
That's the US, yes. EU regulatory bodies are generally rather lenient when you attempt to follow the regulation.

And, unlike what you say, the law does say the regulatory body for the GDPR has to consider the business needs of smaller businesses and adjust their fines accordingly, if they even hand them out.

There is a good flowchart in this thread too; I recommend studying it.




But they have never had the extraterritorial reach that they are claiming under the GDPR either. This could easily be used to suck money out of foreign countries. I don’t think they’ll play nearly as nice with people that don’t vote in their own countries.

I am hopeful that the US will pass legislation exempting US firms from enforcement of fines under GDPR on US soil, but I am not optimistic. Under current law, it is likely that they can be enforced. Either way, the net result will be that EU residents will have access to a far smaller universe of content and services. Most businesses just won’t take the risk.


>> This could easily be used to suck money out of foreign countries.

We both contributed to a conversation where you made the same point, a few days ago:

https://news.ycombinator.com/item?id=16888026

Back then, I was not convinced that you had a clear idea of how such a money-grabbing scheme could be implemented. I would kindly ask whether you have a clearer understanding of the relevant procedures now.


It’s a very simple procedure. Make accusation, get judgment, domesticate it in the US, get paid.


But why would you "get judgment" if you are not in violation?


It is nearly impossible to fully comply, and may actually be entirely impossible, based upon how much conflict there is between the 28 different interpretations that this will be subject to.

The people saying how easy it is don’t know what they are talking about.


>> It is nearly impossible to fully comply, and may actually be entirely impossible, based upon how much conflict there is between the 28 different interpretations that this will be subject to.

By "28 different interpretations" I assume you mean those of different member states. It would actually be 27 now that the UK is leaving, but even so, the GDPR is a regulation (General Data Protection Regulation) and not a directive, partly in order to eliminate inconsistencies in national laws. To clarify, as a regulation, the GDPR does not need to be passed into national law.

Additionally, this reduces the burden on companies that would previously have to deal with multiple local authorities, in the context of the Data Protection Directive.

Further, there are provisions for the consistent application of the GDPR across all member states, particularly a European Data Protection Board.

This is from an article I quoted earlier:

Coordination and Consistency

Under the Directive, there has been a certain level of coordination in interpretation and enforcement. Apart from informal contacts among authorities, there has been a succession of non-binding opinions issued by the “Article 29 Data Protection Working Party,” an advisory committee comprised of representatives of the national supervisory authorities (commonly termed “data protection authorities” or DPAs), along with the European Data Protection Supervisor appointed by the European Commission. Under the Regulation, that group will become a more independent and powerful regulatory body called the European Data Protection Board, tasked with ensuring “the consistent application” of the GDPR. An entire chapter of the Regulation (Articles 55-63) is devoted to cooperation and consistency, with procedures for multiple DPAs to coordinate investigations and promulgate consistent decisions and policies reviewed by the Board and reported to the European Commission.

One feature of coordination that should be helpful for multinationals is a provision for companies to work with a “lead supervisory authority” in the country where the company has its “central administration.” That authority will then coordinate with the authorities in other countries where the company operates, attempting to achieve consensus on issues that affect all of them.

https://www.infolawgroup.com/2016/05/articles/gdpr/gdpr-gett...

Generally, I have no idea why you say that the GDPR will be nearly impossible or actually impossible to comply with. Different member states have different regulations for drug use, for instance, but that is never used as an excuse to violate drug laws "because they are impossible to comply with" due to different national interpretations.


> I am hopeful that the US will pass legislation exempting US firms from enforcement of fines under GDPR on US soil, but I am not optimistic. Under current law, it is likely that they can be enforced.

What would be the mechanics of enforcing the GDPR against a US company with no EU presence? I'd understood the opposite, and that the EU's best options to enforce were probably indirect (via customers, vendors, etc. with EU presence).


That and Privacy Shield (or equivalent). The EU courts could simply go to the US courts and tell them that under Privacy Shield, the company violated the EU law. Then the US court could decide that, yes, the company did indeed violate EU privacy law and enforce the fine on their side.

If the US court doesn't decide that, the EU will have to resort to indirect measures (Google AdSense will probably stop working, since Google doesn't want the EU courts on their butts for doing business with someone who violates the EU law, and other measures).


> While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law.

https://www.privacyshield.gov/article?id=How-to-Join-Privacy...

So how does that affect companies that don't elect to join Privacy Shield?

Agreed that AdSense will probably start indirectly enforcing the GDPR at some point. Someone will probably make a lot of money picking up the traffic they lose, in exchange for never changing planes in Frankfurt again...


Without privacy shield, I guess the EU might still try to go through the US court system to have a foreign claim enforced in the US.

I guess we'll have to wait and see what happens in that case. If the US court system is willing to enforce GDPR fines on their side, that would be a win for the EU (the US has been doing this for ages).


Apparently, existing treaties that the US has allow for the domestication of EU civil judgments in US courts. The prevailing logic right now is that nothing new would need to be passed to allow for that to include judgments issued under the GDPR. Here is one article, there are many more:

https://community.spiceworks.com/topic/2007530-how-the-eu-ca...


From that article:

> "While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years."

That sounds pretty murky to me, more a statement that she expects regulators to cooperate than one that current law provides a clear path. Not that I can find a more confident article in the other direction, of course...



