Enforcement of regulations in the USA isn't grossly different in practice. For the kinds of topics that regulations tend to cover, I doubt it could be otherwise--the complexity of the topic makes it impossible to draft law that can be objectively applied to all cases, that ambiguity makes accidental noncompliance common, and regulatory discretion is required so the accidental noncompliers don't get screwed. I accept that as unavoidable, but not as good. The regulations have the force of law, and the penalties--the loss of one's livelihood, or even prison in the extreme--may be just as life-altering as for any other law. So all other things being equal, I'd prefer that the regulators act with as little discretion as possible. That gives everyone the fairest chance to comply with the rules, even if the regulators for whatever reason dislike them.

The GDPR indeed says the punishment should be proportional; but what does that mean to you? Are you sure it would mean the same thing to a regulator? A regulator who dislikes you? If they said that 10k email addresses and MD5-hashed passwords leaked from someone's game server was a worst-case breach, then I'd say that was ridiculous; but I don't see what in the text of the law lets me say that it's objectively false.

The USA has no concept of a separate entity for sole proprietors. It's just you, even if you're trading under a business name. If the GDPR didn't apply to that, then that would be a massive loophole, so I'm pretty sure it does. In any case, the real question is perhaps commercialness, where (a) lots of hobby projects have some small commercial element, ads or donations or a tee shirt or whatever (and to be clear, I do think privacy regulation should apply to them, just more specific regulation); and (b) I strongly suspect the GDPR applies to some noncommercial activity too--would the EU let a political group pull a Cambridge Analytica with all volunteer staff? I haven't researched that, though.

If I lived in Germany, then I'd probably have pretty good faith in my regulators. But imagine the example of that Soros-linked group in Hungary (which I'd edited my first comment to add, so you may have missed it). I don't think that's hypothetical--political organizations keep lots of data, so I suspect that somewhere, a group is making plans to comply with the GDPR, as interpreted by regulators whose government considers them "enemies of the state". What would you do in their place? Wouldn't you wish the text of the regulation gave the regulators less room to maneuver?

>if the GDPR didn't apply to that, then that would be a massive loophole, so I'm pretty sure it does.

Well, they are separate entities, so the loophole exists for how the US handles it, but in the EU there is no loophole.

>In any case, the real question is perhaps commercialness

Last I checked you don't need commercial elements like ads, donations or anything like that to be considered commercial. Running your own git server with open registrations would be considered commercial (there is additional separation in that you don't have to pay taxes unless you are profit-interested).

>I strongly suspect the GDPR applies to some noncommercial activity too-

Monitoring of any kind that is strictly outside private interest.

