
You don't have to get it all right on the first try. If you get something wrong, the regulatory body will contact you (via letter or email) and tell you what they feel like is not correct (that is the official guidance on how to handle GDPR violations).

As long as you do your best to implement the GDPR and interact with the regulatory agency in a friendly and helpful manner then there won't be much need for a lawyer (but do consider that the GDPR being written as it is is also the result of being written in the EU where law is written a bit differently)




Your comment sounds so Orwellian I can’t help but cringe.


I’m increasingly convinced that a majority of people who use the term “Orwellian” haven’t actually read Orwell’s books.


I find the use of "Orwellian" rather ironic in this context.

I run a company based in the UK, but I myself am American and most of my business experience is in the US. Despite that, I honestly have had no issues adapting to the GDPR. Considering that the business I operate has systems specifically designed to store as much data on people as possible, I find it absurd other businesses are unable to handle user/client data responsibly.

That said, I cared about privacy BEFORE GDPR and intended to act responsibly regardless of regulation.


It's not orwellian to be friendly towards authority, especially when you're a business and it's about the privacy of the users, protecting the very data that orwellian governments seek to collect and abuse.

Otherwise, I would love to hear which part of my comment was orwellian in nature?


I'd guess he's referring to your (likely correct) implication that the regulators will give more weight to your "friendly and helpful" behavior than to how the text of the law applies to the facts of your case.

The concept of the rule of law was invented primarily in countries that now belong to the EU. Is there no one left there who still thinks it's important? It's not even that people argue "the GDPR couldn't be less vague without loopholes, and this is important enough that it's worth the cost". The idea that a powerful human's best attempt to objectively apply stable, published rules is generally better than a powerful human's unrestrained discretion just seems foreign to most commenters here.

If you ran an organization publicly associated with George Soros in Hungary (whose prime minister has described him as an "enemy of the state"), then would you still feel good relying on your friendly relationship with the government? What steps would you take to comply with the GDPR as it's currently written, if you couldn't rely on the goodwill of the people interpreting it? With a sufficiently corrupt government, there's nothing you can do; but the point where a judge will accept an obvious lie tends to come long after the point where a regulator lets politics disambiguate a vague standard.


The GDPR is a regulation and not a law, thusly the implications are different.

If you produce a device that accidentally violates FCC guidelines, would you rather be immediately punished to the extent of the regulation or rather work with the FCC to rectify the issue and how to fix it for affected customers?

The other reason is that yes the GDPR is vague. It must be because in the past corporations have abused loopholes and the only way to prevent people abusing loopholes without punishing people who don't abuse them is to make it vague and then decide on their behaviour.

And again, these are corporations, legal persons. They don't even have the remotely same rights as a natural person.


At least in the USA, a regulation has the force of law. To say "regulation" instead of "law" just means the rule gets its legal power indirectly from some statute (which probably also limits the scope of the rules), instead of directly from the legislative process. I'd thought the EU was similar. Is it not?

If I ship a device that fails to comply with FCC rules, then I would prefer that the maximum penalty provided by law is also a fair and reasonable one. I understand that most regulated fields are complex enough that if we don't give regulators some discretion, then the law will be filled with loopholes and impossibly complex; but I would like to give them the minimum discretion they need to do their job. I think the GDPR fails that test spectacularly. Do you really think they need the statutory authority to fine someone 20M EUR for their semi-commercial side project that made $1k lifetime total? If not, then why give it to them?

The GDPR applies to natural persons too. Imagine if it didn't! Facebook could just contract all the creepy stuff to a sole proprietorship operated by Mark Zuckerberg...

ETA: From https://ec.europa.eu/info/law/law-making-process/types-eu-la...

> Regulations are legal acts that apply automatically and uniformly to all EU countries as soon as they enter into force, without needing to be transposed into national law. They are binding in their entirety on all EU countries.

So not quite the same as the US, though maybe some analogy in that the regulation is still "secondary law", subordinate to the EU treaty? But I don't see how you can describe a set of rules "binding in its entirety" as anything but law.


To my understanding the EU handles it differently. Regulation as opposed to law is supposed to be enforced in a guiding manner, recognizing that sometimes you accidentally don't comply or there is otherwise a differing implementation. You can somewhat also see that in how the EU ramps up regulation in case nobody is playing ball.

Stage 1 is when they want to fix it and they express wishes that the industry changes their ways. Stage 2 is the cookie law and Smartphone USB charging. A very vague regulation or law is implemented as a sort of warning for the industry to better go and fix it. Stage 3 is nuclear; GDPR.

The smartphone industry is as mentioned at Stage 2. The EU expressed wishes to reduce the charger garbage, nobody did anything, so they simply put out a regulation that almost literally just says "all smartphones need one common charger". Largely this has been microUSB but vendors are switching to microUSB.

The regulations are to my knowledge and experience also employed and enforced in a similar manner; first you get a nice letter informing you that your website is in violation of X. Ignore that or get aggressive towards the regulatory body and you get a less nicely worded letter with a threat of a fine. Continue that path and you get a fine.

The ultimate goal is that everyone should be compliant but it's okay to be occasionally not as long as you are willing to be helpful and fix it immediately.

>Do you really think they need the statutory authority to fine someone 20M EUR for their semi-commercial side project that made $1k lifetime total? If not, then why give it to them?

They don't; you have a legal right to a proportional punishment. Unless your little side project caused damages the fine will be appropriate such that you can pay it without going bankrupt. And if it did you'll have to pay those damages on top of course.

>The GDPR applies to natural persons too. Imagine if it didn't! Facebook could just contract all the creepy stuff to a sole proprietorship operated by Mark Zuckerberg...

It only sorta does, it only does not apply to natural persons while they don't engage in commercial activity.

And a sole proprietorship is to my knowledge a legal person, even if the only natural person involved is 1. (I would know, I am basically one, or rather, small business operator would be the more accurate translation, which also has limits on turnaround and profit)

The sole proprietorship would have fewer rights than the person behind it and has no option but to fully implement the GDPR in any project or product. A natural person on the other hand, publishing a hobby on the internet with no commercial or business activity (which are different things in German law and you can certainly run a commercial activity without ever touching money or forming contracts).


Enforcement of regulations in the USA isn't grossly different in practice. For the kinds of topics that regulations tend to cover, I doubt it could be otherwise--the complexity of the topic makes it impossible to draft law that can be objectively applied to all cases, that ambiguity makes accidental noncompliance common, and regulatory discretion is required so the accidental noncompliers don't get screwed. I accept that as unavoidable, but not as good. The regulations have the force of law, and the penalties--the loss of one's livelihood, or even prison in the extreme--may be just as life-altering as for any other law. So all other things being equal, I'd prefer that the regulators act with as little discretion as possible. That gives everyone the fairest chance to comply with the rules, even if the regulators for whatever reason dislike them.

The GDPR indeed says the punishment should be proportional; but what does that mean to you? Are you sure it would mean the same thing to a regulator? A regulator who dislikes you? If they said that 10k email addresses and MD5-hashed passwords leaked from someone's game server was a worst-case breach, then I'd say that was ridiculous; but I don't see what in the text of the law lets me say that it's objectively false.

The USA has no concept of a separate entity for sole proprietors. It's just you, even if you're trading under a business name. If the GDPR didn't apply to that, then that would be a massive loophole, so I'm pretty sure it does. In any case, the real question is perhaps commercialness, where (a) lots of hobby projects have some small commercial element, ads or donations or a tee shirt or whatever (and to be clear, I do think privacy regulation should apply to them, just more specific regulation); and (b) I strongly suspect the GDPR applies to some noncommercial activity too--would the EU let a political group pull a Cambridge Analytica with all volunteer staff? I haven't researched that, though.

If I lived in Germany, then I'd probably have pretty good faith in my regulators. But imagine the example of that Soros-linked group in Hungary (which I'd edited my first comment to add, so you may have missed it). I don't think that's hypothetical--political organizations keep lots of data, so I suspect that somewhere, a group is making plans to comply with the GDPR, as interpreted by regulators whose government considers them "enemies of the state". What would you do in their place? Wouldn't you wish the text of the regulation gave the regulators less room to maneuver?


>if the GDPR didn't apply to that, then that would be a massive loophole, so I'm pretty sure it does.

Well, they are separate entities so the loophole exists for how the US handles it but in the EU there is no loophole.

>In any case, the real question is perhaps commercialness

Last I checked you don't need commercial elements like ads, donations or anything like that to be considered commercial. Running your own git server with open registrations would be considered commercial (there is additional separation in that you don't have to pay taxes unless you are profit-interested).

>I strongly suspect the GDPR applies to some noncommercial activity too-

Monitoring of any kind that is strictly outside private interest.


That's something that utterly amazes me about the EU, and your comment. A lot of the protections that exist for privacy in the US against authorities mostly don't exist in the EU.

The EU lets every police force in the EU, or in Interpol request data interception. That is a LOT of organizations, and of course, they got caught doing abuse just the same. But, for instance, the default practice in the US is that you get told your phone is tapped (yes, really), unless the police explains to a judge why not (nearly always), BUT in that case you still get told afterwards. This does not exist in the EU. You will never be told you got tapped.

Second, in the US, the provider looks at the order, verifies it with the proper authorities, and decides for itself on scope, reasonableness, ... etc. In the EU, nope. If an order is received the only actions that a provider can take must be technical in nature. In theory an employee that does the actual tapping of the phone can't even tell his manager he's tapping phones, and definitely he can't tell anyone which phones are to be tapped or why (nor is there any obligation on the part of the requesting force to tell him why, but it is a field on the form). In many countries, this can be done without judicial oversight, or in nearly all cases with only very, very light oversight. This, to me, is far more worrying than the situation in the US.

If a local police officer in Latvia wants to tap the phone of anyone in the EU, he just has to fill out a form and fax it to interpol.

This is even weirder given that Europe has actual experience with abuse of surveillance powers, everywhere from Germany Eastward, as well as during WWII. They KNOW what can go wrong, they just have to ask their parents or grandparents to find people who were actually exposed to this. And yet ...

Next we find out that large-scale spying on the own population is done in, at least, UK, France, Germany, the Netherlands ... and not a peep. This was barely reported in the local media, in fact. We all know that most other countries are going to be worse than these, not better. And, of course, they cooperate with the NSA as well.

Hell, the US has reporting on how much they spy on their own citizens (in fact, that's the source of most of the outrage). No such stats in the EU. Nobody, not even the police forces themselves, feels the need to have the most banal, basic level of transparency.

Clearly when it comes to spying the EU is of the opinion, them, yes, perfectly allowed. Think of the children ! I mean, clearly these guys do not believe in privacy.

So yes, it is very Orwellian when they just request that you work with them on the privacy of their citizens. Clearly the result they want is not actual privacy and protections for their citizens.

If they believe in privacy protections, they have a lot of state agencies that they need to attack for not having any decent respect for privacy, as well as the fact that what few protections do exist only exist in a vast complex tangled web that errs on the side of violating people's privacy. And that's ignoring the fact that privacy protections have been systematically eroded further and further in Europe (e.g. recently in Germany).


>A lot of the protections that exist for privacy in the US against authorities mostly don't exist in the EU.

They actually do, the German police for example, generally destroys any video or image footage they make after 24 hours if there is no reason to believe they would help solve a crime.

I can't say anything about Latvia but in Germany at least the privacy of letter and remote communication is heavily protected and usually not granted lightly (exceptions being stuff like actual nazis)

People are definitely aware of the past and there is always a lot of outcry whenever a new law attempts to encroach on that territory, politicians have destroyed their careers with such proposals.

>And that's ignoring the fact that privacy protections have been systematically eroded further and further in Europe (e.g. recently in Germany).

Please note that the BND, the German intelligence service, recently shut down a surveillance program after several thousands of people requested the deletion of their datasets.

>You will never be told you got tapped.

I don't understand why you should be told that the police is trying to get evidence of you doing a crime? Or someone else's crime?

Again, we have different laws and legal systems (!) in the EU up to and including not having the US constitutions. I think it would benefit the conversation if you recognize these differences instead of applying american laws and principles on the EU.


> They actually do, the German police for example, generally destroys any video or image footage they make after 24 hours if there is no reason to believe they would help solve a crime.

Source ? This, to me, seems unlikely in the extreme. I mean this is strict enough that even I would agree they would regularly shoot themselves in the foot with such a policy.

> Please note that the BND, the German intelligence service, recently shut down a surveillance program after several thousands of people requested the deletion of their datasets.

I doubt it's the only one. Call me when they change the law back so they can't legally do this.

> I don't understand why you should be told that the police is trying to get evidence of you doing a crime? Or someone else's crime?

The idea, in the US, is that you get informed afterwards. How else will you sue the police if it wasn't reasonable at all ? How will abuses be discovered ?

Keep in mind that more than a few police officers have been sued for using surveillance on women they were merely interested in, in some cases then proceeding to beat up and harass other interested parties. I doubt that this behavior is in fact limited to (a few) US cops, we both know the truth is that (some) EU cops simply get away with it.


>Source ? This, to me, seems unlikely in the extreme. I mean this is strict enough that even I would agree they would regularly shoot themselves in the foot with such a policy.

General guidance policy and numerous court cases. Not all footage is 24 hours, most is however. Some exceptions go for 48 hours. [http://timetravel.mementoweb.org/list/2010/http://www.polize...]

Video surveillance, especially when in public spaces, is frowned upon and there is a long rat tail of court cases.

The law is very strict in when, what, who and how long video surveillance is allowed, including the 24 hour limits, though in case a crime is suspected the footage can be kept for 14 days until a crime is confirmed. [https://recht.nrw.de/lmi/owa/br_bes_text?anw_nr=2&gld_nr=2&u...]

>we both know the truth is that (some) EU cops simply get away with it.

Generally, they are reprimanded or even punished when such behaviour is discovered as it is a violation of various laws, including privacy.

>How else will you sue the police if it wasn't reasonable at all ? How will abuses be discovered ?

Generally, any evidence the police brings up in a court case requires that the police has an explanation on how they got to that evidence. That may have been illegal, in which case a second case might be brought up and the involved officers will be punished.

However, unless the evidence they collected is wrong due to the surveillance (the bar is very low on the police being guilty of forcing you to commit a crime), the evidence will be used regardless (a few edgecases but generally evidence is not poisoned if gained by wrong means like in the US IIRC).

>I doubt it's the only one. Call me when they change the law back so they can't legally do this

Already is, which is in part why the BND stopped this too.

The bar is high for someone tapping the phone or otherwise doing remote communication surveillance, [GzBBPF, Section 1, 2, 4 and 7]. Unless there is a very strong suspicion that you committed treason or committed a federal crime and there is absolutely no other way to prove you did it, they can't legally tap the phone.


I can't believe you can be this naive. Your arguments basically boil down to "the state can be trusted".

Basic dependencies of your argument: the police force will never abuse surveillance, then not make a court case out of it.

Second basic dependency of your argument: the court will easily rule against the very forces they depend on if they find violations.

These are reports of German police officers that got caught, shall we say, being VERY untrustworthy:

https://www.itproportal.com/2011/09/12/privacy-boss-slams-ge...

https://www.thelocal.de/20161213/cannibal-cop-convicted-of-m...

http://www.scmp.com/news/world/europe/article/2142710/dozens...

http://www.spiegel.de/international/germany/hanover-police-o...

https://www.thelocal.de/20121017/45615

https://www.youtube.com/watch?v=vM1c_58e6jk

https://www.youtube.com/watch?v=juQD0OU6SD8

So I feel like I've provided plenty of evidence that the police cannot be trusted to act correctly, or even just sane. The German police, clearly, is no exception to this rule. Therefore Germany trusting them to do the right thing is just hiding abuse, not preventing it.

You also left the question unanswered: if tapping is so correctly and justly done, then why does it need to be such a big secret ? There is a case to be made that, sometimes, it needs to be kept secret DURING an investigation, but why afterwards ? In many cases, even that is not necessary, when for instance following or tracing someone who was brought in to the police station, it seems to me like there is no reason whatsoever to keep it a secret that the police reads his mail/call logs/... Why do they want this perpetual secrecy, if not to hide abuse ?

The answer is very simple: because Germany hires neonazis, cannibals, violent bullies and worse into their police force, and police officers like those are also trusted with tapping people's conversations.





