top | item 17157704

tquinn|7 years ago

I feel the EU regulators could stand to learn something. If EU citizens are a small portion of your users, and you're tasked with parsing this document http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

just blocking them doesn't seem like that bad of an idea, especially with the fines involved.

I think the things that bother me are:

1) A college student working on a side project with no revenue is treated the same as some massive multi-national.

2) It's a foreign requirement that feels like a violation of sovereignty. Most business/startup owners complain about there being too many domestic regulations; now we have to worry about things outside of our own countries -- that also can come into conflict with our domestic tax authorities on things like data retention. An international agreement would be entirely different.

3) The GDPR requires clear and concise language, but has done nothing of the sort when writing the regulations. For most websites outside of the EU, could the regulators not have produced a concise 1-2 page infographic themselves?

takeitto|7 years ago

> It's a foreign requirement that feels like a violation of sovereignty.

Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.

EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.

Your viewpoint pushed to the extreme (sorry if you don't recognize your original view): China selling counterfeit goods or unsafe toys to the US, and feeling like any push-back is messing with their sovereignty of lax copyright, trademark, and health laws.

agensaequivocum|7 years ago

> Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.

If I have a brick and mortar business in the US and someone from the EU decides to do business, do I have to follow EU consumer protection laws? Unless I have a physical presence in the EU, why should I have to follow their regulations?

Further, why can't the EU just allow its citizens to do business with other extra-national companies if they choose to? Meaning, if an EU citizen chooses to do business with a non-GDPR compliant website, why does the EU care?

> EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.

So what? If the EU wants to stifle competition, why should the US care? They are only hurting themselves.

eli|7 years ago

What does it mean for a website to "cater" to just my home country? The internet doesn't know political boundaries and most sites cater to all visitors on some marginal level.

meko|7 years ago

I find it odd that people take issue with regulation. Perhaps it's been ingrained into the cultural consciousness of the West that regulation is always bad, but historical analysis shows that regulation has always had an overwhelmingly net positive effect for the members of a given society. You can link the stage of a country's development to how effective its government is in protecting its constituents.

ajuc|7 years ago

1. When you open a restaurant nobody cares that you're a college student. You have to have all the checks and permits to serve people food. It's not because somebody hates small businesses, it's because the right not to be poisoned is more important than the right to do business hassle-free. Why should the internet be different?

2. Fuck your sovereignty. Seriously. The USA has no problem violating secrecy of correspondence worldwide, and argues at length for years whether wiretapping its citizens is OK, because everybody agrees wiretapping others is perfectly fine. The USA forces the poor half of the world to follow ridiculous copyright law, including software patents and art becoming public domain after a century or more. There's no good will earned there, so don't expect a free pass because of your feelings. Want to serve customers from other countries? Then you have to obey the law there.

3. They probably could. Still, I'm sure there will be "GDPR as a service" soon. Maybe some libraries, frameworks and standards for how to handle personal data will finally be created? This should have been done decades ago.

SimbaOnSteroids|7 years ago

Equating mishandling user data on a project that some kid in a dorm made for fun, which collects maybe an email address, with putting someone in the hospital with food poisoning is beyond a dishonest comparison.

lopmotr|7 years ago

While I agree with your point 2 (remember CAN SPAM and DMCA!), that's called "whataboutism" which is usually seen as a bad argument. I wonder if it's only called a bad argument because people are on the receiving end of it or whether it really is faulty in some way.

viraptor|7 years ago

I don't get the complaints about how hard GDPR is and having to understand it all. If you're based in the US, have you read the actual DMCA document? CFAA? California S.B. 1386? TWEA? ADA? Or at least any interpretations of them and validated that you comply?

If not, then worrying about GDPR which is mostly not enforceable in the US sounds disingenuous.

themacguffinman|7 years ago

Who are you arguing with that thinks DMCA was a great idea but GDPR isn't?

andrepd|7 years ago

You are speaking as if the European Union spat out this legal document and nothing else, when in fact loads of supplementary material has been released, for consumers as well as for enterprises. Of course, the actual act must be written in formal legal language.

EDIT: Example: https://ec.europa.eu/justice/smedataprotect/index_en.htm

takeda|7 years ago

> A college student working on a side project with no revenue is treated the same as some massive multi-national.

Am I reading this wrong? If the college student creates just a simple page, he/she is already compliant with GDPR.

If the student starts collecting personal information, then they need to know what's allowed or not. There are already things that are not legal to do, GDPR just adds private information into that.

The treatment of privacy is one of the issues where it's pretty much impossible for an individual to protect themselves; GDPR tilts the scale in favor of individuals.

manfredo|7 years ago

If a kid makes a meme generator site where you can create a profile and organize your dank memes, then they now have to have a data protection officer, build a system to purge user data, build a system to get user consent, etc.

I can easily see small websites just ignoring GDPR and hoping they fly under the radar. Or, using something like this Cloudflare configuration to block all EU users until they reach a size where achieving GDPR compliance is feasible and worth the effort.

spullara|7 years ago

Web servers are non-compliant out of the box because they all by default log and store IP addresses of visitors.
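As an added illustration of that point (my own example, not code from the comment or from any web server project): a default combined-format access log line begins with the client address, and this filter rewrites that field before the line is stored, either by truncating to the /24 (IPv4) or /48 (IPv6) prefix, or by a keyed HMAC when per-client correlation is still needed for rate limiting or abuse detection. The log lines and the key are constructed; `truncate_ip`, `pseudonymize_ip`, `mask_line` and `mask_log` are names I chose.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import List, Optional

# Constructed sample lines in the default Apache/nginx "combined" format,
# using documentation addresses; nothing here is captured from a real server.
SAMPLE_LOG = [
    '203.0.113.42 - - [10/May/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '2001:db8:85a3::8a2e:370:7334 - - [10/May/2018:13:55:37 +0000] "GET /about HTTP/1.1" 200 1024 "-" "curl/7.58.0"',
    'garbage-client-field - - [10/May/2018:13:55:38 +0000] "GET / HTTP/1.1" 400 0 "-" "-"',
]

# The client address is the first whitespace-delimited field of the line.
_CLIENT_RE = re.compile(r"^(\S+)( .*)$")


def truncate_ip(addr: str) -> str:
    """Zero the host part: keep a /24 for IPv4 and a /48 for IPv6.
    An unparseable client field becomes "-" (the log format's empty marker)
    instead of being stored verbatim."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "-"
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymize_ip(addr: str, key: bytes) -> str:
    """Keyed HMAC of the address: stable for one client while the key lives,
    so abuse detection still works, but not reversible without the key."""
    return hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()[:16]


def mask_line(line: str, key: Optional[bytes] = None) -> str:
    """Rewrite only the client field of one log line; the rest is untouched."""
    m = _CLIENT_RE.match(line)
    if not m:
        return line
    client, rest = m.group(1), m.group(2)
    masked = pseudonymize_ip(client, key) if key else truncate_ip(client)
    return masked + rest


def mask_log(lines: List[str], key: Optional[bytes] = None) -> List[str]:
    return [mask_line(line, key) for line in lines]


if __name__ == "__main__":
    for line in mask_log(SAMPLE_LOG):
        print(line)
```

With the HMAC variant the key is the secret that turns the field back into an identifier, so it needs the same protection and rotation as any other credential.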

black_puppydog|7 years ago

> It's a foreign requirement that feels like a violation of sovereignty.

It must feel horrible, now that the US is on the receiving end of this for a change... ;)

ShroudedNight|7 years ago

Notwithstanding any opinions of the contents of the directive itself, as a Canadian citizen, the schadenfreude of the United States getting its comeuppance is not nearly worth another foreign federal government imposing its will on our domestic activities.

geocar|7 years ago

> I think the things that bother me are:
>
> 1) A college student working on a side project with no revenue is treated the same as some massive multi-national.

That's false. The GDPR repeatedly refers to evaluating the risk with regards to various decisions. The ICO even has separate guidance for small businesses and big businesses.

> 2) It's a foreign requirement that feels like a violation of sovereignty. Most business/startup owners complain about there being too many domestic regulations; now we have to worry about things outside of our own countries -- that also can come into conflict with our domestic tax authorities on things like data retention. An international agreement would be entirely different.

This one I can appreciate, but perhaps look at it from our point of view:

You're violating our laws that protect our citizens.

Why would we possibly have any sympathy for that?

> 3) The GDPR requires clear and concise language, but has done nothing of the sort when writing the regulations. For most websites outside of the EU, could the regulators not have produced a concise 1-2 page infographic themselves?

The GDPR is easier to read than many US laws, and you don't have to read it anyway. The ICO has written extremely high-quality guidance for most businesses which will suffice. It should take no more than a few hours to determine how your business would be affected.

https://ico.org.uk/for-organisations/business/

oliv__|7 years ago

"You're violating our laws that protect our citizens. Why would we possibly have any sympathy for that?"

No one forced your citizens to come to my website.

oneplane|7 years ago

> " It's a foreign requirement that feels like a violation of sovereignty."

How about you look at what bs comes out of the US gov't? That is the worst foreign requirement and violation of sovereignty so far, and it keeps on giving.

philipodonnell|7 years ago

> 1) A college student working on a side project with no revenue is treated the same as some massive multi-national.

I hear you, but the argument is that the data doesn't care who caused the leak. A college side project leaking an SSN does the same amount of damage as a multinational leaking an SSN, so the law is going to want them to treat them equally seriously.

baryphonic|7 years ago

My understanding (I could be wrong - IANAL and I haven't read the 80 pages) is that GDPR takes a somewhat countervailing view. SSN data breaches would be treated the same way as, say, whether someone likes the Beatles. The problem with GDPR from my perspective is its Draconianism.

This is by the way the same problem with the various restaurant analogies. It makes some sense for the health department to inspect large restaurants. It would make no sense for them to subject neighborhood cookouts to the same degree of scrutiny.

GDPR seems to be based not on actual harm that could occur based on invasive, sketchy or otherwise bad data storage practices; instead, it seems based on a subjective idea that people have "fundamental rights" to various forms of state-mediated protection in relation to technology. Rights are unequivocal and almost entirely uncompromising.

cm2187|7 years ago

A college student working on a side project probably shouldn’t hoard personal information if it doesn’t care to protect it.

Sangermaine|7 years ago

> 1) A college student working on a side project with no revenue is treated the same as some massive multi-national.

If the side project uses personal user data, then there is no reason to treat them differently.

Tomte|7 years ago

> A college student working on a side project with no revenue is treated the same as some massive multi-national.

And why not? The result/harm is the same.

It doesn't matter a bit whether a company's web site is handing its visitors' data over to Facebook or a "private site" does.

The side project or the private site always have the option of not participating in the adtech frenzy.

But of course they want to participate (free money!), even if they find out much later that almost no money is coming their way.

manigandham|7 years ago

No, it's not the same. The lack of proportionality is precisely why the UK/EU is such a hard place to conduct business.

These rules don't stop anything about ads, they just make them less targeted. Not a big deal, but it will increase the costs of serving users and thus decrease the total number of commercial projects started.

solomatov|7 years ago

It's not the same. There are companies which intentionally collect and exploit private data. There are companies which are just behaving negligently with users' data. There should be different penalties for intentional and negligent violations.