by mrtksn 2948 days ago
So how exactly is it O.K. for customers if their privacy is breached by mom&pop businesses but not O.K. if it's breached by businesses that have 50K or more users?

It's a common theme here on HN to think that users are just some kind of resource and that regulations are anticlimactic things that slow down the party.

Seriously, as a user, I don't want my information to be sold to random people that I have no information about, even if the seller is a tiny business, because my feelings are not against the business but against the practice. The size of the violator is irrelevant to me.

If not breaching my privacy and my rights makes your business unprofitable, then you simply don't have a business.

Users are people, not just pageviews or hits or goals - despite what your analytics software says.


It's not just small businesses. The serious effort to fulfil this legislation and the constant threat that you still don't is simply too much for small non-profit organizations and personal websites. A lot of one-person blogs that are inactive but a valuable source of information have been taken down because of that.

I also stopped hosting demos of my side-projects (just for github or cv links), because following this law for this kind of service is just unreasonable. And I do not even have to cause any kind of harm to be fineable in Germany.

If your demos required storing or using someone else's personal information, taking them down was the right thing to do (assuming you weren't going to put effort in to become compliant). If they didn't, you panicked and took down potentially valuable data of your own volition.
Just adding a legally correct data protection and privacy policy is often too much of a burden, even for otherwise fully GDPR compliant websites. Especially as I cannot be sure whether it is legally correct without consulting a lawyer (that's one of the big pain points for non-profit and private websites).

One of my demos required multiple roles for the service and hence had authorization and authentication built in. I.e. it was storing email addresses (though I happily handed out prepared near-full-admin accounts to everyone interested). It was on a subdomain with robots.txt set to disallow, so there was very little chance someone would find it by accident. Still, making this GDPR compliant without consulting a lawyer was too much effort and risk for me.

I'm not even sure, without consulting a lawyer, whether a fully static pure HTML website would be DSGVO (the German GDPR) compliant without adding a privacy policy to it. After all, I could still be tracking users by HTTP/TCP/cookies and would have to inform the visitor whether I do or don't.

The Information Commissioner's Office (the regulatory body in the UK) says:

Who needs to document their processing activities?

There is a limited exemption for small and medium-sized organisations. If you have fewer than 250 employees, you only need to document processing activities that: are not occasional; or could result in a risk to the rights and freedoms of individuals; or involve the processing of special categories of data or criminal conviction and offence data.

GDPR is designed to be easy for small organisations to adhere to. No documentation needed if you have only small, non-sensitive data flows. IANAL, of course.

And, just like that, the tech world suddenly understands the stifling burden of overregulation that affects nearly every other industry.
Just as the world learns the horrible reality of practically criminal underregulation that the tech world has been operating under.

Well, it depends. If you only enable access to the demo without storing any personal information, there is no problem whatsoever.

If, in order to access the demo, you need to give your e-mail address, and you are harvesting e-mail addresses in this way, you need to inform the users you are doing so, and provide a separate unchecked box "Subscribe to the Newsletter". In this way you are honest with the users, with how you are using their data, and you stick to the letter and the spirit of the law.

> So how exactly is it O.K. for customers if their privacy is breached by mom&pop businesses but not O.K. if it's breached by businesses that have 50K or more users?

One of these has systemic effects, the other does not.

(I don't think small businesses should be totally unregulated. But the administrative burden should be considered, to prevent discouraging new entrants and promoting incumbency bias. GDPR does not take this into account.)

This argument is disturbing for two reasons:

1) You claim that GDPR has a big administrative burden to small businesses but that's not the case as long as your business model is not based on invasion of privacy. If it is, well, tough life!

2) It devalues the individual; it's ridiculous. Small restaurants need to follow hygiene standards just as the big chains do, despite the fact that your local burger shop won't cause health problems on the same scale as McDonald's. Do you know why? Because individuals matter too. Can't be bothered to clean your kitchen? Don't run a restaurant. Can't be bothered to take care of your visitors' data? Don't run an online business. Society or any individual doesn't owe you a profit or a business.

> You claim that GDPR has a big administrative burden to small businesses but that's not the case as long as your business model is not based on invasion of privacy

Have you ever dealt with a regulatory enquiry? Even if you have done nothing wrong, they are harrowing, time-consuming and--occasionally--costly.

> Small restaurants need to follow hygiene standards just as the big chains

Look at the food codes in most large cities. Multi-location chains have stricter standards than single-venue restaurants. This is because (a) multi-location complexity introduces new vectors for harm (and lets it scale faster) and (b) people are willing to accept greater risks from small purveyors.

> people are willing to accept greater risks from small purveyors.

No they aren't, WTF?

> No they aren't

Everyone isn't. But most people accept home-cooked meals without demanding municipal inspection.

Furthermore, the presence of looser food codes--in the U.S. and Europe--for small-batch and single-location vendors, in comparison to chains, supports the hypothesis that many people see the added risk worth taking for more variety.

Parents literally teach their kids to not accept food from strangers and women are often drugged by accepting drinks from strangers.

People accept food from people they know socially or from organisations that they know.

The EU won't go after you if you send a link of your non-compliant code to your friend, as long as your friend doesn't start a legal action against you.

You are freaking out for no good reason.

> But most people accept home-cooked meals.

From "generally regarded as clean" friends and relatives.

I know, right? But on the other hand, people are fine to ingest pills sold by a dude that can barely spell his name but will totally freak out if someone opens a hospital with fake doctors :)

How did you manage to deal with a GDPR enquiry? It's been less than a week since its introduction.

Something tells me that your reaction is not based on facts but on pure ideology, an ideology that assumes that regulations are always bad and that businesses will take care of the consumers if left to their own devices.

> How did you manage to deal with a GDPR enquiry?

Pardon me, I did not mean to imply I have dealt with a GDPR enquiry. I was asking if you had dealt with any regulatory enquiry.

> an ideology that assumes that regulations are always bad

Quite the contrary. I like American and European securities regulation. I regularly call my Congresswoman for more privacy protections. (I had some luck getting a law I helped draft through committee in Albany. No further.) I've also consistently been of the position that Facebook should be broken up on antitrust grounds. My opposition to GDPR is purely on the way it is administrated.

Yes, I did, I had to comply with EU workspace regulations. Built a nice toilet, marked the floor with yellow lines, paid a wage above the minimum wage, registered a company and the govt. people said it's all good.

It's really not that big of a deal.

I would have trouble only if I was doing illegal business, made people work in an unsafe and dirty environment, didn't provide for the sanitary needs and paid them less than the national minimum wage.

> You claim that GDPR has a big administrative burden to small businesses but that's not the case as long as your business model is not based on invasion of privacy. If it is, well, tough life!

There's something I don't get in your argument: how does having a business model not based on invasion of privacy protect your business from receiving GDPR Subject Access Requests, the legal fees a small business needs to spend to take care of those, and the handling of those?

In your food example it'd be more as if a law required you to have an employee meeting with a health inspector daily. And that employee must not be a cook/staff. This seems easier for a big chain to comply with than for a small business.

Here, monitoring all their email, each social media page, etc. and spending time figuring out whether each tweet/post is a subject access request is going to be much easier to scale for a big company than for a small business.

Also, one thing a bit off topic that's not clear to me is whether suddenly a business needs to start handling and archiving sensitive information because of GDPR letters (for each request, there must be a proof of identity such as ID, passport scan, etc). You now risk having potentially non-compliant businesses handle those. That seems like exposing yourself more to identity theft for each GDPR request you make.

(See "how do we recognize a request" in https://ico.org.uk/for-organisations/guide-to-the-general-da... )

Would you say shoplifting is okay, too?

Damn it, the law shouldn't apply all the way down to individuals, over trifling matters and quantities!

If you're harmed by a privacy leak, do you care whether that was perpetrated by a site that has 50 users, or 500,000?

Oh, it was a small mom and pop site that passed on your personal info, so that made it okay; sorry! Next time, only deal with a big time operator.

If you die in a fire or building collapse it's equally bad whether that building was a large commercial building or a single-family home.

But we have two sets of building code rules because the regulatory burden is very different. The costs of complying with lots of regulation are fixed, and don't necessarily scale linearly with the size of the company. So to prevent these laws from wiping out small businesses they usually phase in these rules with increasing size.

Which locality are you talking about? Building codes vary quite a bit from one region to another. I'm pretty sure my municipality (Grand Rapids, MI, US) does not have differing commercial building codes based on the size of the organization utilizing the space.

Not the size of the organization using the building but the size of the building.

I wrote organization but I meant to write building.

False equivalency.

Explaining why it's a false equivalency would be more helpful and create better discussion.
> If not breaching my privacy and my rights

You can respect everyone's rights and privacy and still be noncompliant, because most of the work of complying with the GDPR for most businesses is in the documentation, customer misinformation, and legal CYA work.

Okay, so add one more caveat—the business has more than 50,000 users OR it sells your data. Perhaps the vast majority of businesses affected by GDPR are not selling your data.

For me, the main problem is not the compliance itself, but the legal part of it. If GDPR had clearly stated it's ok to dismiss all these "nightmare letters" unless they come from a set of official emails that handle it, and if/when such official letters come it would only be required from me to point to my legal pages and/or give access to the code/db to show I'm compliant, it would all be a-okay.