Pretty much any startup starts out as a "fly-by-night website". Maybe this guy's just an idiot, but regulations like this harm small businesses and innovation. You can debate the merit of them, but this is what they cost.
You're being downvoted unfairly. It is what they cost. Those costs can be mitigated though; there are a lot of businesses that make it their goal to solve regulations for small startups.
The question is more on the side of, is the cost worth it? A good and much longer-running example of this is in the medical industry. There are massive regulations around development of new drugs and treatments. Massive regulations around experimentation on humans. This stifles innovation and prevents potentially life-changing drugs from making it to the market faster, or sometimes ever. It also prevents a lot of other things, such as crackpots from entering the mass market and selling poison as an anti-aging drug.
Is it worth it? There's still debate about this today, especially when promising cancer treatments are taking years/decades to reach the market (=> how many lives are lost during that time? What's the tradeoff for someone who is terminally ill anyway? etc). I'm not nearly informed enough to pick a side in that debate, but it goes to show it's not necessarily a bad thing for "fly by night websites" to be heavily impacted by regulations like these.
I get what you're saying, but I'm not sure it's fair to compare PII management to the medical industry. Personally I think the new regulations are rather ham-fisted, with so many edge cases that it looks more like a denial of reality than an attempt to regulate it.
I also think it's going to be pretty harmful to startups, and that we'll see more businesses just trying to avoid Europe at all costs. Regulations like this can either be easy to comply with, or they can be effective; you can't really have both at the same time. Even then it just boils down to the old tension between security and compliance. I work with a lot of PCI orgs, all of them have AoCs, very few of them are actually what I would view as compliant. They all managed to satisfy the box checkers, but the DSS doesn't do much to protect the consumers in most situations. The reality is that the DSS is just a mechanism of shifting accountability around, which is what I see the GDPR as. A bunch of politicians using poorly written regulations to shift accountability on to the market.
The medical industry is a decent analogy though. Highly regulated, high barrier to entry. Which is bad. Overall though, probably better than a free-for-all (e.g. Theranos), as we've learned from several millennia of humans being awful or incompetent.
God forbid we try and apply some of those ethics to IT. (Europe is big on privacy, again a somewhat hard-learned lesson.)
Except that approach ignores the nature of risk. The impact of getting a drug wrong is catastrophic, the impact of disclosing some PII is far less. This impact also decreases proportional to the size of the organisation, unlike the regulatory burden.
To compare PII to medicine is trying to invoke an emotional reaction, not a reasoned one. I don't think this regulation is well designed at all, I don't even think it's going to achieve half of what it's trying to do. But it will achieve increased compliance costs for pretty much every company, costs that will put startups at a serious disadvantage to established companies. Europe thinks they'll have some protection by claiming every company in the world must comply, but only time will tell how that will work out for them.
First, European law works differently, and the way we write laws is different. You can't interpret them in the context of the US law system, where everything must be ultra-explicit and overworked. Also, only regulators can levy the fines/sanctions; they don't result from lawsuits from individuals.
Second, Europeans take privacy seriously, and it's a right for us, similar to free speech in America. Also, while not as bad as some medical risks, identity theft is not fun. But, yeah, the risks are different, and the GDPR is pretty mild compared to medical laws, no? I mean in Europe, you can't advertise prescription drugs.
Third, Europe is not claiming every company in the world must comply.
But if you're mad at governments overreaching, maybe you could sort out the requirements FATCA/US tax law puts on foreign banks, or the US attempting to extradite "cyber criminals" before you get to the GDPR?
I am not personally the federal government of the US, so I’m not sure why you’re directing that whataboutism at me. However, comparing identity theft to death or permanent disability is not equivalent no matter which way you look at it.
In any case, none of that responds to any of the points I made. The EU does think this regulation applies to every company in the world (unless you can somehow prove you don't handle any EU data subjects' data, which almost no company could do). One of the reasons being that they don't want to only hamstring European companies with it, as that would be a very poor strategic move for their markets. How enforceable this ends up being is entirely unknown at this point, and you can bet there'll be a lot of legal challenges ahead regarding this.
I'm making the point government "overreach" or whatever you feel it is happens daily, and IMO, GDPR is the least inappropriate of those.
I would imagine it's incredibly easy for many US companies, like e.g. a restaurant or a tire-repair shop to prove they don't explicitly go after EU subjects.
Since I was elaborating on how the EU and EU nationals feel like the GDPR is appropriate in addressing the risk of privacy violations - which part of that did you feel like didn't address your comment of "Except that approach ignores the nature of risk"?
I think you’ve misunderstood how GDPR works. If you handle the PII of a single EU data subject, then you are in scope for it, regardless of whether you intentionally solicit EU customers or not. Even a small restaurant or auto shop is likely to have a mailing list, or a CRM, or other records containing PII. It would be almost impossible to prove they don’t have a single piece of EU PII.
This does completely ignore the nature of risk, because it does not consider impact at all, which traditionally accounts for 50% of total magnitude. A SaaS company with 50 customers has to comply with exactly the same set of regulations as Google does, and faces €20,000,000 fines, regardless of the fact that the small company poses a quantifiably smaller risk to PII. There’s also an argument to be made that the small company is less likely to become the target of a sophisticated attack, as an adversary is much less likely to invest huge amounts of effort into breaching a small set of PII.
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
So it's simply not true that "you are in scope for it, regardless of whether you intentionally solicit EU customers or not." I could continue, but I suggest you actually read it if you're going to argue about it.
So spare me with all this "risk" bollocks. You're just another person willfully misunderstanding our laws, and spreading FUD to try and impose your culture and your rules on our society.
The difference here is that the GDPR is widely believed to be aimed at Facebook, Google, and friends, and those companies are a threat to privacy partly because of the enormous scale of their data collection in addition to the intrinsically private nature of the data itself.
The question, then, is whether a small "business" that's closer to a charity or a resume padder needs to be regulated in the same way as Facebook when it doesn't collect data on the same scale. I don't think this applies to medical startups, where human lives are at the same risk regardless of how many customers are using the tech.
Have there been any exemptions for smaller businesses? If not, it seems pretty clear the GDPR is targeted at them too.
The online ad-tech industry is pretty fragmented [1] and widespread data-sharing would certainly be a problem even without the larger companies. It's not like Google or Facebook invented it; this goes back to nearly the beginning of the web. And the offline component goes back even further.
You're spot on with your observation in the medical industry. I've been researching stem cell treatment for a condition I have and the impact regulations (which I fully support btw) have had is that now there are a bunch of hucksters and a bunch of legit businesses offering stem cell treatments and it is practically impossible to separate the two. Despite being well versed in reading scientific papers and internet research in general it is impossible for me to separate fact from fiction. Added to that there is also a significant number of people spreading FUD which adds unwanted noise not only on the marketing side but also on the flip side, making it all the more difficult to decipher the landscape.
Related to GDPR, I can definitely see a similar situation developing where large entrenched players leverage it to gain an unfair competitive advantage against startups who could threaten them in their market, using the same FUD tactics. This is a silent killer which will wipe out grass-roots innovation in Europe.
> Those costs can be mitigated though; there's a lot of businesses that make it their goal to solve regulations for small startups.
Part of my concern is that in order for those regulation-solving businesses to have a working business model, they can't just support every stack under the Sun. Instead, you'll get something like GDPR for Azure™ — which means that it'll be that much more expensive for a startup using an outside-the-box stack to get started.
That's the point of a lot of regulation, really: to insulate firms which already exist from disruption.