I actually like this but there are a lot of similar services that make it easy to send GDPR requests with less biased framing and without the abusive intent.
The arguments brought forward against GDPR probably tell you more about the author than about the regulation if Jerre's only concern is with the potential costs for businesses. That may be news to some, but the maximization of companies' profits is not a value in itself, nor should it be the goal of our societies. Otherwise, we wouldn't have safety/labor/product standards regulations, such as OSHA. Instead, ensuring human rights, such as privacy and data rights (and a high quality of life), should be our concern - and that can cost companies - slavery would've been a lot cheaper too.
It speaks to a certain discourse prevalent in Silicon Valley and among business owners. The main source has been pretty well counter-argued in the original thread [1] but the author rather parrots that misleading information.
+1 to this. The author is primarily concerned about financial costs without taking into account all the other externalities that hoarding such data causes.
Total amount fined vs total amount spent complying aren't comparable numbers. One side has orders of magnitude more organizations comprising its number than the other.
We need a median amount fined to non-complying organizations vs. median amount spent complying by complying organizations.
I don't know about any actual research, but some people are doing that to the software patent system in the US. The current wait for a patent to be approved (or rejected) is 3+ years iirc (and it keeps getting longer). And I definitely know some people irl who think the whole software patent system is a load of bs, which is why they keep filing patents (90%+ of which won't be approved) for even the most minute stuff.
That is the point of this page; if you look lower down, the author is against the regs and this is an attempt to undermine them.
Honestly, it's crazy—HN is the only place I see this kind of anti-GDPR stuff. Everyone I have talked to about it sees it as a huge positive. I include myself in that by the way—being able to get (and delete) my data from providers reliably is a huge positive, and it has clearly improved the way my data gets handled a lot of the time. The cost is relatively small.
Indeed, I will never stop being amused by the hysteria over the GDPR.
You know what makes it really easy to comply with the GDPR?
Stop spying on your users.
Just stop.
It infuriates people precisely because it threatens the ad surveillance economy this whole website and most of its users have come to rely on. Consistently, the sites I've gone to with the most intrusive and aggressive complaints and reactions to GDPR ... are also the sites that are riddled with spyware and tracking.
It is very much a case of "methinks thou dost protest too much."
No it’s because we are working at companies that implement this and understand that it creates a large compliance moat for google and facebook. If it had proper carveouts for small business then it would be more positive. But the EU wants to put its hands in its ears and pretend they don’t exist.
There is a difference between a 5 person biz like Bear Notes, who would be totally cool with deleting your login info on request / sending whatever small amount of data they have on you, and what they actually have to do to be properly compliant with GDPR. They are probably not, and they, like many small EU software businesses, are a liability waiting to happen.
I would exempt small businesses from GDPR requirements outright unless the business model is a surveillance capitalism one. Like small adtech startups.
Defining a surveillance capitalist company without BS is difficult though, so in the end I would probably just wholesale exempt private small businesses that are not subsidiaries of larger ones. The small businesses would need to be at arm's length from larger ones too.
A lot of the danger of surveillance capitalism comes from concentrated power, and many small businesses are by definition the opposite of that.
Also, this kind of legal DoS is almost definitely against the spirit of the law and I’d be surprised to see any real company use significant resources to respond.
That's one small exception to one small part of the compliance burden, though.
Small businesses are still, for example, subject to abusive SARs of the kind used for illustration here. They're still required to write documentation like privacy policies according to the new standards. And unlike large organisations, where there is the 4% cap on fines, a small organisation faces an existential threat if regulators decide to impose heavy fines, which they have considerable powers to do.
5) People like myself who are annoyed that people think GDPR is enforceable against non-EU entities.
It's not... You cannot enforce GDPR on any person / company who doesn't have a presence in the EU.
That annoys me, because _although I'm willing and do comply_, many people reach out to me regarding their personal data with a lot of arrogance. However, my company isn't based in the EU and I don't have to comply (which I cleared with a lawyer already). The manner of their approach makes me not want to comply.
I understand your problem with arrogance, but as long as you service users in the EU you are still liable. There are legal ways they can get to you, and at best you may avoid fines but be banned from offering your service to EU citizens. Of course that's an option you already have, i.e. stop servicing the EU.
> as long as you service users in the EU you are still liable.
Not true, I am not required to not offer to EU citizens. They simply can choose to visit my U.S. servers and use U.S. dollars.
Laws aren't global. Laws are based on jurisdiction. EU doesn't have said jurisdiction, unless I am hosting services or have a presence in the EU. Customers from the EU effectively travel to the U.S. (via the internet) to get to said service. The U.S. could force us to follow EU laws, then sure. However, that's not the case today.
You can think of it as: if I call a vendor in China to purchase some widgets. The vendor in China is not required to validate you're following the laws of your land - that's your job. The Chinese vendor just needs to make sure they are following China's laws.
I've seen comments on the GDPR topic here where arrogant posters complained of sites that just banned EU visitors rather than take on the increased resource burden.
Unless you are the incumbent banking on it like Big Media with the DMCA. The amount of fake / mass DMCA Takedowns that happen on YouTube on a daily basis is astounding.
I noticed it asked if you hate your government. Government agencies do not have as stringent requirements as non-governmental ones, because, damn, if they did there is a particular agency I would be screwing with daily.
But... Wouldn't the end result just be that your tax dollars get spent responding to bogus requests that waste a lot of time?
If you are dissatisfied with a government agency, it seems counterproductive to deliberately make them operate less efficiently. This attitude seems like it would just reinforce an endless cycle of inefficiency and dissatisfaction.
Since the only real interactions I've had with this agency have been them screwing me over, I don't care that much about its efficiency, and I couldn't be more dissatisfied.
On the other hand you are right in that it helps do other stuff that does benefit me, I just don't notice the benefits as much as the harm because the harm is direct and the benefits are societal.
Isn't it kinda pointless because it will only work once per "enemy"? Sure, the first time it will waste a bunch of their time, but the second email will just get the same canned response.
I suppose you could make it a bit worse by asking to see the information collected - then simple copy-paste will be insufficient, they will have to run a script as well.
The truly malevolent thing to do would be to run a programme offering their customers a payout for sending in a GDPR request. Bonus malefactor points for using targeted ads to reach those customers.
No personal data is captured or stored. The form fields are pure front-end (VueJS), immediately outputting the values you enter into the preview box. There is no backend that stores anything. The only tracker currently installed is GA, which doesn't capture inputs either.
> To show that GDPR is fucking stupid. Really, have a look at these crazy stats after 1 yr of GDPR:
> - ~$60m in fines
> - compliance costs for US firms estimated at $150b (2500x fine amount!)
> - small co's hurt more than large. GOOG actually benefits!
> - VC $ invested in EU startups drops significantly
Is it redundant to say that this characterisation seriously misses the point of the legislation, and that this is a lot of trouble to go to just to make a childish nuisance?
In my opinion, regulation is better judged on the facts and not on its intent.
For example, draconian drug laws have great intent but horrible externalities - so much so, that even though I'm vehemently opposed to recreational drug use, I'm now sympathetic to treating it as an illness and not as a crime.
This very much reminds me of people using Freedom of Information Requests to inconvenience the government, because they have some beef with them.
That does not make the right to such requests stupid, and it's annoying that there are people that abuse it and risk getting it watered down, thereby removing all positive effects. (Such as the effects those fines and compliance costs have on civil liberties.)
Most of the criticism of the GDPR isn't about its apparent intent, it's about its actual implementation, particularly with regard to ambiguity and proportionality.
I'm a critic of the GDPR, yet I'm also a big advocate of stronger privacy protections. I see no conflict here, because my criticism isn't about what the GDPR is trying to do, it's about what it actually does.
The targets will still need to spend time (and thus, indirectly, money) to demonstrate that such a letter is such an "undue burden".
This assumes they can even do so; if there are national regulators who hold the same opinions that some HN posters do about Google and Facebook, there may be no definition of "undue burden" they are willing to accept.
This is a really cool application. I like that you are advocating for internet privacy. To add on to this, it would be cool if you made a .onion version of the site for even better privacy. Then google isn't collecting my data while I am on the site.
EU-enabled DDoS attacks. Expect automation developments on both the attack and the mitigation side to grow until it's cost prohibitive to do business with those in the EU and companies simply stop offering services to its members.
Well, abusing privacy is a punishable crime here, so according to our courts - do you say you don't trust the courts of a western, functioning EU member country? The figure is definitely way higher than I said, since only a handful of website operators have been found guilty ever since the law has been active. The law is not an exhaustive list btw.
> Do you have a list of said sites?
You are the one who claimed that all sites required to implement GDPR are privacy abusers. Do you have a list? In my country we adhere to the concept of "innocent until proven guilty" and we don't keep lists of innocent websites.
Or companies might just make the effort to take their governance of user data seriously. Once you've complied once, you should be able to comply for everyone else automatically. See Google takeout.
> Once you've complied once, you should be able to comply for everyone else automatically.
How do you automatically comply with a free-form letter sent via e-mail or, even worse, snail mail? You need one or more humans in the loop to identify these requests, even if it is just to send a canned response back.
Yes, but the balance of power is in the favor of the company.
You can have thousands of people send GDPR requests. Each person will take at least half an hour to print, compose, wrap and send a letter. And someone at the company will take under a minute to reply to each one, because all they'd need to do is a quick scan of the letter, then send a pre-printed response.
> Each person will take at least half an hour to print, compose, wrap and send a letter.
The point of this site is that there is no composition. Just print, address, and send if you want to snail mail. If that takes you half an hour, I don't know what to tell you.
> And someone at the company will take under a minute to reply to each one, because all they'd need to do is a quick scan of the letter, then send a pre-printed response.
Under a minute to 1) identify the letter and the sender; 2) pull the correct pre-printed response; 3) address and send the response? How does your hypothetical employee do this so much faster than your hypothetical private citizen?
I don't even have a mailbox and now I need to have one, and actually read the mail - which I'm unable to even reach as I'm often thousands of kilometers away. Will you do it for me? I just wanted to have comments on my site...
Not all websites are run by huge companies. Actually, most are not.
It's not startups you should be worried about as finding data for them is difficult unless they already have a widely used product, use open data or have a partner.
The real ones to be worried about are the usual 'do no evil' suspects. They already have all the data.
Google will have no problem complying with this request. They already have the systems in place to do so without much effort. Many people have already requested data from Google.
Small companies dealing with their first request likely have (at best) a manual process that will take many hours of someone's time to process.
Whilst their processes might be superior (although that's debatable), they very much aren't up to speed with GDPR: https://www.bbc.co.uk/news/technology-46944696 (even if the fine is small fry to them and it's financially more attractive to flout the rules).
That's a completely different issue from their ability to respond to data requests like the one linked. I'd assume the incremental cost for Google to send you the data it has on you is close to zero.
[1] https://news.ycombinator.com/item?id=20009017