Wait until GDPR is in place in May and German and other EU courts will rule FB to death.
IDK how FB will ever be compliant with GDPR and survive those huge upcoming fines in the long term, or in the worst case the withdrawal from these markets.
The GDPR isn't actually as bad as people claim. The law is actually pretty reasonable. It is the result of years of discussion and deliberation. In fact, privacy watchdogs are complaining that it doesn't go far enough - it leaves plenty of holes.
Most of the GDPR is about informed consent, having a valid reason for processing personal data and individual rights.
Facebook will do just fine, they had years to prepare and an army of lawyers. It will force them to be more transparent, which is a good thing.
Many EU member states like Germany already had very similar laws in place (like the BDSG), the GDPR unifies and standardizes them.
How is the law reasonable? It's not even clear what is allowed under it and what isn't. The EU refuses to clarify anything, the only time any decision will be made is by courts, if there's an actual dispute in progress.
The rules are so vague that any firm could be argued to be in violation. And the EU acts as judge, jury and executioner. It looks like a way to tax the SV tech firms without needing a treaty change. After all there's no practical difference between a tax and a law that everyone is guaranteed to always be in violation of that has huge fines attached. The money all goes straight into EU central coffers.
> How is the law reasonable? It's not even clear what is allowed under it and what isn't. The EU refuses to clarify anything, the only time any decision will be made is by courts, if there's an actual dispute in progress.
How is that different from a US law like HIPAA? The structures of the law seem largely the same, in that they give you guidelines to follow, but provide no clarity about what specifically is required by it and what isn't.
Understanding HIPAA has largely come from companies doing their best to comply with their understanding, and clarifications tend to come from courts when there's an actual dispute in progress.
Then, the US (through its various district courts, circuit courts, the Supreme Court, and regulatory bodies) acts as the "judge, jury, and executioner".
HIPAA and other mega-regulations like them have the same problems. And they do cause people to just give up rather than deal with the risk. I've listened in on various conversations around health products over the years. HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.
But this specific thread is about EU social network privacy fines, not US healthcare privacy fines.
The US courts aren't quite the same. They're a lot more independent. The ECJ has a history of surprising things, like hearing cases where one of the appellants wasn't aware he was involved in a court case at all and both sides turned out to be the same law firm, or simply voiding parts of the treaties they found to be inconvenient to the EU, or inventing new 'rights' on the fly (legislating from the bench). Like the right to be forgotten, which was invented by the judges in response to a lawsuit and required massive responses similar to the creation of entirely new regulations.
The Supreme Court is generally much better about following the Constitution, not inventing new laws on the fly and ensuring the cases before them are actually legitimate.
> I've listened in on various conversations around health products over the years. HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.
As someone who worked extensively on HIPAA covered data and systems, there are only three options here.
Option 1) Mandate no data protection. This is how you end up with hidden security dumpster fires like Equifax, when public companies are involved (cost of security vs profit).
Option 2) Strictly mandate how companies must behave to be compliant. Example: DoD (I believe?). Legal requirements always lag technical best practices.
Option 3) Generally mandate what compliance results in. Example: HIPAA. Results in lack of clarity and legal challenges.
Of these options, I'll take (3) every time.
If a startup isn't willing to make a best effort to comply (which is specifically worded into HIPAA and substantially reduces penalties), then I'd rather they not be able to touch my health data anyway...
HIPAA (and PCI compliance) has done little to prevent 1) in practice, especially when balanced against the huge costs it has on industry and the 'hidden' cost of crippled innovation.
You can't measure the true cost of hundreds of thousands of projects and startups that were never realized because HIPAA scared them away...and this is stuff that would have saved billions in healthcare costs, improved the public's health, and supported research/processes that could save lives.
Saying it's only a dynamic between "profit vs security" completely downplays the utility of technical progress in health care. This isn't just about quarterly profits of large mega-corporations.
As someone who started off working in the health space I can assure you I personally gave up on multiple potential projects because of HIPAA. And know of countless others who have to in spaces that seem "crazy" no one has yet built software for.
And I say this as a complete paranoid hawk on information security and privacy rights...
This. I am not a HIPAA expert or anything, but if a company is not making an effort to protect the data, they don't deserve to make money off of products touching that data.
> HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.
Good? This sounds like the law is doing what it's supposed to be doing - it's not enough to simply be smart, you have to also be sufficiently willing to pay attention to detail such that you don't accidentally design your systems in a way that leaks personal data. If you find this burdensome, maybe the world is better off if someone else develops it instead. (There are enough newly launched healthcare startups - Clover Health, Oscar, and One Medical all come to mind without even thinking - that I don't think that it's completely stifling innovation, which would be a different story.)
As a person who is much better at being smart than at being reliable and careful, I am totally okay being regulated out of this space - I don't trust myself not to just forget about something. I worry consciously about edge cases in my code because I know I won't worry about them subconsciously. If I want to go into this space, I imagine that I can just hire someone who's good at the regulatory part and willing to focus on getting that stuff right.
I don't understand this idea that smart people should be entitled to develop and market products in whatever way they want, simply because they're smart. I'm sure the Therac-25 programmers were very smart.
I've worked in the healthcare space. HIPAA doesn't scare enough people/companies away. Not by a long shot.
Sensitive personal medical info was routinely sent, by major companies, over insecure FTP or even plaintext email, on a regular basis.
Anyone who has ever had medical benefits at any point in their lives most likely has their benefit information, along with socials and more, sitting unencrypted in databases of a plethora of small companies/medical/insurance providers whose only concern for security is a mandatory HIPAA CYA compliance lecture every couple of years. The rest of the time they go about sending socials and pmi through plain text email or just leave shit on their desks for anyone to pick up.
The firms that HIPAA scares away aren't necessarily going to be the ones that have the most dubious security practices. They're going to be the ones that have a choice between business models that involve healthcare and ones that don't, and the ones that don't think they'd make enough money to justify the exposure.
Legislating from the bench is not a bad thing, to the extent it doesn't contradict a fully valid statute. Indeed, most law in the US is judicially created, and always has been, dating back to the English common law system from which we inherited ours.
American courts continue to create common law today. This happens less at the federal level only because the scope of federal common law is narrower.
I too have concerns over the breadth of the EU right to be forgotten, but not over the concept that a court could combine premises with a process of reasoning to arrive at such a conclusion.
The Supreme Court's focus on ensuring that the cases before it are actually legitimate is primarily for three reasons: keeping their workload manageable, deferring controversial decisions they don't actually need to make, and complying with the Case or Controversy Clause in the federal Constitution.
Notably, the Case or Controversy Clause does not bind the state courts. Whether they are willing to issue advisory opinions or perform other duties is a matter of state law.
If GDPR analogously has a chilling effect, reducing the proliferation of "social" products, I'd consider that a positive outcome. I don't really buy that any of these are "making the world a better place" as Zuck loves to say, though you might have a better case with the health products.
1) Despite the GDPR being a regulation, the national courts will decide first, and only if appealed enough times will the ECJ decide as the highest court.
2) The EU judiciary is based on the civil law system. In the US or UK or other common law countries, you have much more "legislating from the bench". In fact, most US laws are created by the judiciary.
>The rules are so vague that any firm could be argued to be in violation.
I think that's a good thing. So the law has to be interpreted by precedent set by the courts.
If the text is too specific you could have the opposite effect of companies weaseling through.
It is not a tax. It's pretty clear that the EU expects companies to treat private user data with respect. If your company cannot operate without exploiting this info, then maybe the world is better off without it anyway.
> I think that's a good thing. So the law has to be interpreted by precedent set by the courts.
Most EU countries follow civil law, and precedent has a much more limited role than in common law countries. So it actually matters that the statutes be written clearly.
Why have any law at all, by your logic? Just have a single law that says "Whatever we decide, is final" and make up all rulings and fines on the fly. No 'weaselling' is possible then. Only problem is, it's totalitarian. Nobody knows what is or is not allowed, there is no such thing as justice.
Law is meant to be precise. If it's not, then ignorance of the law does become an excuse and law loses its moral authority.
Unfortunately the EU does seem rather keen on laws so vague that they're impossible to understand - it's rule by law, not rule of law.
Somewhat ironically, as it's the--presumably soon without the UK--EU we're talking about, but you're basically objecting to a Common Law system. Admittedly, in modern times, there's a lot less practical distinction between civil and common law jurisdictions than there once was, but nonetheless common law is "the part of English law that is derived from custom and judicial precedent rather than statutes."
As mentioned in another reply, the actual laws will have to be implemented by the member states anyway. So the text for each country can vary and can be more specific.
As for your strawman that I somehow argued to abandon all law: I won't deal with that.
No, they actually won't. The Data Protection Directive needed to be implemented by national legislators into national law, but the GDPR is a regulation which means it is directly binding law.
Only a few technical, minor points need to be spelled out in national regulations or laws.
That’s true only if you regard the EU as a single entity. Laws made via the EU will be turned into national law, and independent judges will judge all cases, up to the EU high court. By the same right you could call the US judge, jury and executioner on all laws and rules made and enforced by the US government (FACTA anyone?)
No. That's not how the EU works. That's how a national government would work but not the EU.
The GDPR is not a directive so it does not have to be translated into national law. It is directly binding and applies immediately everywhere.
Fines have to be paid up front, before appeals are exhausted. Appeals can of course take years.
The EU courts have judges appointed by the same people who control the rest of the EU, and are ideologically aligned as such. They have a long history of legislating from the bench and making shocking and nonsensical decisions: consider the case where they simply voided the UK's opt out of new human rights related legislation, despite a very clear paragraph in the treaties saying they did not apply to the UK. The court simply decided it didn't like that bit of the treaty and so it did not apply. I do not regard the ECJ as a robust court. It will rule in whatever way is most favourable to the European project.
No, the enforcement is through the national "supervisory authorities" such as the ICO. Most of the enforcement process is through national courts and the ECJ is only for the final layer of appeal. This very article says "German Court rules ..."
> voided the UK's opt out of new human rights related legislation, despite a very clear paragraph in the treaties saying they did not apply to the UK.
[citation needed]; did you read this in the UK press?
In the section "Wasn’t the UK supposed to get an opt-out from EU human rights laws?"
The summary is, when the Treaty of Lisbon awarded the EU new human rights powers the UK and Poland negotiated an opt out which was written in the treaty. It was a part of convincing the UK government to accept the new treaty without granting a referendum on it, as they had previously promised.
The opt out is very clear, really as clear as lawyers can make such things. It says:
> The charter does not extend the ability of the CJEU, or any court or tribunal of… the United Kingdom, to find that the laws, regulations or administrative provisions, practices or action of… the United Kingdom are inconsistent with the fundamental rights, freedoms and principles that it reaffirms
and
> In particular, and for the avoidance of doubt, nothing in Title IV of the Charter creates justiciable rights applicable to Poland or the United Kingdom except in so far as Poland or the United Kingdom has provided for such rights in its national law
In other words, this part of the treaty does not allow the courts to overturn UK laws. Stated twice, for clarity.
A few years later the ECJ decided that the opt out was meaningless and voided it, under a new interpretation that they claimed meant they'd actually always had these powers, and therefore the treaty did not "extend" them, and so the opt out didn't "work" despite its apparently clear wording. They then began overturning UK laws.
It's unclear why the treaty had anything new in it at all if the courts had always had these powers, of course, but this is how things go in the EU - no matter how plainly something seems to be written, no matter how clear the assurances seem to be at the time, the moment it becomes politically inconvenient to the project the rules are tossed out under bizarre and Kafkaesque re-interpretations.
Same thing happened to Ireland with corporation tax. They were promised the EU wouldn't interfere with their tax policies. Then the EU decided low taxes were "state aid" and awarded itself the power to control Irish tax policy. Nobody had previously interpreted the state aid clauses that way.
>consider the case where they simply voided the UK's opt out of new human rights related legislation
Erm...you are aware that this case has nothing to do with the ECJ, but with the ECHR, which isn't even an institution of the EU, but of the Council of Europe*, which is an entity completely separate from (and older than) the EU.
* not to be confused with the European Council or the Council of the European Union. Yeah, it's a bit silly.
I think that this source suggests that this idea may have been a mis-representation by Michael Gove [0] during the course of a referendum (I was interested, as I wasn't aware of any such decision).
Then again, all's fair in love, war and referendums :)
Now, now, you make it sound like a single human actually endorses those three roles. Any state (or group of states) is judge, jury, and executioner. It also writes and dictates laws…
The real world is very complicated. As time goes on, there will be lots of court cases which set a precedent.
Even though I dislike em, I think the laws surrounding fair use and copyright are another example. Due to its nature, it's incredibly difficult to provide exhaustive guidelines.
As long as these large enterprises engage in a good faith attempt at complying with the law they shouldn't end up receiving huge fines.
> The GDPR isn't actually as bad as people claim. The law is actually pretty reasonable. It is the result of years of discussion and deliberation. In fact, privacy watchdogs are complaining that it doesn't go far enough - it leaves plenty of holes.
I'm feeling a huge cultural gap in the discussions in this thread.
Americans seem to have a different tolerance for privacy abuse and draw the line elsewhere.
And I suppose that's okay, live and let live etc. However, so far it's really been mainly US tech companies pushing their views on privacy (read: less of it) in the EU market (kind of poisoning the field for EU companies as well, because obviously you can make more profit that way).
I don't see the (EU) public making a huge fuss about EU businesses taken to court over privacy violations (which happens), because we see it as justice as usual.
Now that the EU(/Germany) pushes back against a huge US corporation (ok multinational, technically), it's considered really harsh, from a US point of view. Some arguments going even as far as attacking our legal system (which is a bit much, coming from the US, IMHO. Americans themselves flat out admit justice is a matter of financial resources and consider that justice as usual). Apparently we have different values.
Personally, I agree it doesn't go far enough even though I'm very happy with the German ruling and hope other countries will follow suit.
GDPR is reasonable. How Facebook handles user data is not.
I'm sure they'll mostly ignore the law at first, and if they get sued, they'll claim to have a legitimate interest [1], but that will be their strategy, because actually complying with the law voluntarily would likely cost them more.
And yes, especially Germany already had a very similar law in place, but Facebook did not actually need to keep to it most of the time, because they were operating from Ireland. GDPR does not care where you're operating from. The fines would have also not been much more than operational costs for Facebook (the highest fine placed in Germany for privacy violations so far is at 300,000€).
Ignoring the court order of which they were duly informed and which contains time to comply is a felony. Including a huge fine in this case, which will likely be calculated per German user. Think something closer to 30 M€.
With "ignore the law", I meant not (fully) implementing the requirements that the GDPR imposes. If a judge actually rules that they did not properly implement the GDPR requirements, then yeah, they will correct that.
But until someone sues them and that court case concludes, there's going to be a lot of time, in which they can probably make enough money by not properly implementing the GDPR requirements to easily recover however high that fine is in the end.
If somebody says "X has money and an army of lawyers", the implication is that they are going to beat the case. Microsoft didn't; they were slapped with the largest fine ever at the time ($794 million USD). They are fine despite the inability of lawyers and prep time to deliver victory, not because of it. No guarantees FB will fare better (or worse).
The problem with the GDPR isn't that it is too far-reaching. The problem is that it isn't clear what companies have to do to comply with the new regulation.
Large companies will simply pay their lawyers to deal with this. Small companies basically will have to do their best and hope they don't get sued.
As I wrote already in another comment: all these regulations will end up doing is strengthen the market position of the established players and cripple any competition from new incumbents :(
It’s the end of an era...not too long ago anyone could compete with the big players...soon nobody will
Given the feedback loop of social networks there wasn't much of a reason for viable competitors to emerge in the first place.
The lack of competitors here is structural, not everything is an issue of 'we must remove the red tape!' That would do nothing because nobody is voluntarily going to switch away from an established social network monopolist. It's a Nash equilibrium of sorts.
Myspace was pretty much dead the moment Facebook arrived. It's true that companies like Facebook can be replaced, but they almost never coexist or directly compete. Chat services usually split geographically. WeChat in China, WhatsApp outside of the US, Snapchat in the US.
Anecdotally I know very few people who simultaneously use multiple messenger apps or switch around a lot. (For the reason outlined in the post before, you lose your network).
> Facebook will do just fine, they had years to prepare and an army of lawyers.
They won't do fine. Don't want to go into details but their actual products/required architectures for their products just can't be GDPR compliant. And they didn't prepare anything. You confuse them with Google--they prepared GDPR but FB?
Btw, one of GDPR's key motivations was to take FB down.
A grandiose claim offering nothing better than "don't want to go into details" counts as unsubstantive and flamebait, two qualities that are deprecated here. In the future, could you please either make a comment like this substantive, or just not post?
Dang, no need to get aggressive. I was on mobile and did not have the time to explain why all products around Facebook—which need to collect users' behavioural data to target ads etc.—can't ever get compliant with the strict GDPR. I guess you are not informed about GDPR. If you were, my prior message with its "don't want to go into details" would have been super clear.
So, this is a misunderstanding, and again your aggressive tone is, for somebody who is representing YC, just sad.
Besides, thanks that you gave my profile more gravity when posting comments. Now my comments drop so quickly (first seconds after posting) and people with 0 karma move above me.
Without a citation, I doubt this claim and wonder if you have any personal investment in or relation to Facebook or a similar company whose profit is generated by selling or buying personal data.
No, but I have to comply with the GDPR. The first thing to understand about the GDPR is much of it is quite vague, and is essentially a framework for rule making for 30+ privacy regulators. See e.g. legitimate interests, where you are supposed to conduct a balancing test between competing interests with very limited guidance on what a reasonable balancing test is. Second, these lazy morons haven't issued final guidance approximately three months out from the deadline. Now, there is some guidance, but there's no hard cap on the distance between working and final guidance. How they expect companies to comply with that is obvious: they don't, and will use the opportunity to fine them. The ICO has been quite explicit about this; I don't have quotes on this laptop but one of their senior staff basically said that grace periods are not part of their regulatory strategy. Grace periods are apparently only for the regulators. And that's the ICO, one of the more reasonable regulators! The French regulators, who aren't particularly reasonable, are no doubt anticipating the influx of cash.
So if you're a company that is relying on some mix of legitimate interests and consent to service your customers, market, and perform outbound, it's very difficult to understand what the rules are. And this is worse if you are an American company and therefore probably don't have a lead regulator and will have to attempt to comply with the (almost certainly) conflicting rules as decided upon by every privacy regulator instead of just one.
Much of the GDPR is quite reasonable (besides the DPOs, i.e. an employment program for EU lawyers) -- privacy dashboards, the ability to delete data, SARs, etc. But it's wildly unreasonable to not have final regulations in place.
> Btw, one of GDPR's key motivation was to take FB down.
This all seems very similar to the new VAT scheme, in that it was designed to target a foreign giant (Amazon), which was barely affected as a result, and instead ended up hurting the competitiveness of the EU's own small businesses.
The EU Commission's response to small business concerns about that new VAT scheme? "we'll allocate some time to talk about that in 5 years"
That's not entirely true - MOSS actually works quite well, and preparing a sales report grouped by country should be trivial no matter what infrastructure you're using.
No matter what infrastructure you're using? You won't believe how many payment systems out there are not very MOSS friendly. If you are a developer and cannot use VAT MOSS logic as e.g. a plugin, you basically have to get the IP country code, add the country's VAT and adjust the payment plan. Yeah... all really really trivial if the payment system is not used to dynamic pricing based on the customer's country! I hope you see the irony. This is all very unpleasant for small businesses!
Do you have to actually change the retail price? The way we do it is to keep the price constant for the customer. If their country has a lower VAT rate, they have to pay more. I'm not sure most even know/care how much VAT they pay, but they do care about the total price - and this doesn't change no matter if you change IP/user VPN etc. It also removes any incentives to cheat.
This is all stupid if you sell a really small amount of digital goods online. It all starts with 1€ (and less) on an ebook, and in comparison: on normal goods there is a threshold of roughly ~100,000€ depending on country sales.
Well, it's not that - before that law was introduced, you could simply ignore the country, since it's about digital downloads. If all you cared for was getting a payment, it was not unusual to have the transaction list in the forms of e-mails. Now you need much more information.
That's not the hard part of the VAT rules. If it was just asking the user what country they're in and then submitting sales figures by country, that'd be easy.
There are two hard parts to what the EU did, for businesses.
The first is you have to charge variable VAT rates and remit the collected tax. However VAT rates do vary not only by country but in some cases within countries too, and they do change, so you have to make sure you have a really up to date list of tax rates and geographies where they apply. Including varying rates down to the city levels.
But the real kicker is that you can't trust the user's claim about where they are. Users are financially incentivised to lie about their location because these are digital downloads. So if they claim to live in a low VAT region they pay less, but download the same files. Simple as that.
As a consequence the VAT regulations have a LOT of complicated edge cases and "guidance" in them about how to figure out where the user really is, not where they say they are. This is hard of course, the user may be using VPNs and so on. There is specific guidance on how to handle users who are on ships sailing between VAT regions, or planes that are in the air when a purchase is made. So you've got a really complex pile of logic to start with, and then you're also in an adversarial situation where the users are all trying to screw you over by forging their location. And if they succeed, you can suffer big fines.
Oh and finally of course, you can't use any technical tricks to figure out where the user actually is, because then you'd violate EU privacy laws ... have fun with all of this! In practice it has to all be outsourced, it is too much work to implement in house for all but the largest of firms.
A while ago VAT rules for digital goods were changed. Before, the VAT of the country where the company was located applied, after the VAT of the customers country. Amazon, Apple, ... exploited that by officially making the sale in a low-VAT country and pocketing the difference.
Many small businesses were concerned that they would have to register for VAT in all EU countries and deal with individual VAT laws, but the implementation for small businesses allows you to basically register at your home country's tax authority and provide them with a list of sales broken down by country. (MOSS in the UK, iirc) The initial hubbub has largely died down.
This is grossly simplified, but captures the gist. No tax advice, yadda, yadda.
My solution was to stop selling into the EU, though amusingly once the UK leaves the EU I'll be able to start again (by just ignoring the EU's VAT rules).
Whereas this is from 2015. I was confused by language where you described it as a law to target Amazon. Now I see that was just an opinion.
> my solution was to stop selling into the EU
Interesting business decision. Was the cost of compliance that high, or was your revenue that trivial?
> though amusingly once the UK leaves the EU I'll be able to start again (by just ignoring the EU's VAT rules)
Well I was having a conversation with one of the UK's foremost VAT specialists on Friday, from one of the UK big 4 accountancy firms. He was very clear that the general opinion is that the UK will align with the EU for VAT. This was a response to my question about the catastrophic cashflow impact that losing the VAT rules on imports would have to UK businesses. He told me not to worry, as VAT alignment was simply a necessity.
There is no legal way to ignore EU VAT rules while selling to EU customers (no matter where you or your company is located). If you do business with EU end customers you have to comply with EU VAT rules. Just telling you how it works in theory.
This was quite a hit to small companies, because now they have to manage collecting and remitting taxes to every country their consumer customers reside in. Previously they only had to collect and remit taxes to their own home country.
The GDPR is beautiful and an example of the best outcomes democracy can produce. The winners are pretty much everyone. It's sad that the US can't implement public policy like this.
We'll have to wait a while before we know for sure, but one loser might be technology startups, especially European ones. As much talk as there has been about the effects of GDPR on huge companies, the fact is, they're not too concerned: they have enough lawyers to throw at the legal issues and enough engineers to throw at the technical issues. Smaller companies without these resources are going to see their lives get harder.
This is a pattern you see across a lot of regulation, even when perfectly well-intentioned: it tends to favor giant companies over smaller ones, because the big ones can devote lots of manpower to the complicated legal and technical challenges the regulation sets up. That might be a worthwhile tradeoff, but it's not the same as saying "the winners are everyone".
Why do you equate technology startups with startups that finance themselves with private data (mis)use?
Instead of taking profit out of private data one has, it's possible to charge for the service. Alternatively, one can use the data to finance the business but also follow the rules and regulations. I don't see the big issue here.
Why do you equate startups with startups that finance themselves with private data?
Every piece of regulation is another headache for a business.
Take for example the combination of GDPR + backups.
If you have enough technical manpower, you can change the backups.
If you have enough legal manpower, you can argue that changing those backups counts as 'unreasonable'.
If you have neither you have a headache.
Don't forget that even usernames and IP addresses are part of the personal data that the GDPR covers. Are you sure those are not present on a hard disk collecting dust somewhere?
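One way to make the backup problem above tractable, as an added example that is not from any commenter in this thread: store only keyed pseudonyms of IP addresses and usernames in the backup set, keep the per-identifier keys outside it, and honour an erasure request by destroying that identifier's key (crypto-shredding). The log format, names and addresses below are constructed for the example; it uses only the Python standard library.

```python
"""Crypto-shredding for log backups (added example, stdlib only).

The backup keeps HMAC pseudonyms instead of raw identifiers, so the same
user or IP still correlates across lines (useful for security analytics),
while the per-identifier keys live in a separate vault that is never
written to the immutable backups. Deleting a key makes every pseudonym
derived from it unlinkable, without touching a single backup tape.
"""
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional

# Constructed access-log lines: "<ip> <user> [<timestamp>] \"<request>\" <status>"
SAMPLE_LOG = [
    '203.0.113.7 alice [10/Mar/2018:10:01:02 +0000] "GET /inbox HTTP/1.1" 200',
    '203.0.113.7 alice [10/Mar/2018:10:01:05 +0000] "POST /upload HTTP/1.1" 201',
    '198.51.100.9 bob [10/Mar/2018:10:02:00 +0000] "GET /inbox HTTP/1.1" 200',
]
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) (?P<rest>\[.*)$')


class PseudonymVault:
    """Per-identifier secret keys. Must be stored outside the backup set."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def _derive(self, key: bytes, identifier: str) -> str:
        # 64-bit truncation keeps log lines readable; use the full digest
        # if collision resistance matters for your volume of identifiers.
        return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

    def token(self, identifier: str) -> str:
        """Pseudonym for an identifier; creates a fresh key on first sight."""
        key = self._keys.setdefault(identifier, secrets.token_bytes(32))
        return self._derive(key, identifier)

    def relink(self, identifier: str, token: str) -> Optional[bool]:
        """Can the vault still confirm that `token` stands for `identifier`?

        Returns None when no key is held (shredded or never seen): linkage
        is then impossible for anyone, including the operator.
        """
        key = self._keys.get(identifier)
        if key is None:
            return None
        return hmac.compare_digest(self._derive(key, identifier), token)

    def erase(self, identifier: str) -> bool:
        """Crypto-shred: drop the key; existing backups become unlinkable."""
        return self._keys.pop(identifier, None) is not None


def pseudonymize(line: str, vault: PseudonymVault) -> str:
    """Replace the IP and username fields of one log line with pseudonyms."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return f"{vault.token(m['ip'])} {vault.token(m['user'])} {m['rest']}"


def build_backup(lines: List[str], vault: PseudonymVault) -> List[str]:
    """What actually gets written to the backup: no raw identifiers."""
    return [pseudonymize(line, vault) for line in lines]
```

Restoring an old backup after `erase("alice")` yields lines that still correlate with each other but can no longer be tied to the person, which is the outcome an erasure request needs without rewriting archived media.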
I see zero chance for the argument that it would be unreasonable to adjust backups. Either they are adjusted, or they violate the law, period.
Software projects like apache2, nginx, or your favourite website framework should adapt to the GDPR to make it easier for those who use them.
How things will turn out is not settled yet. If you are a small company not focused on handling private data, and documentedly continuously work on compliance, then I see little you must fear.
Usually, if your business is handling private data of others, then you must simply know exactly what you record where, and what you don't record. That is an essential part of your business.
> If you are a small company not focused on handling private data
I'll repeat myself a little bit: IP addresses and user names are also private data.
Please provide me with an example of an IT business that doesn't deal with private data. No real names, no user names, no IP addresses.
I haven't looked into this example, but I suspect even the name of a client on a bill would be subject to the GDPR.
> continuously work on compliance
That's the big part of the headache. Even if you're a one man shop, you have to spend time and effort to get informed and deal with it. Multiplied by all regulations that might affect your business.
> We'll have to wait a while before we know for sure, but one loser might be technology startups, especially European ones.
Or it may be a great opportunity for them to differentiate developing not privacy invading business models protected from being undercut by "free" (because we sell your data) competitors.
Well that's ... kind of the point, isn't it? If they're not going to be compliant and respect our privacy, or even if they kind of would like to be sort of privacy-respecting in a sense except that their business model precludes them from actually being able to be compliant however since business models are rather subject to change especially with the SV "get venture capital and break stuff" mentality, such that even the "in a sense" part is exceedingly likely to become unjustifiably cost-inefficient as soon as the business gets big enough to believe they can get away with it (like, you know, Facebook, Google, etc), ... then, good riddance, right?
I mean, just because a company believes they can claim to "respect your privacy" without actually being compliant to the EU regulations specifying they should do such, let's call it a cultural difference then.
You don't know that yet. There is not a great track record anywhere for implementing radical reform without significant unintended consequences.
It's totally reasonable to be cautiously optimistic, but when people are only barely not frothing around the mouth at the prospect of landing a punch on Goliath, I'd err on the side of caution, at least until we see how the chips fell.
I'm with this sentiment too. I think there are plenty of laws with good intentions and unforeseen side effects which range from harmful to annoying and inconsequential (Prop 65 warnings, EU cookie law, South Korea Internet Explorer mandate). They all seemed good at the time I'm sure.
Then the problem with technology laws is we have to live with them far beyond their usefulness since the tech evolves so quickly.
Only real freedom is financial. Americans don't usually like to preemptively create rules and regulations that could hinder innovation or hurt businesses.
It's pretty good, actually. I prefer being poor in the EU over being poor in the US. Privacy is just one of the many benefits. I've been saying "maybe we have different values" a lot in this thread, but in this case, I suggest you ask poor people in the US what they prefer. Because I get the sense that you're not poor (in a strictly financial sense, that is, because even as a poor EU-citizen I probably get more affordable healthcare :p).
It is good that they are protecting their citizens from exploitation by US companies but this is not uncommon that it is easier to regulate a large company that is not your constituent.
The EU has not done so well on regulating diesel autos for instance but the US is knocking that one of the park.
Your comparison is not correct. The practices of FB are not universally considered bad, many people are OK with them. The diesel scandal was a deliberate scheme to cheat everybody - you can't find anyone who considers what they did as good. And the Germans finally started arresting people, too - although the USA gave a good example.
> The practices of FB are not universally considered bad, many people are OK with them
Really. Please point me at these people.
People that simply "don't care, yolo" do not count. People that have a stake in this because they have an interest in the tech business and fear that any decisions in this matter might negatively impact their business, also do not count (because a very specific yet vocal slice of the tech sector is hardly representative of what is "universally" considered right or wrong).
If you think that's too restrictive, and those are the only two groups you can point at, that's okay. I don't really believe those two groups (ignorance and business interest) should be considered representative of what is universally considered right or wrong. If you believe otherwise we'll have to agree to have a different view on ethics (which is a bit of a long discussion I'm not up for right now).
Everybody else I hear about this (I said "almost everybody" at first, but I can't think of anyone), DOES think it's bad, but admit that "what can you do, if everyone uses it" (hence the need for EU regulations!!) and because "it's really useful to keep in touch with long-distance friends and family, also to plan events etc", the latter being a reasonable point except there's nothing unique about FB's capability providing this service, and it's really easy enough to do it without violating privacy, if it weren't for FB dominating the social network sphere and forcing the privacy violations on the general public.
> Wait until GDPR is in place in May and German and other EU courts will rule FB to death.
If indeed GDPR will enable those courts to "rule FB to death", and not, as repeatedly promised, be entirely reasonable to comply with, including for Facebook, obviously Facebook will shut down in Europe (and so will a good number of other popular services), and tell their millions of former users why. Here's a quick, free lesson in politics: that will not end well for the GDPR.
If they do this, traditional TV will likely bang our heads over how deceptive these companies are. They will point out the fine prints in the EULA with the most outraged tone possible. They will conflate the issue with US spying on everyone ("NSA" and "Snowden" will be uttered repeatedly).
Because doing so is in the interest of EU corporate powers: let's drive away, or at least hinder, US companies on our soil, so we can develop our own. Even if the initial intent was not to put up a trade barrier, it will be used as such. Not that that would be a bad thing: from what I have heard, the GDPR seems fine, as well as quite defensible.
> the GDPR seems fine, as well as quite defensible.
So, that's the thing. Either, it's fine and defensible, and the Facebooks of the world will just comply, and so won't be a trade barrier, or it's not. It can't be both.
And also, don't wish for a "trade barrier" for this purpose, import substitution has been demonstrated over and over again to be really just awful policy.
I was hypothesising Facebook being unreasonable. And their business model could very well be incompatible with GDPR. They're an ad company that feeds on personal data. I'm not sure they can get the informed consent of most of their users for this.
Simply put, GDPR could be reasonable and sue Facebook to death (at least within its borders).
But that would not be a politically acceptable outcome. There will be so unbelievably many free votes for the "Bring Facebook back" party that they will barely need to campaign.
Also, by the way, this won't bring about the development of "our own" alternatives. Being European doesn't confer any particular skills required to build a GDPR-compatible Facebook, if Facebook itself can't even build it themselves.
> There will be so unbelievably many free votes for the "Bring Facebook back" party that they will barely need to campaign.
Hence my predicting that traditional media would gang up against Facebook. It wouldn't be the first time there's a disconnect between television and the people. (Who's right is a separate issue.)
> And also, don't wish for a "trade barrier" for this purpose, import substitution has been demonstrated over and over again to be really just awful policy.
That's a very different kind of "trade barrier" than is being discussed here.
The barrier being thrown up here is in fact not so much about trade but about privacy values. I see that as a very different thing, if a business wants to draw the line for privacy ethics elsewhere, but that line happens to be subject to regulations which reflect our values, then that is indeed a barrier, but I don't see much wrong with it. Unless you want to argue that US values on privacy are somehow more right than the ones we decide on in the EU.
If FB gives up on the EU market, then they've opened a massive weak spot for themselves. Social networks benefit from the more connections between people.
If FB leave the EU, then some EU company can copy the software (we know what kind of features people want), and this company will be able to operate in EU and USA, but FB will not be able to operate in EU, giving this EU company a massive benefit and safe harbor.
Point is that the UK government already has a tax regime. It has no incentive to fine Facebook so much there's a risk of it leaving. The ICO already said that it doesn't intend to use its big new fining powers under GDPR anyway, as there's no need.
The rest of the EU is a bigger question. The EU is desperate for cash. It faces a huge budget shortfall, member states that don't want to pay more and it can't raise a corporation tax itself by treaty. Repeatedly fining tech firms looks like a nice way out for them.
But that said, hopefully the UK will repeal GDPR eventually along with associated EU nonsense like the cookie law.
> Point is that the UK government already has a tax regime. It has no incentive to fine Facebook so much there's a risk of it leaving.
Do Facebook have a presence in the UK? I thought they were headquartered in Dublin? Do Facebook pay tax in the UK? News to me.
> The ICO already said that it doesn't intend to use its big new fining powers under GDPR anyway, as there's no need.
Citation very much needed. The ICO will follow the law. The ICO is using its DPA powers already. The
> The EU is desperate for cash
The EU organisation is handing rebates back to members at the moment... The UK just got one. Or perhaps you mean countries in the EU. Germany has a budget surplus, so I don't know what you could mean. You sound bitter?
> But that said, hopefully the UK will repeal GDPR eventually
It seems extremely unlikely that the UK won't retain 'regulatory alignment'. This is actually part of the agreement over the NI border? This will also be a prerequisite for a trade deal, and the UK will continue to make CE marked goods or they would not be able to sell them.
> along with associated EU nonsense like the cookie law.
The EU is already on this one[0]. What other 'nonsense' consumer protection law do you want undone?
> You can see how few people ICO impose fines on already, and that they have never imposed the maximum fine
Why would they have to impose the maximum to be effective?
The maximum sentence for arson in the UK is life imprisonment, something you are unlikely to see imposed. That doesn't mean that everybody is going to start torching their houses for the insurance.
> UK regulators really do take a light touch approach, aiming to get companies to change behaviour.
Maybe the German ones did too, but Facebook chose to ignore them?
Here is a recent DPA case against a non US company btw[0].
Leaving the EU would have very strong network effects and is IMO not an option for Facebook. The entry barrier to social networks is so low now that this could trigger a mass exodus in the rest of the world.
They are doing ok AFAIK, but are almost two orders of magnitude smaller than FB, user-wise. I don't think Xing is even doing that well, they have started very aggressive monetization tactics recently, like forcing people to purchase a pro account in order to view incoming friend requests.
I don't know about _strong_ network effects, but part of the appeal of Facebook (for me) is that it's universal - visitors to the country (e.g. exchange students) and people I've met overseas (holidays) are all in one place. Further, it doesn't result in you being introduced to (possibly better) Facebook alternatives in those situations. It may not be a strong effect, but there are definitely small cross-country effects IMO.
Leaving doesn't mean erasing all the profiles. It just means shutting down local corporate presences. It'd suck for the employees but Facebook can run things out of Palo Alto just fine.
I'm not sure what it'd involve for contracts and payments. But many EU firms have US legal presences too. They could easily buy ads on Facebook through their US presence. Multi-nationalism works both ways.
The GDPR does not allow international players to store data on EU citizens without conforming to the rules. So if FB leaves in order to avoid conformance, then they have to delete all EU citizen data.
You are right, this might be the case, someday... but as long as they have their tax-free money parked in the EU, removing all legal entities from the EU will be very expensive...
From the perspective of the US company, then it's not them getting fined so not their problem. And if the EU wants to fine its own companies for buying adverts, they can go right ahead and do that. Doesn't seem very practical for the local economy though.
That assumes that the more people Facebook has in a country the more important that country is. I think the wealth of people in a country / block plays an important role in that consideration. And EU countries are far richer than most other countries.
> IDK how FB will ever be compliant with GDPR and survive that huge upcoming fines in the long term or in the worst case the withdrawal from these markets.
By limiting their use of personal data, according to the law? And by requesting informed consent from users, instead of silently opting them into all their anti-privacy features? And by not hiding this two thirds of the way through a 100 page TOS?
It's not like it's impossible to make a good faith attempt at all those things. Facebook isn't even trying.
When they make a good faith attempt, and get sued out of existence, you may have a point. They haven't, though.
I wonder. In my opinion more rules only means bigger hurdles for newcomers. The big companies might have a setback but will survive one way or another because they have the knowledge and money (lawyers, lobbyists) to adapt.
A good example is the VAT law of Europe. No problem for big companies, but small companies struggle to comply (it's a returning subject on HN). Or the net neutrality law in the US: it will become harder for a startup to disrupt YouTube.
Europe is too concerned wrestling with large US tech companies to understand that more regulations will only exacerbate the very thing they are trying to get away from.
> IDK how FB will ever be compliant with GDPR and survive that huge upcoming fines in the long term or in the worst case the withdrawal from these markets.
The worst case? I think that's the best case, actually.
You do realize there's nothing special about Facebook at all, except for currently being the most popular and biggest social network. The major features I hear people repeat again and again for not leaving Facebook (keeping in touch with family and friends, planning events) also happen to be the most basic, easily reproducible features. It's just getting the userbase that is hard.
So yeah, Facebook withdrawing from EU markets? PLEASE DO! I predict within no time, we'll have a whole bunch of replacement social networks (they already exist even), with better features, better privacy and hopefully interoperability.
It's not hard to switch at all, not even to the general public. They'll just register for whatever their friends are using. The only thing holding them hostage is that "everyone is on it". In fact teenagers already want to be on social networks their parents aren't on.
They might lose their timeline, comments, posts, memories, pictures? Guess who they'll blame.
Here's an excellent introduction:
https://ico.org.uk/for-organisations/guide-to-the-general-da...