
The problem is not with the spirit of GDPR. I am totally with that. The problem is the liability of it - as a small startup it is seriously scary to think that all it takes is one insane customer to pull the fire alarm and we'd have regulators and fines raining down on us even if we believe with all of our hearts we are doing it right.

Hence, the blocking of the EU - it's better to block at the beginning and then expand to the EU once we have revenue to support someone handling this as an employee.




> as a small startup it is seriously scary to think that all it takes is one insane customer to pull the fire alarm and we'd have regulators and fines raining down on us even if we believe with all of our hearts we are doing it right.

You know this is not what would happen, right, that you'd be given advice and the opportunity to towards an amicable resolution?


That's an optimistic view of dealing with government, that they would actually be reasonable and helpful. Many in the US have a decidedly pessimistic view of dealing with regulations and bureaucracy.

Uber versus Night School is an example of this. Uber: Ignore taxi regulations, get tons of VC, get rich while being awful people. Night School: try to work with government and play by the rules, fail, get used as a cautionary tale.

Source: https://psmag.com/economics/night-school-failed-because-it-f...

I think something akin to GDPR is necessary and good, but GDPR as written probably isn't it. I look forward to seeing how it works out in practice, and how it develops/is replaced, and in the meantime feel bad for the developers and customers that suffer through the unintended consequences and misfeatures of it.

After the law gets clarified some, I think you're right that it won't be bad for small players. But I wouldn't want to be one of the test cases.


> That's an optimistic view of dealing with government

Calling the data protection agencies "government" may be correct in some very legalistic sense, but is utterly wrong under any colloquial meaning of the word.


Perhaps in Europe, but "government" has meant "the state" in the US for most of two centuries.


If they’re set up pursuant to legislation and paid for by taxes they’re the government.


Can you point me to where in the GDPR it talks about being given "advice and the opportunity to towards an amicable resolution"? (I'm not being facetious, I'm genuinely curious to read about it, if it exists)


Article 83 in general and specifically Art. 83 (2) state that "the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement" should be taken into account when determining penalties. We'll have to see what this means in practice though.


I wonder if their definition of 'should' is in line with RFC 2119 https://www.ietf.org/rfc/rfc2119.txt

I know nothing about European legal systems though


The GDPR doesn't use "should"; it states that "[w]hen deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to" that factor. Basically, if you can show that they _didn't_ take that into account, or that you tried to cooperate and were stone-walled, you will have good grounds for having the fine overturned.


My understanding is that the measures taken against GDPR infringements will very much depend on the good will of the relevant national authority.

And as a member of an EU country that for the last year has been constantly bending (when not breaking) the rules to repress and attack legitimate political demands, the relativism in the application of GDPR is something that I find very worrying.


No, he doesn't know that. And you don't either, although you might believe you do.


>> You know this is not what would happen

You don't know this.


We have 20+ years of dealing with tons of national and regional DPAs following national rules. Now these DPAs play by a single rule book, but other than that, little changes.

How many 300k EUR fines (the maximum in Germany until yesterday) served by a German DPA (we have 17: one federal, one per state) have you heard about in the last 5 years?


I haven't found the statistic about fines levelled by the Hamburg DPA that I read recently, but just found something about the Saxony DPA:

From April 2015 to March 2017 there were 124 proceedings, with 47 leading to fines.

The aggregate sum of all those 47 fines was... 174.226 Euros.



The first one was handed out by a court based on criminal law. This is not comparable to administrative fines. He got fined 260 days of his income (which is the basis on which such fines are assessed). He had two previous, very recent convictions. I'd say this is not a very harsh sentence but your opinion might vary.

The second one is a law very much like GDPR (notice the little words "up to"?). Not a single fine has been given based on that, not even a small one.



