by Mirioron 2420 days ago
You're right, but they probably can't afford to do it right. And since enforcement on this is lackluster it makes sense for the companies to just ignore it altogether, because if they get caught then it probably doesn't really matter if they took some steps to help privacy or none at all.

I think there should be some exceptions to it for small companies based on the impact of the PII. E.g. if the company handles email addresses or first names then that should be far less strict than if a company handles medical information, home addresses or credit card information.

On the other side, we should have audits in companies to see how the personal data is handled. Particularly in ones that deal with sensitive information.


> can't afford to do it right

The simplest way to comply is to not obtain and store personally identifiable information at all. Luckily this is also the cheapest. So I don't really buy that you "can't afford to do it right".

If you want to obtain and store personally identifiable information, then you have to manage it properly, just like selling food, medicine, financial services etc. needs to follow certain regulations.

Note that all the competitors in the space will have to follow the same regulation, so it is not like it puts you at a disadvantage.

I don't want to live in a world where inviting people over for dinner is practically illegal because of food safety regulations. And I don't want to live in a world where I'm not allowed to write down my friends' birthdays and phone numbers.

I'm not sure if we have passed the line of too many regulations, but I know it's out there.

The EU even considers an IP address as personally identifiable information...

If you remove "IP" and it still seems like a bad idea... I just don't understand what your problem is.

Of course.

> they probably can't afford to do it right

Two things occur to me here.

1) it's a cost of doing business. Costs of doing business change over time. Step changes as a result of regulation are typically introduced with windows to allow businesses time to respond. If you can't reasonably cover the cost of the change then...capitalism. You will fail and someone else will succeed. No one is guaranteed a profit.

2) Sounds like a business opportunity? GDPR/Privacy as a Service. e.g. https://privaon.com/ (first search hit).

> there should be some exceptions to it for small companies

This would effectively become a get out of jail for companies that want to outsource their (lack of) privacy with sufficient arms-length plausible deniability.

>1) it's a cost of doing business. Costs of doing business change over time. Step changes as a result of regulation are typically introduced with windows to allow businesses time to respond. If you can't reasonably cover the cost of the change then...capitalism. You will fail and someone else will succeed. No one is guaranteed a profit.

Except that foreign companies won't have this same limitation. The end result is that all of your online services will be provided by foreign companies, which ironically is already the case in the EU.

A foreign company that's beyond the jurisdiction of the EU can abuse GDPR as much as they want. If they get caught then they'll just lose their business. The EU can't actually fine them, but that same company likely outcompeted EU companies for years.

>This would effectively become a get out of jail for companies that want to outsource their (lack of) privacy with sufficient arms-length plausible deniability.

They can do the same thing with foreign companies though. If you can set up a system where you would use your small companies to escape regulation, then the same can be done with companies run by foreigners.

>2) Sounds like a business opportunity? GDPR/Privacy as a Service. e.g. https://privaon.com/ (first search hit).

And said business opportunity is additional inefficiency on businesses in the EU that their global competitors don't have to follow.

You're getting downvoted because you're incorrect: it doesn't matter where a company is from, if they're conducting business with people in the EU, they're bound by it. Which is why several non-EU companies have paid fines and plenty are implementing GDPR-based privacy measures (and I speak from experience here).
Foreign companies paid fines because they still wish to operate in the EU. If they were willing to give up on that then they wouldn't have to pay anything. E.g. a Chinese company could collect and abuse as much data as they wanted. Once they get caught the EU can levy fines on them, but the company can just choose not to pay, because the EU can't reach into China.

The EU can't force a foreign company to pay, just like China can't force an American company to pay. Or am I mistaken and there's some international agreement that allows the EU to force them to pay up?

I recently did a stint as a contractor at one of Australia's "big 4" banks. I can assure you that they are so active in the privacy space, and foresee more and more GDPR-like regulations, that they've created their own privacy framework based on GDPR plus likely similar frameworks to come in other jurisdictions. It is one of the biggest funded projects in that bank (it helps that Australia recently had a negative spotlight on the banks' behaviour. Thanks Royal Commission!).

The point I'm trying to make is that if you have European customers, then the GDPR applies. Therefore, "foreign companies" competing for EU customers definitely do have this limitation. Fines have been issued for companies that don't comply, and the sizes vary immensely (e.g. over 200 million euro for British Airways down to 118 euros (not millions, 118) for the Data Protection Authority of Saarland).

http://enforcementtracker.com/

GDPR might apply and the EU can levy fines on foreign companies, but that doesn't mean that a foreign company has to pay like a European one. The EU can't force a Chinese company to pay if they are willing to give up their EU business. That's the problem - you can't enforce it where you have no legal jurisdiction.

Or do I have it wrong, and there is an enforcement mechanism that can make a Chinese company do things the EU says?