by lightbyte 2948 days ago
>I think the ridiculous thing is every mom and pop site and blog and website needs to be gdpr compliant? insane.

The even more ridiculous thing in my opinion is that these mom and pop sites are not already GDPR compliant. What could they possibly be doing that makes not abusing a handful of users' privacy an insurmountable issue?

6 comments

> The even more ridiculous thing in my opinion is that these mom and pop sites are not already GDPR compliant. What could they possibly be doing that makes not abusing a handful of users' privacy an insurmountable issue?

You are writing as though not abusing people's privacy is all that is necessary to comply with GDPR. This is incorrect. GDPR has specific requirements for any company handling certain types of data, and extra requirements if it's handling this data "at scale" (though it doesn't actually define what this means). Any data revealing any of the following is considered protected by GDPR:

> racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

So, basically any user-uploaded images or text can be argued to fall under this category since users might reveal their political, religious, or philosophical beliefs in this text. How about something as innocuous as a heart rate monitor? Well, apparently people have correlated 15-30 minute spikes in heart rates in the evenings to figure out people's sex lives, so that's restricted by GDPR.

I could go on. The point is, it's not enough to just not abuse your users' data and cross your fingers to be GDPR compliant.

You would have to go out of your way to collect any of that data.

> basically any user-uploaded images or text can be argued to fall under this category

If you run a public forum and people choose to reveal things about themselves in posts, that obviously cannot be what GDPR is about.

Even if it is, it doesn't concern any mom and pop site that isn't running a forum.

> If you run a public forum and people choose to reveal things about themselves in posts, that obviously cannot be what GDPR is about.

Yes it is what GDPR is about, the fact that people voluntarily share this information on a public forum doesn't nullify GDPR. Otherwise, Facebook wouldn't be under so much heat. Much of the data they collect comes from posts, comments, etc. all happening on a public forum.

> Even if it is, it doesn't concern any mom and pop site that isn't running a forum.

Say your mom & pop site has a comment section, where users can talk about blog posts they liked or disliked. Now all of a sudden you have to dedicate resources towards GDPR support.

Facebook is under a lot of heat because they actively try to encourage the user to enter PII and even have policies such as no aliases and all accounts should belong to one person. Can't remember if I even needed a phone number confirmation or if that was Microsoft. The sole purpose of a Facebook account is to be a one-to-one mapping to a person, and everything posted or visited is obviously tied to such an account.

Not like hacker news where you don't even need an email address to sign up, creating a throwaway account if you want to post something private takes one minute. Good luck with that on Facebook.

The problem with forums is this: I'm upset with Jane Doe because she dumped me. I make an account called Jane Doe, from which I post some personal things about Jane Doe.

There is no way to police this stuff short of a total clamp-down on free expression.

The site operators must suspect every account is fake, and whatever that account says about itself is actually about someone else.

Since the protected information extends to areas like political or philosophical beliefs and whatnot, nobody can discuss politics or philosophy.

Whereas before this GDPR thing hit, you had to do no monitoring of the forum at all?

Probably not. Definitely not any proactive monitoring. A small website could get away with waiting for users to report posts, and then following up with manual inspection.

> If you run a public forum and people choose to reveal things about themselves in posts, that obviously cannot be what GDPR is about.

The GDPR has explicit provisions for how covered information that is explicitly made public by its subject is treated (for instance, separate consent is not needed for processing such information); outside of those explicit rules for particular effects, though, such information is treated exactly like other personal information of the same subject matter under the GDPR.

> What could they possibly be doing that makes not abusing a handful of users' privacy an insurmountable issue?

Nothing. Doesn't mean they have nothing better to do than respond to letters and regulatory enquiries. (To be clear, I'm not disparaging regulators asking questions. I'm simply observing that such questioning-and-answering has a cost. That cost is reasonable for a large company. It may not balance favorably for something smaller.)

Like TFA describes in pretty good depth, that response burden, for sites that have no saved data and process nothing personal, can be as simple as a form letter response pointing to a properly detailed GDPR statement.

Or it might have to be expanded on a bit; the point is the response cost can be scaled as well.

It will likely be years before any small business gets a routine regulatory enquiry, unless there is a complaint. And that is how it should be, isn't it?

So, a pragmatic approach then. Everybody violates the laws a little (maybe without knowing) and regulators pick big violations first. Software developers like to handle each edge case up front - which is not possible on this scale I guess.

GDPR imposes a few things to do as soon as you have a single piece of PII, as well as doing this a certain way (opt-outs are a no-go, you must be able to prove consent, you probably need a DPO and a DPA), and things that were just not done in practice until now (the right to be forgotten, for example, is not exercised, and thus there is no tool to exercise it).

Just because you absolutely respect the spirit of the law (don't do shitty things with PII) doesn't mean you are GDPR compliant, unfortunately.

I very much agree with GP that small businesses should have more relaxed obligations, and more proportional fines (the minimum fine exceeds the total revenue of a non-negligible percentage of small businesses).

Consent is usually not needed, since there are plenty of other lawful reasons for processing data. Small businesses will not usually need a DPO, and neither will many large ones. Small businesses will have proportionate fines, and probably no fines at all for accidental breaches of the law.

And no, there is no minimum fine set by GDPR, only maximum fines. Most companies will just get a warning to sort themselves out, if the past behaviour of the regulatory authorities is anything to go by — their emphasis is on getting compliance, so only egregious failures will attract fines, with others directed to carry out specified improvements to their processes.

The even more ridiculous thing in my opinion is comments like this that conflate a truth and proof of that truth. It's the difference between saying that every even number greater than 5 is the sum of two primes, and being able to prove it.

> What could they possibly be doing that makes not abusing a handful of users' privacy an insurmountable issue?

Storing their HTTP logs on archived CD-ROMs would be a violation of the GDPR, unless that same mom-and-pop operation offered users a way to request that CDs be replaced with new versions at will.

I don't think that counts as an abuse of privacy, but it is a violation of the GDPR, which makes immutable logs which contain IP addresses illegal.

There is no violation of the GDPR in just holding data, especially data for which you have a legitimate business reason to process. It is probably PII, so look after it as you would other PII.

The GDPR gives a number of reasons where the right to be forgotten does not apply, including for archival purposes, or when the controller was not relying on consent for the processing.

> What could they possibly be doing that makes not abusing a handful of users' privacy an insurmountable issue?

Perhaps they're busy running their business and don't have time to comply with baroque EU regulations, regardless of whether they're actually "abusing their users' privacy" or not.

Regulatory costs are a thing. Even if you're not violating the regulation, filing the forms or whatever to assure some bureaucrat that you're not violating it takes time and energy.

There's a reason why the startup scene in Europe is only a fraction of what it is in the U.S.