Not necessarily. Even if you comply with the law, doing so and demonstrating that you're complying costs money. This cost doesn't scale much with usage (it's not O(1), but probably closer to O(log(n)) than to O(n)), i.e. it costs the big players much less in terms of "percentage of revenue".
Is it? Really? It’s only when you get to data centre scale that this kind of policy becomes harder to implement... sure even when I create storage instances “in the cloud” I can say where I want the data located.
And you won't have to build one storage instance for the US, one for the EU, one for China, and one for every single country that decides that its privacy regulations are superior to other countries'...?
Facebook can have a pretty big team to engineer that kind of infrastructure, while the startup won't have that luxury. It's even worse when you need to go through a lawyer to make sure every single regulation is followed to the letter.
So what? Like I said, it’s literally zero hassle to create new instances. What makes you think you’re entitled to mix all your users into one database anyway? If you’ve a hundred users in one country it’s worth your while having an instance just for them.
Lawyers will oversubscribe for everything; it is up to you to familiarise yourself with the legal aspects and get your engineers to design within these constraints. You didn’t think engineering was just programming, did you?
And you still fail to see how all of this makes this much easier to apply for Facebook than any startup?
> If you’ve a hundred users in one country it’s worth your while having an instance just for them.
What? No. We are on the web, you forgot that what made Facebook a billion dollar industry was that they could get pennies out of billions of users every month?
If you can get hundreds of paying users, sure, but then to me that has nothing to do with the web, that's simply selling a product. The web is more than selling, it's about allowing access, which sadly, is more than selling.
Startups aren't going to be targeted for regulatory action unless they are doing something particularly egregious. If you look at what other companies in the industry are doing and do something no worse than what the average company is doing, then you're going to be fine.
Facebook is a juicy enough target that they need to worry about regulations even if they are doing exactly what every other company in the industry is doing.
A lot of bushy-tailed entrepreneurs don't realize that you don't need to give one flying fuck about compliance until you're in the billion dollar valuation territory.
Semi true. Most GDPR regulators are extremely understaffed, and so they only act reactively, when either a company's practices become part of a large public debate or when there is a complaint filed.
It is logistically impossible for them to go and proactively inspect other cases.