Hacker News
by qwsxyh 2584 days ago
That's because on HN there are five general types of people against the GDPR:

1) People who think any sort of government regulation is pure evil

2) People who read the opinions of the first group and assume that because it was said on HN it's correct

3) Adtech startup devs

4) People who really hate not being able to hoard personal data for no reason

5) People who think money is significantly more important than privacy


No, it’s because we are working at companies that implement this and understand that it creates a large compliance moat for Google and Facebook. If it had proper carveouts for small business then it would be more positive. But the EU wants to put its hands over its ears and pretend they don’t exist.

There is a difference between a 5-person biz like Bear Notes, who would be totally cool with deleting your login info on request / sending whatever small amount of data they have on you, and what they actually have to do to be properly compliant with GDPR. They are probably not, and they, like many small EU software businesses, are a liability waiting to happen.

What kinds of carveouts are you proposing? Should small companies be allowed to abuse personal data however they want?

I would exempt small businesses from GDPR requirements outright unless the business model is a surveillance capitalism one. Like small adtech startups.

Defining a surveillance capitalist company without BS is difficult though, so in the end I would probably just wholesale exempt private small businesses that are not subsidiaries of larger ones. The small businesses would need to be at arm's length from larger ones too.

A lot of the danger of surveillance capitalism comes from concentrated power, and many small businesses are by definition the opposite of that.

Small companies can sell their data. Almost all of the data collected by all those small companies mentioned in those GDPR popups will end up in the hands of a few large entities.

The data is the same, regardless of who collects it. Leaking it is equally dangerous.

GDPR does make exceptions for companies with fewer than 250 employees. https://gdpr.algolia.com/gdpr-article-30#section-15

Also this kind of legal DOS is almost definitely against the spirit of the law and I’d be surprised to see any real company use significant resources to respond.

That's one small exception to one small part of the compliance burden, though.

Small businesses are still, for example, subject to abusive SARs of the kind used for illustration here. They're still required to write documentation like privacy policies according to the new standards. And unlike large organisations, where there is the 4% cap on fines, a small organisation faces an existential threat if regulators decide to impose heavy fines, which they have considerable powers to do.

5) People like myself who are annoyed that people think GDPR is enforceable against non-EU entities.

It's not... You cannot enforce GDPR on any person / company who doesn't have a presence in the EU.

That annoys me, because _although I'm willing and do comply_ many people reach out to me regarding their personal data with a lot of arrogance. However, my company isn't based in the EU and I don't have to comply (which I cleared with a lawyer already). The manner of their approach makes me not want to comply.

I understand your problem with arrogance, but as long as you service users in the EU you are still liable. There are legal ways they can get to you, and at best you may avoid fines but be banned from offering your service to EU citizens. Of course that's an option you already have, i.e. stop servicing the EU.

> as long as you service users in EU you are still liable.

Not true. I am not required to not offer to EU citizens. They simply can choose to visit my U.S. servers and use U.S. dollars.

Laws aren't global. Laws are based on jurisdiction. The EU doesn't have said jurisdiction unless I am hosting services or have a presence in the EU. Customers from the EU effectively travel to the U.S. (via the internet) to get to said service. If the U.S. forced us to follow EU laws, then sure. However, that's not the case today.

You can think of it as: if I call a vendor in China to purchase some widgets, the vendor in China is not required to validate that I'm following the laws of my land - that's my job. The Chinese vendor just needs to make sure they are following China's laws.

Laws are not global, but the US has agreements with the EU about personal data.

Read this article for more details http://www.mjilonline.org/fines-under-eu-gdpr-in-non-eu-juri...

I've seen comments on the GDPR topic here where arrogant posters complained of sites that just banned EU visitors rather than take on the increased resource burden.