So yes, I do trust the EU and their history has proven that the aforementioned idea isn't a hollow one.
I want to stress that this is a major point of political polarization in Europe at the moment. Even if this claim is true, it warrants a clear and articulated defense.
Again, people are assuming that this is the first and only directive that has fines associated with it. It isn't. You don't hear a lot of people talking about the three month prison sentences possible for CE marking, for example - because very few of them have been handed out and only for egregious violations such as unsafe machinery that has caused injury.
Who's to say that 10% of the maximum for a minor violation isn't proportionate? Also, most small businesses do not have the resources to hire competent counsel on the other side of the planet to litigate these things.
(I can't lay hands on it at the moment but there are clear guidelines to UK judges on what constitutes reasonable fines for offences, such that it should be feasible for the person to actually pay the fine)
A large body of case law, well-defined guidelines for evaluating harms and mapping them to fines, and the EU's general fear of stymieing economically productive activity (the motivation behind GDPR is to enable more data trading, not less, but within better-defined legal boundaries).
We have had laws with "open ended" sentencing guidelines since the very beginning of organised society. This is a solved problem.
There's nothing that says IRS won't prosecute you if someone buys you a soda and you don't declare it as income.
Or that you won't be prosecuted by someone in the US if your blog has a copyrighted image and you don't receive a DMCA request that was sent to you.
See how ridiculous that sounds?
All fines can be administratively and judicially appealed.
It is irresponsible not to assume that if the law is written a certain way then at some point, the law can (and likely will) be enforced that way when it suits the government.
In rules-based regulation, all the rules are spelled out in advance, and the regulator is basically an automaton once the rules are set. In principles-based regulation, the rules are extensive rather than complete and you expect the regulator to have some latitude (and, if the system is well designed, a mechanism of recourse if they do something stupid).
An advocate of rules-based regulation would say this can make regulators unpredictable and capricious. An advocate of principles-based regulation would say it is an important safeguard against "rules-lawyering" and regulatory capture (especially the kind that ties new entrants up in check-box compliance that doesn't actually affect your business because all the rules have been worked around).
A classic example would be the time PayPal tried to tell the UK regulators they shouldn't be regulated like a financial institution (which is a claim they successfully made in the US). They pointed to chapter and verse of the relevant law, and said that according to subparagraph 2.b.c(iii)... and the relevant regulator essentially told them "shut up, you keep consumers' money for them and will be treated accordingly". As a result, the worst "PayPal took all my money and I can't get it back" stories generally do not come from the UK. (And when they do, they are accompanied by referrals to the Financial Conduct Authority, who have teeth.)
You can approve of this way of working or not, but the GDPR is a principles-based regulation, and you'll have to engage with it on those terms.
GDPR 83.1: Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
Sounds very workable.
Come on, this is just scaremongering. Newsflash: If you run a business, you are already responsible for adhering to hundreds of other laws in which the fines could reach millions. But you don't see people running around screaming that the world is ending, because they know that the laws will generally be applied fairly, given that a large economy (like that of the EU) relies on just application of laws to maintain stability.
Running a business, like anything else in life, requires the ability to make reasoned choices from somewhat ambiguous data. And the data here is somewhat ambiguous for good reason - it's to prevent businesses from exploiting loopholes and rendering the law ineffective. If you are going to crank the anxiety to 10 every time a situation like this occurs, you probably shouldn't be running a business or handling others' data in the first place.
I'm assuming you speak English. Do you really think there's any lawyer in the EU, competent to litigate EU law, who doesn't speak near-fluent English?
(Actually, if the lawyer is from continental Europe, and you only speak English, they do speak at least one language you don't, but I'm guessing that's not what you meant.)
Or you can just disengage with Europe altogether, which is an obvious choice for many small to medium sized companies, given the risks and costs involved.
Not true.
https://www.legislation.gov.uk/ukpga/1971/38/section/25
> The fourth, fifth and sixth columns show respectively the punishments which may be imposed on a person convicted of the offence in the way specified in relation thereto in the third column (that is to say, summarily or on indictment) according to whether the controlled drug in relation to which the offence was committed was a Class A drug, a Class B drug or a Class C drug; and
https://www.legislation.gov.uk/ukpga/1971/38/schedule/4
Cannabis is currently class B, thus
> [F8 3 months or [F4 £2,500], or both].
On that token, have you actually at all looked into how "proportionate" is interpreted legally? After all this isn't new and there are a vast number of regulations using the same legal language. Yet somehow business in Europe has not stopped. So prima facie your concerns are absurd, you have not brought evidence that there is an issue (or anything at all unprecedented really) and I have to wonder what motivates you.
As others have said, if you have no interest in complying with laws that protect my privacy, then it's appropriate for you to not do business here.
This is a good point, but many people seem to forget that most misdemeanor criminal offenses in the US are punishable by fine and/or up to 30+ days in jail. People do not often get the jail time so most don't even think about it, but it is available as an option to the judge for things like repeat offenders.
I'd cynically add:
> and to prevent people from killing and robbing each other each day
There's a reason we have Wikipedia articles like this one:
Or, you're fine with a competitor who isn't afraid of entirely reasonable international laws coming in and eating your lunch.
We also considered all the additional liability we’d be taking on, and with that alone it was barely worth it based on the current EU customer base we have.
We’d also be very happy if one of our competitors started investing in the EU market. It’s worth about 10 times less than the US market in our industry, so having them chasing peanuts in Europe (and investing in compliance with European - absolutely not international - regulations) would be a truly fantastic outcome for us.
Unfortunately, so might students of history. Ask anyone in the UK who was working in the freelance or contract world when IR35 was introduced.
In that case, too, the principle was reasonable enough: there was a loophole in tax law where you could decide you're a contractor instead of an employee and pay less money despite for all other practical purposes still being an employee, and this was being actively exploited by some people.
In that case, too, the reality was that most people working in the sector probably wouldn't be challenged by the authorities, not least because the enforcers had limited resources.
But in that case, too, a given individual's status was often unclear. While some of those who were deterred or subsequently received penalties really were engaging in obvious tax avoidance, other reports described crippling penalties for people whose arrangements appeared to have been quite reasonable but to have fallen foul of someone in government's dubious interpretation.
This led to substantial amounts of time and money being collectively spent by the freelance and contractor community incorporating new legalese into contracts and paying for advice and taking out insurance policies. An entire trade body was formed primarily to deal with this threat. Even today, those of us who take on any sort of individual contract or freelance work from time to time have to be careful not to say or do certain otherwise reasonable things, or to allow others to do so, for fear of tipping the balance or giving any appearance that might be subject to challenge.
And the irony is that while the law arguably had some effect initially in getting contractors to go back to being permies if they were just using it as a tax dodge, overall it appears that IR35 has raised very little extra tax revenue for the government. It turns out that the vast majority of contractors and freelancers were operating in that fashion legitimately and continue to do so, and most enforcement actions appear to fail to the extent that the government even tries any more. Nevertheless, the rules still hang like a sword of Damocles above the whole sector.
For us, it didn’t make sense to invest the amount of money we’d have to to establish compliance with the GDPR, or to invest in maintaining that compliance, and the liability that GDPR would introduce for us most certainly didn’t make sense.
Europe is worth almost nothing to us, we don’t market ourselves there because it’s a waste of money. The EU customers we have all sought us out, not the other way around. For us, the cost and liability is simply not worth it. I think you’ll start to see more businesses make this decision, based on facts and numbers. You can’t just cry that they’re all being hysterical or want to abuse their customers’ data and privacy. When you introduce expensive new regulations, that have very strong punitive elements, this is exactly what you’d expect to happen. Small to medium sized businesses will wear most of the cost (while posing the least of the risk). Luckily for us, EU is worth close to nothing for us.
Which we know is definitely NOT the case for companies storing your data correctly.
The courts must follow the sentencing council guidelines unless it's in the public interest not to do so.
https://www.sentencingcouncil.org.uk/wp-content/uploads/Drug...
The starting point is 100% of weekly income; the range is 75% to 125% of weekly income.
> Band B 100% of relevant weekly income 75–125% of relevant weekly income
With the caveat that "the law" in this case isn't just the GDPR, it's the entirety of EU case law. GDPR exists in a particular legal context.
my company OTOH is choosing to apply gdpr principles globally.
All state action is subject to judicial review, where proportionality is a big factor.
It's an aspect of due process that is being reviewed and enforced by every court, up to the constitutional courts.
Example: the German criminal code threatens "up to five years" in prison for theft.
That does not mean that a first-time theft of a not-too-valuable object could get you five years. Impossible. But not written in the statute itself. But even if a court was mad enough to hand out such a sentence, the revision stage would be swift and without any uncertainty.
Actually, it's hard to conceive of a first-time theft-offender going to prison, instead of paying a fine or at least having the prison sentence suspended.
I remember the time we had very good privacy policies but getting that project to be compliant with COPPA was still a significant effort, so I think I get where you're coming from.
Once we became compliant, quite frankly, I felt a lot safer and more confident in affirming that our privacy policies were very good. Maybe it was some kind of sunk cost syndrome, but I was glad we did (were forced to do) it.
Consider, for example, how every major social issue devolves into a Constitutional litigation. Whereas in Europe people just vote on stuff.
And as to regulatory approaches I think you’d be surprised. European regulation is often quite conservative.
Well, let's say it wouldn't work with the current ruling class mindset where everyone they employ is stupid and unable to think critically.
I think the unfortunate thing is that, when the previous/existing incarnations of these protection laws were/remain unenforced, many assumed it was because of lack of "teeth". But those of us familiar with how these principles-based regulatory bodies work know that it's more about confusion and regulator apathy. Nobody here is watching the watchers. Instead, there's a bunch of people foaming at the mouth with pitchforks asking for more laws and dismissing alternative concerns as hysteria or not understanding how laws work. We should be discussing how to solve the problem, yet we continually devolve to discussing the government-led solution presumably because we feel helpless and can't consider better options.
I expect that, at least in some obviously global markets like most e-commerce, GDPR compliance (as opposed to throwing the towel like you) will be treated like a certification of being a relatively non-evil and non-amateur business, with a significant impact outside the EU.
Source please?
> If you are going to crank the anxiety to 10 every time a situation like this occurs, you probably shouldn't be running a business or handling others' data in the first place.
I'm not running one right now. It's not the situation that gives me anxiety, it's just that it no longer seems interesting to support European customers for a potential business if that implies that I risk that much over their information. They just removed a big bunch of potential customers for a potential company. I would already try my best to limit the amount of PII but there are many times you just can't.
I'm from Quebec. Here we have laws over lotteries. You know what it implies? If you make a lottery here in Quebec, you need to follow some simple regulations (I personally know people that did it essentially for fun (not for profit)) so they are pretty easy to follow, and pay the taxes for the winner. You know what I had to endure each time I went on an online contest? A broad exclusion, because it was just not worth it to follow these regulations. It's crazy the number of contests where you could literally do CTRL+F "Quebec" in the rules and find our little province (nowadays I see more of "where law forbids it" or stuff like that, but I haven't tried to participate in a contest for a long time either).
Did these companies have too much anxiety about our regulation? None at all, they were multi-billion companies that did this. It was just not worth it.
Did you think about this before typing?
Clue: how many countries does an EU-wide law directly apply to? One? Or many?
Having to spend some effort to make sure you are in compliance with a huge new piece of regulation is expected and I understand that people complain about having to do it. However, after the initial bring-up pains any business which continues to have a problem with the GDPR most likely has a business model directly in conflict with the spirit of the law.
My customers are all happy with my privacy policy, and not a single one outside of the EU has expressed any interest at all in the GDPR. We are actually compliant with a majority of the regulation, however there are some areas where we would have to re-architect to gain full compliance.
This is not in any way a signal that we’re “not good enough” to handle our customers’ data. It is mostly a sign of a poorly written piece of regulation, that has more undefined edge cases than it has defined use cases.
We’re not going to be the only company that comes to this conclusion, so you can go around slandering anybody you like, but that’s not going to change the facts behind what is a rather simple business decision for a lot of people.
You’re incredibly naive if you think complying with regulations like this is going to be cheap and easy, and you’re even more naive if you think that compliance is going to mean anything other than a rubber stamp. I’ve seen PCI, Fedramp, ISO27k, SOC2... organisations that have been certified as compliant, but were in reality less than 10% compliant. The compliance industry is a joke worldwide, and everybody knows it.
Which fraternity?
For the rest of your life? Source please?
You can be put temporarily into a cell for plenty of stuff but that's temporary. A fine is pretty permanent and when it can be millions, well that's probably the end of your business too.
> There's nothing that says IRS won't prosecute you if someone buys you a soda and you don't declare it as income.
Isn't it simply paying back what you should have + interest? (with some threshold)
Paying taxes is already part of the cost of running a business too (and that's a pretty low cost for a startup, versus having an actual trained DPO).
> Or that you won't be prosecuted by someone in the US if your blog has a copyrighted image and you don't receive a DMCA request that was sent to you.
Which is exactly why you try not to put copyrighted images on your website. Most of the time PII isn't something you can just avoid for a business.
> All fines can be administratively and judicially appealed.
Any appeal represents a cost. A cost that you can't always support until the end.
At the end, it's all about the cost of the risk... that's it. GDPR seems a pretty high cost.
I'm 26, have always been Canadian and I have never seen what you talk about there. It's disturbing that you had this experience.
The only fines I ever heard of someone getting were related to the road and were mostly parking and speed tickets. Even then, I also don't know anyone that doesn't drive 120 kph on a 100 kph road and about the parking, the signs are pretty self explanatory (though they can become pretty complicated where there's more than one).
If you consider that you follow what any signs say, well that would mean you shouldn't get any of these fines. These fines are also defined and you know what you risk if you don't follow the signs.
Now say the same about GDPR... a lot harder I would say.
People drive at 120 on a 100 road and that's alright even though cars kill thousands each year, much more than keeping your shipping information in a database, yet you risk a much bigger fine for keeping that information without following the "signs".
Because our social media platform is open to all, we are addressing adhering to the GDPR. In spirit, we already do, but they want what amounts to 5 documents on how we use metrics and user data.
(Edit: we use metrics only in a '20 new people signed up'. We treat all data as federal confidential data. We also abide by deletion requests - immediately all user data is zeroed out, and a script overnight removes the zeroed fields. If it should not have been entered, we also will nuke users on backups too.)
If you're doing things respectfully and the right way, the GDPR is a nuisance. If you were hoovering anything and everything, you're in for a bad time.
And given your comments above, I'd put you in the company of "Hoover, Dyson, and Electrolux".
Edit: > "My customers are all happy with my privacy policy,"
Do they have a choice, aside from never using your stuff? Do you force acceptance of the 'privacy policy' on usage of your service? If you do, that is in direct violation of the GDPR.
Hope you never want to consider European citizens as customers. Building in this respect is cheap, but it is expensive if you ignore it now.
Think of this as "California Emissions". Eventually the US will adopt it, even if only de facto. Might as well be on the right side of the fence.
If a law is on the books, it can be enforced in the EU, right? I understand there is precedent but precedent is not law, it's merely the common understanding of that law in that particular context. Precedent is overturned all the time (not to mention ignored when convenient), as it should be.
Is there a critical difference here that I am not understanding? Perhaps it has to do with the fact that the EU is not a state, but a high level guiding body for a number of states?
The tendency of people to follow laws has shown little relation to blunt enforcement. It has to do with people's tendency to follow norms.
It is also international in that it applies to EU citizen data no matter which country it is held or processed in.
Our application is a financial one, so I’d say it’s reasonable to assume that it ends up with a lot more in-scope PII than yours does.
In spirit, we also comply with almost all of the GDPR. However, some of its undefined edge cases prevent us from fully complying with it without an expensive re-architecture project, and re-implementation of some of our toolset. The areas we don’t comply with are incredibly minor, and I’ve seen some people arguing that we’d fall within the GDPR's limits of flexibility. However, that’s not how we manage risk. No matter how confident we were, being wrong could potentially end our business with fines.
As I have said repeatedly, for many small to medium sized businesses that don’t have many EU customers, there is simply no reason to implement GDPR at all. The costs can be quite high, and the risk of getting it wrong is enormous and not survivable. This is one of the many unintended (although entirely expectable) side effects of the regulation. All you’re trying to do is spread FUD.
Comments like this come across like a personal insult.
For you and others, please refrain from such comments; I see it shutting down interesting conversations (that help me understand additional view points).
Every time these GDPR discussions come up, someone is always quick to say the US is worse, US is getting a taste of its own medicine, that dissenters must want surreptitious data collection, and on and on. Oddly enough, bringing it full circle, the tendencies for humans to argue in these directions instead of stay focused on the issue at hand make me glad to have more strict boundaries that are less subject to the whims of idle thought. Obviously this can't be absolute, so we should craft our rules to limit their scope at least from the outset. It's not about one country/continent vs another, it's about the goals and how they are achieved. Some believe and/or have experienced difficulties conforming to all sorts of government rules, it is a human thing not a location one. IMO, we need to stop deflecting and we need to stop being so absolute. People that are feeling pain of impending laws are not hysterical and laws are not magically OK because other forms/interpretations have downsides.
But in essence people are missing the bigger context.
That doesn't mean Jacques' analysis is not worthwhile, by the way. He is not ignorant of the legal context. Judging by the reaction to the article, this is going to be one of those situations where you can lead a horse to water but you can't make him drink.
But fair enough, nobody should be trusted blindly. This is why we have appeals and legal avenues to create checks and balances. So in the context of this discussion, it's pointless. We don't have to trust them. If a fine looks disproportional, there are legal remedies. Up to the ECHR which is generally quite careful in its decisions.
If you don't trust the EU's legal system, that's a different problem. One that rings a bit hollow, and doesn't really further the GDPR discussion.
That is a sweeping generalization and if you dilute and guess what the most probable reason for excluding Quebec was, it's probably for the best. It was a shady contest to begin with.
The Canadian sweepstakes law and corresponding province laws are not that hard and costly to comply with either. Look at the countless valid and non-scam contests present and available to our citizens. You, I and the rest of us should be glad that rules like these exist since there are people and companies out there willing to part you from your hard-earned money.
As an example, you just need to store my skill testing answer and if I get awarded a prize, reset a flag that I need to fill out a new answer. In Quebec, you need to give monetary guarantees to make sure you pay out and give contest rules out to the bureau ahead of time. That is not a tall task. It's for the better if those shady contests did not want to participate.
Say I use a DDoS prevention service (like cloudflare). They get my user data, and also have to be under scope of GDPR as well. And since IP isn't indicative of EU citizenship status, a company had better apply GDPR to everything rather than just a subset.
In the end, this law makes a "We respect the privacy of your data" subset of providers, and provides a great way for us users to identify bad actors (Google, FB, Amazon, etc).
The tax laws are vastly more complex than GDPR. The maximum penalties for tax fraud seem to be $250,000 + cost of prosecution + 5 years in jail.
If you make a small mistake on your taxes, and the IRS notices, you will probably receive a warning and have to repay it with interest. If you make a negligent mistake, you may be in addition be fined a small percentage, like 10-20%, of the amount you failed to declare. You have to conduct very large scale and intentional tax evasion for the maximum penalties to apply.
The IRS could argue for and try to apply the maximum penalties for a lemonade stand, but they don't. And people go on with their lives, put in their best effort to comply, and can be confident that they will be treated fairly.
And that's what Cloudflare chose to do. We are treating all customers the same regardless of location.
"Of the companies I spoke with for this story, both Cloudflare and Mozilla will be GDPR compliant no matter where their customers are located." https://www.fastcodesign.com/90171699/what-is-gdpr-and-why-s...
It's true, I do think that a more principles-based approach is usually preferable. (And I will happily marshal anecdata to that end!)
But it's naive to think that any approach comes without a cost. Even the PayPal example I mentioned above could be coloured the other way: A company makes a major investment in a foreign market, only to find the rules changed underneath them by a capricious government agency! (Someone brought up IR35 down-thread, and that's an excellent example too.) Is that an acceptable cost for the outcome? I'd look at the overall state of (eg) consumer financial protections in the US vs the UK and say "yes"; but I'm open to evidence-based disagreement.
Given that description, after a couple decades working in some and dealing daily with the acts of other agencies which issue and apply regulations in the US, let me assure you that the regulatory system in the US is nothing at all like “rule-based” as you have described it.
No, it is not, because background check and other third-party intelligence firms aren't purely reactive now, they have and use tools to proactively vacuum up public records and maintain their own DBs. After-the-fact sealing of arrest records or expunging of convictions has no effect on data that is already in third-party hands.
Maybe they are trying a kind of best of both worlds approach?
The GDPR creates some new criminal offences that can be prosecuted through courts without the regulatory authorities being involved in Clauses 162 & 163.
Article 82 allows individuals to sue in court for compensation if breaches of GDPR rules cause harm.
The regulatory activities are on top of this.
Sure, they will probably not give such fines, but they could. What if I run a small business that interferes with the activity of some other business run by, for example, someone who is a friend of or can corrupt the people in charge of issuing the fines? They will fine me 20 million dollars; sure, I can appeal, but a normal trial in my country lasts at least 5 years, and in this time I will probably go out of business...
The fact that they could is a big problem; they should have specified a proportion between the size of your company and the maximum allowed fine.
This sounds like it would make an interesting blog post!
If that's your personal belief then obviously you're entitled to your opinion, but have you seen any actual evidence that that is the case?
However, after the initial bring-up pains any business which continues to have a problem with the GDPR most likely has a business model directly in conflict with the spirit of the law.
Perhaps, but as you say, what we know now is that there are some initial compliance costs for everyone. If nothing else, we all have to understand the new regulations and our obligations under them, and we will now have to allow for additional subject rights and stronger and more specific documentation and notification obligations, which generally apply retrospectively as well.
I admit that part of my concern here is not specific to the GDPR, but rather to the general practice of creating ever more rules governing businesses. Every time some new regulation comes along, the costs of running a business go up. Not only does that impose some level of overhead on established businesses, it also has a chilling effect on new businesses starting up, and on paths to growth like starting a side business that can expand to something full time and later to take on additional employees. If a new regulation is necessary to achieve some positive effect, then those overheads might be justified as well, but I remain to be convinced that this is the case for most of the new rules and regulations that have come in over the decade or so that I've been doing this now. The GDPR is just the latest example of something perhaps well-intentioned but poorly implemented.
I think that this point can't be over-emphasized, and I wish you had put that sentence in its own paragraph.
Risk (management) was also alluded to elsewhere in the comments in the discussion of "rules-based" versus "principles-based" regulation.
Perhaps characterizing certain business reactions as "panic" is grossly unfair, when they're merely sensible (or even somewhat excessive) risk-aversion reactions.
I've come to suspect that the HN readership has a high risk-affinity, not just because of the startup leanings, but also even because of the preponderance of programmers working in internet/web tech, possibly never even being exposed to an environment that's life-critical or money-critical (is there a word for that? fiduciary?). Given that, I also suspect there's also broad, possibly even unconscious assumption that risks like you're describing are no big deal, 80% compliance is more than enough, (always) ask for forgiveness instead of permission, and that sort of thing.
Personally, I don't think there's anything wrong with either risk-affinity or risk-aversion, as long as one is aware of it and it's not an unconscious bias.
Then they'll try to come back... after their EU user-base was kicked out and forced to find alternatives.
It has no statistics behind it, just made-up stories.
The problem with this approach is if you run a large or small company or are a sole proprietorship or simply have a hobby site, you can't write off legitimate fears of heavy handed enforcement. No one wants to be the example.
In the former cases, if your company is how people are feeding and clothing their children, do you want to be the person who says "Oh well we tanked the company this year because weren't worried. Someone on the internet told us they'd be gentle! How could we have known they'd be serious about levying the maximum penalty!?"
If this law is "no big deal" or "so easy to implement" or any other version of the arguments proposed this week, it would not be causing so much concern. It's neither an unreasonable ask or a trivial one. People are being impacted in large ways.
I'm on my company's GDPR compliance team and it is serious business. Our European footprint is small but not insignificant. If we were an unreasonable bunch, we'd just shut the whole thing down and move on. The very expensive, very well versed German legal counsel we're paying to help us do this right completely disagrees with what many are saying here. We have no reason to not believe them, as they have a lot of experience with the German laws the GDPR is based on. We're paying them far more than the fines we'd see because we believe in doing the right thing. Ergo, we must take the "hard" regulator view rather than your "kid glove" view. Our lawyer's underlying point in every discussion is that this is really, really serious business and that they're not fooling around. Adding to that, a GDPR-like law is likely to be implemented in Canada and other jurisdictions in the future. We must be ready for that as well.
I think GDPR is great for consumers. I think we'd actually be in a better/easier place if it were a requirement in the US, since everyone would have to follow the same rules. The problem is that implementing it takes time and effort to do well at scale, and to not lose your competitive edge against other large competitors that do not serve the EU and can operate under only US law. These are real concerns that have nothing to do with the regulators and whatever their whims are.
So even if you're right, these are the real costs. You're going to be held accountable to the people you let down if you put your company in peril. You're going to be held accountable if you lose market share because you got this wrong and an unencumbered competitor outmaneuvers you. And most of all, you simply cannot assume the best case, kid glove approach is what is going to happen. THIS is what people are frustrated with.
I do hope that the EU is fair and equitable (which is my belief) but it would be irresponsible for me to act as if that is the only possibility.
The GDPR is becoming a "I'm doing the right thing" checkbox. At least with the European rule, we data-drained Americans can rely that these services might cost more, but we retain our rights.
Lack of will have to be scrutinized. Smaller places may make the determination based upon reasonable answers, or be malicious. Facebook/Google/etc. wouldn't exist in their current forms if there were strong privacy rules in place.
> Source please?
Tax laws come to mind for one.
As for this part of your comment:
> If this law is "no big deal" or "so easy to implement" or any other version of the arguments proposed this week, it would not be causing so much concern. It's neither an unreasonable ask nor a trivial one. People are being impacted in large ways.
It's no big deal if you already had a user-centric approach to privacy. If that's novel, then you will probably have to change lots of procedures and some software too in order to get things right. Even so, I've seen far worse from a compliance point of view; look into fintech or healthcare compliance for examples.
That said, I would've liked to see a bit more healthy skepticism about the ability of any sort of government or organization to avoid mis-using laws with a wide breadth when it suits them, especially if things slide toward tech-protectionism.
But as I already said, the stability of the EU's economy depends on fair application of the law. If the EU levies a 20 million Euro fine on a company with 20 million/year in revenue, the chilling effects of that action would cause much more than 20 million in damage to the EU economy. That should be blatantly obvious. Despite propaganda to the contrary, the EU has a very good record of behaving as a reasonable government entity, more so than most. They've championed quite a few consumer-friendly pieces of legislation that have managed to not destroy the applicable sectors.
If you think this is a valid concern, I can only assume you’re just as worried about other outcomes that have insane, struck-by-lightning levels of unlikelihood, in which case you are not going to have the spare cycles to be able to successfully run a business anyway.
Europe, because of classification systems surrounding IBM and Nazis, has chosen to be very proactive about the dangers of having too much data. It may be used right now in a good way, but the data can easily be used for very evil things.
The GDPR reminds me of a Target (chain retailer) advertisement where a 17 year old girl was being profiled and sent pregnancy, maternity, and baby ads. The father was angry at Target for sending his daughter this, until the daughter fessed up that she was indeed pregnant. How did they determine this? Shopping purchase records. The GDPR may not have stopped the first occurrence, but would have provided sufficient "bite" to stop this from ever happening again.
https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...
If the original business couldn't, it's unlikely the competitor could.
I know in my business I’m shutting off EU sales.
I completely and utterly care about privacy, but things like not tracking IP addresses and allowing people to request removing them are a bridge too far. I can't comply with that. I treat my customers' important PII (names, addresses, etc.) very delicately. But the cost of complying with GDPR is too much.
It would be nice if the GDPR had a piece about "if a company refuses sales, even if they accidentally happen, the company isn't liable" and/or "blocking EU IPs or redirecting to a no-sale page is sufficient to avoid compliance".
That's what you think. But it's still a risk, because it's different. It's still easier and cheaper, short term and long term, just to skip the oddballs.
It's why you see so many online contests in the US that only apply here. Not because they want to avoid it, but because it's easier and cheaper not to comply with other laws.
https://gdpr-info.eu/recitals/no-23/
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
By blocking EU IPs the service is very clearly, unambiguously, not targeting EU residents.
and
> allowing people to request removing them are a bridge too far.
are dissonant. You will have to pick one or the other, but you can't both care about privacy and not allow people to request removal of their data. That should be fairly obvious.
I keep smelling this false dichotomy: either you're complying with the GDPR or you're doing something nefarious.
Others may be arguing against the spirit of the law, the extent of the protections, the tradeoffs between data and privacy, or any of those topics actually related to data or its storage. I'm not, nor is the GP.
I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.
For the sake of the topic however, I'd say that in this case the greatest risk is in not pushing to become compliant for the sake of future-proofing against legislation of this type. The mood of consumers and legislators worldwide is becoming increasingly pro-privacy and security.
Essentially, many businesses not looking to adopt GDPR compliance are winning the economic mini-game while getting beaten in the metagame.
The ruling was that this was a hate crime, because it was "menacing, anti-Semitic and racist". I have trouble seeing how a Nazi pug that responds to "gas the jews" is anything other than a silly bit of absurd comedy. I can't realistically see this video actually advancing any legitimate hatred, or having any negative consequences other than some people laughing at how silly it is, and some people just thinking it's kind of stupid.
For what it's worth, I grew up in a town that was roughly half Jewish, reflected in my circle of friends. When I was younger, extremely crass jokes that made light of historical tragedies were made at everyone's expense, including ones that historically affected my family. It was clear that the intent of these was not to instill terror or provoke hatred. It was more of a pissing contest, to see who could say the most absurdly offensive thing.
Were these the types of situations where we should have had more sensitivity to the real weight of these tragedies? Sure.
Were these hate crimes? Absolutely not. When someone commits a hate crime against you, you probably wouldn't regularly invite them over to your house for the next several years...
Tax code violations, for sure. Environmental regulations may also carry huge maximal fines. Some misdeeds can even lead to criminal prosecution and land you in jail (but generally, they won't, except for the worst of transgressions).
Note that the GDPR requires fines to be proportional to the offence. If you really worry about some regulator fining you for 20M euros just because they're having a bad day, you do have legal recourse available.
That's curious given your background. I know a couple of people that still have the tattoos on their arms and one guy who literally has no family at all and it pains me to see that people think that this is just a matter of bad taste. "Gas the Jews" is not a joke, my sense of humor is pretty broad but it does not stretch that far.
I can't even count the number of Comedy Central stand-up specials I've seen that casually make jokes about absolutely horrific things that destroy lives. Jokes that play on children dying, slavery, the Holocaust, rape, murder, pedophilia, torture, etc. I guarantee you that you and I both know someone (or are one person removed, at most) that has had their life destroyed by one of these things, or something of a similar caliber. Does that mean that none of these jokes can be funny, in any context? If so, I'd say you'd be hard pressed to find a single comedy special that counts as funny; virtually every comedy special I've seen makes light of one of these horrific things in some way.
I find it a bit frustrating that you would so clearly ignore the whole point of this sub-thread merely to repeat the same sentiment about privacy and security, which wasn't under debate in the first place.
Are you seriously suggesting that the GDPR is the end-all, be-all of data privacy regulation and that "legislation of this type" will always be a proper subset of the GDPR, no matter the jurisdiction?
If not, then even your purported future-proofing rings hollow, especially for a company which already substantially complies with the spirit of the legislation, which is what we've been discussing here.
> Essentially, many businesses not looking to adopt GDPR compliance are winning the economic mini-game while getting beaten in the metagame.
I remain unconvinced that this is true, because of, again, risk. It seems credible to me that, for many businesses, the risk could easily not be worth it, regardless of others' opinions on the ease of compliance or financial exposure (so far only unsubstantiated opinions, as we have no actual data on enforcement yet, and this is a pretty deeply political matter, as you yourself point out).
Moreover, I find it telling that you would refer to the situation as a "game". I expect the business owners in question (I'm assuming smaller business, in general) are more likely to view it a bit more soberly, in that they're running a business, not playing a game. As such, I don't expect they have a "mini" or a "meta", only decisions for which they and those that depend on them bear the consequences.
Hungary and Poland were under the Soviet boot, but a generation later they are going back to undemocratic and authoritarian governments. Eastern Germany was under the Soviet boot and they have far more neo-Nazism than Western Germany, which wasn't. So the 40 years seem to have done some long-lasting damage instead of fostering a strong "never again" attitude.
On the other hand, 12 years of Nazi government have left a much more permanent "never again" against big brother in Western Germany. To my knowledge it's the only country on the planet where citizens' resistance made Google stop deploying Streetview (where it might well be debatable whether Streetview is the worst big brother thing. But sometimes relatively minor issues raise big fears and hit big resistance, as it seems to be with GDPR for small US businesses).
The EU’s digital commissioner said in 2015 that the EU should use regulation to "replace today’s Web search engines, operating systems and social networks" with EU companies.[1]
And they've passed or proposed ridiculous laws like cookie warnings and link taxes. We have reason to be suspicious of their intentions.
1: https://www.wsj.com/articles/eu-digital-chief-urges-regulati...
If you block EU IPs but your business is targeting Europeans who are on holiday - well, you probably still don't need to comply with GDPR because you've demonstrated attempts to actively avoid European residents.
The test in GDPR is not "does any European ever use the service?" but "are you targeting them?"
That wasn't my point, though. It was that now only governments are allowed to gather and keep this data. Granted, the breadth of what's available to them may not be as great if they're mainly recording traffic with no access to corporate servers, but even that access can be periodically arranged given sufficient desire.
https://www.sentencingcouncil.org.uk/about-us/
> The primary role of the Council is to issue guidelines on sentencing which the courts must follow unless it is in the interests of justice not to do so.
> The Sentencing Council is an independent, non-departmental public body of the Ministry of Justice and replaced the Sentencing Guidelines Council and the Sentencing Advisory Panel in April 2010.
It certainly doesn't appear to be a false dichotomy to me. If your company has a European presence, you will be required to follow the GDPR. But for my purposes, companies that say they will support the GDPR globally will absolutely get my business before those that do not.
And there are plenty of areas where my data is used against me. Look no further than the recent cell phone location leaks, or Facebook, or Google. The time for their siphoning every last shred of data is done.
> I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.
And I, a customer, can make a very easy choice of "If you assert that you follow the GDPR globally, I will buy from you." I think of it like California Emissions, or other 'Better than average certifying bodies'.
How about cost of compliance? For example, just the fact that you need to figure out whether you are compliant or not costs money. If you ask for user consent, then you must be able to later show that you got said consent from the user to work that data. You also have to take into account the risk of fines if something somewhere goes wrong. We, as software developers, should be intimately aware of how things can go wrong despite everyone trying their best.
All of these things cost money. If the cost is greater than what the business from the EU brings in, then it's not worth it. The fact that there are people who immediately and only jump to the thought they don't care about privacy is very worrying.
I think you're simply appealing to emotion here to justify an unjust ruling and an unjust law.
I think the person you're replying to has a point in saying that some laws in Europe are pretty ridiculous. However, the difference is that that's a local law in the UK and not one that affects the entirety of Europe. Nor is it a widespread law in other European countries.
As far as the public understands that complying with a new law is expensive, and why GDPR compliance in particular is expensive, it is obviously more expensive for "bad" companies: don't expect the same compassion and tolerance with which other types of customer disappointments (e.g. raising prices) are received. Your competitors who do not retreat from the EU are obviously caring more for customer privacy, and/or better organized, and/or less reliant on excessive data collection. They are not going to be considered stupid because they spend more than they should on doing the right thing.
You admit bad organization ("there are some areas where we would have to re-architect to gain full compliance"): not trying to comply with the GDPR is clearly not a "rather simple business decision", it's a decision to accept failure instead of losing even more money, and you aren't going to look good even if it's the rational choice in your situation.
That's the problem. What you seem to be espousing is exactly "my way or the highway" (where "my way" is the GDPR) or "you're either for it or against it", the very epitome of false dichotomy.
Why not actually address the middle ground that has now been clearly explained multiple times? In what way does that non-compliance equate to nefarious conduct?
> And there are plenty of areas where my data is used against me
And here, again, is the appeal to emotion. Where's the data in this case, not those other cases?
That just isn't true.
Considering the amount of FUD spread about fines, even here, with a fairly educated readership, I don't think you can really trust other people's cost/benefit analysis, even when they happen to have the same variables with the same values.
People are often wrong even in much clearer cases...
As for the link tax: I would blame the publishers pushing for it, not the EU.
And fwiw I do think Europe is oversensitive about Nazi-related stuff. But for good reasons.
There have been enough leaks that the public knows even European governments spy on their own citizens.
I can't speak for that other person but I've seen lots of evidence to that effect. I look at ~40 companies/year at the moment and a large percentage of those have issues. Usually not because of malice, mostly because of lack of resources or unfamiliarity with regulations.
Edit: I realized this might sound passive aggressive. I like the idea of human judgement in regulation, but I really want to know what checks are commonly used to account for all actors involved potentially being malicious.