Citation needed. I have seen absolutely zilch about the implementation of GDPR in countries like Hungary, Romania or Bulgaria. And they are members of the EU as well, you know.
It's in the text of the legislation. Chapter 7 sets out the requirements for the European Data Protection Board to ensure consistent application of the regulations across all member states.
Article 83 states that any penalties must be proportionate to the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, action taken to prevent or mitigate an infringement and the degree of cooperation with the supervisory authority.
However, there is a grand plan to do the absolute opposite, which is to adopt the entirety of EU law into UK law. The so-called "Great Repeal Bill" or whatever they are calling it this week.
Sure, feel free to "leave", really, no offense. We talked to a lawyer in Germany regarding this (we are a small software company with 5 people). His response was: If you don't do shady shit with customer data, you probably don't have to worry. Also, if you are in a "contractual agreement" (e.g. EULA), you can apparently justify most data collection without any change at all.
Even though that's a personal risk you're willing to take, it might not be one everyone else is willing to. One might question a law that asks everyone to take risks (or pay/pray for peace of mind).
There are many other laws where you're taking risks. Maybe you're violating some US securities statute? Maybe you're violating some German accounting rule?
Why haven't all those doomsayers closed down their businesses long before the GDPR?
I mean, technically I'm taking a risk when I step out of my house every day. So why ever walk?
There are varying degrees to which people see laws as affecting them. Small business tech owners, when a law says they have work to do, are going to feel affected. If there was a securities or accounting law that felt similarly overreaching one could expect a similar reaction. This is especially true if there is an alternative (locking out markets) that is easier. It's not helpful to try and compare the situations. It's also not fair to consider people weighing the costs of these laws as doomsayers. They aren't closing down their business, they're just restricting it to more business-friendly environments in their view.
You've made many concrete, general statements in this discussion which turn out to be relevant to your personal situation and your personal appetite for risk. Maybe that's not an effective way of holding a conversation about the general issues around the GDPR?
I'm not sure what else I should reply to something like your comment before tbh. Neither can I predict the future, nor am I a lawyer. I'm just posting about my opinion, which I got by gathering information online and from consulting with a lawyer. I've stated the conclusion I've come to, based on this information and yes, I believe that to be correct (or as correct as one can be about a law with no reference cases in court yet).
I was just pointing out that when a lawyer says "probably", he usually has a good reason to do so. And it's my strong belief that the reference cases in court will not be fought by small companies, because they rarely are. There is just not enough money to make fit the effort you need to put in winning the first case. Before there is not one single case, I don't think it's necessary to panic and shut everyone out.
You don't need to believe me or agree with me, but reducing this to "my personal appetite for risk" is really weird.
You stated your extremely general conclusions, and only later mentioned that they were relevant to your personal business. And in this particular sub-thread, you made a very general statement about risk, again without qualifying it at all. And you only mentioned the lawyer after you were challenged about a general statement.
Maybe you have huge assumptions that people reading what you say will add all kinds of limitations to what you say? I don't. It leads to terrible discussions, like this one.
I'm sorry for making too generic statements, I'm not trying to have a bad discussion, really.
Regarding the personal risk comment, I could've been more clear: From what I got, no lawyer can give you a guarantee at the moment that what he says is actually what will happen. So in the end you'll have to take action based on recommendations, and take a risk - or, as the op, shut out all European users completely. My personal risk is continuing to do business in the EU, even with this uncertainty. You couldn't have guessed all that from my earlier comment, so I agree it was bad.
Regarding that, I wonder how DPAs will handle cases. I can totally think of small businesses or professionals like doctors reporting each other to the DPA. Can DPAs easily dismiss complaints?
Risk is a part of life. Even before GDPR there was a risk that you were violating some privacy law in countries that your customers were connecting from. By putting your product out there, you've taken on most of this risk already.
There was a previous 1995 directive for instance. It didn't have the teeth of GDPR, but was actually rather similar. It would be hard to be compliant with that and in breach of GDPR.
That rather makes the anti-GDPR argument sound like "yes I know that is the law, but I was breaking it over the internet so that doesn't count".
Because European courts and regulatory authorities are not run by gibbering morons. The Data Protection Directive was materially similar to the GDPR and was enforced by the same supervisory authorities. The DPD gave member states total discretion as to the level of fines, with no upper limit. I have found no evidence whatsoever of irrationally large or unreasonable fines under the DPD.
You could be breaking the law in any number of countries. What steps are you taking to comply with the laws of Saudi Arabia or North Korea?
Well, usually they aren't any kind of social or economic hubs, so I don't really worry if I can't enter or do business with North Korea in my day to day life.
The EU on the other hand...
Also almost all laws stay in one jurisdiction, they don't go beyond their own country.