The GDPR is beautiful and an example of the best outcomes democracy can produce. The winners are pretty much everyone. It's sad that the US can't implement public policy like this.
We'll have to wait a while before we know for sure, but one loser might be technology startups, especially European ones. As much talk as there has been about the effects of GDPR on huge companies, the fact is, they're not too concerned: they have enough lawyers to throw at the legal issues and enough engineers to throw at the technical issues. Smaller companies without these resources are going to see their lives get harder.
This is a pattern you see across a lot of regulation, even when perfectly well-intentioned: it tends to favor giant companies over smaller ones, because the big ones can devote lots of manpower to the complicated legal and technical challenges the regulation sets up. That might be a worthwhile tradeoff, but it's not the same as saying "the winners are everyone".
Why do you equate technology startups with startups that finance themselves with private data (mis)use?
Instead of taking profit out of private data one has, it's possible to charge for the service. Alternatively, one can use the data to finance the business but also follow the rules and regulations. I don't see the big issue here.
Why do you equate startups with startups that finance themselves with private data?
Every piece of regulation is another headache for a business.
Take for example the combination of GDPR + backups.
If you have enough technical manpower, you can change the backups.
If you have enough legal manpower, you can argue that changing those backups counts as 'unreasonable'.
If you have neither you have a headache.
Don't forget that even usernames and IP addresses are part of the personal data that the GDPR covers. Are you sure those are not present on a hard disk collecting dust somewhere?
I see zero chance for the argument that it would be unreasonable to adjust backups. Either they are adjusted, or they violate the law, period.
Software projects like apache2, nginx, or your favourite website framework should adapt to the GDPR to make it easier for those who use them.
How things will turn out is not settled yet. If you are a small company not focused on handling private data, and you continuously and demonstrably work on compliance, then I see little you must fear.
Usually, if your business is handling private data of others, then you must simply know exactly what you record where, and what you don't record. That is an essential part of your business.
> If you are a small company not focused on handling private data
I'll repeat myself a little bit: IP addresses and user names are also private data.
Please provide me with an example of an IT business that doesn't deal with private data. No real names, no user names, no IP addresses.
I haven't looked into this example, but I suspect even the name of a client on a bill would be subject to the GDPR.
> continuously work on compliance
That's the big part of the headache. Even if you're a one-man shop, you have to spend time and effort to get informed and deal with it. Multiplied by all regulations that might affect your business.
Well, don't record IP addresses in the first place? Or if you need IP addresses for protection against technical attacks like DDoS attacks, then delete them as soon as possible.
What is so difficult about deleting a real name and a user name stored by you if the owner of that account asks you to?
> I haven't looked into this example, but I suspect even the name of a client on a bill would be subject to the GDPR.
Common sense says that data on documents you are legally required to store, like for example invoices, is exempted from deletion during the legal storage duration. After that, why not anonymize them or delete them completely?
Things become pretty easy if the default becomes not storing any data, and only making exemptions from it after careful consideration of whether it's really needed, what private data it contains, and how it has to be handled based on that.
Data is not just a resource, it is also a liability.
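The "delete IP addresses as soon as possible" and "store nothing by default" advice in the posts above can be turned into a concrete data-minimization pass over web server logs. The following is an added example, not code from anyone in this thread: it coarsens client addresses (IPv4 to its /24, IPv6 to its /48, a common anonymization convention chosen here as an assumption), drops the username field, and enforces a short retention window. The log lines and the 7-day window are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines in combined log format (not from any real system).
SAMPLE_LOG = """\
203.0.113.42 - alice [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
2001:db8:abcd:1234::1 - bob [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 0
not-an-ip - - [10/Oct/2023:13:55:38 +0000] "GET /robots.txt HTTP/1.1" 404 153
"""

# Prefix of a combined-log-format line: client IP, identd, user, then everything else.
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) (?P<rest>.*)$')
# The timestamp field, e.g. [10/Oct/2023:13:55:36 +0000]
TS_RE = re.compile(r'\[(?P<ts>[^\]]+)\]')


def truncate_ip(raw):
    """Coarsen an address so it no longer singles out one device or household.
    IPv4 keeps the /24, IPv6 keeps the /48 (assumed policy); unparseable input
    becomes '-' rather than being passed through, so garbage never leaks a value."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return '-'
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def minimize_line(line):
    """Replace the client IP with its truncated form and blank the user field.
    Lines that do not match the expected format are dropped (return None)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return f"{truncate_ip(m['ip'])} - - {m['rest']}"


def minimize_log(text):
    """Apply minimize_line to every non-empty line of a log file's contents."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        reduced = minimize_line(line)
        if reduced is not None:
            out.append(reduced)
    return out


def line_timestamp(line):
    """Parse the bracketed request timestamp; None if absent or malformed."""
    m = TS_RE.search(line)
    if not m:
        return None
    try:
        return datetime.strptime(m['ts'], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None


def retain(lines, now, max_age_days):
    """Keep only lines younger than the retention window. Lines with no usable
    timestamp are discarded, since their age cannot be justified."""
    cutoff = now - timedelta(days=max_age_days)
    kept = []
    for line in lines:
        ts = line_timestamp(line)
        if ts is not None and ts >= cutoff:
            kept.append(line)
    return kept


if __name__ == "__main__":
    reduced = minimize_log(SAMPLE_LOG)
    now = datetime(2023, 10, 12, tzinfo=timezone.utc)
    for line in retain(reduced, now, max_age_days=7):
        print(line)
```

Run this as a cron job over rotated logs (or at ingestion time) and the raw addresses never reach long-term storage, which is what makes the later "adjust the backups" problem disappear: there is nothing identifying in them to adjust.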
> We'll have to wait a while before we know for sure, but one loser might be technology startups, especially European ones.
Or it may be a great opportunity for them to differentiate by developing non-privacy-invading business models, protected from being undercut by "free" (because we sell your data) competitors.
Well that's ... kind of the point, isn't it? If they're not going to be compliant and respect our privacy, or even if they kind of would like to be sort of privacy-respecting in a sense except that their business model precludes them from actually being able to be compliant however since business models are rather subject to change especially with the SV "get venture capital and break stuff" mentality, such that even the "in a sense" part is exceedingly likely to become unjustifiably cost-inefficient as soon as the business gets big enough to believe they can get away with it (like, you know, Facebook, Google, etc), ... then, good riddance, right?
I mean, just because a company believes they can claim to "respect your privacy" without actually being compliant to the EU regulations specifying they should do such, let's call it a cultural difference then.
You don't know that yet. There is not a great track record anywhere for implementing radical reform without significant unintended consequences.
It's totally reasonable to be cautiously optimistic, but when people are only barely not frothing around the mouth at the prospect of landing a punch on Goliath, I'd err on the side of caution, at least until we see how the chips fell.
I'm with this sentiment too. I think there are plenty of laws with good intentions and unforeseen side effects which range from harmful to annoying and inconsequential (Prop 65 warnings, EU cookie law, South Korea Internet Explorer mandate). They all seemed good at the time, I'm sure.
Then the problem with technology laws is we have to live with them far beyond their usefulness since the tech evolves so quickly.
Only real freedom is financial. Americans don't usually like to preemptively create rules and regulations that could hinder innovation or hurt businesses.
It's pretty good, actually. I prefer being poor in the EU over being poor in the US. Privacy is just one of the many benefits. I've been saying "maybe we have different values" a lot in this thread, but in this case, I suggest you ask poor people in the US what they prefer. Because I get the sense that you're not poor (in a strictly financial sense, that is, because even as a poor EU-citizen I probably get more affordable healthcare :p).
It is good that they are protecting their citizens from exploitation by US companies, but it is not uncommon that it is easier to regulate a large company that is not your constituent.
The EU has not done so well on regulating diesel autos, for instance, but the US is knocking that one out of the park.
Your comparison is not correct. The practices of FB are not universally considered bad; many people are OK with them. The diesel scandal was a deliberate scheme to cheat everybody - you can't find anyone who considers what they did as good. And the Germans finally started arresting people, too - although the USA set a good example.
> The practices of FB are not universally considered bad, many people are OK with them
Really. Please point me at these people.
People that simply "don't care, yolo" do not count. People that have a stake in this because they have an interest in the tech business and fear that any decisions in this matter might negatively impact their business, also do not count (because a very specific yet vocal slice of the tech sector is hardly representative of what is "universally" considered right or wrong).
If you think that's too restrictive, and those are the only two groups you can point at, that's okay. I don't really believe those two groups (ignorance and business interest) should be considered representative of what is universally considered right or wrong. If you believe otherwise we'll have to agree to have a different view on ethics (which is a bit of a long discussion I'm not up for right now).
Everybody else I hear about this (I said "almost everybody" at first, but I can't think of anyone), DOES think it's bad, but admit that "what can you do, if everyone uses it" (hence the need for EU regulations!!) and because "it's really useful to keep in touch with long-distance friends and family, also to plan events etc", the latter being a reasonable point except there's nothing unique about FB's capability providing this service, and it's really easy enough to do it without violating privacy, if it weren't for FB dominating the social network sphere and forcing the privacy violations on the general public.