interpreted legally? After all this isn't new and there are a vast number of regulations using the same legal language. Yet somehow business in Europe has not stopped. So prima facie your concerns are absurd, you have not brought evidence that there is an issue (or anything at all unprecedented really) and I have to wonder what motivates you.

As others have said, if you have no interest in complying with laws that protect my privacy, then it's appropriate for you to not do business here.


> who possibly speaks a language I don't

I'm assuming you speak English. Do you really think there's any lawyer in the EU, competent to litigate EU law, who doesn't speak near-fluent English?

(Actually, if the lawyer is from continental Europe, and you only speak English, they do speak at least one language you don't, but I'm guessing that's not what you meant.)


It doesn't need to be written there. It has been written elsewhere, long ago.

All state action is subject to judicial review, where proportionality is a big factor.

It's an aspect of due process that is being reviewed and enforced by every court, up to the constitutional courts.

Example: the German criminal code threatens "up to five years" in prison for theft.

That does not mean that a first-time theft of a not-too-valuable object could get you five years. Impossible. But not written in the statute itself. But even if a court was mad enough to hand out such a sentence, the revision stage would be swift and without any uncertainty.

Actually, it's hard to conceive of a first-time theft-offender going to prison, instead of paying a fine or at least having the prison sentence suspended.


Isn't there wording that says the punishment is proportional with your transgression?


There is... Article 83.


> If you have a broad distrust of any government activity then I suppose any new laws with "fines up to €X" might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.


> I don't really see what's special about this law

The key change is the fairly explicit punishments and apparent intent to hand them out for non-compliance. A lot of older regulations get considered by companies but the issues relegated, officially or otherwise, to "yeah, we'll apologise and fix that when someone notices", which might not be a good way to manage risk after next Friday.

> ... might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.

Exactly. A lot of the unhelpful hysteria is being drummed up by consulting companies trying to sell their services to help others assess and/or manage their GDPR compliance: they are stoking the fears to improve sales.

The rest is coming from people who don't want to lose control of some of what they consider to be _their_ data. From a business perspective this is usually "I've collected it or paid for it, I should be able to keep it / sell it / use it, this is unfair, wa waa waaaaaa" and from a technical perspective many of us data people have flinch reactions to any idea of hard-delete or un-rollback-able update operations (they are not really impossible to roll back of course, anyone sensible is building considerations for backup retention policies into their procedures, but rolling back is less likely to be simple and can only be done during that retention window).


The consulting companies use exactly the same MO that Y2K consultants used. Cherry picking case studies and data sets to make executives think the sky is falling when in reality it's not all that hard to be compliant with GDPR and it really is comprehensible by an average person spending a day or 2 reading up on it.


Exactly that. Working as a data analyst for my agency's clients I had more work in making sure my clients do not panic after having other consultants claiming that the world will end and what not.

It is possible to comply with GDPR in most cases with not too much of an effort (I know some processual stuff is just boring and ugly, but doable).

It is possible to not have a cookie wall of horror, if you "just" want to do tracking (analytics) or first party onsite marketing.

It will get more complicated with personalized recommendations, profiling and stuff. I have to admit this - especially with third party vendors and such - will be a little bit more fun/challenging.


The amount of discretion and lack of clarity in the penalties is part of the problem. It opens you up to risk based on the whims of politics and the regulators and increases uncertainty. Laws should be clear, limited, and understandable - this is not.


I really don't know why people think that the authorities will (or even could) automatically punish each minor infraction with 4 % of global revenue or 20 million €. GDPR article 87 specifies in great detail when fines should be imposed and how their value should be calculated, and the Article 29 WP also has a guideline on that:

https://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889

It is therefore simply not possible for a data protection authority to impose arbitrary or ridiculously high fines as they would never hold up in court.


I'm starting to wonder if there's an active disinformation campaign about this somewhere. Are people getting their fears from Facebook again?

Edit: If there is such a thing I bet it's Cambridge Analytica/"SCL group" involved, since they made their money from large scale nonconsensual abuse of political personal data, and have an arm dedicated to swinging elections with misleading Facebook adverts.


There is probably a large number of consultants who make money out of getting "GDPR ready" etc. and in whose interest it is to maximize the fear.


I mean part of the issue is that I literally cannot answer the question "are we GDPR compliant?". The amount of time we've spent figuring out whether we need to sanitize apache logs has been ridiculous.

If you search for GDPR IP address you'll get 100 different opinions on what you need to do. That in my opinion is what makes this law ridiculous. How can companies be expected to comply with something this unclear? I'm sure I would have had your opinion before I was the person who is ultimately responsible if my answer to GDPR compliance is wrong.

Everyone having issues with this is somewhere in the line of fire for a wrong answer to any of these questions. Our concern over the fuzziness of this law is very valid, I don't like uncertainty personally.
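The question of what "sanitizing Apache logs" would actually mean in practice comes up in the comment above, so here is an added example (not code from the original thread or from anyone in it) of one common approach: truncating client addresses in Apache combined-format log lines so that a single host can no longer be picked out, while the coarse network part stays useful for abuse and traffic analysis. The truncation widths (IPv4 to a /24, IPv6 to a /48) and the sample log lines are assumptions and constructed inputs, not anything from the thread.

```python
import ipaddress
import re

# Assumed truncation widths (not from the thread): keep the network part,
# zero the host part. /24 for IPv4 and /48 for IPv6 are a common choice, but
# pick widths that match your own risk assessment and documented plan.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48

# Apache "combined" format: the client address is the first whitespace-delimited
# field; everything after it is kept verbatim. Other formats (e.g. ones logging
# X-Forwarded-For) put addresses elsewhere and need their own handling.
_CLIENT_FIELD = re.compile(r"^(\S+)(\s.*)$", re.DOTALL)


def anonymize_ip(addr: str) -> str:
    """Zero the host bits of an IPv4/IPv6 address.

    Tokens that are not IP literals ('-' or a resolved hostname when
    HostnameLookups is on) are returned unchanged; a hostname is still
    personal data, so treat that case separately rather than assuming
    this function covered it.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    # strict=False lets ip_network zero the host bits instead of raising.
    network = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line: str) -> str:
    """Rewrite the client-address field of one combined-format log line."""
    match = _CLIENT_FIELD.match(line)
    if not match:
        return line  # not a recognisable log line; pass through unchanged
    return anonymize_ip(match.group(1)) + match.group(2)


def anonymize_log(lines):
    """Apply anonymize_log_line to every line and return the result as a list."""
    return [anonymize_log_line(line) for line in lines]


# Constructed sample input using RFC 5737 / RFC 3849 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.42 - - [10/May/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '2001:db8:85a3::8a2e:370:7334 - - [10/May/2018:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 "https://example.com/" "curl/7.58.0"',
    'host.example - - [10/May/2018:13:55:38 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "-"',
]


if __name__ == "__main__":
    # Usable as a filter: anonymize_access_log.py < access.log > access.anon.log
    import sys

    for raw_line in sys.stdin:
        sys.stdout.write(anonymize_log_line(raw_line))
```

Run as a filter over an existing access log, or feed it from a piped CustomLog so the full address never reaches disk in the first place. Note what it does not do: it leaves hostnames untouched, it does not look inside the request, referer or user-agent fields, and truncation is not the same as deletion, so your retention policy still applies to the output.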


Regulators want to see that you thought about the issue and formulated a plan.

If they ultimately disagree with your judgments, they will tell you, and you'll have plenty of time to get a common understanding.

They will certainly not fine you just because you made an honest mistake.

They will maybe fine you if all you have to show is "I didn't want to find a plausible way myself, nobody spoon-fed me, it's not my fault".


When all else fails, just make something up. In the unlikely event anyone asks, just tell them you have no logs with their IP address. What are they going to do, check themselves?


Because those people tend to come from a country which doesn't have laws open to interpretation and thus mark people who drunkenly pee on a fence with the same sex offender tag as child molesters. If your country functions in a way where laws can't be interpreted according to context it's hard to think of a different system.


Which is an indictment of the laws, but not necessarily the system.


But they are different systems. For example contracts in the EU tend to be way shorter, as long as you get the gist. Contracts in the US are painfully long, listing things out explicitly, etc.

This is exactly what rules-based regulation (US) and principles-based (EU) regulation means, and why the GDPR is written the way it is.


Because they don't know anything about EU authorities and have no reason to trust that they have the interests of US small businesses at heart? To them, this could potentially be a money grab with no pain to their constituents. It's already playing out to some extent with their new tech taxes.


In an ideal world, yes. But that leads you down a Kafkaesque hole of bureaucracy - at some point you have to stop adding detail and leave things open to interpretation. There are plenty of laws out there with fines "up to €X" and, from my limited experience, I don't think the GDPR is especially ambiguous compared to others.


Well, lots of ends open to interpretation, and $20 mln fine - so obviously nothing to care about! Hysteria!


Maximum possible fine for repeated worst possible violation after ignoring previous attempts at regulation and not making changes after previous smaller fines.

It's not a minimum.


I think this is a common misinterpretation though because of the language - that the maximum fine is actually the minimum, because the figures that are talked about are "€20m or 4% of global turnover, whichever is the greatest." It's the emphasis on "the greatest" that has an undercurrent of "we're going to fine you the maximum of these two numbers."


I'm not sure what you mean by "actually the minimum". They will fine you the maximum of those two numbers, at most, if you flagrantly disregard the law.


Yeah, this is the confusion - it's difficult to write it out in a way that isn't ambiguous! I think the fact that there are two numbers, the higher of which is the maximum fine, may imply to some people that the lower figure is the minimum - i.e. if 4% of your global turnover is €100m then €20m is the minimum - but of course there in fact isn't a minimum. It might have helped comprehension if there had been an arbitrary minimum figure - say €100 - to anchor the discussions.


The problem with that is that it would introduce a minimum fine, where currently there doesn't need to be a fine at all (if you coöperate).


Ah, I see what you mean now. That's not how I understood it, but some people might.


>Maximum possible fine for repeated worst possible violation after ignoring previous attempts at regulation and not making changes after previous smaller fines.

Nothing in the GDPR states this. It's obviously the intent, but ultimately it's left up to the bon vouloir of EU regulators.

It is perfectly legal under the GDPR to make an example out of you by levying the maximum fine for a first offense, and without warning.


>It is perfectly legal under the GDPR to make an example out of you by levying the maximum fine for a first offense, and without warning.

No it isn't. Read Article 83.

https://gdpr-info.eu/art-83-gdpr/


Neither Article 83 or 29 impose any actual limits. They say that those imposing fines should take some things into consideration. After which they can impose a multimillion-dollar fine.


Kinda common in continental European law... Nothing new, nothing to be scared of.



It takes time, and real money to be compliant, and getting slow on this quite plausibly can make one a repeat offender. You can, of course, say "don't be slow then", however, when for an out-of-EU entity (be it biz, or NGO) simple math doesn't show it is worth the effort, then it makes perfect sense to stop offering services to the EU. Which is a side effect of the legislation. OP apparently understands it puts GDPR in a bad light, so he talks about "overreaction" in every related topic, and this post likely comes as the response to the latest one.


But merely being a repeat offender isn't enough to trigger the maximum fine.

You'd have to be a consistent repeat offender, with no effort made at remediation, with no cooperation with the regulator, and probably handling sensitive or financial data.

Here's a list of recent actions taken. I think the current maximum fine is £500,000. Have a look through a few of these hopefully it's somewhat reassuring.

https://ico.org.uk/action-weve-taken/enforcement/


Note that this is the UK agency, you might see different behaviors if you scanned the Belgian regulator's enforcement list.


Sure, but the people spreading FUD about this are not referencing anything at all.


> It takes time, and real money to be compliant, and getting slow on this quite plausibly can make one a repeat offender.

When I read things like this I realize how many companies are not treating user data as they should. Protecting user data should already be built into the company software and process.

Given FB revelations and additional scrutiny to Google, I see some form of this law coming to the US.


As a user I suppose they should do whatever satisfies me, and I don't always need a bunch of populists from the EU parliament, who can't write a clear text, to run to save me, making the field even more favorable for big corpos at the expense of SMEs and small non-profits in the course of action.

>Given FB revelations and additional scrutiny to Google, I see some form of this law coming to the US.

That would be good news for the EU, of course. Even before GDPR, entrepreneurs were routinely advised to incorporate in the US instead, and the legislation likely added incentives for that.


Yes. We've had PECR for years. If companies are surprised by GDPR they're probably already violating PECR.

But, despite this widespread non-compliance and fierce fines available to the regulators the sky hasn't fallen. Why do people think GDPR is suddenly going to make things so much worse?


The OP reacts to news of businesses stopping serving EU, and those businesses are from outside of the Union. So PECR is not so relevant.

>despite this widespread non-compliance and fierce fines available to the regulators the sky hasn't fallen

Don't you really see how absolutely wrong this is? When law is composed in a way which makes it in practice only selectively applicable, it leads to erosion of justice, and invites corruption.


The whole world has had TWO YEARS to be compliant. "It takes time" is not an excuse.


I didn't see the text TWO YEARS ago. Did you?


General law applies as well. There's lots of case law on the size of fines.

Which means in practice that if x other people have been fined around y for an offense similar to yours, your fine has to be in the vicinity of y. Ditto if x people have been fined more for larger offenses or less for smaller. This kind of assessment is routine. General. It's not something that needs to be written into each and every law.


Also, minimal level of $10 mln doesn't look nicer unless you are a big corpo.


The law says that the fines should be "effective, proportionate and dissuasive". That gives companies ample room to challenge a fine that is way out of proportion to the damages caused to their users.


You say this as though "challenging a fine" were trivial.

After countless months spent in a courtroom and tens of thousands of Euros in legal fees, even if you win, you lose.


If you are fined 10k-100k you have the typical problem of whether it is worth fighting.

But you are supporting the argument that you could be illegally (according to article 83) fined 4 million euros as a first offence because a regulator wants to be disproportionate and set an example with your small company and then have costs of 10-100k to throw out an obvious case, but it wouldn't be worth it?


It's worth it but it bankrupts you.

No customers, no investors, and all your cash gone before your appeal is heard.

Block all EU traffic. Just cut the transatlantic cables.


I don't think there's a need to cut the transatlantic cables, but if a company doesn't want to take proper care of user data then it's perfectly reasonable that they stay away from that market and let other companies have that business.


Maybe you should list all of the possible cases that could be initiated against you as a business owner in the US and which ones you can and can't guard against before you worry about that cable.


If the penalties were exact and written into the law then companies could simply make more from your privacy data than the fine they would have to pay. That would have the opposite effect of the law. Adding a clause that the fine is discretionary gives the enforcer the ability to adapt to this sort of behavior.


> based on the whims of politics and the regulators

Political whims? Maybe in the USA judges and prosecutors and police chiefs are elected every few years and these things are political and can change, but this isn't the case in many EU countries.


That Varonis link gets posted quite a bit, but it drastically over simplifies things and even tries to poke fun at some aspects of the legislation. The ICO site is a much better read for this.


Fair point - my intent was to point out that some sources are less intimidating than others. If all you read was the Varonis link you'd be in trouble, but if someone's the kind of person who thinks that they can read one blog post and understand the GDPR I'm not sure they're the kind of person that can be helped anyway...


I would even go as far as saying that that article is straight up wrong/misinterpreting at least some of the articles.

I randomly checked Article 14, as I am wondering how I am expected to communicate to users that I don't collect any PII([0]), and it turns out Article 14 is not about

"You need to tell people what you’re doing even if you’re not collecting personal data."

but about

"Information to be provided where personal data have not been obtained from the data subject" = "You have collected personal data about the data subject, just not directly from them, but via some other source"

[0]: Even though I'm not sure if that's even easily possible for any company that has a website, now that IPs can fall under PII.


Pardon me but, what does ICO site mean in this context?


Information Commissioner's Office: https://ico.org.uk/about-the-ico/


The link to ico.org.uk in the comment above.


The Information Commissioner's Office site, as linked in the grandparent post.


I am concerned that the effect of this legislation on the private individual is the opposite of the stated intention.

People are being forced to sign agreements which jeopardise the natural rights to their data which they would otherwise have.

One example: a friend who has a very pretty daughter was asked by her school to give them the right to film her and to use any and all such recordings as they see fit for 50 years even after she leaves the school.

This feels very wrong on just about all the conceivable levels.


I am not sure where you are, but this is usually standard. You can’t film someone at a place where there’s some expected form of privacy and use that footage publicly.

Talking about GDPR, the fact they had to ask is proof it works. It’s an opt in. Your friend now has the option to say yes if they want to share it, but the default is no.

There are also provisions for withdrawing consent after giving it. The agreement can’t go above that law.


What? It's the opposite, it allows you to access and delete the data, even if you gave consent one time. And your image is covered by a lot of other old laws; even if you sell it you can get it back later.


I have difficulty in understanding your language and in following your logic. Surely, signing away the rights to your records for over 50 years can not be better for you than not signing them?


GDPR states, that even if you give consent now you can withdraw this consent anytime. So even if OP consents now and in one year decides he/she doesn't want the daughter's videos being used anymore he/she can do this and the school needs to honor that (or else: big fines).

So GDPR helps you in maintaining control over your data as you see fit.


This law has nothing to do with signing away the rights of your image to be used for publicity, though. GDPR does not come into play at all in the scenario with your friend’s daughter; the school is likely abusing laws in their request and should be investigated, but those laws aren’t related to GDPR and the existence of GDPR does not somehow cause the daughter’s position to be weaker here.


I'm skeptical this is genuinely because of GDPR.

Consent could be withdrawn before or after GDPR. My guess is that the school have realised they're at risk of having to reprint all their promotional materials if consent is withdrawn.

So they need a contract, a model release. They needed that before GDPR. If you don't like the terms, don't sign it.


Under the GPDR, you can't "sign away" your rights. You always have the right to cancel any "contract"/"agreement" like that.


.. but not having the opportunity to say no to the form and the data being taken anyway is worse?


English may not be my mother tongue but I can logically follow an argument. Your friend's daughter was not obligated to sign such a contract and GDPR reinforces previous laws protecting her image ;)


How is this relevant to GDPR?


Art.7(3): "The data subject shall have the right to withdraw his or her consent at any time."

https://gdpr-info.eu/art-7-gdpr/


The only thing which would make that outrageous would be an element of force (which would make it not consent anyway, but I digress). Instead, you're giving an example that explicitly allows for a denial. That's exactly as it always should have been, so I really don't understand what the point is that you're trying to make here.


The point is simply that the school is now at risk of huge fines, so in turn it puts pressure on parents to sign as strong as possible waivers. Not many people here seem to understand it but that is what is happening.

The force is of purely psychological nature, of course: "surely, you don't want to cause problems to your school?"


What richmarr said. If a contract is in place, then the terms of contract would take precedence over GDPR as "legitimate interest". In other words, zero change before or after GDPR. If the school is trying to get free modelling out of the kids with tick boxes, they risk the consequences, GDPR or otherwise.


Under the GDPR, consent must be revokable, at any time, and as easy to withdraw consent as to give it. So you could sign that. Then 5 minutes later withdraw consent.

Additionally consent must be "freely given". If you would be punished (e.g. expelled from school) then you haven't given consent, so they can't use it.


"freely given" is not a very clear concept in these circumstances. Parents do not want to antagonise the school and/or put their child at some kind of disadvantage, so they sign. Is that still "freely given"? It looks like GDPR is being used (as an excuse?) to make parents sign things which otherwise they might not. I hear you say that that is not the problem of GDPR and you can withdraw your consent later but how many will know that or remember to do so?

From the above "school might have to reprint all its publicity materials if consent is withdrawn" it is clear that this would be viewed as being antagonistic towards the school and its interests.


> Parents do not want to antagonise the school and/or put their child at some kind of disadvantage, so they sign. Is that still "freely given"?

That's a good point, and there might be a court case about that. I agree that the parent probably doesn't have enough free choice. If the law was to say "That isn't freely given", then the school doesn't have consent, so they can't use the images! That's the beauty of it. It's a different legal viewpoint than "signed contract uber alles". DPA should look at if you had real consent.

> it is clear that this would be viewed as being antagonistic towards the school and its interests.

Good? The whole point of the GDPR & EU data protection law is to push the pendulum the other way, because it's gone too far. If someone can come up and force them to reprint everything, and then someone else force them to reprint everything, well maybe they should collect less personal data? If they didn't collect personal data, they wouldn't have this risk. EU law is trying to discourage massive data collection.


Is that a GDPR issue, or a copyright/"release" issue?

(note that privacy and GDPR issues apply differently for children)

> natural rights to their data which they would otherwise have

This is not a thing. Data has traditionally "belonged" to the entity doing the recording of the data.


That's a US-ism. Somewhere between many and most countries have a "natural rights" concept that considers certain creator/subject rights to be inalienable and neither belonging to recorders or permanently assignable to them.


Well, I don't know. I am asking. She is a minor under orders of the school, so she is in no position to refuse being filmed, anywhere in the school, showers, toilets, anything.

Suppose she in later life becomes a Hollywood star and her school starts selling these recordings of her on the internet because, after all, her father has given them a permission to do this for fifty years ahead?


"she is in no position to refuse being filmed, anywhere in the school, showers, toilets, anything."

This actually made me chuckle a little. I genuinely have no idea if you're joking here because this sentence is ridiculous.


You could just ... not sign the permission form?

(Which EU country is this btw?)


> I've probably spent a total of three to four days reading around the GDPR and I don't really see what's special about this law other than it's imposing decent standards on what was in effect a wildly unregulated industry in people's personal data

We are still waiting for the first court battles that will help determine how GDPR is actually enforced in practice. Until then being in compliance with GDPR is gonna be like herding invisible cats, and it's likely well intentioned people will get burned and OP ends up with major egg on his face within a year's time. I want to drink the EU koolaid as much as the next person, but that's just naive.


> We are still waiting for the first court battles that will help determine how GDPR is actually enforced in practice.

I'm wondering if this is yet another point where cultural differences are muddling the discussion. In particular, the difference between common law systems (like the USA) and civil law systems (like nearly all of the EU).


This is a major difference indeed.

In civil law systems, the judge's interpretation matters much less than in common law systems. Mainly because everything is already codified into law.


Reminder: you have to legally comply with every letter of the GDPR, not just the TLDR version. Saying "but we implemented the TLDR version" is not a legal defence.


Saying "we got the major stuff right, missed some of the details, sorry about that" will keep the fine small. And... de minimis non curat lex.


This concern applies to all laws though. Not murdering people doesn't require you to spend ages examining the exact text of a statutory definition of murder. The tl;dr version is enough for me to grasp that kicking somebody in the head until they stop breathing isn't allowed.


> people's personal data.

I remember back in the day there was no such concept on the internet. Your identity didn't translate to anything in the real world. At some point people started to treat it as 'real world but on the computer' instead of thinking about it in a totally, radically new way about 'self'/'identity' etc. People thought of their internet profiles as their own self. The Internet age was killed even before it started. The endless promise of the internet to free human beings was thwarted by paranoia, censorship, laws etc.
