That stuff scares me. More than US government surveillance could ever scare me. The most likely outcome is that smaller companies just don't do business in the EU. At least before they are large enough to deal with GDPR.
I am located in Germany, but if I were to start a SaaS site today, I wouldn't try to sell to the EU. Just isn't worth the trouble.
Over time, many people in the EU will start using VPNs to get access to the latest web sites without GDPR restrictions. Even today I have to use a VPN to access some websites (mostly news sites), but I suspect it will be much worse if noyb succeeds.
I am vastly more scared by surveillance and data acquisition, regardless of whether that would be domestic services or US ones. Still true that you should think about your preferred solution to tunnel out of the EU, preferably with a service outside of your legislation.
> I am located in Germany, but if I were to start a SaaS site today, I wouldn't try to sell to the EU. Just isn't worth the trouble.
If you're located in Germany then the GDPR applies irrespective of where your users are. It applies because you - as a data controller or processor - are in the EU.
You would have to be established outside of the EU in addition to not targeting EU users in order to not be bound by the GDPR.
What trouble? It's really not rocket surgery to be compliant with the GDPR if your business model isn't to sell (or profit from) targeted advertisements.
There's tons of fearmongering about it, though - by companies whose business model it is to sell targeted advertisements, and by companies whose business model is to sell GDPR compliance consultancy services.
> It's really not rocket surgery to be compliant with the GDPR if your business model isn't to sell (or profit from) targeted advertisements.
It's not rocket surgery but it's also not trivial. Every time GDPR comes up on HN there are always people saying something very similar to "GDPR compliance is easy if you don't do dodgy stuff" and implying that anyone who thinks it's not a trivial matter must be doing something bad. This is dismissive and often seems to be based on wishful thinking about what these contributors wish the regulatory requirements said instead of what they actually do say.
The GDPR is nearly 100 pages long, in the standard English language printed version, just for the main document without all the supporting material or any additional material published by the individual regulators.
It contains ambiguities that invite broadly applicable questions like what "legitimate interests" actually means in practice.
It contains requirements to document various information and processes and to share that documentation with various parties under various conditions.
It contains provisions that could potentially conflict with other good practices (for example, the use of tamper-proof data structures for auditing or the use of diverse backup strategies for resilience), again with ambiguous guidance, if any, on how to reconcile competing good intentions. You can argue that this point is a stretch because it's unlikely any regulator would actually go after a data controller or data processor that was obviously doing reasonable things and trying to comply, but we are talking about legal obligations, and the penalties that can be imposed are an existential threat to any small business, so I think caution is fair here.
Ask a lawyer -- a real one who is an expert dealing with these kinds of regulatory compliance all the time -- how easy it is for any organisation to be sure it is fully compliant in this kind of environment, even if it has no interest in doing anything that anyone is actually likely to object to, and even if the people responsible for running it have nothing but good intentions. I doubt you're going to see the kind of one-sentence "It'll all be fine, just don't do anything dodgy" reaction we often see posted in HN discussions about the GDPR.
> What trouble? It's really not rocket surgery to be compliant with the GDPR if
> your business model isn't to sell (or profit from) targeted advertisements.
There are a lot of popular services you apparently can't use, like Stripe, and a lot of rules to follow, especially if you store any kind of personal data.
If the regulators actually enforced the letter of the law and the current court precedents fully and consistently, could you even use many popular payment methods or communications channels anywhere in the EU (or possibly the UK), given that underlying a lot of that infrastructure at some level is the use of services operated by businesses with a presence in the US?
Maybe the situation has changed again recently but I thought a literal reading of the current regulations and precedents implied that no such business can ever be compliant, because of the US laws that give parts of the US government privileged access to any data available to any such business even if that data is held off-shore?
I believe a significant part of enforcement is supposed to be a deterrent. If the U.K. fully enforced speed limits, the only people who would have not had their licenses revoked would be people like me who don’t drive or aren’t in the country any more.
It’s not clear to me that any particular analytics service needs to be run by an American firm, so the point about USA rules forcing actions on USA feels situational rather than permanent.
(I won’t pretend to know if the GDPR allowance for handing data over due to legal obligations is or isn’t relevant here, even normal law is way outside my ken, let alone international).
If you have a law that would be impractical to enforce fully and in all cases because you'd end up penalising almost everyone it affects, it's a bad law. I don't believe we should legally prohibit normal behaviour for fallible humans, particularly if no real harm is caused and no ill intent was present.
Selective enforcement is rarely a good solution to that problem. With selective enforcement you have not only reduced the risk to those who really are doing something seriously wrong, so also reducing the deterrent effect, but also penalised those who paid a price or gave something up to do the right thing and were then left disadvantaged relative to the wrong-doers.
> If you have a law that would be impractical to enforce fully and in all cases because you'd end up penalising almost everyone it affects, it's a bad law.
I think this describes almost every law, not just speed limits and GDPR but also copyright violation and drug use and… well perhaps not literally every law, but enough of them.
> I don't believe we should legally prohibit normal behaviour for fallible humans, particularly if no real harm is caused and no ill intent was present.
I don’t believe this describes GDPR. First because websites don’t really need to grab analytics, because stuff you genuinely need to provide a service is explicitly exempt from the GDPR informed active consent requirement; second because website and app development isn’t normal behaviour for normal humans, it’s a profession; third because this data does cause harm.
Yes, there are all those risks you list from selective enforcement.
It's worth noting that the specific objections to using Stripe there seem to be reasonable. Stripe has actively recommended that merchants include their scripts on all pages of the merchant's site and not just the payment pages, so that Stripe could track and analyse visitor behaviour to look for warning signs of high risk transactions. Given that a visitor to the merchant's site might never visit a Stripe-backed payment page or make any purchase using Stripe, this has always seemed a questionable degree of tracking under the EU rules, even if the intentions might have been honest.
Personally I'd be more worried that many payments using cards and other methods rely on underlying US-based infrastructure, so the actual payment processing itself could fall foul of EU data transfer rules. Obviously you can't record financial transactions properly without the various parties involved in implementing the transaction having records that will necessarily include personal data (and potentially sensitive personal data at that, depending on who a payment was being made from and to). And you most likely have all kinds of legal obligations under financial regulation to keep those records. But if there is some sort of blanket ban on processing EU personal data by any US service, that's a big problem.
Tbh, only Stripe is surprising. The rest (GA, FB, Twitter) you can easily not include and be safe from the US transfers. They make money from the visitors' data, of course they'll be problematic.
The Stripe part is the one that will be interesting to watch, because "The EDPS confirmed that the website actually transferred data to the US without ensuring an adequate level of protection for the data". Anyone can easily point out that Stripe claims compliance: https://stripe.com/en-au/guides/general-data-protection-regu... So I hope that that part will die soon.
You can however implement Stripe server-side, where they can't see more than what is explicitly provided by the user for the purpose of the checkout. I believe that would have a different result in court. (We'd need to see that tested though.)
But! If you're actually worried about the Stripe part, there are EU-based payment processors. More expensive, but they exist.
> I am located in Germany, but if I were to start a SaaS site today, I wouldn't try to sell to the EU. Just isn't worth the trouble.
If the European market with half a billion people isn't worth it for you, right, whatever I guess? I'm sure someone else will be happy to fill the gap that you so generously leave for them :)
I'm more likely to just stop using those sites with GDPR violations than try to work around it with VPNs.
What should really scare you is the vast amount of privacy violations, data collection and tracking that is happening around the web. Imagine someone following you everywhere in the real world, even getting into your apartment and noting down everything you do.
If following the basic principles laid out in GDPR is too much of a hassle for you, you should probably not be in business anyway. It's not rocket science.
> What should really scare you is the vast amount of privacy violations, data collection and tracking that is happening around the web.
Even if it would scare me (it really doesn't), as an EU citizen I would care about surveillance by the EU, not by the US.
> Imagine someone following you everywhere in the real world, even getting into your apartment and noting down everything you do.
To do what? Collect a lot of useless information? It would bother me if someone I know did it. I don't care if some abstract entity in a different country thousands of miles away does it.
What I'm concerned about is that companies collecting data on me may not be able to keep it safe (e.g Equifax). I could become a victim of identity theft, fraud, extortion, blackmail, corrupt officials, litigious opponents or authoritarian regimes.
Yes, but why can't I decide for myself whether I have something to hide or not?
I don't have a problem with people who want privacy. I can also imagine situations in which I would want privacy. But what if I don't?
If you don't want privacy, you are 100% free to make that choice. However, the default should be that things are private unless that privilege is waived.
You can decide for yourself. You cannot decide for anyone else. The point of the GDPR is that companies cannot make that choice for you either -- which incidentally increases the value of those that do want to sell their data, so you should be happy about this regulation because it increases your net worth.
Can you give me an example of a company that actually wants to buy your data and remunerate you for it?
No, as a site is not allowed to block users who do not agree to tracking cookies. The result is that many sites will rather geoblock all users than implement GDPR.
That doesn't contradict my point that the GDPR's goal is to give users a choice. In fact, if websites can block users then it's not really a choice, is it?
Websites can’t block European users as a way to comply with the GDPR - if your business is based in Europe you have to comply regardless of whether you serve EU customers or not.
US-based websites can which would simply mean privacy-respecting EU-based competitors will take their place.
That is surely why most large companies have entire teams of human behavior psychologists, because they can't force you to do anything. Definitely not to figure out how to get something drilled deep into your brain so that the next time you see it, you're inching ever closer to buying it.
In fact, that's why Facebook ran secret psychological experiments on unwilling participants by modifying their timeline! Because they can't force you to do anything.
Who are you to decide for other people what they find useless or not? And are you implying people have no free will to decide what to buy and they need others to "trick" them or to prevent them from buying?
Do you consider yourself above other people and some sort of arbiter for their decisions?
Then you should stop writing right now because to communicate is to manipulate. People are manipulating machines. Sometimes to sell useless crap, other times (just as useless) ideas and ideologies. It comes with being a human and interacting with other humans.
People should have the freedom to choose who they listen to though, instead of others deciding for them.
I'm talking about dedicated departments in large companies that try to steer people into more purchases for profit. This is unethical unless people gave their consent.
Now you are simply describing advertising. I do not find it unethical, maybe unpleasant at most. It is the engine of commerce and driving progress. It is a sign of abundance of choice. And let's not forget a company still has to create a compelling product - no ads can override my free will.
I have a bit of knowledge about human nature and some applied logic. I do not need others to tell me how to think and I find Wikipedia a heavily biased and ideologized source.
Wikipedia is not a source. It's a list of sources. You can always add your own (reliable) sources to the list. Basing your decisions on "a bit of knowledge about human nature" is unscientific.
The solution is to make a worldwide framework where people OWN their data. That's not what GDPR does, it in fact prevents people from selling their data at will.
(People's privacy is protected by constitutions. That is orthogonal to the ability of people to choose how to use their data)
> The most likely outcome is that smaller companies just don't do business in the EU.
It's one of these:
1. blocking business with the EU
2. just ignoring the local regulations
3. big enough to actually implement GDPR
3.1. implement it partially
3.2. implement it erroneously
3.3. implement it fully
GDPR brought us the wide usage of HTTP code 451 Unavailable For Legal Reasons, the myriad of cookie stuff, endless legislation and litigation. It also split the internet into one more part. Unfortunately the part that was split off was never too successful or important to the rest of the planet.
But it also brought us a new way of thinking about data, and what personal data means. It's just that the implementation sucks big time.
Companies unwilling to actually protect your personal data and milking everything they can out of you brought you HTTP 451.
Companies lying through their teeth pretending that ePrivacy & GDPR forces them to have a cookie banner.
Companies (and clueless HN posters) that lie to you, telling you that GDPR is impossible to implement, and that if you even get the slightest thing wrong, you'll get fined the maximum fine.
Fines have always been a last resort, or for egregious and willful violations of the GDPR. Your company doesn't implement it properly and it goes all the way to a court? For almost all cases, the court will simply tell you "you have X days to be GDPR compliant". Said X being more than 90.
> It's just that the implementation sucks big time.
Yes, the way companies are "implementing" GDPR compliance sucks, even though GDPR compliance is not that complicated. That should tell you that those companies think it is more profitable to annoy you than to have a privacy-compatible business model.
GitHub, for example, gets it right. It only stores data it needs for fulfilling the services it provides to you, so there is no need for cookie banners and similar. That's exactly how the GDPR intends it to work. The problem is companies dragging their feet and trying to fool you into thinking it's the fault of the GDPR that they don't respect your privacy. Incredibly backwards, but sadly it seems to work.