I think that this point can't be over-emphasized, and I wish you had put that sentence in its own paragraph.
Risk (management) was also alluded to elsewhere in the comments in the discussion of "rules-based" versus "principles-based" regulation.
Perhaps characterizing certain business reactions as "panic" is grossly unfair, when they're merely sensible (or even somewhat excessive) risk-aversion reactions.
I've come to suspect that the HN readership has a high risk-affinity, not just because of the startup leanings, but also even because of the preponderance of programmers working in internet/web tech, possibly never even being exposed to an environment that's life-critical or money-critical (is there a word for that? fiduciary?). Given that, I also suspect there's also broad, possibly even unconscious assumption that risks like you're describing are no big deal, 80% compliance is more than enough, (always) ask for forgiveness instead of permission, and that sort of thing.
Personally, I don't think there's anything wrong with either risk-affinity or risk-aversion, as long as one is aware of it and it's not an unconscious bias.
In Europe, because of classification systems surrounding IBM and Nazis, have chosen to be very proactive about the dangers of having too much data. It may be used right now in a good way, but the data can easily be used for very evil things.
The GDPR reminds me of a Target (chain retailer) advertisement where a 17 year old girl was being profiled and send pregnancy, maternity, and baby ads. The father was angry at Target sending his daughter this, until the daughter fessed up that she was indeed pregnant. How did they determine this? Shopping purchase records. The GDPR may not have stopped the first occurrence, but would have provided sufficient "bite" to ever stop this from ever happening again.
https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...
I keep smelling this false dichotomy: either you're complying with the GDPR or you're doing something nefarious.
Others may be arguing against the spirit of the law, the extent of the protections, the tradeoffs between data and privacy, or any of those topics actually related to data or its storage. I'm not, nor is the GP.
I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.
For the sake of the topic however, I'd say that in this case the greatest risk is in not pushing to become compliant for the sake of future-proofing against legislation of this type. The mood of consumers and legislators worldwide is becoming increasingly pro-privacy and security.
Essentially, many businesses not looking to adopt GDPR compliant are winning the economic mini-game while getting beaten in the metagame.
I find it a bit frustrating that you would so clearly ignore the whole point of this sub-thread merely to repeat the same sentiment about privacy and security, which wasn't under debate in the first place.
Are you seriously suggesting that the GDPR is the end-all, be-all of data privacy regulation and that "legislastion of this type" will always be a proper subset of the GDPR, no matter the jurisdiction?
If not, then even your purported future-proofing rings hollow, especially for a company which already substantially complies with the spirit of the legislation, which is what we've been discussing here.
> Essentially, many businesses not looking to adopt GDPR compliant are winning the economic mini-game while getting beaten in the metagame.
I remain unconvinced that this is true, because of, again, risk. It seems credible to me that, for many businesses, the risk could easily not be worth it, regardless of others opinions on the ease of compliance or financial exposure (so far only unsubstantiated opinions, as we have no actual data on enforcement yet, and this is a pretty deeply political matter, as you yourself point out).
Moreover, I find it telling that you would refer to the situation as a "game". I expect the business owners in question (I'm assuming smaller business, in general) are more likely to view it a bit more soberly, in that they're running a business, not playing a game. As such, I don't expect they have a "mini" or a "meta", only decisions for which they and those that depend on them bear the consequences.
Hungary and Poland were under the Soviet boot, but a generation later they are going back to undemocratic and authoritarian governments. Eastern Germany was under the Soviet boot and they have far more neo-nazism than Western Germany who wasn't. So the 40 years seem to have made some long lasting damage instead of fostering as strong "never again" attitude.
On the other hand 12 years of nazi government have left a much more permanent "never aggain" against big brother in Western Germany. To my knowledge it's the only country on the planet where citizens' resistance made Google to stop deploying Streetview (where it might well be debatable whether Streetview is the worst big brother thing. But sometimes relatively minor issues raise big fears and hit big resistance, as it seems to be with GDPR for small US businesses)
That wasn't my point, though. It was that now only governments are allowed to gather and keep this data. Granted, the breadth of what's available to them may not be as great if they're mainly recording traffic with no access to corporate servers, but even that access can be periodically arranged given sufficient desire.
It certainly doesn't appear to be a false dichotomy to me. If your company has a European presence, you will be required to follow the GDPR. But for my purposes, companies that say they will support the GDPR globally will absolutely get my business before those that do not.
And there are plenty of areas where my data is used against me. Look no further than the recent cell phone location leaks, or facebook, or google.. The time for their siphoning every last shred of data is done.
> I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.
And I, a customer, can make a very easy choice of "If you assert that you follow the GDPR globally, I will buy from you." I think of it like California Emissions, or other 'Better than average certifying bodies'.
That's the problem. What you seem to be espousing is exactly "my way or the highway" (where "my way" is the GDPR) or "you're either for it or against it", the very epitome of false dichotomy.
Why not actually address the middle ground that has now been clearly explained multiple times? In what way does that non-compliance equate to nefarious conduct?
> And there are plenty of areas where my data is used against me
And here, again, is the appeal to emotion. Where's the data in this case, not those other cases?
That just isn't true.
There have been enough leaks that the public knows even European governments spy on their own citizens.