[tquinn]

I feel the EU regulators could stand to learn something. If EU citizens are small portion of your users, and your tasked with parsing this document http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

just blocking them doesn't seem like that bad of an idea, especially with the fines involved.

I think the things that bother me is:

1) A College student working on a side project with no revenue are treated the same as some massive multi-national.

2) It's a foreign requirement that feels like a violation of sovereignty. Most business/startup owners complain about there being too much domestic regulations, now we have to worry about things outside of our own countries -- that also can come into conflict with our domestic tax authorities on things like data retention. An international agreement would be entirely different.

3) The GDPR requires clear and concise language, but have done nothing of the sort when writing the regulations. For most websites outside of the EU, could they not have produced a concise 1-2 page infographic produced by the regulators themselves?

[takeitto]

> It's a foreign requirement that feels like a violation of sovereignty.

Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.

EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.

Your viewpoint pushed to the extreme (sorry if you don't recognize your original view): China selling counterfeit goods or unsafe toys to the US, and feeling like any push-back is messing with their sovereignty of lax copyright -, trademark -, and health laws.

[agensaequivocum]

>Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.

If I have a brick and mortar business in the US and some one from the EU decides to do business, do I have to follow EU consumer protection laws? Unless I have an physical presence in the EU why should I have to follow their regulations?

Further, why cannot the EU just allow its citizens just do business with other extra-national companies if they choose to? Meaning, if an EU citizen chooses to do business with a non-GDPR compliant website, why does the EU care?

>EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.

So what? If the EU wants to stifle competition, why should the US care. They are only hurting themselves.

[geocar]

> If I have a brick and mortar business in the US and some one from the EU decides to do business, do I have to follow EU consumer protection laws? Unless I have an physical presence in the EU why should I have to follow their regulations?

You don't.

If they're not In The Union, and you're not In The Union, then you're not required to comply with the GDPR.

> Further, why cannot the EU just allow its citizens just do business with other extra-national companies if they choose to? Meaning, if an EU citizen chooses to do business with a non-GDPR compliant website, why does the EU care?

It's impossible to give consent for something if you don't fully understand the ramifications of what you're consenting to[1].

[1]: https://www.nytimes.com/2018/03/17/us/politics/cambridge-ana...

[eli]

What does it mean for a website to "cater" to just my home country? The internet doesn't know political boundaries and most sites cater to all visitors on some marginal level.

[askmike]

Most websites are products nowadays. If you have a simple blog without trackers and ads this is really not going to effect you that much.

> The internet doesn't know political boundaries

Tell that to this US law the whole world has to comply with to called DMCA.

[eli]

Even my simple blog with no ads has google analytics on it. I don't feel like I was doing anything wrong or abusive, but I guess there's a case to be made.

I assure you I have been against the DMCA since before it passed, though I don't think it's quite the same nor do two wrongs make a right.

[AnaniasAnanas]

> Even my simple blog with no ads has google analytics on it.

I would suggest that you remove google analytics then. It only causes harm.

[ForHackernews]

Maybe you aren't, but Google probably is. You're helping Google monitor individuals everywhere they go online.

[cm2187]

DMCA is only one example. In the financial world, the extra-territoriality of US laws is widespread, such that for example even securities sold outside of the US, to non US customers, by non-US institutions, issued by non-US entities have long US laws compliance sections in their documentation. Non US banks outside of the US are reluctant to take US clients because of these laws (not dissimilar to the discussion on blocking EU IPs here).

[Lev1a]

I even read somewhere a while ago that the US claims jurisdiction on any financial transaction in the world as long as it's done using USD... Talk about overreach.

[guelo]

A simple blog without ads still collects IP addresses. It's as if the EU is trying to legislate that the web needs to behave like Tor.

[Sir_Substance]

IP addresses are not PII unless you also have timestamps and a legal avenue for querying the ISP records to see which account and thus person was behind the IP address at that time.

As a small blog, no ISP is going to give you the time of day, so it's not PII because you have no avenue for converting it to a person. If you transmit that data (say to google analytics) it might /become/ PII because google (or any other person you transmit it to) may combine it with other data they have access to, to turn it into PII.

The reasons large organizations are fretting about IP addresses are thus:

a) They have IP/timestamp records going back years, maybe decades

b) They may have ISPs willing to talk to them about who had the IP address at a specific time

c) They can't confidently allow that data to pass to partners in case their partners have access to ISP records

d) That data is a ticking timebomb, because even if they don't have an agreement with an ISP now, if an ISP offers that service for free to all takers in the future, their trove of IP/timestamp pairs could suddenly become PII overnight through no action from them

So yeah, for businesses operating at a certain scale, IP/timestamp combos are now a toxic asset. That doesn't mean your log files for your blog are suddenly a GDPR violation, unless you share them with people or have an inside track with a local ISP.

You can read more here: https://www.whitecase.com/publications/alert/court-confirms-...

[eli]

Doesn't point (d) apply equally to organizations of all sizes?

[pilsetnieks]

> still collects IP addresses

It doesn't have to.

[manfredo]

> Tell that to this US law the whole world has to comply to called DMCA.

If a site has no US presence and blocks all users in the US, what negative repercussion can violating the DMCA incur? Maybe their domain can be siezed, but that can be avoided by not having a domain hosted in the US. The US could block all traffic to the site, but that should be moot if the site has no US users.

[isostatic]

With the DMCA, if a US judge determines that a foreign company has broken the law, and someone associated with the company ever visits the US, that person is at a high risk of being orange-jump-suited in a barbaric punishment system.

It's been this way for nearly 20 years.

[manfredo]

This is outside the scope of my previous comment. If someone visits the US then they have a physical presence in the US.

I'm still failing to see how the original claim, that everyone has to abide by the DMCA, is true. This seems like claiming that everyone has to abide by Thailand's Lese Majeste laws (laws criminalizing insults to the monarchy). Yes people may face repercussion if they have an economic or physical presence in the country. But if they don't, then theres nothing Thailand can do to enforce this law .*

* not without cooperation with other countries at least. Some nearby countries are known to enforce Thailand's Lese Majeste laws abroad and extradite people. But in most countries, this isn't the case.

[takeitto]

The internet doesn't know, but e-commerce/data business pretty darn well knows where their customers/users are situated.

The old web was mostly static websites. We spoke of visitors. The new web is app-ified/interactive, walled off to logged-in agreement-abiding geolocated users, and even a single logged-out "visit" broadcasts this to 100s of trackers who will remember your every move online.

[eli]

Odds are whatever you were using on the old web to measure visitors would be a data processing activity under GDPR.

[ForHackernews]

If you aren't collecting and storing PII, you have nothing to fear from the GDPR. Even if you are, you're fine as long as you only collect what you legitimately need to offer your services.

[brassattax]

including targeted advertising campaigns?

[meko]

I find it odd that people take issue with regulation, perhaps its been ingrained into the cultural consciousness of the west that regulation is always bad, but historical analysis shows that regulation has always had an overwhelmingly net positive effect for the members of a given society. You can link the stage of a country's development to how effective their government is in protecting it's constituents.

[JBSay]

Aww that's cute!

[ajuc]

1. when you open a restaurant nobody cares you're a collage student. You have to have all the checks and permits to serve people food. It's not because somebody hates small businesses, it's because the right not to be poisoned is more important than the right to do business hassle-free. Why should internet be different?

2. Fuck your souvereignty. Seriously. USA has no problem violating secrecy of correspondency worldwide, and argues in length for years whether wiretapping its citizens is OK, because everybody agrees wiretapping others is perfectly fine. USA forces poor half of the world to follow ridiculous copyright law, including software patents and art becoming public domain after a century or more. There's no good will earned there, so don't expect a free pass cause of your feelings. Want to serve customers from other countries - have to obey the law there.

3. they probably could. Still - I'm sure there will be "GDPR as a service" soon. Maybe some libraries, frameworks and standards how to handle personal data will finally be created? This should have been done decades ago.

[SimbaOnSteroids]

Equivocating mishandling user data on a project that some kid in a dorm made for fun, which collects maybe an email address. With putting someone in the hospital with food poisoning is beyond a dishonest comparison.

[pilsetnieks]

So? Projects like that aren't forbidden now that the GDPR is in force. Just put up a paragraph explaining why you need that email address, an unchecked checkbox if you want them to agree to send irrelevant emails, and you're done.

When corporations like Equifax or Cambridge Analytica have engaged in identity theft to the tune of basically half the continent of North America, you want to repeal one of the few laws fighting against it with an argument about kids in dorm rooms? It's basically the tech equivalent of "won't somebody think of the children?"

[electrograv]

> Just put up a paragraph explaining why you need that email address, an unchecked checkbox if you want them to agree to send irrelevant emails, and you're done.

Oops, seems you’ve forgotten about the “right to be forgotten”, and several other requirements. Better prepare yourself for those >$20 million fines — how dare you negligently handle personal data, college software engineering student!

I’m all for strengthening privacy protections and punishing bad actors in this domain, but designing strong regulations that don’t have seriously bad unintended consequences, is a really really difficult task. I’m not necessarily saying it shouldn’t be done; just that I don’t envy the jobs of those trying their best to do good for the world via regulations without accidentally destroying some really good things.

It may turn out that GDPR has few unintended negative consequences, or it may turn out the harmful side effects are far more severe than anyone predicted. Only time will tell, I suppose.

Personally, I wish there were a technical solution to privacy concerns — something akin to DRM, but applied to each individual’s personal data to prevent it from being used in unauthorized ways. That’s about the only kind of DRM I think I could really get excited about :)

[ajuc]

It is very good that I can delete my e-mail from a website.

[electrograv]

I agree. My point wasn’t that the right to be forgotten is bad or wrong, but that the parent post ironically said “just add a checkbox and you’re good!” about GDPR compliance, and was not just wrong — but $20 million wrong!

Those kind of fines are simply not compatible with low quality advise like “Just add an opt-in checkbox, and you’re good to go for GDPR! What’s the big deal?”.

Overall, I like GDPR a lot (though as a disclaimer, I should say I haven’t read all ~80 pages yet).

Still, I am not as confident as many here that GDPR will have no serious unintended side effects.

Imagine for example if Google, Microsoft, Facebook, etc. all get hit with huge fines despite genuine best attempts by them to be compliant, after which they decide to cut their losses and exit the EU market entirely. Stock markets could crash globally, a new recession would occur, etc.

I very much doubt anything like that would happen, of course. But until things settle post-GDPR, I don’t think anyone can say for certain how this will economically affect the EU, and the world.

[infinite8s]

How are they going to collect those fines?

[ajuc]

Most of the time there will be no poisoning. Most of the time they will only collect e-mail address.

The law is designed to cover pessimistic case. You can get sick because of food poisoning, you can be robbed because your identity was stolen.

I don't think my comparison was dishonest.

[hk__2]

> Equivocating mishandling user data on a project that some kid in a dorm made for fun, which collects maybe an email address. With putting someone in the hospital with food poisoning is beyond a dishonest comparison.

Nobody’s saying both are treated equally under the GDPR. The law stays the same, the way it’s enforced is adapted to the case, like any juridiction. Whatever the situation, you always get a warning before being fined.

[lopmotr]

While I agree with your point 2 (remember CAN SPAM and DMCA!), that's called "whataboutism" which is usually seen as a bad argument. I wonder if it's only called a bad argument because people are on the receiving end of it or whether it really is faulty in some way.

[viraptor]

I don't get the complaints about how hard GDPR is and having to understand it all. If you're based in the US, have you read the actual DMCA document? CFAA? California S.B. 1386? TWEA? ADA? Or at least any interpretations of them and validated that you comply?

If not, then worrying about GDPR which is mostly not enforceable in the US sounds disingenuous.

[themacguffinman]

Who are you arguing with that thinks DMCA was a great idea but GDPR isn't?

[viraptor]

Not saying anyone thinks it's a good idea. I'm saying I haven't seen that many comments, annoyed people, and general discussion about other laws, which actually impact US people and can be enforced there.

I'm guessing they also ignore those laws, because of posts like this one. If you're running a business complying with regulations, you likely already know how to block a country. I mean, you keep track of the current embargoes and block relevant countries, right?

[themacguffinman]

Because this is a thread about GDPR, and the GDPR is not the same as the DMCA in either impact or scope. Take your whataboutism elsewhere.

[andrepd]

You are speaking as if the European Union spit out this legal document and nothing else, when in fact loads of supplementary material have been released, for consumers as well as for enterprises. Of course, the actual act must be written in formal legal language.

EDIT: Example: https://ec.europa.eu/justice/smedataprotect/index_en.htm

[takeda]

> A College student working on a side project with no revenue are treated the same as some massive multi-national.

Am I reading this wrong? If the college student creates just a simple page, he/she is already complaint with GDPR.

If the student starts collecting personal information, then they need to know what's allowed or not. There are already things that are not legal to do, GDPR just adds private information into that.

The treatment of privacy is one of issues where it's pretty much impossible for individual protect from, GDPR tilts the scale in favor of individuals.

[manfredo]

If a kid makes a meme generator site where you can create a profile and organize your dank memes, then now they have to have a data protection officer, build a system to purge user data, and build a system to get user consent, etc.

I can easily see small websites just ignoring GDPR and hoping they fly under the radar. Or, using something like this Cloudflare configuration to block all EU users until they reach a size where achieving GDPR compliance is feasible and worth the effort.

[viraptor]

> they have to have a data protection officer

DPO is only needed in specific cases. Dank meme sites don't fit in any of: a) public authority b) monitoring subjects on large scale c) dealing with criminal conviction data.

> build a system to get user consent

It's called a checkbox. They likely use one to agree to TOS anyway. If you don't have that one, DMCA and COPA is what you should be worried about before GDPR. (If you're based on the US anyway)

[manfredo]

Article 37 1.a and 1.b are extremely vauge. Hiring a DPO becomes necessary once your service "requires regular and systematic monitoring of data subjects on a large scale", or processing personal info specified in article 9 "on a large scale".

However, nowhere does it actually specify what sort of scale constitutes "large". I don't see any user count threshholds or anything like that.

Also, it's possible that someone's list of authored memes is personal data. If somebody creates a lot of political memes then this could easily be covered by article 9, since political affiliation is explicitly covered there.

Additionally just saying "have a checkbox" isn't going to cut it. GDPR forbids blanket opt in or opt out schemes. You would have to build a system to track what the user has consented to and refactor all features to abide by each user's consent configuration.

I'm not saying every these tasks are hugely onerous - just that I can see the use case for blocking EU traffic to avoid having to abide by their regulations.

[viraptor]

They only apply if it's your core activity though. If dank memes are your core activity, you're not "processing personal data" on a large scale, regardless of how many memes you store.

[manfredo]

Again, only if you assume that these memes aren't covered by article 9. You might be able to infer a lot about someone from their authored or favorites memes. Article 9 doesn't just cover the personal data itself, it covers personal data revealing ethnicity, political opinion, etc. If I look at a user's list of authored memes, and it's full of pro gay rights memes have these memes revealed their political opinion? Many would argue yes, and processing memes is definitely the core activity of our hypothetical site.

[hk__2]

> If a kid makes a meme generator site where you can create a profile and organize your dank memes, then now they have to have a data protection officer, build a system to purge user data

No, because that website doesn’t collect personal information.

> and build a system to get user consent, etc.

You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).

[manfredo]

> No, because that website doesn’t collect personal information.

Yes it does. It a least records an email address and password to create profiles. And any features like tagging memes, marking memes as favorites, etc. could be argued to constitue personal data.

> You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).

Again, I specified a meme generator site that has at least some user specific personalization.

[nelsntk]

>they have to have a data protection officer

Themselves

> build a system to purge user data

SELECT * from users, memes, usermemes where userid = #####

[spookthesunset]

What about all the comments on those memes? Do those go too? What about the people who hot-linked to those memes? Do you just nuke the images and break all the content people linked to?

You sign up for a website and upload and share a bunch of memes.... honestly... the shit isn't really your data anymore. It is the publics. You shared it and yanking it back is kind of a dick move.

It really isn't as "simple" as a DELETE statement that some people argue it is.

[takeda]

You are just making s*it up. Meme is something you publicly posted it is not your personal info, you possibly agreed to transfer copyright to the site, if you still own it, of course you have right to delete it.

As for personal info, most meme websites don't require any accounts to create them, because it only makes the site less usable, but if the site do have accounts, you do have right to see/update your account, you have right to delete your account and be sure that if your account is deleted the data is actually gone.

[manfredo]

> Meme is something you publicly posted it is not your personal info,

Very generous assumption on your part. Article 9 specifically says that anything revealing personal info like ethnicity, political affiliation, etc. is covered by GDPR. If I look at a Adam's list of authored memes and there's a bunch of pro-Democrat memes and I look at Bob's and it's all pro-Republican memes, then it's very easy to see a court ruling that a memes reveal political affiliation.

[tchock23]

You’re not allowed to have the DPO be yourself due to potential conflicts of interest.

[strken]

I can easily see small websites just ignoring GDPR and hoping they fly under the radar.

This is my plan. What are they going to do, extradite me over claims that my access logs includes IP addresses? Claim that I do business in the EU when I don't take payments, every side project I've made is in English, and I've never set foot there?

[spullara]

Web servers are non-compliant out of the box because they all by default log and store IP addresses of visitors.

[oneplane]

There is nothing non-compliant about that. You seem to misunderstand essential vs. data hoarding for advertisement purposes. If you were to keep that data forever, sell it to third parties or profile users based on that logging data, not tell them about it, then yeah, you'd be violating the GDPR.

For normal operation system logging is pretty much a requirement for essential operation. That includes most properties of a connection like IP, UA, date, time, URI etc.

[Semiapies]

Which is the answer I see all of 50% of the time. Then, I see "Well, actually it is non-compliant because yadda yadda". My company isn't going to hire international compliance experts to review the operations of every public website we run, and we don't have any that need European visitors. So, best to just block them.

[oneplane]

But what about national compliance experts, do you hire those? Because you have a lot more national compliance on your plate than international...

[Semiapies]

That just emphasises how worthless it would be to spend effort to make sure we're compliant with GDPR. We have better things to do.

[spullara]

Without it documented why I am collecting it, how I use it and how I store and delete it, it is non-compliant that I am collecting it at all. I think that you are assuming that they know it is being collected and that they are supposed to use it for something. They don't. It is not essential at all to the operation of the service if you don't actively monitor it. Saying it could potentially be used for some kind of security function seems like a CYA if you aren't actually doing that.

Do you disagree with this TLDR of the regulation?

https://www.smartsurvey.co.uk/articles/gdpr-compliant-with-d...

Without a bunch of work that hasn't been done I seriously doubt that they can give Right to Access, Right to be Forgotten, Data Portability, Privacy of Design and it does clearly state it is Personal Data.

[ajuc]

So the defaults will be changed.

It's called software cause it can be changed easily.

[hk__2]

A quick Google search leads to this, for example: https://blog.flyingcircus.io/2018/02/05/new-default-truncate...

[takeda]

I'm finding this: https://law.stackexchange.com/questions/28603/how-to-satisfy...

[black_puppydog]

> It's a foreign requirement that feels like a violation of sovereignty.

It must feel horrible, now that the US is on the receiving end of this for a change... ;)

[ShroudedNight]

Notwithstanding any opinions of the contents of the directive itself, as Canadian citizen, the schadenfreude of the United States getting its comeuppance is not nearly worth another foreign federal government imposing its will on our domestic activities.

[geocar]

> I think the things that bother me is:

>

> 1) A College student working on a side project with no revenue are treated the same as some massive multi-national.

That's false. The GDPR repeatedly refers to evaluating the risk with regards to various decisions. The ICO even has separate guidance for small businesses and big businesses.

> 2) It's a foreign requirement that feels like a violation of sovereignty. Most business/startup owners complain about there being too much domestic regulations, now we have to worry about things outside of our own countries -- that also can come into conflict with our domestic tax authorities on things like data retention. An international agreement would be entirely different.

This one I can appreciate, but perhaps look at it from our point of view:

You're violating our laws that protect our citizens.

Why would we possibly have any sympathy for that?

> 3) The GDPR requires clear and concise language, but have done nothing of the sort when writing the regulations. For most websites outside of the EU, could they not have produced a concise 1-2 page infographic produced by the regulators themselves?

The GDPR is easier to read than many US laws, and you don't have to read it anyway. The ICO has written extremely high-quality guidance for most businesses which will suffice. It should take no more than a few hours to determine how your business would be affected.

https://ico.org.uk/for-organisations/business/

[oliv__]

"You're violating our laws that protect our citizens. Why would we possibly have any sympathy for that?"

No one forced your citizens to come to my website.

[geocar]

And in the situation that it’s no more complicated than a EU citizen visiting a website that doesn’t sell to European businesses, that’s probably fine.

But when you want to trade with Europe, you have to abide by our standards for human rights.

[oneplane]

> " It's a foreign requirement that feels like a violation of sovereignty."

How about you look at what bs comes out of the US gov't? That is the worst foreign requirement and violation of sovereignty so far, and it keeps on giving.

[philipodonnell]

> 1) A College student working on a side project with no revenue are treated the same as some massive multi-national.

I hear you, but the argument is that the data doesn't care who caused the leak. A college side project leaking an SSN does the same amount of damage as a multinational leaking an SSN, so the law is going to want them to treat them equally seriously.

[baryphonic]

My understanding (I could be wrong - IANAL and I haven't read the 80 pages) is that GDPR takes a somewhat countervailing view. SSN data breaches would be treated the same way as, say, whether someone likes the Beatles. The problem with GDPR from my perspective is its Draconianism.

This is by the way the same problem with the various restaurant analogies. It makes some sense for the health department to inspect large restaurants. It would make no sense for them to subject neighborhood cookouts to the same degree of scrutiny.

GDPR seems to be based not on actual harm that could occur based on invasive, sketchy or otherwise bad data storage practices; instead, it seems based on a subjective idea that people have "fundamental rights" to various forms of state-mediated protection in relation to technology. Rights are unequivocal and almost entirely uncompromising.

[cm2187]

A college student working on a side project probably shouldn’t hoard personal information if it doesn’t care to protect it.

[Sangermaine]

>1) A College student working on a side project with no revenue are treated the same as some massive multi-national.

If the side project uses personal user data, then there is no reason to treat them differently.

[Tomte]

> A College student working on a side project with no revenue are treated the same as some massive multi-national.

And why not? The result/harm is the same.

It doesn't matter a bit whether a company's web site is handing its visitors' data over to Facebook or a "private site" does.

The side project or the private site always have the option of not participating in the adtech frenzy.

But of course they want to participate (free money!), even if they find out much later that almost no money is coming their way.

[manigandham]

No, it's not the same. The lack of proportionality is precisely why the UK/EU is such a hard place to conduct business.

These rules don't stop anything about ads, they just make them less targeted. Not a big deal, but it will increase the costs of serving users and thus decrease the total amount of commercial projects started.

[Tomte]

I find it funny to claim that the US could be more proportionate than the EU.

Less targeted ads are exactly what we need. That's what the regulation aims for!

Your argument is like claiming that unfortunately, due to car dafety regulations, we cannot enjoy as many fatal accidents as we once did.

And to make my point of view clear: not all businesses deserve to exist. We as society decide which business models and behaviours are okay. "Decrease the total amount of commercial businesses started" cannot ever be a persuasive argument.

[manigandham]

This issue isnt about privacy...

Nobody reasonable is arguing that it's a bad idea to let customers control their data. The actual issue is that the rules are vague and thus create a lot of confusion and waste that affects all companies, while not providing any real protection against the massive conglomerates that abuse data in the first place.

[knuththetruth]

>The #1 complaint about ads is that they are not relevant, so this does nothing but increase that problem.

The #1 complaint about advertising is that in 2018, it has evolved into a shadowy, insecure brokerage of surveillance data that it obtains using all kinds of under-handed tactics. If the GDPR curbs this in the slightest, it will be a net positive for people of Europe.

[manigandham]

It will not curb it. Facebook and Google who control 90% of the ad industry will already have consent from billions of people by the end of the day, and the increased regulation will only increase their market share as the safe and reliable avenue for advertisers and further strengthen their monopolies and data activities.

[solomatov]

>Less targeted ads are exactly what we need. That's what the regulation aims for!

I have nothing against targeted ads. I am against targeting ads and collecting/distributing my data without my explicit consent. E.g. mobile companies selling my real time location because there's some obscure sentence in their 90 page terms of service.

[ajuc]

> I am against targeting ads and collecting/distributing my data without my explicit consent.

Which is exactly what GDPR is designed to stop. You're welcome - the rest of the world.

[takeda]

And this is exactly what GDPR does, you then have an option to opt-in.

I wish regulation like GDPR would also be implemented in US, but really unlikely.

[dennisgorelik]

Please learn from the experience of dealing with side effects of GDPR in EU first, before trying to push it to the US.

The side effects would include:

1) Reduced number of services available to EU customers.

2) EU users will be trained to click "Agree" without reading, because web sites would ask them for permission very frequently, and users do not have time to read web site policies anyway.

[solomatov]

>And this is exactly what GDPR does, you then have an option to opt-in.

I mostly like GDPR. Ability to opt-in and being of charge of your data, i.e. removing it from a service if you want to, and the right to export and move it to another service are great and long due.

What I don't like is that it's a principle based regulation and thus it can be applied arbitrarily and selectively.

[ajuc]

> UK/EU is such a hard place to conduct business

is it though? According to https://en.wikipedia.org/wiki/Ease_of_doing_business_index#R...

USA is 3 positions behind Denmark which is in EU, and just one ahead of UK.

[solomatov]

It's not the same. There're companies which intentionally collect and exploit private data. There're companies which are just behaving negligently with users data. There should be different penalty for intentional and negligent violation.

[askmike]

And there is! The law applies to all but fines/punishment are handled on a case by case basis.

[solomatov]

And there's a lot of room for choosing the fine/punishment. There should be some rules, i.e. fines for intentionally violating privacy of millions of people should be very different from fines for unintentional violation of privacy of 10 people.