Yep, it will cost money, but the big companies will have compliance automated, and will continue business as usual.
Now about the small companies, the ones that can will shut down European operations and continue elsewhere; the ones that can't, in particular European startups and small tech companies, will have to close shop or face severe penalties every year.
In the end, most of the damage will be done to small and medium European tech companies.
We have a product that deals with quite a lot of personal information (top quintile).
Sure, it’s a headache right now but certainly not insurmountable. The law itself is easy to read, sensible and not needlessly long. You definitely don’t need a lawyer to understand it.
Also, I know that a younger/smaller company with a more modern tech stack will have a much easier time implementing data minimization, profile erasure tools and proper encryption/security. For many large companies data is spread out over so many products and systems that just mapping it all out is a painful task.
Also, as a consumer I think 95% of the law makes a lot of sense! Citizens deserve it!
Think of the typical consumer of web apps, like people who run Wordpress and Shopify sites and click their backend together with tools like Zapier and the like. How can they comply without a universal protocol embedded into all the tools they use, without losing the advantage of automation? They have to delete stuff manually, and hope that the marketing tools they use provide options to delete it.
What GDPR does is that it makes starting your own business less attractive, and funnels people back into the traditional work environment. And by doing that they also reduce the amount of potential customers for smaller startups aiming at small business and these people.
I would claim the opposite. If you're starting a business you'll research how to click your backend together in a way that doesn't leak all of your users' data in all directions. Then you'll build a backend that never had these problems to begin with.
It's much more of a pain for companies that already have a tried and true stack but didn't use the two full years of warning to replace the parts of the backend that aren't compliant. No rest for the wicked.
As someone trying to start a business: boo frickin hoo. This is not kindergarten, this is adults trying to run a business. The deal of private property and capitalism is: private person figures out how to do things within the law, profitably, and then gets to keep said profits, minus the subscription fee for the society that enabled that business (taxes). If the law is nonsensical, private person can try to change it. This law is not that. It is what everyone wants for their data, if they can get it. So I'll gladly deal with the headaches, because at least my data is protected by the same law.
The more noise I see some people making about how hard it will be to comply with GDPR, the more likely I think it is that they or their employer are abusing the hell out of their users' private data.
The "this will help <evilcorp>" line of arguing seems to be an attempt to play on the hatred privacy advocates have for Surveillance Valley at the moment, and trick them into arguing against their own best interests.
And how will your costs increase when you have to provide data to dozens, hundreds, or thousands of letters like the one the OP posted, each one asking for different things?
Managing the data is easy, managing the compliance and reporting will be the hard and costly part.
Don't be all gloom and doom. I agree with your parent comment that it's a reasonable law, and the general sentiment that it's manageable both when you're small (not a lot of overhead in collecting one user's stuff and shipping it) and when you're large (automate all the things). And I don't think that many requests will come in, even while the new law is still hot.
Also, 99% of the law already exists in the Netherlands. I did my first request last week actually, after I discovered a company did WiFi tracking on me. I got a reply today, very professional and complete (and fast, I should add: they had 4 weeks). I was impressed and it gave me a lot more confidence in the company. And it didn't look like it cost them a lot of time, either.
It's probably safe to assume that the person you're recommending this to has absolutely no idea about the general concepts of software development, or the rough orders of magnitude of information that is reasonable to store and serve with modern infrastructure available to nearly any small business.
It's reminiscent of the willful ignorance displayed by the Cuyahoga County Recorder's Office, in Ohio. The office responded to FOIA requests by demanding $2 per photocopy, even though the documents were already stored on CDs. They hoped they could simply make freedom of information too expensive. Their legal argument was that the files could be semantically thought of as photocopies of the documents.
Here's a verbatim reenactment of a deposition in the case where a county employee puts on a charade of not knowing what a photocopier is.
As a European start-up founder, I agree with this. The unintended consequences of the GDPR will be to (1) cement the power of Google and Facebook, since they have logged-in consent, (2) kill third party retargeting companies, ironically French company Criteo being one of the prominent examples, (3) generally make life harder for European companies, and sharpen the incentive to ignore the EU market where possible.
As a user I do feel some privacy regulation is a good thing. There are certainly good things about GDPR (e.g. a lot of third party ad tracking deserves to die). However, I am far from convinced that the GDPR is the saviour some people think it is.
> (1) cement the power of Google and Facebook, since they have logged in consent
I might be missing something, but won't they actually have to get your consent again, on everything, but this time in details and with option for you to refuse without service degradation?
> (2) kill third party retargeting companies
Good riddance. That would be the second most annoying ad technique today, after ads interrupting your video streaming.
So, both Google and FB track people around the web, as do many web-retargeters. The web-retargeters have no reasonable way to get consent, but big G and F do, so it's likely that they will fill the gap in the advertising markets created by the lack of web-retargeters, thus increasing their power.
For a little while, until there's more general support from third parties to help small businesses address this. Just like taxes, insurance, and everything else small and medium businesses are required to deal with.
Oh, and EU users finally get the privacy they deserve.
By guiding their business to be compliant and privacy-conscious. I really do think that's a good thing in this case, even as someone who is generally not a fan of the 'we will help you navigate the bureaucracy' type companies.
All this could backfire, but it's better than nothing, at least.
> By guiding their business to be compliant and privacy-conscious.
That doesn't solve any issues. The cost isn't knowing how to be compliant, but all the operations required for compliance. Even if they have a business model that is 100% compliant, they still have to account for the large costs of reporting and certifying the compliance.
For example, replying to all those letters that OP mentioned.
This is the very sector that has only achieved its current status by automating away the menial tasks that you claim will overwhelm them. If humans can figure out how to make two rockets land autonomously and concurrently, I don't really see us getting tripped up on this one.
> This is the very sector that has only achieved its current status by automating away the menial tasks that you claim will overwhelm them. If humans can figure out how to make two rockets land autonomously and concurrently, I don't really see us getting tripped up on this one.
Guess you didn't read my first comment, did you? Facebook and Google will be fine, as they are big enough to automate this. Smaller companies, especially local ones, won't.
I can make the very same retort to you: In a separate post, I said that solving these sorts of "burden of compliance" problems has continually defined the successful players of the internet industry for the last quarter century. I don't argue they've solved them all, nor that they don't fall prey to regulation themselves. The extent to which companies start wilting under this burden will also be the extent other companies will address those pain points like they always have, with machines that don't get stressed out because their data and requirements grew faster than they could.
Poor small companies, they want more data than they need, like the ones that track you in the browser and don't even tell you that you are being recorded. I hope that some of those would at least tell me that I am being recorded and give me the option to allow it or not.
You know that you can keep the data that is required to do business.
This sort of letter is now and then sent to Swedish public offices asking for information. One recent one was asking for all information recorded in the last year, sent to the whole country's public offices or whatever to call them. And here you don't get a full month to respond to those questions. The law says basically "Drop everything and answer it now while the person stands outside your office waiting".
You can also do this to any company about your own information, and have been able to for many years. In school the teachers often did it as homework for the pupils to select some private company and write to them asking for all information they have. This has been toned down because of the load it put on private companies now, though.
Feels good that we have most stuff down already so not much changes.
I have already bookmarked this "nightmare letter" [1], that was posted on HN a few days ago.
[1]: https://www.linkedin.com/pulse/nightmare-letter-subject-acce...