Hacker News
by pembrook 2954 days ago
Instapaper is owned by Pinterest. Pinterest is a large high profile company with millions of European users and would be a potential target of regulators looking to establish precedents of enforcement with a big name.

I highly doubt this decision was made lightly and was probably informed by actual legal professionals with knowledge of the regulators in question and not the 3rd party opinion of some guy on the internet who "feels like it's not that big of a deal."


But he's spot on about contacting the regulators because they already know they won't be in compliance.

Now would be a good time to do just that, and if the actual legal professionals thought it was a good idea to ban EU citizens but keep their data then maybe they should get better lawyers because that certainly won't work.

hmmm...

If I had an instapaper account it would be interesting to submit a GDPR request tomorrow, and see what kind of reply I got. Now I don't, but I'm sure there are plenty of other interested people around.

In all likelihood, the answer from most companies would be "sorry we don't yet have the ability to provide that data, it's on the roadmap, you'll have to wait".
At which point the data subject can report them to the regulator. Hopefully everyone receiving such a response will do so. Companies have had 2 years warning.

For most small business and startups this is no big deal as 1 or 2 reports to the regulator isn't going to trigger anything. For those companies of a certain size, the regulator might take note of 1,000 reports in the first week. I imagine some of those will have the regulator check if they have had a self-report from the company for non-compliance. Maybe then an email to colleagues at other ICOs across Europe.

I keep reading the "two years warning" notion on HN. While that might be technically correct, the real problem was that nobody UNDERSTOOD what GDPR meant (including the legislators) and so to this day, its practical implementation will in no small part depend on the iterative conclusions and learning various implementors (e.g. companies) made in an arduous process since.

In other words, the first to think they were GDPR compliant might have had to redo a ton of work to adjust to more recent interpretations.

And let's not forget, for large orgs with complex infrastructure, this is a behemoth of an effort. There have been year-long projects in the two large tech companies I've had insight into since.

And while I'm at it, let me comment on the frequently expressed notion of "if you've respected your users in the past, you'll be fine!". Just to pick one counter argument: the right to be forgotten. That can only be implemented thoroughly and in the way the users expect it to work (i.e. delete everything but what you're legally required to retain) by finding a way to connect all user data so you know what to drop if need be. That is exactly the kind of action that's caused public outrage at big tech to begin with and it's not only potentially a huge effort, it also increases risk of abuse.

This all being said, I still think GDPR is a good idea at least in principle. And believe it or not, while everyone around me is really of compliance work, GDPR seems widely considered a good idea in principle across engineering in big tech.

> the real problem was that nobody UNDERSTOOD what GDPR meant (including the legislators)

There we have to disagree. It's not like this is something new and untried.

GDPR is a development from long-standing, and now very well understood, Data Protection. The legislation seems mainly intended to modernise some of the definitions and scope (e.g. adding biometrics to PII), catch some newer practices, and make very plain and explicit that it doesn't just apply to EU companies.

In 1996 and 97 in the run up to the 1998 Data Protection Directive I recall a couple of common confusions and misunderstandings. Nothing like the ridiculously poor and simply incorrect reporting we have for this.

Any large org should have been fully compliant with DPA for years. They have to add extra mechanisms for explicit opt-in or deletion and get a little less time to retrieve full data and can't charge. That doesn't seem to need a "behemoth of effort", but not to say it's necessarily entirely trivial.

In other words they survived DPA with no apparent effect, yet it's >80% of GDPR with the same definitions. No one should be iteratively fumbling toward an unclear target at all. Even reading the UK ICO's old guide to 1998 Data Protection from a few years ago gets you most of the way there including understanding personal data.

But there are not massive differences between the laws we've had for many years - for a UK example PECR and DPA implement EU regulations and contain many of the same principles around lawful basis, limiting the amount of data that's held and the length of time it's held for, etc.
Anything that doesn't say "We will do just that! It might take up to 30 days" and asks for up to two extensions afterwards is not compliant, so this would be an exceptionally dumb response.
This is ridiculous, it's not like they didn't have notice.
But that's the reality. At least they're working on it and the fact that a lot of companies massively overreact means they at least take data protection seriously now.
You don't ignore a law for 2 years and then just after it comes into force say "at least we're working on it". Honestly I thought the GDPR was a bit of an overreaction when it came out 2 years ago but seeing how little respect companies have for our data over the last few weeks I've been convinced it was necessary.
Most other companies haven't made the same decision, what's different about Instapaper?

Do they share reading habits with multiple third parties perhaps?

This is increasingly my suspicion. I'd expect that they could have solved any technical issues around disabling tracking or letting users opt-in/out by now, which leads me to suspect that they have their business model based on being able to share certain data. It's very possible that they've A/B tested GDPR compliant flows/messaging, and found that their metrics/revenue dropped enough that they feel they have to do something more drastic. Although the argument against that is the fact they have literally just disabled access for European users.
GDPR has basically turned the lights on all of the companies doing questionable things with user data. Shutting down or turning off the EU is a huge red flag.
No it’s not. The way big companies are dealing with the GDPR is to ask their lawyers what to do. The lawyers define compliance very expansively since they’re not the ones doing the work and they are the ones who will be blamed if the EU comes after the company. So they say, “every single trace of anything related to user data must be purged.” So the company asks every engineering team to fill out a 200 point checklist about what they are doing with user data.

So, unless you’re saying that “Pinterest’s site reliability team can’t answer question 192 about how user data is deleted from the incident management system logs when an event is traced” is a “huge red flag” then you are exaggerating the issue.

Probably worth reading this.

https://jacquesmattheij.com/gdpr-hysteria

EU agencies would prefer compliance over fines and would work with businesses to help them. As the article suggests, prosecution/fines will come when all other avenues are exhausted not the starting point.

Says some random dude on the Internet that seems to be a tremendous fan of GDPR. I prefer to base my understanding of laws on the text of the law. This one says that no warnings are required and that fines can be up to 20M EUR.
>> Says some random dude on the Internet that seems to be a tremendous fan of GDPR.

Let's be a little self-conscious here, shall we?

Of all the articles on HN that discuss the GDPR that I've read, I've found one that you didn't contribute to and your contributions never show an "understanding of laws based on the text of the law". For instance, you have consistently claimed that there will be 28 (btw, not 27) different interpretations of the law, completely disregarding entire articles devoted to the consistent application of the Regulation- which, as a regulation, does not need to be made into local law and is applicable across the bloc.

You are clearly on a warpath against the GDPR, which is perfectly fine of course; yet at the same time you accuse jacquesm of being a "tremendous fan of the GDPR". If you can express your opinion despite having an agenda, so can he - and he seems to be much better informed of the law than you are.

Edit: Just to clarify, I don't have some axe to grind against you. You're one of the few users whose handle I recognise because your comments in GDPR threads stand out so much in their fervour and because there are so many of them.

I’m not on the warpath, but I will consistently dispute rosy predictions about the “good natured enforcers” (a direct quote from Jacques) of GDPR. No law or regulation this easy to violate, with fines this large, that claims extraterritorial powers, has ever not been abused, and this will be no exception.

With regard to your claim that it will not be subject to unique interpretations in each country within the EU, that simply isn’t true. Each country will have its own enforcement agencies. They’ll enforce it in different ways, and to different degrees. Since this regulation is so vague, it simply isn’t possible that they will all interpret and enforce it in the same way.

You seem to be in Jacques' corner, claiming that our new self-appointed privacy overlords will be perfectly coordinated and "good natured". As someone with quite a bit of experience dealing with government agencies, I can tell you that few of those that seek out relatively low-paying government jobs where the primary perk is having power over other people are "good natured". There will be abuses.

The good news is that D-Day is here, and now we can all stop arguing and watch to see whose predictions come true.

Neither of you are right. The EU is not going to go out guns blazing with $20m fines for small companies. They’re also not going to host a drum circle for companies to harmoniously join the movement towards better user privacy. They’re going to get some big fines out there on big companies (who doesn’t love free money) and also go after smaller companies actively doing bad things with user data. Yes, they could, but in the same way that the person standing at the bus with you could punch you in the face. It might happen, but realistically, it probably won’t, and you’re probably not actively prepping for it.
As Jacques and I have also said; that simply means panic and it is not needed. You maybe do not live in the EU but the letter of the law is not such a thing here as it might be in the US (and although punishment is harsher and often far harsher than it is here, the US also looks at intent). The EU is not going to punish any company that has the intent to offer its users privacy under this law, but made some mistakes or forgot things. They made this especially vague simply because a) we know they are not going to blanket destroy all violators anyway (we have had many crazy vague laws for many decades; no one cares) b) if someone is clearly violating (and I am looking at you, obfuscating user tracking ad companies who, until now, got around previous regulations by moving servers to other countries and other tricks) they want to be able to enforce, no matter what. This is all very clearly based on user intent, not letter of the law. It might be incredibly hard for litigious country citizens to understand, but we have been living all our lives (and it differs per country as well) with this.
That's the recipe for political enforcement of draconian laws. It's especially dangerous for big foreign American companies which are perfect for politicians to demagogue about. I would not bet the business on any extra-legal grace from their bureaucracy.
"political enforcement of draconian laws"... like: how the US uses its extra-territorial law to fine US businesses' competitors (banks, industry...)? ;-) It's funny to see how the US way of mixing law and business is terrifying when others may use it too, no? Anyway: it hasn't been how Europe worked until now, so relax. The French regulator said, for example, that it won't enforce the regulation strictly... because... well... EU companies aren't more ready than US ones. And they'll have to.
The US paving the way for such practices is not exactly reassurance. If the laws are so complex nobody is capable of operating within them, the result is a police state. Being subject to arrest at any time because the law of the land explicitly gives the government that power or because it is so byzantine that nobody can know all of it works out to the same thing in the end.

Your argument seems to be that a police state where the authorities have a lighter touch is preferable. That's obviously true compared to a draconian police state, but it's a police state either way.

Under existing law companies can be fined somewhat ridiculous amounts for data breaches and essentially never are, so why exactly would the enforcement strategy change for the GDPR? Maximum sentences just aren’t an EU thing, nobody gets them unless they’re wilfully causing damage to people and this isn’t their first time. I don’t know if America does things differently, but based on what I know, it doesn’t - maximum fines and sentences are essentially never passed out there either.
Where do you see the "no warnings are required"?

Article 58 says that fines can be issued along with, or in place of, other enforcement action. That isn't "no warnings". Plus if you read the text of the law you would note that it is very clear that the size of the fine is dependent on 11 factors, many of which revolve around future compliance and efforts made by the business to resolve the breach and showing willingness to comply.

My "feels like it's not that big of a deal" is based on my own company's approach, legal advice I've seen, and internal training.

I realise that Pinterest is large and I'm sure they have sought legal advice, but that doesn't stop this coming across as an overreaction, if one assumes that they _aren't_ using the data in ways that explicitly violate the rights granted by the GDPR.

Now if they are explicitly violating those rights, that's another story! I'd rather attribute it to ignorance than malice though.

> would be a potential target of regulators looking to establish precedents of enforcement with a big name.

Shouldn't law apply equally to everyone? One could have thought that setting an example "to show them!" wouldn't have occurred in a civilised country.

In a world of limited resources, it makes sense that regulators would pursue enforcement against entities that impact a large number of people.
In such a world, it would make more sense to limit the scope of the law until enforcement can catch up. Minimally enforced laws that are enforced subjectively are problematic regardless of why.
Are you suggesting that the US government suspend income tax while they hire enough people in the IRS to go through every individual's tax return?
No, I'm suggesting they don't add any more compliance rules with new punishments unless they staff up.
Minimal enforcement can be used to make everyone a criminal. You then selectively apply the law against people you don’t like.

Taxation (I would hope) is not minimally enforced.

It's a union, not a country and it definitely won't go after big players with any kind of prejudice. It will go after those who flout the regulation, big and small.

Because it's the EU and not some other Union.

Regulators only have so many hours in the day. Prioritizing high visibility infringers can persuade lower visibility infringers to get into compliance.
Not sure how they could persuade if they won't go after lower visibility infringers? I can't follow your logic.
No one said "they won't go after small timers". Hitting the big players hard makes everyone wary of violating and they will absolutely catch some small fish as well.

It's just silly to expect any enforcement body to go after everyone equally. It doesn't even make sense; company A has data on 1.5B people, company B has data on 27 people and the owner's mother. Why would you go after B before A?

They have said this.

a) they have said they don't want to punish companies for the sake of it, they want to use it as an incentive to fundamentally change the approach to the handling of user data. This means not suing tiny companies for more money than they are worth.

b) they have said that the standards will roughly increase with the size of the company and the resources it has. A company with 27 users (and few employees) would not be expected to have a data protection officer, or many of the control processes that a company with data on 1.5B people would.

I think everyone is talking about the UK's ICO, which is just 1 of the 28. We have heard nothing from others and it's best not to make assumptions - the ICO may be following different rules in a year.
> This means not suing tiny companies for more money than they are worth.

Which effectively kills that company even if court finds their violation was minimal.

I never said they wouldn't. But showing that they're willing to go after infringers is easier when you use high visibility cases to do it.
https://jacquesmattheij.com/gdpr-hysteria

Setting an example is how the US regulators work, not so much the EU.