He is a 1 person team. Give him a break vs. being so aggressive in your comment. There is a cost associated with trying to figure out GDPR regulations, finding a lawyer, vetting their feedback, acting to hire folks, changing the UI to give users an opt-out, implementing that in the system etc. All these things don't drop from the sky.
And they are a business. And as a business they have decided to get out of Europe as the above costs weren't worth it to them.
> Give him a break vs. being so aggressive in your comment.
The article is spreading FUD and inciting others to spread it even further in the comments.
> There is a cost associated with trying to figure out GDPR regulations, finding a lawyer, vetting their feedback, acting to hire folks, changing UI to give user an opt out, implementing that in the system etc.
The GDPR is online, and has been for a long time. You don't need a lawyer, but if you feel that gives you more comfort then fine. You don't need to hire anybody; that is just plain nonsense. And changing the UI to give users an opt-out: that should have been done two years ago.
> All these things don't drop from the sky.
Indeed, this did not drop out of the sky. It has been in the works for years.
> And they are a business. And as a business they have decided to get out of Europe as the above costs weren't worth it to them.
That's fine with me, the way in which it is presented is not fine with me.
Well - you haven't refuted any of his core points wrt DPO, Push & XMPP. All your comments have been stated in an aggressive tone which generally is a negative signal. At this point, I feel you need to provide more context to your core points vs. just saying read the GDPR and comply with it (or that you should have already done 2 yrs back). Even companies like Google and FB are complying with it in the past month.
This is the furthest thing from true, like almost every single question about this terrible law. Vague law + faceless bureaucracies + universal application + crippling penalties...sounds like a brilliant combo to destroy people’s lives.
As usual, the rebuttal is: there have been laws of this kind in Europe for a decade.
For example, if you're operating in Italy and don't provide 2 separate checkboxes for managing personal data directly and indirectly at sign up time you're in breach of the law.
Do you remember many people's lives crippled by this?
Wait. So, I've had a site where there was only a single checkbox to create an account.
Now, if there was someone from Italy (I don't know, the site's been gone for years now, highly unlikely but theoretically possible), does this mean I'm a possible law offender and should avoid visiting Italy?
Oh, it also had no cookie banners, too...
Could it be that the reason no one was hurt is that those laws weren't actually enforced much? If so, I believe the GDPR has promised to be different.
It's certainly true that even before the GDPR, almost any nontrivial business could reasonably be argued to be violating some mostly-unenforced law. I don't see that as a reason to shrug, and make the problem one step worse.
Selective enforcement of commercial law is a routine tool of unfree states--look at something like the tax charges against The Cambodia Daily. To trust in regulatory discretion is to trust that no government in the EU--a continent that within living memory hosted Francisco Franco, Georgios Papadopoulos, and much worse--will ever be run by people you disagree with. In the extreme, a dictator can always ignore or rewrite the law; but somewhere in the slide from our present democracy to that, I don't think it's unimaginable that the GDPR could be abused.
I support privacy regulation. I don't see why it requires us to abandon the rule of law.
ETA: Downvote if you trust Viktor Orban, I guess? I'm presuming a strong case of "it can't happen here"....
My wording was awkward, but I think the meaning is clear. "...in the EU--the union of countries primarily located in a continent that..." ?
And what am I missing? They were dictators of Spain and Greece respectively. There are millions of people who can remember their rule alive in those EU countries today. What changed in the last fifty years to make a recurrence impossible? Turkey narrowly missed joining, and it's basically there now. Hungary seems well on its way.
The threat of being suspended from the EU and the (potential) economic damage from that? You can’t be a dictatorship and keep the same rights in the union, as per the Copenhagen criteria and Article 7.
Spain just crushed a political movement trying to organise a referendum through force. It arrested the leaders and the rest of the EU is helping them catch the ones that fled. They call it a rebellion and state that Catalonia can never be independent.
Not an Article 7 violation, apparently. According to the EU it's merely an internal matter.
Hungary elects a government by a wide margin, it's a popular government, and the government reflects its people's disagreement with EU policies that aren't in any treaties and weren't in anything Hungary previously agreed to. This is apparently a violation of "rule of law" and "not democracy".
The EU's definition of democracy is anything that helps the EU, simple as that.
And Russia considers itself to be a democracy. There's a big gray zone between good government and a self-admitted dictatorship. Smart modern authoritarians know that they need to maintain the pretense of democracy (for reasons like the one you note), and they do a passable job--look at something like Cambodia. That's what makes tools to exert personal power while still complying with the law as written so important.
Why do you think the GDPR needs to give the government that much power? For a simple example: Why is 20M EUR the right statutory maximum? If the regulators would never enforce it, then why does it need to be so high?
Because otherwise some companies might conclude that it is cheaper to continue to violate the law and simply pay the fine. See Volkswagen, which got fined billions for violating the law (and rightly so), and they're still in business and have not withdrawn from the markets where they were fined. But it looks as if they did learn their lesson (for the next 30 years or so; this wasn't the first time they got caught with something like that).
Volkswagen-sized companies would be subject to the 4% of revenue limit, since that's >20M EUR. That 4% seems high to me, but not insane.
The 20M seems insane to me. If the standard for smaller companies were e.g. 100% of the last five years of revenue plus 50k EUR, then can you imagine a case where it would be cheaper to violate the law and keep paying the fine? That would be a lot less menacing to small, non-commercial or semi-commercial projects.
I'm pretty sure the regulatory bodies are thoroughly and wholly excited to take on Google and Facebook with some hefty fines and clarify the GDPR and how it applies. I can't wait either.
Google and Facebook have financial impacts in complying due to the very nature of their business.
They comply later than everyone else not because they didn’t see it coming or didn’t prepare for it, just that it wasn’t in their interest to do it earlier
> Indeed, this did not drop out of the sky. It has been in the works for years.
I run a business that follows EU DP best practices (and so was mostly GDPR compliant already) and the first I heard of it was mid 2017. My country's data protection agency made no attempt at raising awareness despite having my email address on file :-D It's only been frequently hitting non-EU industry news and places like HN since late 2017 so I can appreciate how non-EU folks might feel blindsided by it.
> I run a business that follows EU DP best practices (and so was mostly GDPR compliant already) and the first I heard of it was mid 2017.
Likewise. This idea that the GDPR has been in the works for years so it's somehow implausible that very small businesses have only just heard of it doesn't stand up to scrutiny. No owner-run microbusiness is spending the time necessary to keep up with the vagaries of EU debates.
Similarly, the idea that the GDPR is plainly readable and so that shouldn't be a burden and no-one needs to consult experts makes no sense. The document is many pages long, there are many more pages of guidance and interpretation produced by both the EU itself and the various national regulators, and it's still fundamentally ambiguous on many significant practical points.
It is entirely reasonable for a small business that does relatively little trade with the EU not to want anything to do with this, and it has little if anything to do with how good or bad their practical data protection measures and respect for privacy are. If small businesses are overreacting then that is on the EU for failing to pass better law and provide sufficiently clear, concise and timely publicity and guidance on what it really means.
My business interests are in the UK, so we're stuck with this one. However, if we'd realised ahead of time how much trouble the new EU VAT rules would cause a few years back, we would gladly have sacrificed the modest part of our revenue that comes from other EU member states in order to avoid that mess, and it wouldn't have been a close decision. So I find it very hard to criticise anyone running a small business outside the EU for wanting to avoid the latest round of heavyweight EU regulations if they have a way to put themselves outside of their scope.
Thank you for perfectly describing the frustrations I have experienced with GDPR. As the owner of a small SaaS business in the US I don't have the time to follow various EU regulations that closely.
I only found out about GDPR earlier this year from a random HN comment. I can't understand the attitude from some HN commenters that everyone should have known about this for years. Where/how should every small business that could be impacted by this regulation be notified?
As you noted, the regulation is readable, but verbose and frustratingly vague. I ended up reading most of it along with countless articles from various third parties debating what it means and how to comply - and I'm still not 100% certain if the steps I've taken mean I'm actually "GDPR compliant."
I too got stuck having to comply since around 30% of my customers are in the EU. However, I gladly would have foregone all of that revenue and focused on non-EU customers only if I had known what was coming back then...
Nobody actually knows what "GDPR compliant" means. As it's up to you to demonstrate, and it's up to your regulator to decide a policy enforcement guideline, basically nobody knows. It's really, really, really burdensome, especially if you have to retrofit it to existing systems.
You know what? I'm pretty sure you can just talk to one of the European regulators in advance and ask them questions about points you don't understand. They are pretty slow but they do respond.
I'm probably a bit more in touch with this stuff than most because of the nature of my business but in the last year or so I've seen more and more companies that made real work of their GDPR impact studies (companies with vast amounts of data and/or sensitive data were further along). For all but the largest the impact has been very low, the longer ago they started the lower the amount of work they had to do.
That's the price of sitting in your office with your head down though, you can't ignore changes such as these.
This is one of the oldest HN mentions about the GDPR I could find:
> Indeed, this did not drop out of the sky. It has been in the works for years.
VOGON CAPTAIN:
[On Speakers] People of Earth, your attention please. This is Prostetnic Vogon Jeltz of the Galactic Hyperspace Planning Council. As you no doubt will be aware, the plans for the development of the outlying regions of the western spiral arm of the galaxy require the building of a hyperspace express route through your star system and, regrettably, your planet is one of those scheduled for demolition. The process will take slightly less than two of your Earth minutes. Thank you very much.
MANKIND:
[Yells of protest]
VOGON CAPTAIN:
There's no point in acting all surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for fifty of your Earth years, so you've had plenty of time to lodge any formal complaints and it's far too late to start making a fuss about it now.
From "Hitchhiker's Guide to the Galaxy" by Douglas Adams
* The GDPR text, national regulators' comments, industry opinion, sample docs and a plethora of free resources have been readily accessible on the Internet for about the same length of time.
Having worked on the GDPR docs for a medium-sized business that builds learning management systems for corporate customers (about 100 live systems + dev and testing platforms where we are a processor of their personal data), it took about 3 weeks-worth of time to re-audit our platforms, complete a more detailed risk/impact assessment and write this all up together with some procedures for handling enquiries.
Yes it took time, and we went the extra mile with diagrams and tables because the docs are customer-facing, but handled in a timely fashion, GDPR compliance is not a brick wall to business continuity.
If a business already has in place a baseline level of good information security practice, GDPR compliance is not that hard.
Also, needing to have a DPO is not difficult since he already has one employee, himself. It's not ISO2700x, you don't need to fiddle around with rights in small businesses to make sure it fits the narrow perspective of a standardization and exclusiveness.
I can't speak for you, but I only heard about GDPR 6 months or so ago, like most people outside of Hacker News. Most small businesses only heard about it in the last 6 weeks.
Sure, the regulation was there, but nobody talked about it, and it's unreasonable to expect people to magically learn about EU regulations, especially if they don't live in the EU.
I saw that one coming a mile away, thank you for the quote though :)
And no, this is not about demolishing our way of life, the town we live in or the planet; it's about respecting the privacy of your users, which - for a change - is actually a positive thing. Unless of course you weren't going to do that in the first place, you should welcome the development. I imagine that in a just world the Vogons would be on the receiving end of it.
Oh, and in this case the plans were not on display in the locked filing cabinet in a basement of a building where the lights had gone off and where the stairs were missing.
A handy URL has been provided for a long long time and all the debates have been recorded in public as well.
I'm already respecting my users' privacy. I shouldn't have to spend time and money to prove it any more than I should have to prove I didn't rob your house.
Sure, make it illegal to mistreat user data, then punish those who fail. Don't punish everyone up front.
I smirked a bit. The EU certainly didn't advertise it in the last two years, but it was definitely around. But just like in HGttG there isn't much use in yelling in protest now; grab a towel and grab something safe. (I should send out my towel reminders to some of my users since I updated a few pages.)
Similar laws have been on the books in most if not all EU countries for literally decades. How Americans can be blindsided by the way things have been for years is absolutely beyond me.
Except in this case the Vogons already visited you 15 years ago to tell you about the e-privacy directive and 20 years ago to tell you about the data protection directives.
The decision to exclude a portion of your user community should be explained.
Unless you personally know the developer you are making a number of assumptions about their resources and time to deal with this issue.
Presumably the developer wants to continue to offer this app and service. His understanding of GDPR and how it affects his service will grow over time and he will likely eventually take action to reintegrate the EU into his service.
> His understanding of GDPR and how it affects his service will grow over time and he will likely eventually take action to reintegrate the EU into his service.
> Unless you personally know the developer you are making a number of assumptions about their resources and time to deal with this issue.
This particular law is 88 pages full of duplicated terms, vague definitions and sometimes contradicting points. A very quick proof of that is the number of misunderstandings on so many points of it just in the comments of this topic - e.g. "do you need a DPO?", "do you need two separate people to avoid CoI?", "does the DPO need to be an EU resident?". There are hardly two people with the same interpretation. And if people on HN have a horrible grasp of the GDPR, how would an Average Joe be able to understand it independently?
The only thing certain are the insane crippling fines.
It is extremely naive to believe you don't need a lawyer for that. You do - the same way as in some of EU's less market-oriented countries, after a VAT reg you need a registered accountant.
Well, the difference is that theft is a natural law. We are born with an instinct it is wrong.
Having a data processing officer in the EU for some definition of significant business is not a natural law and requires careful parsing of the legal text.
> And they are a business. And as a business they have decided to get out of Europe as the above costs weren't worth it to them.