This type of law is only effective due to centralisation of Internet services. If everyone self-hosted and was accountable for their own content there would be no scope for such legislation. All HN would hold would be linked-lists of URLs, no actual comment content.
Imagine a decentralised, federated HN where each comment originated from its owner's site.
>This type of law is only effective due to centralisation of Internet services.
This type of law encourages that very centralization. Look at the provisions of GDPR, for example. Do you think a two-person startup is going to have the resources to deal with all of its provisions? Or in this case: do you think that a new video-sharing startup is going to have the resources to deal with the more stringent copyright enforcement requirements?
The EU has, in effect, made a Faustian bargain with Google, Facebook and Twitter: if you accept our regulation, we'll ensure that you have no competitors.
But what kind of startup doesn't handle personal data? All companies have that in the form of customer and supplier account information needed for billing purposes -- especially if they're not in the advertising business.
Absolutely, and that's kind of my point. Even a single person operation can comply with the GDPR, as most of the policies to do so should already be state-of-the-art for companies who handle personal data (in a non-malicious way). I agree there is some annoying administrative overhead, but it's definitely manageable (speaking from experience here).
It can't be everything all at once. "They process personal data" is equivalent to "they exist" and the compliance cost is non-trivial (or what is everybody complaining about?). The only remaining option is that it's destroying a significant percentage of startups and creating a moat around incumbents.
The only argument you can make at that point is that it's worth the cost, but is it? The damage to privacy of having everyone's data in the hands of conglomerates that are no longer subject to competitive pressure has got to be worse than Mom and Pop occasionally mishandling the information of their two hundred customers. Just having the centralization at all is worse than anything that could happen to any given 0.5% subset of it, because every misuse or compromise is 200 times worse even if they only happen 10% as often.
The operating part is "should already be state-of-the-art". The typical programmer already knows that personal data is sensitive and treats it that way. Maybe there are some adjustments here and there, or some oversights or things-that-should-have-been-fixed-months-ago. But most of what needs to be done has already been law in one form or another, so the programmer is trained to do it correctly. There are retention laws for tax data and business communication of 7 years and longer, which override the GDPR, so the startup will most likely be out of business before any deletion is required.
So what remains for the business part of the startup is to make sure the necessary contracts with all third parties are in place (the pressure-the-conglomerates-part), and to explain it to the users. This is annoying, but also not much worse than the typical legalese stuff the CEO has to deal with. The data privacy policy of a certain privacy activist reads, in essence: "We store only what we need, and delete it as soon as we can, as long as we are not required by law to store it for any longer." You don't even need a law degree for that, as you shouldn't, because the text should be readable for the end user.
> What is everybody complaining about?
I don't know, the GDPR is basically German data privacy law, and it hasn't stopped Berlin from becoming a startup center in Europe. I guess if you don't want to be GDPR compliant due to the effort that's fair, but you should know that there are much worse things ahead for a company.
However, if you are not _able_ to be GDPR compliant as a small organization, while many of your competitors are, you should absolutely not be entrusted with personal data.
> The operating part is "should already be state-of-the-art". The typical programmer already knows that personal data is sensitive and treats it that way.
The expense doesn't come from that. Even if you're doing the right thing in spirit, now you have to compare what you're doing to a complex regulatory framework. That's pure overhead that you pay even if you don't even have to change anything.
> This is annoying, but also not much worse than the typical legalese stuff the CEO has to deal with.
You're saying that this thing that harms small businesses and entrenches incumbents is like the other things that harm small businesses and entrench incumbents. But that's the problem. Each one you add is an incremental burden that moves the margin for how many startups you kill by another kilometer in the wrong direction.
> The data privacy policy of a certain privacy activist reads, in essence: "We store only what we need, and delete it as soon as we can, as long as we are not required by law to store it for any longer." You don't even need a law degree for that, as you shouldn't, because the text should be readable for the end user.
That is a very aspirational privacy policy that also happens to be very strict and trivial to violate unintentionally. And what are the consequences for not following your own very strict privacy policy?
This is why most of the big companies have one that says something to the effect of "we promise to use your data for things we want to do" but then have to be carefully crafted by lawyers to simultaneously minimize liability and hold up under scrutiny.
> I don't know, the GDPR is basically German data privacy law, and it hasn't stopped Berlin from becoming a startup center in Europe.
It's all relative. If Germany has a significant regulatory burden but Greece is a hotbed of corruption, Germany can still do better than Greece. But not as well as it could have done with less overhead.
> However, if you are not _able_ to be GDPR compliant as a small organization, while many of your competitors are, you should absolutely not be entrusted with personal data.
The pretense that complex regulations only cost you if you were previously doing something wrong is empirically false. The cost of complying with the regulation is in addition to the cost of doing the right thing and is still paid by everyone who was doing the right thing already. And it can be enough to destroy a company that was not actually mishandling data but merely had low operating margins.
I'm not arguing against any of that, including your statement that the GDPR might be the last drop to destroy a compliant-in-spirit company which has been surviving just so. I'm merely questioning the scale of the problem (based on my own experience implementing the GDPR in a low operating margin context) and their right to exist to begin with (based on my personal view on the sad necessity of data privacy regulation).
Most of the rules in GDPR apply only to personally-identifiable information that is not strictly required for business operations. The law recognizes that, when you want to ship some goods to a customer, you will have to process and store their address, and no opt-in is needed because the customer explicitly gives that information to you.
Explicit opt-ins are only required when you record personally-identifiable information surreptitiously, or share this information with other parties.
> Most of the rules in GDPR apply only to personally-identifiable information that is not strictly required for business operations.
I'm sure there are some provisions intended to help out smaller entities. But the compliance cost is the cost of understanding the legislation so you can comply with it. You still have to pay it even if it turns out not to apply at all -- because you can't know that until you go through all of it first.
“copying restrictions were authorized by the Licensing of the Press Act 1662. These restrictions were enforced by the Stationers' Company, a guild of printers given the exclusive power to print—and the responsibility to censor—literary works”
Make our own content and host it ourselves?