by guildenstern 2977 days ago
We (people who operate online services) are exposed to legal action already, but we aren’t worried about it because realistically there’s so little risk of being targeted. The same is true of the GDPR; the organisations responsible for ensuring GDPR compliance are going to have their hands full for years and years to come; by the time the little guys have anything to worry about the situation will be much better defined. I cannot see a scenario in which I’m going to be pursued because of accidental non-compliance with my revenueless service when there are so many large companies that can afford million-dollar fines who can’t even store passwords properly.

If you’re so risk averse that any minuscule chance of GDPR noncompliance precludes you from running an online service... aren’t you already not running anything because of existing legal risk?

GDPR simply reminds me of the other possible legal venues small owners can be sued over. So you might be right on your final point.

Can we just flat out assume the GDPR won't indeed be abused to scare away smaller players though? You are claiming they will be safe for years but what if bigger players want to make an example out of 5-10 smaller players and just report / sue them to hell and back?

I know I am reaching but this possibility can't be dismissed just like that. Historically, bigger players have exhausted smaller competition with legal fees and effectively driven them out of the market. We cannot in good conscience claim GDPR won't ever be used like that.

I'll be happy to be proven wrong in several years' time from now, but right now I am simply not sure if GDPR is gonna be used for or against the free market (competition). Not claiming either way, just saying the risk wouldn't be worth it for me for now.

Not biggest players, but your competitors to make your life a hell. I already have competitors that are butthurt and spread shit about me since their clients come to me and they lose business.

That's what I'm afraid of, not getting randomly picked by the regulators.

But would another company even have standing to sue? The GDPR is about personal data of natural persons. Such data subjects can sue under Art. 79 if their rights are violated. The most another company could do would be to “incentivize” a natural person to get their rights violated by you and then sue.

> Can we just flat out assume the GDPR won't indeed be abused to scare away smaller players though?

The language of the GDPR makes frequent references to the scope of the processing activity and to its frequency. The law purposefully applies less to smaller controllers. The authorities have made their job harder for going after smaller controllers.

Moreover, the GDPR is done in the scope of the EU, which is not very litigious. Bigger players are unable to bring legal claims against smaller players in any way. The only way for them to game this system would be to fraudulently lodge complaints at the data protection authorities who would have to not notice what is going on and actually bring action against the smaller players.