by 49bc 2943 days ago
Don't look at GDPR and see it as some kind of slap in the face to Facebook or Google. The reality is that regulation like this invariably benefit the companies large enough to hire the lawyers to abide by the regulation. Similar story for tax-law complexity.

Large corporations thrive in highly regulated environments without fear of competition.


The other side of the coin is that for a lot of things we do need regulation. Look up the history of banking or healthcare before it was regulated.

Banking has arguably got worse since banking regulation, because regulation allows for fractional reserve banking and doesn't allow individual banks that aren't part of the system. This means that if the government doesn't keep exactly on top of their regulation then bad things can happen, because the government basically insures the banks and won't let them fail (since the system becomes too big to allow to fail).

It doesn't help when the government gives out bad guidelines either. E.g. the lending guidelines given by the Community Reinvestment Act. Suing banks for having too strict guidelines for lending out money, coupled with easy money, ended up in the 2007/8 financial crisis.

Would it have been better with less regulation? Maybe, maybe not. But it's definitely hard to say that banking would be unworkable with less regulation.

> Look up the history of banking or healthcare before it was regulated.

Look at the history of banking or healthcare after it was regulated. Costs spiraling out of control, people dying of preventable diseases because they can't afford health insurance, the housing bubble, too big to fail, etc.

> Costs spiraling out of control, people dying of preventable diseases because they can't afford health insurance

And yet compared to that, many industrialized countries with "socialized medicine" get by rather well, even though that's the epitome of regulation.

> And yet compared to that, many industrialized countries with "socialized medicine" get by rather well, even though that's the epitome of regulation.

Full socialization is very different from regulatory capture. Regulatory capture looks like what western corporations have traditionally done to third world countries. Full socialization looks like the USSR. They're both terrible, but in very different ways.

They also tend to have tax burdens that are 50-100% greater than what the US has. The main problem with US healthcare is that prices have gone out of control because there aren't market forces to keep it in check nor does the government keep it in check. This means that prices can soar.

On the other hand, when somebody has a rare disease or wants the absolute best healthcare then they are likely going to the US.

Aren't the insurance companies private in the US? Why don't they keep the prices in check?

And the US isn't the only destination for such medical tourism (anymore).

> Aren't the insurance companies private in the US? Why don't they keep the prices in check?

The entire US system is a disaster. There are major tax incentives for employers to provide health insurance, so they do. But then it's corporate executives choosing the insurance policy, and the one they choose affects themselves and their families, and is tax-deductible compensation, but they're spending the shareholders' money instead of their own. Meanwhile the insurance company is happy to sell a policy that covers more stuff for higher premiums. And everybody hates it when the insurance doesn't cover something -- it's bad PR for the insurance company, bad employee relations for the company who chose that policy and bad for the employee who is sick and denied coverage.

So all the incentives line up for there to be very expensive insurance policies that cover everything no matter the cost. And once you have a policy like that, the patient has no reason to decline unnecessary tests or choose lower priced alternatives because the insurance is paying for everything.

The insurance company can try to negotiate prices, but that only works in a competitive market. Many things are patented and there is only one supplier, who knows the insurers are captive buyers. Even when there are multiple suppliers, they all have to pass on the same regulatory compliance costs. And the insurance company itself imposes a large amount of bureaucratic overhead on medical providers to try to prevent insurance fraud, but the cost of that overhead then gets built into the price. Plus the cost of the insurance fraud itself, which is hard to detect when the provider and the patient are both in on it.

The way to make health insurance work is for it to actually be insurance, i.e. it only covers major catastrophes with a multi-thousand dollar deductible and everything else is out of pocket. Then the insurance would cost less than half what it does now and the amount paid out of pocket for substantially everyone would be less than the difference in insurance premiums. People would then have the right incentives to compare prices and refuse unnecessary procedures, none of the routine medicine would have to involve insurance paperwork, and less insurance coverage would mean less insurance fraud.

But everything in the US regulatory environment is configured to prevent that from happening.

You don't need a lawyer to abide by GDPR, it's pretty straightforward stuff.

Nothing about data storage and manipulation is straightforward.

Is the web server software you're using logging network requests? Are those requests possibly considered PII? Congratulations, you now have to care about the GDPR.

https://www.ctrl.blog/entry/gdpr-web-server-logs

Which is to say you don't have to care much at all, seeing as you do NOT need to inform or obtain consent from users to keep web logs that serve a 'legitimate interest' such as fraud, security or spam prevention.

Obviously if you were in the business of leaving such data insecure for anyone to obtain or merrily selling it on to reap as much dollar from your visitors as possible then you may be in for a bad time.

Otherwise it's just best practice to do what GDPR says anyway in the example you provide.

From the top of https://www.gdpreu.org/the-regulation/key-concepts/legitimat...

""" “Legitimate interest” may be among the most confusing concepts written into the GDPR, which is not helped by the amount of incorrect interpretations available when you search for the term online. """

It's going to be up to individual companies and orgs how much risk they want to absorb trying to sort this dimension themselves rather than hiring a professional; I suspect we agree on that. But I suspect quite a few companies will want to soak the cost of having a professional review this stuff rather than trust their own common sense (especially if their common sense is not European-originated but they plan to have European users).

It is not risk. If your relevant regulatory body decides that your reasons are not legitimate (and if you definitely are using them to prevent service degradation and don't keep them around forever, I don't see why they would) then they will tell you so you can alter it.

Companies hate building business models and practices around "Well, if the regulator's cool with it, then..." That's the very sound risk makes.

This is one of the aspects of GDPR that gets blown out of proportion. You can keep IP addresses in your server logs if you can demonstrate that it's important to your business.

If you can't demonstrate that it's important to your business, then you can mask the IP addresses. This was a very common thing to do even before GDPR.

In other words, compliance in this respect is dead simple. If you need IP address information for a specific reason, then keep them. If you don't need it, then change your log format to omit them or turn on IP masking.
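As an added illustration (not code from the thread), here is the IP-masking option in Python using only the standard library: it truncates the client address in combined-format access log lines to a network prefix (the widely used convention of zeroing the last IPv4 octet and the last 80 bits of an IPv6 address), or drops it entirely; the log lines are constructed samples.

```python
import ipaddress

# Constructed sample access log lines in the common/combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.42 - - [10/May/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [10/May/2018:13:55:37 +0000] "GET /about HTTP/1.1" 200 512 "-" "curl/7.58"
"""


def mask_ip(addr: str, v4_keep_bits: int = 24, v6_keep_bits: int = 48) -> str:
    """Truncate an address to a network prefix so it no longer singles out one host.

    Defaults follow the common convention: keep /24 for IPv4 (zero the last octet)
    and /48 for IPv6 (zero the last 80 bits). Raises ValueError for non-IP input.
    """
    ip = ipaddress.ip_address(addr)
    keep = v4_keep_bits if ip.version == 4 else v6_keep_bits
    net = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(net.network_address)


def mask_log_line(line: str, drop: bool = False) -> str:
    """Mask (or, with drop=True, omit) the client address of one combined-format line.

    The client address is the first whitespace-delimited field. Lines whose first
    field is not an IP address are returned unchanged rather than mangled.
    """
    client, sep, rest = line.partition(" ")
    try:
        masked = mask_ip(client)
    except ValueError:
        return line
    return ("-" if drop else masked) + sep + rest


def mask_log(text: str, drop: bool = False) -> str:
    """Apply mask_log_line to every line of a log file's contents."""
    return "".join(mask_log_line(l, drop) for l in text.splitlines(keepends=True))


if __name__ == "__main__":
    print(mask_log(SAMPLE_LOG), end="")
```

Masking at write time (rather than post-processing a file that already holds full addresses) is what actually keeps the raw identifier off disk; the same prefix lengths are what most web servers' anonymisation settings implement.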

In a few fairly uncomplicated businesses, sure. For everyone else, there's a reason why the privacy professionals listserv I'm on is a constant debate about vagueness in the law.

Funnily enough, GDPR explicitly requires you to have a representative (which for many companies will take the form of a lawyer).

https://gdpr-info.eu/art-27-gdpr/

The level of expected implementation will only be clear after a year or so.