[matthewmacleod]

I found this regulation put too much burden on small businesses.

It's not. You are wrong.

What if this law will be abused as a tactic to attack business competitions?

Why would that happen?

How do you understand this "security appropriateness" of the above text? How can you be sure your understanding is correct?

You use your knowledge or regulation to read and make decisions. If you don't have the required experience, you hire a consultant or a lawyer. Just like you do when complying with any other piece of legislation.

[evervevdww221]

What if this law will be abused as a tactic to attack business competitions? Why would that happen?

> For example, Business A has a competitor startup B who has less resources to hire security consultant. Business A hence hired person C to register the service provided by B with a weak password and hire D to breach C's account. C claims that he has been hacked, so he brings startup B to court. B goes bankrupt because it runs out of money to hire lawyers.

You use your knowledge or regulation to read and make decisions. If you don't have the required experience,

> How do I know I have required experience (what experience is required is not said in the regulation text)? I know md5 is insecure and you need salting on password. I'm self learned, garage based entrepreneur with $1000 in my bank to either buy food or hire a consultant, is that required experience?

[matthewmacleod]

B goes bankrupt because it runs out of money to hire lawyers.

Right, that's like any other malicious lawsuit – i.e. this is totally irrelevant.

I'm self learned, garage based entrepreneur with $1000 in my bank to either buy food or hire a consultant, is that required experience?

Yes. If you don't have the knowledge or resources to correctly comply with appropriate regulation, then you should not be operating in a space. "I didn't know that I needed to keep raw and cooked meat separate" would not be a valid excuse in food prep; why would "I didn't know I needed to use a secure hash" a valid excuse for an engineer?

[closeparen]

Food safety standards are a concrete set of rules that are trivially captured in training for low-wage, low-literacy, high-turnover workers. Restaurants do not need to hire specialist lawyers to guess at how the courts might interpret them. This analogy is completely inappropriate.

[TheCoelacanth]

Food safety standards are actually a good example of how laws don't include specifics like "keep raw and cooked meat separate".

For example, the FDA Food Safety and Modernization Act[1] doesn't include specifics about how food should be handled. It specifies some areas where the FDA is supposed to issue rules and then the FDA makes rules based on the authority that the law gives it.

GDPR has Data Protection Offices that issue more specific guidance about how to comply. For instance, the UK Data Protection Office issued this guidance[2] about how to prepare for GDPR.

[1] https://www.fda.gov/NewsEvents/PublicHealthFocus/ucm239907.h...

[2] https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-s...

[zanny]

So just set the bar of compliance to start any company at several hundred thousand dollars (which is pretty much where it is) and you get the lovely contemporary effect of 40 year lows in new business creation[1][2].

There are active, observable, and semi-quantifiable costs to society when lawmakers create arcane, incomprehensible laws meant to prevent entry into markets by making the barrier of compliance too high for most people to afford to compete.

[1] http://money.cnn.com/2016/09/08/news/economy/us-startups-nea...

[2] https://www.washingtonpost.com/news/on-small-business/wp/201...

[matthewmacleod]

The GDPR is not arcane or incomprehensible. It’s quite simple, there are a million explanations out there about how to comply, and even in the case you don’t get it right regulators will invariably give you the benefit of the doubt.

Many things might cause low levels of business creation. I am entirely unconvinced that the cost of regulation is one of them.

[kitsunesoba]

The hiring a consultant/lawyer thing has potential to be troublesome for a lot of solo devs. Such services are not cheap and it’s not uncommon for independent devs to be very much cash-strapped.

I wonder if this means we’ll start to see sites/services start out as US only and only become available in Europe once finances are no longer an issue.