by danpalmer 2954 days ago
I feel like you’re making a bigger deal out of this than necessary, unless you’re doing some shady stuff with our data.

From what I can tell from various legal advice that I’ve read, as long as you’re working on implementing the changes, and have been following security best practices, nothing really changes on May 25th, and you’ll be able to take your time to become fully compliant, as long as you can demonstrate that’s what’s happening. In other words, good faith and best practice will get you far.

Your current reaction seems like a huge and unnecessary overreaction that is just harming your users, and unlikely to have any material impact to your legal risk.


Instapaper is owned by Pinterest. Pinterest is a large high profile company with millions of European users and would be a potential target of regulators looking to establish precedents of enforcement with a big name.

I highly doubt this decision was made lightly and was probably informed by actual legal professionals with knowledge of the regulators in question and not the 3rd party opinion of some guy on the internet who "feels like it's not that big of a deal."

But he's spot on about contacting the regulators because they already know they won't be in compliance.

Now would be a good time to do just that, and if the actual legal professionals thought it was a good idea to ban EU citizens but keep their data then maybe they should get better lawyers because that certainly won't work.

hmmm...

If I had an Instapaper account it would be interesting to submit a GDPR request tomorrow, and see what kind of reply I got. Now I don't, but I'm sure there are plenty of other interested people around.

In all likelihood, the answer from most companies would be "sorry we don't yet have the ability to provide that data, it's on the roadmap, you'll have to wait".
At which point the data subject can report them to the regulator. Hopefully everyone receiving such a response will do so. Companies have had 2 years warning.

For most small businesses and startups this is no big deal as 1 or 2 reports to the regulator isn't going to trigger anything. For those companies of a certain size, the regulator might take note of 1,000 reports in the first week. I imagine some of those will have the regulator check if they have had a self-report from the company for non-compliance. Maybe then an email to colleagues at other ICOs across Europe.

I keep reading the "two years warning" notion on HN. While that might be technically correct, the real problem was that nobody UNDERSTOOD what GDPR meant (including the legislators) and so to this day, its practical implementation will to no small part depend on the iterative conclusions and learning various implementors (e.g. companies) made in an arduous process since.

In other words, the first to think they were GDPR compliant might have had to redo a ton of work to adjust to more recent interpretations.

And let's not forget, for large orgs with complex infrastructure, this is a behemoth of an effort. There have been year-long projects in the two large tech companies I've had insight into since.

And while I'm at it, let me comment on the frequently expressed notion of "if you've respected your users in the past, you'll be fine!". Just to pick one counterargument: the right to be forgotten. That can only be implemented thoroughly and in the way the users expect it to work (i.e. delete everything but what you're legally required to retain) by finding a way to connect all user data so you know what to drop if need be. That is exactly the kind of action that's caused public outrage at big tech to begin with and it's not only potentially a huge effort, it also increases risk of abuse.

This all being said, I still think GDPR is a good idea at least in principle. And believe it or not, while everyone around me is really of compliance work, GDPR seems widely considered a good idea in principle across engineering in big tech.

Anything that doesn't say "We will do just that! It might take up to 30 days" and asks for up to two extensions afterwards is not compliant, so this would be an exceptionally dumb response.
This is ridiculous, it's not like they didn't have notice.
But that's the reality. At least they're working on it and the fact that a lot of companies massively overreact means they at least take data protection seriously now.
Most other companies haven't made the same decision, what's different about Instapaper?

Do they share reading habits with multiple third parties perhaps?

This is increasingly my suspicion. I'd expect that they could have solved any technical issues around disabling tracking or letting users opt-in/out by now, which leads me to suspect that they have their business model based on being able to share certain data. It's very possible that they've A/B tested GDPR compliant flows/messaging, and found that their metrics/revenue dropped enough that they feel they have to do something more drastic. Although the argument against that is the fact they have literally just disabled access for European users.
GDPR has basically turned the lights on all of the companies doing questionable things with user data. Shutting down or turning off the EU is a huge red flag.
No it’s not. The way big companies are dealing with the GDPR is to ask their lawyers what to do. The lawyers define compliance very expansively since they’re not the ones doing the work and they are the ones who will be blamed if the EU comes after the company. So they say, “every single trace of anything related to user data must be purged.” So the company asks every engineering team to fill out a 200 point checklist about what they are doing with user data.

So, unless you’re saying that “Pinterest’s site reliability team can’t answer question 192 about how user data is deleted from the incident management system logs when an event is traced” is a “huge red flag” then you are exaggerating the issue.

Probably worth reading this.

https://jacquesmattheij.com/gdpr-hysteria

EU agencies would prefer compliance over fines and would work with businesses to help them. As the article suggests, prosecution/fines will come when all other avenues are exhausted not the starting point.

Says some random dude on the Internet that seems to be a tremendous fan of GDPR. I prefer to base my understanding of laws on the text of the law. This one says that no warnings are required and that fines can be up to 20M EUR.
>> Says some random dude on the Internet that seems to be a tremendous fan of GDPR.

Let's be a little self-conscious here, shall we?

Of all the articles on HN that discuss the GDPR that I've read, I've found one that you didn't contribute to and your contributions never show an "understanding of laws based on the text of the law". For instance, you have consistently claimed that there will be 28 (btw, not 27) different interpretations of the law, completely disregarding entire articles devoted to the consistent application of the Regulation- which, as a regulation, does not need to be made into local law and is applicable across the bloc.

You are clearly on a warpath against the GDPR, which is perfectly fine of course; yet at the same time you accuse jacquesm of being a "tremendous fan of the GDPR". If you can express your opinion despite having an agenda, so can he - and he seems to be much better informed of the law than you are.

Edit: Just to clarify, I don't have some axe to grind against you. You're one of the few users whose handle I recognise because your comments in GDPR threads stand out so much in their fervour and because there are so many of them.

I’m not on the warpath, but I will consistently dispute rosy predictions about the “good natured enforcers” (a direct quote from Jacques) of GDPR. No law or regulation this easy to violate, with fines this large, that claims extraterritorial powers, has ever not been abused, and this will be no exception.

With regard to your claim that it will not be subject to unique interpretations in each country within the EU, that simply isn’t true. Each country will have its own enforcement agencies. They’ll enforce it in different ways, and to different degrees. Since this regulation is so vague, it simply isn’t possible that they will all interpret and enforce it in the same way.

You seem to be in Jacques' corner, claiming that our new self-appointed privacy overlords will be perfectly coordinated and “good natured”. As someone with quite a bit of experience dealing with government agencies, I can tell you that few of those that seek out relatively low-paying government jobs where the primary perk is having power over other people are “good natured”. There will be abuses.

The good news is that D-Day is here, and now we can all stop arguing and watch to see whose predictions come true.

Neither of you are right. The EU is not going to go out guns blazing with $20m fines for small companies. They’re also not going to host a drum circle for companies to harmoniously join the movement towards better user privacy. They’re going to get some big fines out there on big companies (who doesn’t love free money) and also go after smaller companies actively doing bad things with user data. Yes, they could, but in the same way that the person standing at the bus with you could punch you in the face. It might happen, but realistically, it probably won’t, and you’re probably not actively prepping for it.
As Jacques and I have said; that simply means panic and it is not needed. You maybe do not live in the EU but the letter of the law is not such a thing here as it might be in the US (and although punishment is harsher and often far harsher than it is here, the US also looks at intent). The EU is not going to punish any company that has the intent to offer its users privacy under this law, but made some mistakes or forgot things. They made this especially vague simply because a) we know they are not going to blanket destroy all violators anyway (we have many crazy vague laws for many decades; no one cares) b) if someone is clearly violating (and I am looking at you, obfuscating user tracking ad companies who, until now, got around previous regulations by moving servers to other countries and other tricks) they want to be able to enforce, no matter what. This is all very clearly based on user intent, not letter of the law. It might be incredibly hard for litigious country citizens to understand, but we have been living all our lives (and it differs per country as well) with this.
That's the recipe for political enforcement of draconian laws. It's especially dangerous for big foreign American companies which are perfect for politicians to demagogue about. I would not bet the business on any extra-legal grace from their bureaucracy.
"political enforcement of draconian laws"... like: how the US uses its extra-territorial law to fine US businesses' competitors (banks, industry...)? ;-) It's funny to see how the US way of mixing law and business is terrifying when others may use it too, no? Anyway: it hasn't been how Europe worked until now, so relax. The French regulator said, for example, that it won't enforce the regulation strictly... because... well... EU companies aren't more ready than US ones. And they'll have to.
Under existing law companies can be fined somewhat ridiculous amounts for data breaches and essentially never are, so why exactly would the enforcement strategy change for the GDPR? Maximum sentences just aren’t an EU thing, nobody gets them unless they’re wilfully causing damage to people and this isn’t their first time. I don’t know if America does things differently, but based on what I know, it doesn’t - maximum fines and sentences are essentially never passed out there either.
Where do you see the "no warnings are required"?

Article 58 says that fines can be issued along with, or in place of, other enforcement action. That isn't "no warnings". Plus if you read the text of the law you would note that it is very clear that the size of the fine is dependent on 11 factors, many of which revolve around future compliance and efforts made by the business to resolve the breach and showing willingness to comply.

My "feels like it's not that big of a deal" is based on my own company's approach, legal advice I've seen, and internal training.

I realise that Pinterest is large and I'm sure they have sought legal advice, but that doesn't stop this coming across as an overreaction, if one assumes that they _aren't_ using the data in ways that explicitly violate the rights granted by the GDPR.

Now if they are explicitly violating those rights, that's another story! I'd rather attribute it to ignorance than malice though.

> would be a potential target of regulators looking to establish precedents of enforcement with a big name.

Shouldn't law apply equally to everyone? One could have thought that setting an example "to show them!" wouldn't have occurred in a civilised country.

In a world of limited resources, it makes sense that regulators would pursue enforcement against entities that impact a large number of people.
In such a world, it would make more sense to limit the scope of the law until enforcement can catch up. Minimally enforced laws that are enforced subjectively are problematic regardless of why.
Are you suggesting that the US government suspend income tax while they hire enough people in the IRS to go through every individual's tax return?
No, I'm suggesting they don't add any more compliance rules with new punishments unless they staff up.
Minimal enforcement can be used to make everyone a criminal. You then selectively apply the law against people you don’t like.

Taxation (I would hope) is not minimally enforced.

It's a union, not a country and it definitely won't go after big players with any kind of prejudice. It will go after those who flout the regulation, big and small.

Because it's the EU and not some other Union.

Regulators only have so many hours in the day. Prioritizing high visibility infringers can persuade lower visibility infringers to get into compliance.
Not sure how they could persuade if they won't go after lower visibility infringers? I can't follow your logic.
No one said "they won't go after small timers". Hitting the big players hard makes everyone wary of violating and they will absolutely catch some small fish as well.

It's just silly to expect any enforcement body to go after everyone equally. It doesn't even make sense; company A has data on 1.5B people, company B has data on 27 people and the owner's mother. Why would you go after B before A?

They have said this.

a) they have said they don't want to punish companies for the sake of it, they want to use it as an incentive to fundamentally change the approach to the handling of user data. This means not suing tiny companies for more money than they are worth.

b) they have said that the standards will roughly increase with the size of the company and resources it has. A company with 27 users (and few employees) would not be expected to have a data protection officer, or many of the control processes that a company with data on 1.5B people would.

I never said they wouldn't. But showing that they're willing to go after infringers is easier when you use high visibility cases to do it.
https://jacquesmattheij.com/gdpr-hysteria

Setting an example is how the US regulators work, not so much the EU.

> I feel like you’re making a bigger deal out of this than necessary, unless you’re doing some shady stuff with our data.

Seeing this completely false sentiment repeated over and over again is getting exhausting. Only a tiny fraction of the companies avoiding EU traffic due to GDPR have any intention of “doing shady stuff with your data”.

GDPR is highly complex, and as of tomorrow, allowing EU traffic invites massive liabilities that most companies outside the EU won’t be willing to take on. While Instapaper likely will eventually relaunch in the EU because of its footprint there, the reality is that EU residents are going to be blocked from a large percentage of the world’s websites. The liability is just too great and the rewards too small for most companies outside the EU. You guys chose to make your traffic radioactive. These are the consequences.

>I feel like you’re making a bigger deal out of this than necessary, unless you’re doing some shady stuff with our data.

This sentiment and the hilariously large fines (regardless of company size, even) on relatively-ill-defined requirements make the whole GDPR process feel like it was designed to bully businesses into compliance.

Some pieces of GDPR are definitely for the benefit of the end-user (at the expense of companies, who happen to be providing those users other benefits). It all feels really heavy-handed, though.

Not to mention a little reminiscent of the problems that occur with other "bans" (which, this effectively is). When you put heavy legal restrictions on doing X (where, in this case, X is storing and processing data that you assumedly use to provide a service for users), you're effectively hurting the legitimate businesses most (_especially_ small ones) while the real "bad guys" that are actually doing bad things with our data are going to continue ignoring the law. There might be some value in-between, but I doubt there's much.

>This sentiment and the hilariously large fines (regardless of company size, even) on relatively-ill-defined requirements make the whole GDPR process feel like it was designed to bully businesses into compliance.

>Some pieces of GDPR are definitely for the benefit of the end-user (at the expense of companies, who happen to be providing those users other benefits). It all feels really heavy-handed, though.

The GDPR isn't vastly different to the old Data Protection Directive, which has been in force since 1997. The panic over GDPR suggests that a lot of companies had simply been ignoring the DPD. If a bit of bullying is required to get businesses to obey the law, then so be it.

> “bully businesses into compliance“

I am not sure I understand this sentence. That’s what laws do. “Bully” you into compliance. I think you might have meant something else?

> while the real "bad guys" that are actually doing bad things with our data are going to continue ignoring the law.

This is already happening without the GDPR (carders, dumps, etc), so I don't buy it. The black-market analogy (e.g. illegal drugs) also doesn't hold when applied to companies.

> the hilariously large fines (regardless of company size, even)

Oh no, proportional fines! How socialist!

The whole point is to make it somewhat independent of the company size, so bigger companies won't just swallow the fines. This is typically what Google et al do, they just factor it in to the cost of business. The GDPR wasn't written in a vacuum.

>The whole point is to make it somewhat independent of the company size, so bigger companies won't just swallow the fines.

Ironically, it's the bigger companies that can still just swallow the fines and the little companies that just effectively vanish into bankruptcy.

> You guys chose to make your traffic radioactive

Er. I vote in an EU country, but I don't feel like I "chose" anything. GDPR was mostly developed by institutions (Council of Europe, European Commission) formed of people that were not directly elected by European voters. In any case, given that personal data management issues are not a prominent part of the political discourse (even in the EU), I'd be surprised if any of the people in charge were elected because of their position on data protection.

It so happens that European institutions have come up with GDPR, but I don't think it is fair to see it as a conscious choice from EU voters.

> the reality is that EU residents are going to be blocked from a large percentage of the world’s websites

I'd be interested in seeing supporting evidence for this rather surprising claim. I'd conjecture that the "vast majority" is the long tail of small websites who haven't heard about GDPR or don't care about it; so I'm not too worried.

Let's stop peddling the misconception that the EU operates significantly differently than any other Western democracy. The civil servants answer ultimately to the MEPs, who are elected. Most people either do not vote or do not engage, as is the case to a lesser extent in their national elections. You can still lobby your MEP when an issue was not part of their platform.
"Only a tiny fraction of the companies avoiding EU traffic due to GDPR have any intention of “doing shady stuff with your data”."

Says who? If they weren't doing shady stuff, they wouldn't be pulling out of the EU. The excuses of being complex are just that, excuses.

Says who?

Says anyone with common sense. What percentage of sites do you think employ data scientists or would even know where to go to sell your data? Most sites do nothing more than throw GA on their website, and maybe some Adsense. You people decided to paint that as something evil.

That’s your decision to make, but just understand that most of the rest of the world wants no part of $20M potential fines and will simply take their ball and go home. This law will have the net effect of creating two Internets - one for the EU and one for the rest of us.

>Most sites do nothing more than throw GA on their website, and maybe some Adsense

That actually is a problem. GA is a clear violation of everyone's privacy.

"Says anyone with common sense."

Where "common sense" means "agrees with downandout", not the more traditional definition of "common sense".

Well, Instapaper is owned by Pinterest. Pinterest strikes me as a company of such a size that they'd have no problem finding some way to monetize the data gathered from their users.
Have you seen some of the lists of where your data goes that some sites have posted? It's frankly frightening how far your data gets dispersed after signing up for just one website.
If you get a request today, you've got a month to comply, so in a way you're right. However, it really depends on how big your company is and how little you have prepared. Your absolute minimum is to have a statement that says that you are going to use the data you gather for contract purposes and to list the 3rd parties that you need to send that data to for contract purposes.

But then, if you are using data for other purposes, it's a bit complicated because you'll have to refrain from doing so until you are compliant. It doesn't necessarily have to be shady stuff. Even if you aren't sure if what you are doing is contract basis or not, it can be a pain. It's not necessarily massively difficult, but if you woke up yesterday and thought "OMG! We haven't done GDPR! What are we going to do?", then I can see this.

I've written earlier about how the company I'm working for now has changed what it is doing with data, even though I don't think they were doing anything shady previously. But it's more like, "Do we really want to list a lot of things and piss off the customer?" So now there are heated discussions of what 3 (or whatever other small number) of things we might collect data for because we believe that's the kind of limit that the customer will tolerate.

All of these discussions take time -- especially in a large organisation. And you can see in discussions on HN, there is going to be a large backlash of "Why do we have to do this anyway? Can't we just ignore it?" which wastes a lot more time.

Sounds like they want to be compliant, but are just not ready yet. A miss on their part, but hopefully they will get things in order quickly.

> Your current reaction seems like a huge and unnecessary

It's most likely action based on what their suits (Lawyers) recommended, and not a reaction.

Possibly, although other lawyers are saying other things, and my understanding of the official guidance suggests this is an overreaction.
You seem to be presuming guilt before innocence. Most strong advocates of GDPR seem to have this attitude. Perhaps the regulators will, too.

Using that line of reasoning, Pinterest is making a very prudent decision.