
> Except this isn’t really true. Streetlend made its money by selling your privacy data to advertisers through Amazon. So when you put up a power drill for lend, people would see power drills for sale at local shops, based on their online presence harvested through stuff like their Facebook account.

Founder here. Streetlend never passed personal data to Amazon. It used the search term, e.g. “ladder”, and showed ladders on sale from Amazon. No personal data was passed.




Then what's the problem? I have to be honest here, this smells far more of FUD than anything based in reality. Nothing in the linked post is talking about anything which the GDPR makes harder.

Unless you're doing something shady with user data (and you _know_ if you are) the GDPR essentially comprises having _some way_ of giving a user all the data you store on them, and _some way_ of deleting that data.

In this case both of those appear trivial to automate, and even more trivial to just do if somebody actually wants those things. Shit, dropping email login and only accepting federated auth would get you there in one step, unless you're doing things you're not saying.


You're acting like you know exactly how to comply with GDPR, while using the term "essentially" to admit that you don't know 100%. Meanwhile you're faulting someone who runs a non-profitable community project for expressing realistic fears over what the law could do to him, because he isn't sure what risk it lays on him.

I've been running websites and doing IT for a long time. I've spent at least 10 hours on my employer's dime reading about GDPR and trying to figure it out. There's a lot of ambiguity. We're in the US, we don't do a lot in Europe, so we're at less risk, and my conclusion was that we're small enough (while MUCH bigger than Streetlend) that we're not going to be a target while some of the ambiguities get worked out in courts. This poor guy has no protections.


The place I work does actually store personal data for a variety of reasons, and we also work for a bunch of other companies that do, and the path to GDPR compliance hasn't been painful. The biggest issue is, as you say, research, but if the sum of your data storage is an email address, a name, and a physical address, then you're hardly falling into any of the nuanced cases.

I'm not faulting the person, I'm just saying the response doesn't seem founded in firm reasoning, but in (self-admitted, by the link!) "I need to look into this but I haven't, so we're shutting down". This isn't a newsworthy event or "proof the GDPR ruins businesses".


Because looking into it takes time and effort? Even if he looks into it and finds ambiguity then, if he cares enough, he'd need to talk to a lawyer, which may cost money.

> This isn't a newsworthy event or "proof the GDPR ruins businesses".

It is an anecdote that complying with a far-reaching and ambiguous law has real consequences.


And again, the entire point being made is that it's damn-near impossible to soundly reason about the GDPR.

This is, again, because the legal text is ambiguous.


> that we're not going to be a target while some of the ambiguities get worked out in courts.

I posited this to our counsel when discussing what to do about GDPR. He cautioned that he’s seen investigations start due to a nosey bureaucrat.

I don’t know if your product is public facing, but if it is, all it takes is a single sufficiently powerful government employee to get curious about your business and start asking questions.

Even if you’re not doing anything wrong, having to engage counsel to respond to the government could get pricey.


> Then what's the problem?

Clearly you have no understanding of how any legal system in the world works if you believe only people that are guilty of violating the law are sued and ruined by the law.


So should we... not have laws? I don't understand this point, why is that any more true for the GDPR than any other law?


> why is that any more true for the GDPR than any other law?

Because the GDPR is extraordinarily ambiguous.


Indeed it is. We engaged our legal counsel (top 5 global firm in the tech space) to help us understand its impact on us. Even the firm’s “expert” on GDPR still had unanswered questions saying that many nuances will have to be fought out in the courts. That’s not an acceptable risk to my small business.


Laws like GDPR are written in such a way that makes them open to "legal trolls". In the US we have several of these laws that are routinely used to extort settlements out of small businesses. These laws are generally viewed as good laws with good intentions but because of their poor wording are open to massive interpretation and thus abuse.

Patent, Copyright and Disability Access laws in the US are two examples of commonly abused laws for this type of behavior.

The problem is that the legal systems in most nations are set up in a way that gives the guilty and the wealthy an advantage over the innocent with limited resources.

Laws and Legal Systems should be

1. Very Specific and not open to interpretation

2. Have options for "settlement" as this rewards the guilty, and harms the innocent

3. Have more public resources for people with limited resources. Law firms and Large corporations use Legal Expenses as a weapon in Civil Courts over smaller companies due to the high costs and generally no public resources for Civil access

4. All Civil Cases must have to show Actual Damages not Theoretical Damages

that would be a start


> Laws like GDPR are written in such a way that makes them open to "legal trolls"

Except with GDPR all you could do is report them to the member state's governing body. So no trolling.

> Very Specific and not open to interpretation

Except this makes them inflexible and leads to them having to be constantly redrafted. So no use to the world of the HN.

> Have options for "settlement" as this rewards the guilty, and harms the innocent

GDPR is between you and the regulator, they already do this work and the whole aim of the process is to stop you doing bad things. A fine is a late step in the process for organisations who won't listen.

> Have more public resources for people with limited resources. Law firms and Large corporations use Legal Expenses as a weapon in Civil Courts over smaller companies due to the high costs and generally no public resources for Civil access

Is off topic when it comes to GDPR, see my previous answers

> All Civil Cases must have to show Actual Damages not Theoretical Damages

Again off topic with GDPR, but in the UK that is how damages work already, isn't it?



