by cdevs 2948 days ago
I think the ridiculous thing is every mom and pop site and blog and website needs to be GDPR compliant? Insane. If the true intent was to make sure large players have their system in check then they should have simply said if you have 50,000 or more users giving you data a month or something, to protect anyone interested in software from being afraid of having 2 users because now they need to read every international law. I know someone will fire back at this, but what stops the United States from coming up with some law as well on the internet against how logins should be and then filing a lawsuit against every other country's company that doesn't comply? A business should follow the laws based on the owner's location, and if other countries don't like it then that's for allies to group up and ask that minority country for change. GDPR to me is overreaching on the internet in a scary way.
11 comments

So how exactly is it O.K. for customers if their privacy is breached by mom&pop businesses but not O.K. if it's breached by businesses that have 50K or more users?

It's a common theme here on HN to think that users are just some kind of resource and the regulations are anti-climactic things that slow down the party.

Seriously, as a user, I don't want my information to be sold to random people that I have no information about, even if the seller is a tiny business, because my feelings are not against the business but against the practice. The size of the violator is irrelevant to me.

If not breaching my privacy and my rights makes your business unprofitable, then simply you don't have a business.

Users are people, not just pageviews or hits or goals - despite what your analytics software says.

It's not just small businesses. The serious effort to fulfil this legislation and the constant threat that you still don't is simply too much for small non-profit organizations and personal websites. A lot of one-person blogs that are inactive but a valuable source of information have been taken down because of that.

I also stopped hosting demos of my side-projects (just for github or cv links), because following this law for this kind of service is just unreasonable. And I do not even have to cause any kind of harm to be fineable in Germany.

If your demos required storing or using someone else's personal information, taking them down was the right thing to do (assuming you weren't going to put effort in to become compliant). If they didn't, you panicked and took down potentially valuable data of your own volition.
Just adding a legally correct data protection and privacy policy is often too much of a burden. Even for otherwise fully GDPR compliant websites. Especially as I cannot be sure if it is legally correct without consulting a lawyer (that's one of the big pain points for non-profit and private websites).

One of my demos required multiple roles for the service and hence had authorization and authentication built in. I.e. it was storing email addresses (though I happily handed out prepared near-full-admin accounts to everyone interested). It was on a subdomain with robots.txt set to disallow, so very little chance someone would find it by accident. Still, making this GDPR compliant without consulting a lawyer was too much effort and risk for me.

I'm not even sure without consulting a lawyer, if a fully static pure html website would be DSGVO (the German GDPR) compliant without adding a privacy policy to it. After all I could still be tracking users by HTTP/TCP/cookies and would have to inform the visitor, if I do or don't.

The Information Commissioner's Office (the regulatory body in the UK) says:

Who needs to document their processing activities?

There is a limited exemption for small and medium-sized organisations. If you have fewer than 250 employees, you only need to document processing activities that: are not occasional; or could result in a risk to the rights and freedoms of individuals; or involve the processing of special categories of data or criminal conviction and offence data.

GDPR is designed to be easy for small organisations to adhere to. No documentation needed if you have only small, non-sensitive data flows. IANOL, of course.

And, just like that, the tech world suddenly understands the stifling burden of overregulation that affects nearly every other industry.

Just as the world learns the horrible reality of practically criminal underregulation that the tech world has been operating under.

Well, it depends. If you only enable access to the demo without storing any personal information, there is no problem whatsoever.

If, in order to access the demo, you need to give your e-mail address, and you are harvesting e-mail addresses in this way, you need to inform the users you are doing so, and provide a separate unchecked box "Subscribe to the Newsletter". In this way you are honest with the users, with how you are using their data, and you stick to the letter and the spirit of the law.

> So how exactly it's O.K. for customers if their privacy is breached by mom&pop businesses but not O.K. if it's breached by businesses that have 50K or more users?

One of these has systemic effects, the other does not.

(I don't think small businesses should be totally unregulated. But the administrative burden should be considered, to prevent discouraging new entrants and promoting incumbency bias. GDPR does not take this into account.)

This argument is disturbing for two reasons:

1) You claim that GDPR has a big administrative burden to small businesses but that's not the case as long as your business model is not based on invasion of privacy. If it is, well, tough life!

2) It devalues the individual, it's ridiculous. Small restaurants need to follow hygiene standards just as the big chains, despite the fact that your local burger shop won't cause health problems on the same scale of McDonald's. Do you know why? Because individuals matter too. Can't be bothered to clean your kitchen? Don't run a restaurant. Can't be bothered to take care of your visitor's data? Don't run an online business. The society or any individual doesn't owe you a profit or a business.

> You claim that GDPR has a big administrative burden to small businesses but that's not the case as long as your business model is not based on invasion of privacy

Have you ever dealt with a regulatory enquiry? Even if you have done nothing wrong, they are harrowing, time-consuming and--occasionally--costly.

> Small restaurants need to follow hygiene standards just as the big chains

Look at the food codes in most large cities. Multi-location chains have stricter standards than single-venue restaurants. This is because (a) multi-location complexity introduces new vectors for harm (and lets it scale faster) and (b) people are willing to accept greater risks from small purveyors.

> people are willing to accept greater risks from small purveyors.

No they aren't, WTF?

> No they aren't

Everyone isn't. But most people accept home-cooked meals without demanding municipal inspection.

Furthermore, the presence of looser food codes--in the U.S. and Europe--for small-batch and single-location vendors, in comparison to chains, supports the hypothesis that many people see the added risk worth taking for more variety.

I know right? But on the other hand, people are fine to ingest pills sold by a dude that barely can spell his name but will totally freak out if someone opens a hospital with fake doctors :)

How did you manage to deal with a GDPR enquiry? It's been less than a week since its introduction.

Something tells me that your reaction is not based on facts but pure ideology, an ideology that assumes that regulations are always bad and that businesses will take care of the consumers if left to their own devices.

> How did you manage to deal with a GDPR enquiry?

Pardon me, I did not mean to imply I have dealt with a GDPR enquiry. I was asking if you had dealt with any regulatory enquiry.

> an ideology that assumes that regulations are always bad

Quite the contrary. I like American and European securities regulation. I regularly call my Congresswoman for more privacy protections. (I had some luck getting a law I helped draft through committee in Albany. No further.) I've also consistently been of the position that Facebook should be broken up on antitrust grounds. My opposition to GDPR is purely on the way it is administrated.

> You claim that GDPR has a big administrative burden to small businesses but that's not the case as long as your business model is not based on invasion of privacy. If it is, well, tough life!

There's something I don't get in your argument: how does having a business model not based on invasion of privacy protect your business from receiving GDPR Subject Access requests, the legal fees a small business needs to spend to take care of those, and the handling of those?

In your food example it'd be more as if a law required you to have an employee meeting with a health inspector daily. And that employee must not be a cook/staff. This seems easier for a big chain to comply with than for a small business.

Here, to monitor all their email, each social media page, etc. and spend time figuring out if each tweet/post is a subject access request is going to be much easier to scale for a big company compared to a small business.

Also one thing a bit off topic that's not clear to me is if suddenly a business needs to start handling and archiving sensitive information because of GDPR letters (for each request, there must be a proof of identity such as ID, passport scan, etc.). You now risk having potentially non-compliant businesses handle those. That seems like exposing yourself more to identity theft for each GDPR request you make.

(See "how do we recognize a request" in https://ico.org.uk/for-organisations/guide-to-the-general-da... )

Would you say shoplifting is okay, too?

Damn it, the law shouldn't apply all the way down to individuals, over trifling matters and quantities!

If you're harmed by a privacy leak, do you care whether that was perpetrated by a site that has 50 users, or 500,000?

Oh, it was a small mom and pop site that passed on your personal info, so that made it okay; sorry! Next time, only deal with a big time operator.

If you die in a fire or building collapse it's equally bad whether that building was a large commercial building or a single-family home.

But we have two sets of building code rules because the regulatory burden is very different. The costs of complying with lots of regulation are fixed, and don't necessarily scale linearly with the size of the company. So to prevent these laws from wiping out small businesses they usually phase in these rules with increasing size.

Which locality are you talking about? Building codes vary quite a bit from one region to another. I'm pretty sure my municipality (Grand Rapids, MI, US) does not have differing commercial building codes based on the size of the organization utilizing the space.

Not the size of the organization using the building but the size of the building.

I wrote organization but I meant to write building.

False equivalency.

Explaining why it's a false equivalency would be more helpful and create better discussion.

> If not breaching my privacy and my rights

You can respect everyone's rights and privacy and still be noncompliant, because most of the work of complying with the GDPR for most businesses is in the documentation, customer misinformation, and legal CYA work.

Okay, so add one more caveat—the business has more than 50,000 users OR it sells your data. Perhaps the vast majority of businesses affected by GDPR are not selling your data.

For me, the main problem is not the compliance itself, but the legal part of it. If GDPR had clearly stated it is ok to dismiss all these "nightmare letters" unless they come from a set of official emails that handle it, and if/when such official letters come it would only be required from me to point to my legal pages and/or give access to the code/db to show I'm compliant, it would all be a-okay.

That is exactly the way it should be. People should stop storing user data because they don't do anything to protect it for you.

Keeping user information just became so normal in the past few years. It is not just about ads but also security.

You have all your information all over the internet. Websites without minimum security requirements store everything just because it is cheap to do it, and they just believe they should store it even if they don't need it because maybe they need it in the future.

Hackers can do way more than you can imagine with your data if they want.

Storing user data should be expensive. Companies should only store it, if they accept and understand the responsibility and they must feel accountable for it.

I think the issue here is that GDPR is really broad.

We have had our legal team review it to perform a cost/benefit analysis on whether we should comply with GDPR or block the EU region for the time being.

At the end, while we all agreed that the idea behind this law is reasonable, it would benefit us to ignore the EU region. (We reviewed our database to ensure we don't have any EU users currently on the system before doing this)

That being said, we branched out and started to slowly implement some GDPR requirements that can benefit our existing users privacy and we will certainly remove the EU blockage when the scope of this law becomes more apparent to our legal team.

I strongly believe software is due for some serious regulation, just like all other branches of engineering. We need to take responsibility for the systems we create, and I feel like this is a sign that our industry is maturing from its infancy stage.

Kudos to EU for making an attempt to keep Europeans safe.

> I think the ridiculous thing is every mom and pop site and blog and website needs to be gdpr compliant? insane.

The even more ridiculous thing in my opinion is that these mom and pop sites are not already GDPR compliant. What could they possibly be doing that makes not abusing a handful of users' privacy an insurmountable issue?

> The even more ridiculous thing in my opinion is that these mom and pop sites are not already GDPR compliant. What could they possibly be doing that makes not abusing a handful of users' privacy an insurmountable issue?

You are writing as though not abusing people's privacy is all that is necessary to comply with GDPR. This is incorrect. GDPR has specific requirements for any company handling certain types of data, and extra requirements if it's handling this data "at scale" (though it doesn't actually define what this means). Any data revealing any of the following is considered protected by GDPR:

> racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

So, basically any user uploaded images or text can be argued to fall under this category since users might reveal their political, religious, or philosophical beliefs in this text. How about something as innocuous as a heart rate monitor? Well, apparently people have correlated 15-30 minute spikes in heart rates in the evenings to figure out people's sex lives so that's restricted by GDPR.

I could go on. The point is, it's not enough to just not abuse your users' data and cross your fingers to be GDPR compliant.

You would have to go out of your way to collect any of that data.

> basically any user uploaded images or text can be argued to fall under this category

If you run a public forum and people choose to reveal things about themselves in posts, that obviously cannot be what GDPR is about.

Even if it is, it doesn't concern any mom and pop site that isn't running a forum.

> If you run a public forum and people choose to reveal things about themselves in posts, that obviously cannot be what GDPR is about.

Yes it is what GDPR is about, the fact that people voluntarily share this information on a public forum doesn't nullify GDPR. Otherwise, Facebook wouldn't be under so much heat. Much of the data they collect comes from posts, comments, etc. all happening on a public forum.

> Even if it is, it doesn't concern any mom and pop site that isn't running a forum.

Say your mom & pop site has a comment section, where users can talk about blog posts they liked or disliked. Now all of a sudden you have to dedicate resources towards GDPR support.

Facebook is under a lot of heat because they actively try to encourage the user to enter PII and even have policies such as no aliases and all accounts should belong to one person. Can't remember if I even needed a phone number confirmation or if that was Microsoft. The sole purpose of a Facebook account is to be a one-to-one mapping to a person, and everything posted or visited is obviously tied to such an account.

Not like hacker news where you don't even need an email address to sign up, creating a throwaway account if you want to post something private takes one minute. Good luck with that on Facebook.

The problem with forums is this: I'm upset with Jane Doe because she dumped me. I make an account called Jane Doe, from which I post some personal things about Jane Doe.

There is no way to police this stuff short of a total clamp-down on free expression.

The site operators must suspect every account is fake, and whatever that account says about itself is actually about someone else.

Since the protected information extends to areas like political or philosophical beliefs and whatnot, nobody can discuss politics or philosophy.

Whereas before this GDPR thing hit, you had to do no monitoring of the forum at all?

Probably not. Definitely not any proactive monitoring. A small website could get away with waiting for users to report posts, and then following up with manual inspection.

> If you run a public forum and people choose to reveal things about themselves in posts, that obviously cannot be what GDPR is about.

The GDPR has explicit provisions for how covered information that is explicitly made public by its subject is treated (for instance, separate consent is not needed for processing such information); outside of those explicit rules for particular effects, though, such information is treated exactly like other personal information of the same subject matter under the GDPR.

> What could they possibly be doing that makes not abusing a handful of users' privacy an insurmountable issue?

Nothing. Doesn't mean they have nothing better to do than respond to letters and regulatory enquiries. (To be clear, I'm not disparaging regulators asking questions. I'm simply observing that such questioning-and-answering has a cost. That cost is reasonable for a large company. It may not balance favorably for something smaller.)

Like TFA describes pretty in depth, that response burden, for sites that have no saved data and process nothing personal can be as simple as a form letter response pointing to a properly detailed GDPR statement.

Or might have to be expanded on a bit, point is the response cost can be scaled as well.

It will likely be years before any small business gets a routine regulatory enquiry, unless there is a complaint. And that is how it should be, isn't it?

So, a pragmatic approach then. Everybody violates the laws a little (maybe without knowing) and regulators pick big violations first. Software developers like to handle each edge case up front - which is not possible on this scale I guess.

GDPR imposes a few things to do as soon as you have a single piece of PII, as well as doing this a certain way (opt-outs are a no-go, you must be able to prove consent, you probably need a DPO and a DPA), and things that were just not done in practice until now (the right to be forgotten, for example, is not exercised, and thus there is no tool to exercise it).

Just because you absolutely respect the spirit of the law (don't do shitty things with PII) doesn't mean you are GDPR compliant, unfortunately.

I very much agree with GP that small businesses should have more relaxed obligations, and more proportional fines (the minimum fine exceeds the total revenue of a non-negligible percent of small businesses).

Consent is usually not needed, since there are plenty of other lawful reasons for processing data. Small businesses will not usually need a DPO, and neither will many large ones. Small businesses will have proportionate fines, and probably no fines at all for accidental breaches of the law.

And no, there is no minimum fine set by GDPR, only maximum fines. Most companies will just get a warning to sort themselves out, if the past behaviour of the regulatory authorities is anything to go by — their emphasis is on getting compliance, so only egregious failures will attract fines, with others directed to carry out specified improvements to their processes.

The even more ridiculous thing in my opinion is comments like this that conflate a truth and proof of that truth. It's the difference between saying that every even number greater than 5 is the sum of two primes, and being able to prove it.

> What could they possibly be doing that makes not abusing a handful of users' privacy an insurmountable issue?

Storing their HTTP logs on archived CD-ROMs would be a violation of the GDPR, unless that same mom-and-pop operation offered users a way to request that CDs be replaced with new versions at will.

I don't think that counts as an abuse of privacy, but it is a violation of the GDPR, which makes immutable logs which contain IP addresses illegal.

There is no violation of the GDPR in just holding data, especially data for which you have a legitimate business reason to process. It is probably PII, so look after it as you would other PII.

The GDPR gives a number of reasons where the right to be forgotten does not apply, including for archival purposes, or when the controller was not relying on consent for the processing.

> What could they possibly be doing that makes not abusing a handful of users' privacy an insurmountable issue?

Perhaps they're busy running their business and don't have time to comply with baroque EU regulations, regardless of whether they're actually "abusing their users' privacy" or not.

Regulatory costs are a thing. Even if you're not violating the regulation, filing the forms or whatever to assure some bureaucrat that you're not violating it takes time and energy.

There's a reason why the startup scene in Europe is only a fraction of what it is in the U.S.

The intent is to give people a way to control the information which will be used to influence their lives instead of being at the mercy of every corporation, start-up or mom & pop operation which is trying to make a buck.

Private life is such an essential part of human nature and our societies, no matter what the "nothing to hide" camp will say. There will be collateral damage and that's unfortunate yet tolerable, given the extensive abuses.

> A business should follow the laws of based on the owners location

This cuts against centuries of sovereign tradition and precedent. GDPR's constraint to users in Europe is reasonable. (As is refusing to do business in Europe by blocking the continent.)

GDPR Art. 2 par. 2:

> This Regulation does not apply to the processing of personal data ... by a natural person in the course of a purely personal or household activity

So I am allowed to collect and store personal data for my toy project without consent?

IANAL. As long as there's no connection to a professional or commercial activity it should be outside of the scope of GDPR. This is identical to the previous legislation, directive 95/46 art. 3.2.

Note that any external service processing the data must still abide by GDPR.

I also think the requirement to provide the same service 'without detriment' if a user doesn't want personalized ads should only apply to companies over 500,000 users. It should only apply to companies that are so ubiquitous that people feel they can't live without them.

We as the collective tech community brought this onto ourselves. We did not self-regulate ourselves. We did not take our customers' privacy seriously enough. Therefore, big government stepped in and regulated us.

Equal before the law.

Sigh, you don't get it, do you?

In software, if you want to skirt the law, it's easy to do so with small teams/companies. Just spin up shell companies under the limit and use that to skirt the law.

It certainly defeats the spirit, but this is capitalism. No holds barred, and do illegal moves till you get caught.