by lajhsdfkl 2935 days ago
> Yes, this is really little different from shutting down a whole forum because you received a single DMCA request.

Completely unrelated. Not only are DMCA requests easier to handle than data access requests, the fines for not complying with GDPR are disproportionately larger than those for violating the DMCA.

Work required for complying with a DMCA request: delete the offending material, a basic feature implemented on every single piece of forum software

Work required for complying with a data access request: Search every single service you potentially could have stored user data in and provide it to the user. A non-basic feature that requires custom development.

Additionally any malevolent user (as is shown in this case) is incentivized to send a GDPR data access request while this is not true for DMCA.

I agree however that they are both horrible laws. So if your argument was to show that GDPR is just as bad as the DMCA I agree. GDPR is a horrible law and it is not obvious to me that the law wasn't created specifically to target non European business.


Except this forum software does provide a tool that lets the user export their own data, as well as a tool that lets an admin strip all identifying data.

The only way this targets non-European businesses is because the litigious nature of US culture seems to lead to this sort of overreaction.

I'm also not sure how a malevolent user is any more incentivised to abuse this than DMCA. The DMCA lets them issue actual legal threats and action. This just allows requests.

The DMCA helps big business at the expense of the general public. This does the reverse. It's no wonder there's been so much noise and scaremongering.

A lot of the US overreaction to the GDPR probably stems from the fact that they assume that Europe has a system where parties sue each other, the jury system, as opposed to the state suing parties, the inquisitorial system.

Getting sued in Europe is a huge deal, getting sued in the US is part of doing business.

Yeah from what I have heard the main reason for this law is to stop obvious abuses to people's privacy. It seems that most overreactions are due to ignorance of the system behind the law or to make some kind of political statement.
As a proponent of North American small businesses just stopping doing business with the EU, my motivation doesn't stem from ignorance of the system but rather from knowledge of it: the fines will be issued by the relevant authorities of each and every EU state according to their own interpretation. Certain countries might see this as a neat little cash grab opportunity.
I just don't see the EU giving fines to American small businesses. What kind of money could they expect to get out of them? I'm curious though, what EU countries do you think are so desperate for money that they would basically extort American small businesses?
Hungary for sure! (I'm a dual Canadian-Hungarian citizen.)
This is exactly what I mean. Europe has functioning government that can't be fathomed on the other side of the Atlantic.
Seriously? Spain, Italy, and Greece don't have malfunctioning governments?
Incorporating in the UK is a great way to stop this.

The ICO is extremely reasonable and personable in my experience.

Ever heard of Brexit?
I'm in favor of GDPR, but this is how it can be trivially used to target non-EU companies. EU regulators can be pressured to more aggressively pursue dominant foreign companies (or lay off important domestic companies) which many people already believe they do in various industries (banking/finance especially, as well as tech, automotive, aerospace, pharma...).
>Except this forum software does provide a tool that lets the user export their own data, as well as a tool that lets an admin strip all identifying data.

Completely beside the point; there are hundreds of different pieces of forum software that may not have that feature implemented.

>The only way this targets non-European businesses is because the litigious nature of US culture seems to lead to this sort of overreaction.

Did I ever bring up litigation? What is your point here?

You brought up it targeting non-European business. That was the main way it seems to have disproportionately affected them.
How about you try answering this question I posed to you:

What is your point here? What is your point when you say that the EU is not litigious? Are you saying that I shouldn't expect to receive a fine for violating GDPR? Are you saying that I should just ignore GDPR data access requests if I am operating in a supposedly ethical manner and I am not selling user information?

I didn't see any question in there. My answer though is: respond to the request (which shouldn't be as hard as some are making out), but don't worry about fines unless you've been misusing the data or repeatedly ignoring warnings.
That's not how laws work. Someone has to prove they are innocent if another person claims they aren't to regulators. There is a cost to that. There is no way the law can know perfectly who is 'misusing data' beforehand.
Then wtf is the point of GDPR if nobody will be sued for violating it?
> there are hundreds of different pieces of forum software that may not have that feature implemented.

"Can I have all my data?" is not new to GDPR. It has existed in previous data protection law. How did people cope before?

> Additionally any malevolent user (as is shown in this case) is incentivized to send a GDPR data access request while this is not true for DMCA.

People send fake DMCA takedowns all the time.

If someone sends you a GDPR data request, you can ask for administrative costs. You can even ask for it to be mailed to you via post. If someone sends you a bogus and unreasonable GDPR data request, you can ask them to pay you a further reasonable fee.

This can almost be an auto-response. Trolls will get bored.

> Work required for complying with a data access request: Search every single service you potentially could have stored user data in and provide it to the user. A non basic feature that requires custom development.

This is not true. Recital 62[1] says you don't have to give them any data they already have, and Recital 57[2] says you aren't obliged to determine which of your data identifies them if you aren't going to do it anyway.

[1]: http://www.privacy-regulation.eu/en/recital-62-GDPR.htm

[2]: http://www.privacy-regulation.eu/en/recital-57-GDPR.htm

> I agree however that they are both horrible laws.

I like the GDPR a great deal, and I think it'll be good for companies big and small in the long run. Disclaimer though: I'm doing some GDPR consulting, so you might prefer to think I'm getting paid to like the GDPR.

The scary bit seems to be for companies that approach compliance from the point-of-view of centralising understanding, and minimising the impact and costs of that compliance. They're looking for someone to tell them "this is enough effort", but the point is that Europeans don't want people playing chicken with their data[3].

As soon as companies realise that embracing the spirit of the GDPR is cheaper, it starts becoming a real opportunity for them.

[3]: https://www.sec.gov/Archives/edgar/data/33185/00011931251815...

I felt the regulation text itself was clear that the first request is free.

"1. The controller shall provide a copy of the personal data undergoing processing. 2. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs."

https://gdpr-info.eu/art-15-gdpr/

The ICO says that the fee must be based on the administrative cost of providing the information which seems consistent.

Since you're allowed to respond to the first request with a list of the types of information you control, you should be able to do this without a search (and without undue costs).