This is an 88 page document with extremely dry language. Just confirming your assertion will be time consuming. No wonder many American services would rather shut out EU users than comply.
This is a silly and downright crude comment. My mortgage contract was 56 “dry” pages and I found time to read/understand it, to the best of my ability.
If you own a business, the cost of reading this document is about 2 days (with consideration for googling terms). To disenfranchise a whole continent because you are inconvenienced is ridiculous.
Put it a different way: are you too busy to read docs/specs of the technology you are using or will you abandon it because specs are too dry?
American services are just busy because they are doing their best to keep the lights on. Within a week, the handful of companies will comply. They’re just cautious because they have to pay folks and don’t want to make a silly mistake that will shut down their business.
> If you own a business, the cost of reading this document is about 2 days
I've been watching experienced lawyers, general counsels, etc. from various companies, vendors, etc. literally yell at each other about some of the finer points of the laws. It's quite fuzzy on a lot of things, and gets REALLY complicated in some cases, especially when dealing with 3rd party vendors, or when you are yourself the third party vendor. Certain patterns, technologies and software are very hard to retrofit properly. Some concepts like the business justification stuff get really fuzzy when handling things like free accounts.
If you make any amount of reasonable money, you need a lawyer to work with your devs (hope you didn't outsource the work!) on a lot of this. And your usual lawyer, if in the US, might not be qualified to deal with EU laws. It's a tough situation. For businesses that don't even target EU markets on purpose, well...
If you're a medium to large international business, then this is just business as usual: dealing with new laws popping up, small or large, is just something you do. It sucks, but hey: it increases the barrier for entry of your next competitor!!
Disclaimer: I think GDPR is fine, and in a few years when every new startup or mom and pop company and 3rd parties are all set up for it, it will be a no brainer, just like email (not many people running their own email servers these days!). But the transition is hard, especially on smaller players.
This boils down to relying on each of the EU's twenty-eight data regulators interpreting "specifically target" favorably into perpetuity. One of them takes an unusual view, once, at any time in the future, and you lose 4% of your global revenues.
> I've been watching experienced lawyers, general counsels, etc. from various companies, vendors, etc. literally yell at each other about some of the finer points of the laws. It's quite fuzzy on a lot of things, and gets REALLY complicated in some cases, especially when dealing with 3rd party vendors, or when you are yourself the third party vendor. Certain patterns, technologies and software are very hard to retrofit properly. Some concepts like the business justification stuff get really fuzzy when handling things like free accounts.
I totally agree with you. But like you said, "It sucks, but hey...". That's totally the approach.
Yeah, it sucks, and what's new? There is always something that sucks. Within the next two months, there is: TLS1.2, new PCI guidelines, and GDPR that go live.
GDPR has more nuance than most other situations, but just like PCI, you just deal with it.
What I imagine is that this situation is like a bunch of stores stopping taking credit cards because the new PCI guidelines require TLS1.2, anonymized customer data, and all customer data stored at rest to be encrypted or hashed.
Would folks have the same reaction if their neighborhood deli said "fuck it! I ain't protecting the CC data 'cause it's tough and requires too much work"?
The cost of PCI compliance is baked into the transaction fee, and yes, businesses are sometimes cash only; particularly if the business is small and its products are affordable, customers understand and appreciate the owner's unwillingness to pay those fees.
There was still a pretty easy line between "I take credit cards" and "I don't take credit cards". The rules for PCI drastically vary between company sizes too, in that compliance for small companies is pretty easy, and your responsibilities increase as you go. To this day, there are companies that don't take credit cards too (though usually it's not to avoid PCI, heh).
But yes, once there's an industry of GDPR auditors, precedents in lawsuits, and the threshold for "Do not market explicitly to Europeans" is obvious and well understood, this will be much easier.
And still, until the end of time, there will be companies that aren't GDPR compliant and don't work with EU customers. Maybe with the goal of doing so once they have more time and resources.
It's basically a checklist, and you're either compliant or you're not. It includes various levels with actual numbers and explicit requirements, there's very little interpretation needed.
If anything, it should've served as the model for GDPR.
The GDPR is most of my job right now, and I have a relevant background. To say that the cost of reading the document is two days clearly shows that you have very little idea of what the law means. I've been arguing with other privacy professionals about the details of this law and how to implement it likely for longer than you've known about it, and on a number of those questions there is still no consensus.
This is an incredibly expensive regulation to comply for most small and medium companies not because they're doing villainous things with the data, but because learning this law and then documenting your compliance for this law is ridiculously expensive for many types of businesses.
Your comment came off a bit combative against me vs. the idea I'm trying to argue. Perhaps I didn't make my point very well.
Let's swap GDPR for PCI compliance, which has a new standard (or fully implemented standard, if you may) coming soon. PCI deals with credit card information.
My relevant background allows me to make a few assumptions:
1. If you are in the US.
2. AND you have visited a Quick Service restaurant in the last five years (think Subways, Chipotle, etc.)
3. AND they use one of the major POS (point of sale) providers.
That your credit card, name, expiration date, and CVV are in plain text.
You may know the GDPR very well, as it is your job and you are most likely very qualified for it. And yes, there are probably lots of nuances to this law. However, that's every single law there is, every standard, guideline, etc.
I'm not entitled. I am, however, a realist that understands that you just have to comply. Taking two days to read the 88 page PDF will make you more familiar than most. It might not make you an expert, but for a small to medium sized business, it would give you the necessary tools to comply with the majority of the law.
Quite frankly, I don't have a bunch of lawyers and I do have to implement GDPR. Will there be an official review? YES. There will be folks who know more than I and are professionals to double check my work. But I can't tell my stakeholders "Sorry, we can't do that because it's just too tough". That seems entitled...
Remember that this is the EU, not the USA where anyone can sue you for anything. If you feel a company is not complying with the law you can complain to your national agency, which will follow it up. If the company doesn't comply after getting a warning, the agency can bring the case to court and the company goes on trial.
The problem with selective enforcement is you may be treated nicely until e.g. your founder takes a political view a European politician disagrees with.
> To disenfranchise a whole continent because you are inconvenienced is ridiculous
Oh, please. To not offer a service or website or whatever to people half a world away is not to "disenfranchise" them. I don't think you have room to call anyone else's comments "silly".
I would like to share an anecdote with you, which might highlight the difference in mindset some folks have.
When I was 20/21, I worked at PJ Clarke's on the Hudson, a restaurant in downtown Manhattan. Back then, the Merc was still staffed by traders on all floors (they switched to computerized trade desks, I believe, and there were fewer people there).
During one shift, I had a party of 10+ people and had to grab extra tables from another area. The tables had tops made from granite and were heavy. As I was moving the table, the majority owner Phil Scotti jumped in and started helping me. I said something like "I got it" and he looked me in the eye and said "Anything for a buck".
That quote might not be popular, but what I realized is that work is work and money is money. If a multi-millionaire could move tables and his wife (in custom, expensive suits) can bus tables, then yes... Disenfranchising, or not servicing a bunch of folks, because you don't feel like it is fucking stupid.
I dunno what the point of this anecdote was, but the parent poster was right to mock the word "disenfranchise". If the American business doesn't want the buck, they don't want the buck. If they do want the buck, they do want the buck. Their call, not disenfranchising anyone.
Ha, I actually thought the comment was relevant for an article on blocking EU users with Cloudflare.
This regulation calls for legal expertise, trusting google to save on fees seems risky for a business. In all seriousness, biz owners should shell out for expert advice for compliance, or stop doing business in the EU.
Google and Fb have already seen litigious groups claim $9.3B in fines on the first day[1]. There will certainly be a cottage industry of lawyers going after online businesses that have erred with GDPR.
Those groups don't get to keep the fine money? What is with all the disinformation about people suing companies for GDPR violations like it's a civil court issue and one side gets damages?
People can refer an issue to the regulators claiming that the GDPR has been violated. The regulators will determine if they believe the regulations have been violated and whether it's a large enough violation to enforce. If fines are levied they go to the government and are intended to be punitive, hence the percentage of revenue as the max fine so that you can't just ignore the regulation by being rich.
No individual or group other than the government is going to make money off of this, and the government has to balance the loss in taxes and cost to enforce against any gain from a fine.
This whole kerfuffle about the GDPR has just shown that American companies will lose their fucking mind if they have to follow anyone else's rules and can't just lobby the US government to force their laws on everyone else.
Irrespective of who gets to keep the fine money, it will cost money and time (and likely lawyers) to handle any regulator inquiries. These complaints barely a day after the law came into force clearly shows that this law has come as a bonanza invitation for "activists" to impose legal costs on whatever target catches their fancy. I wouldn't be surprised with anti competitive targeting. Large corporations will write off the risk and the cost. Small business will choose not to do business and avoid the risk.
The law has been in effect for 2 years and the regulators have given everyone that much time to implement their GDPR compliance. These large companies have not done so. Were people supposed to just ignore them forever because they didn't feel like getting around to following the law?
Incorrect. They are civil rights groups, which filed complaints with the authorities. Even if the complaints were fully accepted and the offenders fined to the maximum possible amount, the groups would not "earn" a cent.
"This is a silly and downright crude comment" - easy mate. My ISO 27001 docs are a bit dry as well and I wrote the bloody things as well as the sob ISO 9001 ones.
In my opinion you absolutely hit the nail on the head with this:
"If you own a business, the cost of reading this document is about 2 days"
That's fine when you only hurt yourself but when you are dealing with personal data you can hurt others because you want to take the quickest path.
These same arguments could be applied to just dumping waste from manufacturing in the rivers. Does "If I have to spend 50 days disposing of my waste in a way that doesn't harm others I'm not gonna do it. I'm just gonna dump it somewhere else" sound acceptable?
I am not advocating that people break privacy laws. I am instead advocating that US internet businesses simply stop doing business with EU customers.
If the EU doesn't want these services, then hopefully these services will decide to leave, and the EU citizens can decide if it was all worth it.
I am certainly going to block EU customers on all my future side projects. It really isn't worth the bother for something that I just made for fun, and isn't making much money. Easier to just block this small market wholesale.
I even found a way to block them with a single line of frontend code!
That seems perfectly fine. You'll have to watch out if you have assets/money flowing through the EU jurisdictions still, as they can still fine you and take your stuff if you violate the GDPR.
If you are completely outside their jurisdiction though, there's not much they can do to you without starting a war or convincing your own government that the GDPR should be enforced.
I do think it's leaving money on the table though. The EU is 500 million people, 2/3rds more than the US and with a bigger aggregate economy. The US also has regulations that have a cost to implement, so it's not like you are avoiding the issue just by focusing there.
Small sidenote here. I'm the creator of https://documentation.agency/ and I've seen quite a few devs actually choose their tech/libraries based on the quality of the documentation.
I agree with you in everything though, everyone should be reading and following the law!
"This is an 88 page document with extremely dry language"
It starts along these lines after the usual intro:
"The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality"
I'll grant you that lacks a certain something but the language is compatible with another well respected charter of rights that you should be more familiar with.
Don't forget the brilliant and deeply meaningful paragraph 37:
"A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings."