Back to EU (adambird.com)
145 points by mhw 5 days ago | 104 comments

A recent ruling (namely the Schrems II one) makes it very complicated to host and process data in countries that we used to consider as having "equivalent" privacy protection. The most prominent of course is the USA, but the UK could be on the line at some point.

For now it has an "adequacy decision"[1] allowing such transfer, but future changes could threaten that, and activists such as Max Schrems would happily (and rightfully) attack this decision if it happened.

Schrems II might be a blessing in disguise for the European hosting/SaaS/Cloud industry, we'll see!

[1]: https://ec.europa.eu/commission/presscorner/detail/pt/ip_21_...

I think the UK will be fine for a while because they still enforce their implementation of the GDPR. Once those laws change, though, I'd definitely avoid storing or processing any data over there.

I don't think the UK has that much to offer in terms of cloud and storage. All the big brands are in continental Europe or Ireland. The real impact would more likely be that externalised services that some European businesses contract dedicated companies in the UK for (payroll, data analysis, marketing, insurance, etc.) could suddenly become subject to strict privacy rules that would make it impossible to continue if the UK were to be dropped off the whitelist.

As Bruce Sterling said in early 2016 [1]:

> Great Britain is becoming Little Britain. The UK is like a giant Cayman Islands in 2016. They used to be the wise and perfidious grownups in the geostrategic room, but now it's all about squalid, petty things like Brexit, Scottish secession, anti-immigration; British political extremes are thriving and the middle is dead as mutton. They've lost their soft-power by the bucketful; people who used to beg for their wise counsel now ignore them. What do they want -- to be Airstrip One for any creep with a trailer-truck full of cash? I've never seen them think so small.

This was even before the Brexit vote, and before BoJo became PM...

[1] https://people.well.com/conf/inkwell.vue/topics/487/Bruce-St...

Interestingly the Dutch have been very keen to capture Tech companies (or at least make it an attractive place for employees).

There is a low flat tax rate (30% iirc) for some years (was 5 when I last checked) if you're working in an "in-demand" sector, and tech is one of those sectors.

This is somewhat controversial from what I understand, not all of the Dutch like it, and I understand why: it's not really very fair to give foreigners a tax break and not your own people. But it's interesting nonetheless.

Worth noting that a lot of other EU countries have similar policies.

Spain has the Beckham law - https://en.wikipedia.org/wiki/Beckham_law - though it might not survive much longer.

Sweden has a similar policy but you need to earn over ~120,000 euros: https://www.forskarskattenamnden.se/forutsattningarforskatte...

I was really close to moving to NL to take advantage of that (vs. the insane taxes in Sweden) but unfortunately at the time I got the offer they were still in full lockdown restrictions.

> not all of the Dutch like it, and I understand why: it's not really very fair to give foreigners a tax break and not your own people.

Some people in my country fail to realize that in this case the Dutch state did not invest in the education of these people. I suspect the math works out.

I have recently moved to NL and am making use of the 30% tax ruling. To me, another attraction was the exemption from capital gains for the 5 years I have 30% ruling. If I get lucky with my investments, I can get more out of them.

> This is somewhat controversial from what I understand, not all of the Dutch like it, and I understand why: it's not really very fair to give foreigners a tax break and not your own people.

Another way to look at it would be that these expats contribute to our economy and society without having cost us money in preparation (schooling etc.) So I think it's a win-win.

What taxes are you talking about? Vennootschapsbelasting? I believe it is a reduced rate for all businesses below a certain revenue.

I really have trouble telling Dutch words from hand smash in keyboards. I love it.

My favorite is the word "angstschreeuw" (cry/shout of fear), which is the word with the most consecutive consonants in the Dutch dictionary.

"Grachtengordel" (canals) is great to practice pronunciation.

The German word is very similar: Angstschrei ;)

Along with “herfstschraalte” (autumnal skimpiness).

I'm not sure that is in the dictionary. You can get more consonants with slechtstschrijvend and zachtstschrijdend, which are perfectly normal Dutch words but unlikely to end up in the dictionary (worst-writing and softest-treading). With the transliterated Russian borsjtsj you can get one more: borsjtsjschrokkend (Borscht-devouring).

Angst scream?

German/Dutch "Angst" is English "fear", the English word "angst" is more "existential dread".

Indeed, from a specialized use in psychology of German Angst, just as Semaphor wrote

Etymologically, yes. The meaning has diverged a little, so "cry of fear" is a closer translation.

And to think that Dutch is the closest somewhat-large language to English... (skipping Scots (often seen as a dialect) and Frisian (really small)).

You can make big(ger) tax break deals with the tax authority in the Netherlands if you fork over enough money. Perhaps folks pay lip service to it being controversial, but fundamentally the cultural backdrop that stimulated the historical amassing of wealth has not changed much.

> not all of the Dutch like it

I guess a majority will be opposed if you'd ask plainly. The main effect is that companies save on their payroll.

> Whilst we’re headquartered in the UK, our revenue is split 55% US, 25% EU, 9% UK

Having worked as a European expat in the UK for about two years in the software industry this is how it looks for a lot of companies. Majority of revenue is either US or the European market (largely depending on what you're selling), with the UK market at most capturing say, 20%-30% of revenue.

It makes in my mind no sense at all to diverge from the EU on privacy policy. All the difficult compliance matters have already been harmonized over the years, most of them are sensible anyhow and good enough to build upon, and the world is more and more moving towards data sovereignty type frameworks, in Asia as well.

The British market itself is now so small on the world-stage, some kind of national solo-mission when software is so reliant on global markets

Welcome Cronofy, hope you find your bearings here quickly! (the landscape can be a bit flat, but almost everyone speaks English so that should help. Try a "stroopwafel" ASAP)

Why posted on the personal blog instead of the company site?

Because I wanted to express my genuinely personal opinion about the situation and the company blog isn't really the place for that. Appreciate that as CEO these lines are blurred but I endeavoured to show some understanding of boundaries by publishing in this way.

We will be providing more formal documentation about how customers can transact with us through the new entity and take advantage of the new oversight.

Then it would be helpful to have a link to your company at the top of the post.

The article starts immediately talking about Cronofy (using "we"), without any indication to the reader what Cronofy is and how you are related to it. Just an introductory sentence along the lines of "As the CEO of Cronofy [link to company site] (we do XYZ) I wanted to share thoughts on..." would have kept me reading. Instead, I followed the link to https://adambird.com/ at the top and didn't find anything to help provide the missing context, so I just moved on.

To be clear, if this article was only intended to be addressed to a narrow audience that was already aware of all the context then it was probably fine, but for an outside observer like HN it's very unclear.

As a data point, I'm not personally aware of Cronofy in any way. It's not a name that rings any bells to me.

Though I very much agree with your sentiment about the dumb crap the UK has pulled, and the trajectory it's on.

> Because I wanted to express my genuinely personal opinion about the situation and the company blog isn't really the place for that

The whole thing is about the company. Not washing.

It's legally dangerous to do that, mainly because (at least in the US) it can "pierce the veil". I know that British and Dutch laws operate very differently, but I'm pretty sure that there still needs to be a clear separation in certain cases (this is a reorganisation which is a legal tightrope).

As a Brit I'm glad you have taken these steps. Our political UK leaders are useless.

Because it is a bit politically charged and with that, by doing upon a personal blog the company always has that plausible deniability excuse and from a business aspect - this is best way as affords best of both worlds. If it goes well, good, if there is a Twitter rabble mob, then as not company domain - the good old - nothing to do with the company and the rogue individual excuse can be plausibly played.

It's a smart move, though you do see thru it all over the years.

As a Brit I'm utterly disgusted by what's happened to this country under years of corrupt Tory misrule, and yes I'm also including NuLab during the Blair years but what can I do? I have consistently voted for pro EU parties but my voice seems to be drowned out by the baying racist xenophobic majority in this country. In the end it might be time to emigrate elsewhere.

An expected result from a sad, populist ideology shoved through under the guise of "winning". GDPR has plenty of flaws, but overall is a positive force for personal data privacy. Ironically, it's the business-to-business context — where the legal fees and fines are high — where this is being tested. And the UK is definitely losing.

Sometimes I wonder if the GDPR will go down in history like, say, the Magna Carta, a legal construct that changes history.

They're similar in that both are documents that basically say "just do the things you would do if you weren't an arsehole". One is a bit longer though.

Maybe with some Amendments ... like the US Constitution. There is stuff missing.

Surely you don't have to degrade your security to a lower UK standard, you can still meet GDPR and make it clear on your website, "Do you conform to GDPR?", "Yes we do. Although the UK have a lower standard of data protection, we still meet the stricter standard"

From TFA:

> Whatever we say to our customers about how Cronofy approaches data privacy and controls, corresponding enforcement will not follow. (...) We can make our protestations about ISO certifications, data management controls, segmented data hosting. However, prospective customers won’t necessarily get that far because we’ll be discounted based on our location. I don’t blame them. Data protection is fraught and complicated. Why even entertain the risk of going with a provider from outside the EU.

I work at a global identity company in the UK - we don't have such problems. I'm afraid this blog post is nothing but grandstanding.

> we don't have such problems

Yet. Because you're still on compliance and procurement whitelists. If the UK's regulations are no longer up to EU's standards, UK drops out of the whitelist and any supplier there jumps off the fast-track into the slow lane of "compliance audit". Spoiler: that's the point at which the contracting manager drops you for your far less able competitor that's hosted in Dublin or Amsterdam.

For how long now? Could it be that many EU potential customers haven't even talked to your company since 2016, and the people who are still talking to you are the ones who aren't worried about exporting their data outside of the EU?

Plenty of new customers since 2016, worldwide. Aren't worried about identity data, but are worried about their calendar?

I presume EU customers mostly use non-EU operating systems, browsers, other software. I find it hard to believe there's a real barrier.

Software you run on your machines is not a huge problem except in heavily regulated industries. Services that store and handle company's data, very much are.

If the company were to breach GDPR, which regulator would enforce it?

If UK law would require backdoors in a way that conflicts with GDPR, how could they remain compliant?

Backdoors for a calendar app no one's heard of? No offence, but bigger fish to fry. And why would the company breach GDPR if it's making such a fuss about sticking to it?

Although maybe Cronofy is not yet well-known, Adam Bird was also founder of Esendex which became pretty huge (now known as Commify)

Your logic is that a government would want a backdoor in this app because another app was successful? Just because the same founder? That's a lot of hopeful backdoors - poor return on investment for the government. I've worked on bigger projects than that without backdoors. "Pretty huge" is relative I guess - I certainly wouldn't describe it as that. I seriously doubt that app had a government backdoor, and neither will this one. Was that an attempted appeal to authority?

Ah, all I meant was just that since Esendex got pretty huge (e.g. IIRC they did bulk texting for the Obama campaign), given that it's the same founder, perhaps Cronofy could end up big too. I guess my angle was simply, this is potentially a large company, his previous one was (and apparently a decent place to work according to people I know) and it's a great shame if such a good tech business is driven to moving to a different country. BTW it wasn't me that downvoted you, it was a fair argument :)

Having access to the calendar of e.g. the Airbus management would be very useful for industrial espionage.

Snowden proved that the US used backdoors in Microsoft products to access calendar entries and emails to give Boeing an edge during negotiations.

I was thinking the same but maybe if they're UK based they can't legally guarantee a certain level of data protection. Customer trust could be eroded even if you tell them you'll follow the GDPR standards.

The reasoning is covered in the article.

The UK has ousted its boring technocrats and experts - our politicians and our public have embraced populism. We will ignore energy policy and GDPR because it's boring and spend our time debating culture wars in broadsheets and tabloids instead.

Auf wiedersehen

what's wrong with the font on that website?

Honestly what we need in the UK is a Back to the EU campaign that formulates a long term strategy for returning. In two decades England's Baby Boomer generation will no longer hold the reins of power in the country (please God) and those in charge will have come from a generation that overwhelmingly voted Remain.

Why would the EU ever want us back? Really? By the time England's population becomes strongly in favour of rejoining, our economy will have been fairly trashed, we won't be a significant player, the EU will have done just fine without us for ages, why would they ever let a former member that caused a bunch of trouble, back in? What's in it for them? Also I'm not convinced England's population ever will be in strong favour of rejoining, with the deluge of anti-EU propaganda we're exposed to, that everything that's going wrong in this country is someone else's fault. I'd love to be proved wrong of course....

Twenty years is a long time, the way things will pan out is an open game.

I think more realistic than a trashed economy will be a hyper-neoliberal free market economy with even huger discrepancies between the rich few and the vast majority of poor, with GM crops, terrible workers' rights, masses of migrant workers without access to the welfare state, meaningless digital rights, housing and offices in London owned by the world's rich who extract rent from those who live here, and so on. A sorry situation from the perspective of EU rights, but not necessarily a catastrophe from a hardcore-neoliberal perspective.

I'd bet on the UK becoming a low-punching competitor to EU economies, and one they'd perhaps be keen to have on their side.

The question is how we in the UK are transformed by the whole affair.

Sadly all you list sounds very plausible. Maybe in addition to a trashed economy!

> Why would the EU ever want us back?

It solves a lot of problems for Ireland, assuming Northern Ireland hasn't rejoined the Republic first.

My guess would be, a fair chance NI will join with the Republic. That'd solve a lot of problems really, wouldn't it? Perhaps a permanently more peaceful Ireland may result from Brexit, while a less peaceful Britain....

Hey, the EU is talking with Albania and North Macedonia at the moment and even with a thousand Brexits, the UK won't get down to their level.

Point being - every bit helps!

$$$ and fish.

Step 0: start driving on the right side of the road

Step 1: adopt the euro

Step 2: improve education for all ages and groups about misinformation, propaganda, etc. to reduce the chances of a bus driving around London from making you change your minds again in 4 years

Step 3: apply to enter as an equal into the EU, instead of trying to cut some half assed deal for half the rights and half the benefits

Step -1: Metric. Everywhere - no more miles!

The horror. It'd be like....Canada.

I have no problem with Canada joining EU.

That's got my vote for sure

The EU has a lot of downsides too though (e.g. the link tax, video age verification laws, mandatory high sales tax, mass immigration).

The UK should try to push to become a high-skilled, high-wage society like Norway and California.

Not sure why you’d assume that those who voted “remain” don’t change their thinking by then.

As others have mentioned the status quo is now something entirely different and “remain” won’t mean much in a decade.

> Not sure why you’d assume that those who voted “remain” don’t change their thinking by then.

Didn't assume that. All I said was that 'those in charge will have come from a generation that overwhelmingly voted Remain', which will be true regardless. The kind of strategic thinking needed would be how to maintain their sentiments towards the EU.

It's also of note that this generation is overwhelmingly progressive in their politics, is being denied radical action on climate change, denied the ability to buy a house, laden with university debt, and so on. The conditions are ripe for a generation who wants radical social change, and maybe rejoining the EU will be part of that.

Every generation is “overwhelmingly progressive” in its youth. But move to be more conservative when they age.

Look at the US in the 1960’s. Those same hippies and radicals own $1M plus homes in CA and oppose any change to zoning laws that might let undesirables live near them.

Worth noting that the generation that was the majority of leave voters were the children of the voters that joined the EU in the first place.

So I'd not count that children vote with any certainty, let alone use the "think of the children" logic given how that actually panned out.

But if the UK was to rejoin - I'd expect it will be with a clear majority who will embrace the EU beyond seeing it as easy holidays to Spain and day trips to France for cheap booze and fags - As that is how the majority treated it.

I can't see it happening but I wouldn't be surprised if we end up with a Norway type deal (which was promised by many of the Brexiteers).

But that'll enable EU people to go live and work in the UK with no restrictions, that's way worse than what the UK had before.

> that's way worse than what the UK had before

But better than what we have now.

You make it sound as if the EU will want the UK back.

It will, no questions asked. But at standard rules for joining - no rebates, adopting the Euro, etc

in ten years the drama will have settled down and the new status quo will have bedded in and the "fight" for the EU will be a distant memory




Everything we do, every place we choose to work, incorporate or just live is subject to rules. These rules are largely decided by politics. As a consequence, politics have always been here, visible or not.

> Aw shucks, politics has found its way to HN.

If there is any topic that's relevant in HN, it would be where and why to found a tech company, as well as the impact of data protection legislation on operations and product design.

> Is no where free of it?

No, everything in life is political in some way or another.

To be more precise, everything in society is political in some way or another. If you want to get rid of politics, get rid of society [1]. The denser the population, the heavier the politics so it already helps to move out to less densely populated areas. This comes as no surprise given the origin of the term politics - πόλις (polis) being the Greek word for "city" and πολίτης (polites) the word for "citizen".

The same goes for the 'net where the most populous (not so much popular) entities wield an overly large amount of political power. If you want to get rid of those politics you'll have to move out of those environments - in other words, decentralise the 'net.

Source: a classical education as well as personal experience in moving from a densely populated country to one with more breathing space.

[1] by moving elsewhere

As Dutch theologian Harry Kuitert wrote: everything is political, but politics isn't everything.

When bad politics hurt business, what choice do you have?

Hackers have always been involved in politics in some way, even if they didn't do so willingly. The GPL itself is a very bold political statement and as RMS has remarked "Even if you're not interested in politics, politics is interested in you!" (paraphrased).

The UK has launched a consultation on how to improve Data Protection Laws.

One campaign on this consultation is to abolish the stupid Cookie Consent requirement, that is evidenced again and again to be wholly pointless.

Another campaign with this consultation is to enable medical researchers to use anonymised NHS data. The National Health Service (NHS) is huge and using that data could usher in some great medical advancements.

The government cites a project at Moorfields Eye Hospital and the University College London Institute of Ophthalmology where machine learning technology was applied to thousands of historic de-personalised eye scans to identify signs of eye disease and recommend how patients should be referred for care.

There are no plans to weaken GDPR. Even if there was, Adam Bird's company is welcome to go above and beyond the requirement.

It's all nonsense, move if you want to. At this stage he doesn't even know what is changing, to state Brexit and GDPR as the reason is premature.

> the stupid Cookie Consent requirement, that is evidenced again and again to be wholly pointless

Is it? It caused some companies such as GitHub to get rid of third party cookies entirely, and they don't need to ask for consent for the cookies that they do use. If only the law were enforced more, and I imagine in a few more years many more companies would be compliant.

> Even if there was, Adam Bird's company is welcome to go above and beyond the requirement.

It’s a brand issue. Being EU based signals that you have to obey GDPR by law, not only contract. Just like being a Swiss bank was a brand advantage long time ago.

Of course, for their EU customers any company has to comply with GDPR by law.

> There are no plans to weaken GDPR

You and I have read a very different consultation document, then.

The UK government absolutely are planning to weaken the UK GDPR.

The prospect of people protesting to save cookies and slogans upon buses saying we could save the NHS millions of clicks a year by scrapping them - has my comedy pen running away with itself.

> use anonymised NHS data

If you've successfully anonymized it, it's no longer personal data subject to GDPR?

"What the UK government is proposing is going to put us on the same footing as US companies when it comes to dealing with EU customers, ie under the auspice of a regime that can’t be trusted."

Not sure you want to alienate the US just to score some political points when by your own admission - the bulk of your business is with the US (a country that has a larger patriotic base than the UK and more experience of how to exit a union à la 1776). Point being any US company can implement a more stringent data policy beyond the scope of legal remit within the country of operations, so that's a USP that isn't exclusive. More so given you charge in $ already and not £'s or ever have!

But then, that's why the blog is not upon the company domain (of which cronofy.uk is available still) - even they can see it is a bit too politically charged and slanted. So with that, prudent move and appreciate it is good to vent and some venting can cause issues, so a fine balance in that approach and kudos for the hindsight to see that.

As for new location - have a good look as some EU countries offer some nice incentive packages and I'm sure many would love to see those compared.

> any US company can implement a more stringent data policy beyond the scope of legal remit within the country of operations

Theoretically, yes, you are right. But some companies are just going to say, oh, you are based in the US, let's look for a different vendor.

It's not even necessarily about the GDPR. For example, US companies tend to send really shitty invoices. There's barely any info on the invoice, some don't even include the full legal name and address of the invoicer. That really sucks when the tax authorities audit you and want proof for where all your money went.

If I buy services from the EU, I can assume that they comply with the GDPR, and I know that I'll get a proper invoice with VAT, and I won't have trouble with the tax authorities.

> If I buy services from the EU, I can assume that they comply with the GDPR, and I know that I'll get a proper invoice with VAT, and I won't have trouble with the tax authorities.

VAT and invoices are part of GDPR? Financial regulations yes - sure, of which the UK is pretty darn good upon.

But if a company invoices you with bad invoices then you can just refuse them and ask them to correct and resubmit - even in the USA. As you say, you need them done right for tax reasons and believe me, countries and tax laws are tight, so to ask a company to redo it with the missing information is hardly going to be an issue - more so if they want paying.

The whole aspect of assurance of compliance you make though - very valid point. Just shame such things like GDPR need to be driven by countries and not some global standard that could be audited and approved that is not tied or limited by any country.

So if there was say some International standard with an ISO number outlining such standards, companies could adopt that and get certified compliant and it gets driven that way. As with many standards, adoption by insurance/reinsurance companies goes a long way indeed.

> VAT and invoices are part of GDPR?

No they are not. VAT and invoices are just something else that's also easier with EU vendors.

> But if a company invoices you with bad invoices then you can just refuse them and ask them to correct and resubmit - even in the USA

That only works well if you hire an individual contractor or a very small company who depends on your payment.

SaaS companies don't give a fuck if you are happy with their invoice. High profile example: GitHub won't even tell you if the invoice is with VAT or not -- it just says "price includes VAT if applicable" on their invoice. Support won't tell you what it means. How is my accountant supposed to book that? Fortunately my GitHub bill isn't big, so I probably won't get in trouble over incorrectly declared VAT for the GitHub invoice.

If there's an EU vendor, it's always going to be my first pick, because I just don't want to waste time accounting for funny US invoices.

Thank you, I grew up in the UK so the whole US invoices quirks and issues you mention are literally new to me and appreciate the perspective and experience. I do know that the Inland Revenue in the UK and tax laws have always mandated VAT numbers have to be upon the invoice and other such stipulations. So do wonder how they handle UK invoicing with regards to VAT, but not had any dealing with them.

Did deal with few US companies in the 90's, Sprint and telcos and never an issue there, but then different times and corporate structure with those.

That said EU countries still vary and https://ec.europa.eu/taxation_customs/vat-invoicing-rules_en kinda shows how not having the VAT number can still be valid and legal as well.

Yet you still get country nuances within EU members.

In the UK, VAT invoices is kinda the rule if registered for VAT and the rules https://www.gov.uk/guidance/record-keeping-for-vat-notice-70...

> alienate the US

What is alienating about speaking the truth? Any US company must of necessity be considered to reside and operate under a privacy-hostile regime by an EU company thinking about doing business with them.
