For what it's worth, I'd argue the same should be permitted of a small car maker. If I want to go build my own cars, step 1 should be putting a motor on a chassis and being able to drive forward. Step 1 shouldn't be adding airbags and seat belts to a couple axles.

The safest car is one that can't drive, and the most privacy-friendly software will fail to compile. You should be able to build a functional car before you need to worry about making it as safe as possible, and similarly you should be able to build a functional MVP of your software before you need to worry about compliance with a huge international policy.

Like most car analogies this one has a fatal flaw.

Before you are permitted to use your DIY car you need to comply with safety regulations to avoid harming others. You can keep your unsafe car off the street in your garage, though. Same for software that is not compliant; you just don't get to call it a "product" and let it loose on the public.

you can build a functional car, but you can’t put it on the road. you can build a functional mvp, but you can’t make it available as saas to users.

you can drive your unsafe car on the track, and your negligent mvp on your customers own hardware as in-house software.

Going along that, it's also like 3D printing house startups no complying with fire safety regulations in the name of "oh no, it's too expensive, let's just not deal with that". Actually, thinking about it, such startups would probably start somewhere where regulations are laxer, make money there, then invest in security, and finally expand to western countries where subject to massive regulations. I don't want unsafe houses, I don't want unsafe cars, and I don't want unsafe websites. Some other countries don't mind about that. To each their own, what's so ridiculous about that ?

Great point about VW btw, I forgot about that !

I disagree with the analogy. Trying to use the same analogy: If I were a one person entrepreneur trying an MVP, I would be building a bicycle, not a car. And what I suggest is have the right to put a sticker on the bicycle: "Warning, this is not compliant with the car regulations" to make sure people don't have false expectations. (Because I agree that in the real world, only a fool wouldn't be able to differentiate between a car and a bicycle, but for web services, this isn't an easy task)

A one person entrepreneur might not consider him/herself to be "being in the webservice business". Instead he/she would consider being in the business of [whatever problem the MVP is trying to solve]. It just hapens that in the 21st century, most of innovation happens online.

Back to your car analogy, it seems that people on one side argue that all companies "being in the webservice business" are 'car makers'. some people on the other side of the argument might say it's not.

Also, ultimately, it's possible that after spending a lot of time and hours examining the legal requirements of GDPR, a startup realizes it's not technically hard to comply, but the issue here isn't implementing the requirements, it's more about getting all the legal analysis, certification, handling customers requests, etc.

> If you disagree, should the US also stop prosecuting VW for the diesel cheating?

In that case, VW has clearly been in the car business for much more than 2 years, and in my example "X users", a good value for X would be something order of magnitudes less than the number of VW customers around the globe. So no, the US would continue prosecuting VW.

Well it's funny because Uber, a company that actually does seem to have financial resources, is allowed to run their apparently unsafe cars on the streets of some us states.

to be fair though uber also has thousands and thousands of unsafely driven cars on the road that we have no problem with; humans are bad at controlling heavy rolling fast motorised steel boxes

Uber seems to be worse than humans thusfar. Orders of magnitude fewer miles than average before killing anyone, covering up running red light running, misleading videos. A human driver like Uber would've ideally lost their license and faced legal penalties by now.