
As a developer I can understand this point of view, but as a consumer I say it's time to grow up. Internet startups have taken a "move fast and break things" approach that is analogous to early industrial revolution approaches to worker safety, product efficacy and safety, and environmental protection.

You're working in the real world, with real consequences if you end up exposing people's personal data. The party is ending. Either deal with it, or find something else to do.



I feel that you're ignoring the situation of small startups with just a few founders. At this stage, it can really kill your business to spend a lot of your resources on making sure you're complying with GDPR. Usually the 'consumer' of those startups are OK to take some risk, heck a lot might even sign up with dummy emails.

The Poland proposal [1] to limit GDPR compliance to only large businesses was trying to address that. But it's flawed, because a small company (Cambridge Analytica) could still do a lot of damage to users' privacy... but the intent of Poland was good.

I feel there should be an opt-out based on the number of users and the age of the company/service: If you can easily prove that you're not handling more than X users and your company is less than 2 years old, then GDPR does not apply yet, as long as you warn clearly on your website that you're not-yet-falling-under-GDPR. If you're still in the GDPR-waiver zone but believe you are GDPR compliant, then you can remove the warning and are subject to GDPR like every other company.

That way entrepreneurs won't be scared to try some MVP here and there. I'm especially thinking of those trying to start a startup in countries that are part of the E.U. The rest of the world's entrepreneurs can just focus on their local userbase.

[1] https://iapp.org/news/a/polands-proposed-gdpr-exemptions-spa...


It's like a small car maker saying that it can't be expected of them to comply with basic road safety regulations.

"We are a startup on a shoestring budget, we can't put safety belts in our cars!!!"

The cost of being in the car business is to build safe cars. The cost of being in the webservice business is to protect userdata.

If you can't, you are not good enough to be allowed on the market.

If you disagree, should the US also stop prosecuting VW for the diesel cheating?


For what it's worth, I'd argue the same should be permitted of a small car maker. If I want to go build my own cars, step 1 should be putting a motor on a chassis and being able to drive forward. Step 1 shouldn't be adding airbags and seat belts to a couple axles.

The safest car is one that can't drive, and the most privacy-friendly software will fail to compile. You should be able to build a functional car before you need to worry about making it as safe as possible, and similarly you should be able to build a functional MVP of your software before you need to worry about compliance with a huge international policy.


Like most car analogies this one has a fatal flaw.

Before you are permitted to use your DIY car you need to comply with safety regulations to avoid harming others. You can keep your unsafe car off the street in your garage, though. Same for software that is not compliant; you just don't get to call it a "product" and let it loose on the public.


You can build a functional car, but you can't put it on the road. You can build a functional MVP, but you can't make it available as SaaS to users.

You can drive your unsafe car on the track, and your negligent MVP on your customers' own hardware as in-house software.


Going along with that, it's also like 3D-printed house startups not complying with fire safety regulations in the name of "oh no, it's too expensive, let's just not deal with that". Actually, thinking about it, such startups would probably start somewhere where regulations are laxer, make money there, then invest in security, and finally expand to western countries where they are subject to massive regulations. I don't want unsafe houses, I don't want unsafe cars, and I don't want unsafe websites. Some other countries don't mind about that. To each their own, what's so ridiculous about that?

Great point about VW btw, I forgot about that!


I disagree with the analogy. Trying to use the same analogy: If I were a one person entrepreneur trying an MVP, I would be building a bicycle, not a car. And what I suggest is have the right to put a sticker on the bicycle: "Warning, this is not compliant with the car regulations" to make sure people don't have false expectations. (Because I agree that in the real world, only a fool wouldn't be able to differentiate between a car and a bicycle, but for web services, this isn't an easy task)

A one-person entrepreneur might not consider him/herself to be "being in the webservice business". Instead he/she would consider being in the business of [whatever problem the MVP is trying to solve]. It just happens that in the 21st century, most innovation happens online.

Back to your car analogy, it seems that people on one side argue that all companies "being in the webservice business" are 'car makers'. Some people on the other side of the argument might say it's not.

Also, ultimately, it's possible that after spending a lot of time and hours examining the legal requirements of GDPR, a startup realizes it's not technically hard to comply, but the issue here isn't implementing the requirements, it's more about getting all the legal analysis, certification, handling customers requests, etc.

> If you disagree, should the US also stop prosecuting VW for the diesel cheating?

In that case, VW has clearly been in the car business for much more than 2 years, and in my example "X users", a good value for X would be something orders of magnitude less than the number of VW customers around the globe. So no, the US would continue prosecuting VW.


Well it's funny because Uber, a company that actually does seem to have financial resources, is allowed to run their apparently unsafe cars on the streets of some US states.


To be fair though, Uber also has thousands and thousands of unsafely driven cars on the road that we have no problem with; humans are bad at controlling heavy rolling fast motorised steel boxes.


Uber seems to be worse than humans thus far. Orders of magnitude fewer miles than average before killing anyone, covering up red light running, misleading videos. A human driver like Uber would've ideally lost their license and faced legal penalties by now.


I feel like starting from scratch GDPR really isn't that hard to handle.

If your business is based around exploiting user data however it might be a lot harder, but then that's the point of GDPR, to prevent people exploiting user data.

GDPR exists because it turns out we can't trust companies to handle personal data with the care it deserves, and I don't see why any company should be excused that proper care.


>I feel that you're ignoring the situation of small startups with just a few founders

Isn't that the equivalent of starting a new car company and arguing that you shouldn't be required to follow the same safety standard as Volkswagen Group, because you're still a small company?

At its core the GDPR is simply stating that you're accountable for the data you collect and that you're only allowed to use the data for the purpose it was originally collected for. Building privacy into your product is much easier for someone designing something from scratch, compared to retrofitting it into the business plans of Facebook and Google.

I get the feeling that most of the people arguing against the GDPR are people who are focused solely on collecting user data as a core business. The people I know who are building actual products, where people pay for a service, are doing fine. Even though they have to build products in a manner I suggested five years ago, where user data is either not collected or deleted when processing is completed.


> You're working in the real world, with real consequences if you end up exposing people's personal data. The party is ending. Either deal with it, or find something else to do.

They are dealing with it... by limiting their liability.


They are avoiding it. Essentially they are voting themselves off the island to avoid having to play nice with the other inhabitants.


They're already on the one big island... they've just decided not to worry about the other big island across the sea yet because the one they're on is big enough for the time being.


I think I'd use the term 'putting it off for later'. Almost like technical debt. I'd probably look more seriously at GDPR compliance at about the same time I start working on internationalization and localization.

These are things I can put off until later, I don't need them to validate my startup concept. If the startup is successful, it might make sense to expand the market.


Companies can choose with whom and where they want to do business. The entire world is not entitled to everything Silicon Valley makes.


Considering Facebook even actively tracks non-users, where's the "users" choice of not participating in that glorious Silicon Valley invention?

As far as I can tell, the "user" doesn't have a whole lot of choice there and Facebook isn't the only company doing that kind of aggregated data collection.


Facebook is based in Ireland ostensibly for tax reasons.

I see them as a very poor example of good things coming out of Silicon Valley...


I'd agree with that if Facebook would be that single outlier nobody wants to emulate.

But Silicon Valley isn't a monolith where everybody is on the same page about everything, I have no doubt there's plenty of people in SC who consider FB a success-model to be followed into a shining future.


Is anyone denying that they have that right?


I mean... there's plenty of other islands where they can still make money, so why should they even bother?


...the other inhabitants who insist on maintaining control over the coconuts.

If “fighting over coconuts” is not on their list of things they wish to do, it’s not a completely absurd choice.


That might be a great point if most of the costs of compliance actually did much good for data subjects.


[flagged]


Insults?


Yeah but what they actually do is removing themselves from the marketplace. If I were looking for a startup, I would check for someone banning EU users, with a prospective idea, and copy what they have done, but GDPR oriented, and voila, I am first on the market, slowly taking over the original site's business in the EU and later the world. The EU is a huge marketplace and you really need to be extremely short-minded to avoid it due to some stupid legislation, not to mention that as a US citizen I would abandon any site not going for GDPR compliance as they are saying to me, between the lines, "we are bastardising my data". Like seeing a laser pointer on your forehead.


Will that work if a noncompliant company is offering its service for FREE* by funding everything by selling data and you have to charge/use less valuable static ads? Just having a larger market doesn't automatically make your product more successful, especially when that larger market needs more mundane localization efforts that the average startup probably won't invest in for a couple of years, GDPR or not.

Plus, blatantly ignoring regulation is cheaper in the short term, and if you successfully leverage that advantage into revenue then you can start throwing money at the problem once the regulators finally do get around to prosecuting you.

Worked for Uber.


For my money, it hasn't worked for Uber until they start generating bucket-loads of cash.

I do agree with your overall point though.


People already copy successful startups for international markets all the time, it's just the nature of the business.


Only if your audience doesn't give a fuck about originality and community. You can't copy those. Even people in the EU care about who's fake and who's real.


I agree that exposing personal data is serious, and companies should be held responsible if they violate the terms of their privacy policy. I think companies should follow the law of the land.

The thing about GDPR that I disagree with is how it aims to have global jurisdiction. If it was a US law (as a US-based developer), perhaps I'd protest it, but I'd still follow it if I wanted to work in software.


But just because it requires changes affecting companies outside of the EU, that doesn't make the jurisdiction global. It's the same as with any other product that you are selling: if you want to sell it in the EU, it has to satisfy the EU's rules, irrespective of where it's being assembled / produced.

So if you "sell" to EU residents, follow EU's rules.


> So if you "sell" to EU residents, follow EU's rules.

Surely this will just result in the development of the reseller model?

As long as the reseller doesn't collect data, they're protected and as long as the US company doesn't maintain a presence or ideally market to the EU, they're untouchable due to the lack of any EU-US enforcement agreement for the GDPR.


Part of the length/complexity of the GDPR text is to deal with "cool hacks" like this to avoid having to spend money on IT security or to respect user preferences.


I think that's fair, but I don't think it's necessarily fair to put the responsibility on foreign websites to do the blocking and vetting. If the EU wanted to block websites that aren't compliant, that would make more sense IMO.


But you're not the only consumer, and your dollar is your biggest voice. Other consumers may be voicing a different concept of maturity than yours.



