by Spooky23 2948 days ago
I don’t know GDPR inside and out, but I have worked at places (not military) where I could be held criminally liable for misuse or negligent disclosure of PII.

The answer to “How do you handle...” is that you get your shit together. Separation of duties, build and configuration standards, no customer data on random laptops.

When I was in high school, I worked at a sandwich/coffee shop. The precious commodity in that store was cash. We didn’t leave cash on a counter, or on a roll in our pockets; it was in a locked register. When there was more than $500, we withdrew down to $250 and put the cash in a safe. At the end of the night, we put the cash in a locked pouch and two of us walked to the bank and put it in a dropbox.

Data is no different, just more complex.


And if getting your "act together" is a substantial cost for small companies, no matter?

The word choice almost presumes the conclusion, that data privacy rules are obvious, and cheap, and akin to just washing hands after using the toilet.

Every regulation has costs and benefits. I also would love to have better worldwide privacy at no or little cost, but the fact that people are blocking the EU shows that some companies just don't see this to be the case. And they're voting with their feet.

EU citizens should accept the fact that if they support the law, they will further data privacy protections, which are good, and they will face the music if some innovation leaves or whatever compliance costs may come with it.

> And if getting your "act together" is a substantial cost for small companies, no matter?

Yes, no matter. Should small companies also get a free pass on food safety laws? Health inspections are a PITA for restaurants too.

This reaction is pretty much textbook psychological reactance[0]. People doing business had some freedoms wrt. user data, but it turned out in practice that they should never have them in the first place. Now that those excess freedoms are being removed, businesses cry foul.

--

[0] - https://en.wikipedia.org/wiki/Reactance_(psychology)

Exactly. It's very sad that reasonable privacy measures present such a technical challenge, but nobody promised being responsible was easy. That's why we have regulations - to force businesses to place the common good ahead of profits, where applicable.

> Should small companies also get free pass on food safety laws? Health inspections are a PITA for restaurants too.

But if you look at how reality works, then you'll see that small companies often do not implement the proper food safety standards. This causes all sorts of problems, because if a company already does one shady thing, then doing one more isn't as much of a problem anymore.

And then they get closed down when a food inspection takes place.

Yep, that's exactly the case, but another one of these opens up somewhere else at the same time. We've had inspections like this happen for many years, but it's still happening. And these companies that don't adhere to the law could outcompete those that do by saving in some costs.

Yes, it is unfortunate that the authorities lack resources to track down all misbehaviors, but that doesn't make crime acceptable.

Data privacy isn’t trivial, but the core concepts are pretty straightforward. Like cash, data is both an asset and liability. The business model of tech insulates the investors completely from liability, so there is no incentive to self-police.

The contempt shown for us collectively as users and people is what triggered the regulatory backlash.

The 2016 election demonstrated better than anything why this is important.

The internet's role in the 2016 election was primarily its ability to connect like-minded people and capture their attention in a venue where advertising can be purchased cheaply and casually. Data may have helped with ad targeting, but was basically incidental. The insufficiently regulated thing there was speech, not data, and there are good reasons we don't really regulate speech.

I agree that the Facebook/Cambridge Analytica debacle should have been prevented. I'm not totally sure what's the best legislation to have helped that while having the minimum side effects.

As mentioned before, size limits are probably good for compliance costs; if the problem is political influence, make that a key part of the law. Making liability per privacy breach part of the law can be useful too (to deter companies from lax security that ends up with them hacked).

> I'm not totally sure what's the best legislation to have helped that while having the minimum side effects.

Legislators don't have the luxury of saying "I'm not totally sure what's the best legislation" to fix this issue; they are forced to propose an actual fix. If you don't have a better alternative on hand, I'd urge you to consider that which legislators have arrived upon after months or years of consideration.

The problem with carving out exceptions for small companies is that larger ones would simply subcontract out all their data handling.

Like encryption, data privacy is either all or nothing.

And personally? I'd rather live in a world without tracking-enabled Google and Facebook business models than the one we're currently in.

Holding personally identifiable data is a toxic externality: Experian simply exposed a clear case.

If you want to do so, you should have to bear that cost. Or design your business model differently so that you don't.

For size limits, as logicians, we would think that companies would just split infinitely but that doesn't seem to be the case.

For example ACA 2012 (Obamacare) applies the most onerous terms on companies greater than 50, but not a lot of 100 person companies split into two groups of 50 to dodge it.

I think privacy is indeed along a spectrum and not binary. I certainly think that EU citizens are more concerned with Facebook and the vast trove of data they have and political irresponsibility with it than with GarethsFirstApp in the Android store handling user data well.

Splitting core business functionality and siloing data handling to a contractor are apples and oranges.

And I'd point out that the latest Facebook media privacy outrage was caused by a smaller (1 person?) third party company.

GarethsFirstApp isn't so innocent when it's providing Facebook with data they can no longer collect themselves (given a hypothetical "You're small, so we'll let you get away with it" GDPR).

Let me shed some light on this: I run my own mail server and I have been using a separate mail address (it will soon be close to 10 years of doing that) for every registration to any website, let's say domain_url@mydomain.com. As you can imagine, I can track who sent me the email and where they got my address from. 99% of addresses that I get spam on came from registering with small businesses, never from large sites. Get it?

So based on that some might argue that small businesses should be regulated more, as the majority of violations are coming from them, not well-established businesses. It is probably not true, but it might also be.

So... binary only is a right way to go.
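The per-site alias scheme this commenter describes can be turned into a small leak classifier. The script below is an added example written for this thread, not the commenter's own code: it assumes a local registry recording which site each alias (domain_url@mydomain.com, as in the comment) was handed to, and the registry entries and the sample messages are constructed for illustration. It reads recipient and sender headers, labels each message as first-party, leaked (a registered alias being mailed from an unrelated domain) or unregistered (an alias that was never handed out, i.e. probably guessed or harvested), and tallies leaks per originating site.

```python
"""Attribute inbound mail to the registration it came from, using per-site aliases.

Convention (from the comment above): every website gets its own address
<site>@mydomain.com, recorded in a local registry at sign-up time.
ALIAS_REGISTRY and SAMPLE_MESSAGES below are constructed sample data.
"""
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "mydomain.com"  # the commenter's own domain, used as the alias domain

# Constructed registry: alias local-part -> site the alias was given to.
ALIAS_REGISTRY = {
    "shop.example": "shop.example",
    "news.example": "news.example",
}

# Constructed raw RFC 822 messages; only the headers matter for this check.
SAMPLE_MESSAGES = [
    "From: orders@shop.example\nTo: shop.example@mydomain.com\nSubject: Your order\n\nthanks",
    "From: deals@bulk-promo.test\nTo: shop.example@mydomain.com\nSubject: Win big\n\nspam",
    "From: editor@news.example\nTo: news.example@mydomain.com\nSubject: Weekly\n\nnews",
    "From: x@random.test\nTo: admin@mydomain.com\nSubject: hi\n\nguess",
]


def my_aliases(msg):
    """Return the lower-cased local-parts of all To/Cc recipients at MY_DOMAIN."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    aliases = []
    for _name, addr in pairs:
        local, _sep, domain = addr.rpartition("@")
        if domain.lower() == MY_DOMAIN:
            aliases.append(local.lower())
    return aliases


def sender_domain(msg):
    """Return the lower-cased domain of the From: address ('' if absent)."""
    _name, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify(raw):
    """Classify one raw message.

    Returns a list of (alias, registered_site, verdict) tuples, one per alias
    addressed in the message, where verdict is:
      'first-party'  sender domain is the site the alias was registered with
      'leaked'       alias is registered, but mail arrives from another domain
      'unregistered' alias was never handed out (probable guess or harvesting)
    """
    msg = message_from_string(raw)
    sdom = sender_domain(msg)
    results = []
    for alias in my_aliases(msg):
        site = ALIAS_REGISTRY.get(alias)
        if site is None:
            results.append((alias, None, "unregistered"))
        elif sdom == site or sdom.endswith("." + site):
            results.append((alias, site, "first-party"))
        else:
            results.append((alias, site, "leaked"))
    return results


def leak_report(raw_messages):
    """Count 'leaked' verdicts per originating site across a batch of messages."""
    leaks = Counter()
    for raw in raw_messages:
        for _alias, site, verdict in classify(raw):
            if verdict == "leaked":
                leaks[site] += 1
    return leaks


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(classify(raw))
    print(dict(leak_report(SAMPLE_MESSAGES)))
```

The subdomain check (`sdom.endswith("." + site)`) keeps mail from a site's own mailers (e.g. a `mail.` subdomain) first-party; anything else reaching a registered alias is evidence that the site shared, sold or lost the address, which is exactly the per-registration attribution the comment relies on.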

"The answer to “How do you handle...” is that you get your shit together."

Yes, it is.