Out of an 88 page law, 1% of an auxiliary middle of the law is carved out for small companies.
I'm not sure that counts as differential application for small companies. In the US at least, large portions of entire key burdensome laws don't apply for employers below size 50, 10, 5, etc. This does not seem to be the case here.
Does anyone know whether an official impact study on innovation was even done before its passage?
The law may be good as a whole but be overly burdensome for small companies. You should at least acknowledge that instead of just dismissing that outright.
At least my reading of the GDRP is that it tries very hard not be a big burden. If you are a small company or organisation and you collect a minimal amount of information (for example to contact them) there is not a lot you have to do.
The main thing is, you are not allowed to be sloppy. If you collect personal data, you have to think about whether you should collect it at all, where to store it, process it, and when to delete it. And you have to tell people that before you ask them for personal data.
Nothing like, we just collect a bunch of data, give copies to everybody, and have no idea what we collected. That attitude no longer works.
If you set up food regulations, are you going to exempt restaurants with only one cook? Or have aviation regulations that do not apply to airlines with only one pilot?
Given that the entire GDRP is less then a hundred pages, you can easily read it in one evening and get an idea of what you can do, have to do, and what the corner cases are that you may need to discuss with a lawyer.
But restaurants with only one cook can't afford a $300/h lawyer to tell them how to keep their shit hygienic!
If it turns out that you are in breach, they will write to you with information about what you're doign wrong and how to fix it.
In the EU we don't rely on lawyers for a fraction of the stuff you do in the US.
So if it's "innovative" a small 5-person startup should be able to wreak havoc to my personal data in whatever way they see fit? What is that nonsense. Are you seriously suggesting that "innovation" in startups should be more important than my privacy?
No matter what the ultimate decision is, no matter how sensitive the subject matter, impact studies are critical to making smart decisions.
I think you're justifying a really extreme reaction based on the worst behavior of a few companies. GDPR doesn't just go after data-resellers. It targets how a well-intended company can use and keep your data even with no third party involved.
Laws that mess up the good-guys lives are bad laws. GDPR is from the same folks who thought a law that lead to pestering users about cookies was a good idea.
Also I like the cookie idea. If only people really cared about misuse of their data they'd like it too. We've seen how good 3rd party cookies have been for some democracies.
>All well intentioned gun enthusiasts should support it.
Really black/white argument there which the issue is not. And nor is this topic. There should be more nuance in GDPR, but there isn't which creates a lot of discomfort.
>It's not stopping any well intended company from fairly using data.
It actually is, but whether or not that is an overall good thing is yet to be seen. Certainly, they did some level of testing before proceeding.
I might say yes but I still want an impact study.
I prefer governing bodies operate with an awareness of how their actions affect society.
No, and it is dishonest of you to suggest that was claimed.
> impact studies are critical to making smart decisions.
Which were done as was consulting with industry etc. well before the law was passed two years ago.