by shuntress 1781 days ago
I think the parent's point is that in a more well-functioning system Amazon would be given notice and time to rectify their presumably mistaken wrongdoing, which they would then appropriately rectify in good faith or to avoid penalties.

The parent is pointing out how the current system incentivizes "surprise" fines as an alternative to up-front tax and how this dynamic trends towards fines being seen as a simple cost-of-business rather than a true penalty/punishment.


Why are they '"surprise" fines'?

GDPR was published and companies had time to get ahead of it before it went into effect. There were special recital sessions where guidance was given for what parts of it meant. Many companies put into place a lot of changes to comply. Yes, parts of GDPR could be a little ambiguous, but as with every law, a company can be more or less conservative in making sure they're above reproach.

Why should violations be "presumably mistaken" if a company has a legal department and the resources to comply with the law? If the speed limit is posted, I don't expect a cop to give me a warning when I've exceeded it under the assumption that it was inadvertent, and give me a reasonable period to come into compliance.

> parts of GDPR could be a little ambiguous

This is a massive understatement. There are a lot of comments here by people who clearly want to like and support GDPR but have never actually tried to "comply" with it in a large business. GDPR is a textbook example of how not to write law (unless of course you're actually trying to create a despotic regime). It has so many problems when viewed from a law engineering perspective that it's really quite expected that a lot of companies will just give up, because the only plausible explanation for the way it's written is to be able to arbitrarily fine certain types of companies on demand.

1. Absolutely everything is maximally vague and subjective. Whoever wrote it never wanted to have to justify any decision made under its authority. Everything is defined with terms like "legitimate", "disproportionate", "significant", "likelihood", and the perennial favorite "reasonable effort". If you believe you have a legitimate need or made a reasonable effort and a regulator doesn't, or that your users are giving consent and then someone else claims it isn't explicit enough, who can say who's right? There are no standards on which to judge anything so it turns into a pure difference of arbitrary opinion. Merely being conservative is no use at all because you don't even have any idea, based on reading the law, whether what you're doing would be considered conservative or aggressively non-compliant. Nor does anyone else.

2. Compliance is basically impossible for any large institution. The EU Commission was itself non-compliant on the day GDPR came into effect, which was noticed immediately, and their response was that they had written themselves (and nobody else) an exception into the law so that they had more time to comply with it. When the government that writes a law acknowledges an inability to follow it by the deadline they set for everyone else, you know a law has problems.

3. Because the law is written so badly you can find plenty of people interpreting it in ways that would imply Amazon is doing nothing wrong, like this page [1] which purports to be busting GDPR myths and states that "processing is subject to stricter rules only if the profiling "produces legal effects" concerning the data subject or "similarly significantly affects" that individual. This will unlikely be the case for most advertising-related profiling and for the personalization of offerings".

4. GDPR theoretically requires every company in the world to comply, or does it? It's triggered by "offering" services to people in the EU, but what counts as "offering" is left undefined and, like everything else, could be interpreted in dozens of different ways. Is having a website sufficient? Nobody knows. Here's PriceWaterhouseCoopers' advice on GDPR compliance for Switzerland [2], which starts by saying "My company is only Swiss-based, does it have to comply with GDPR? Alas, there is no simple answer to this."

The fact that so many results when searching for GDPR are articles that claim to be debunking myths about it, and that so many such pages directly contradict each other, is indicative of the massive level of confusion this law has justifiably generated. It can be interpreted in any way any government wants to justify almost any level of fine imaginable, and governments are directly incentivized to do exactly that. Cynicism about GDPR and its motives will not go away by simply having lots of EU-loyal HN posters tell Americans that compliance is easy when it so obviously isn't.

[1] https://www.vischer.com/en/knowledge/blog/the-gdpr-and-switz...

[2] https://www.pwc.ch/en/insights/tax/gdpr-swiss-based-companie...

Yeah, that's not how GDPR is written: there's no provision for notices. That's the law, and it's available to everyone to read.

All of Amazon's competitors, including my employer, have spent a lot of money and energy to comply. Why Amazon decided to just ignore what everyone else knew was a big deal is beyond me.

> this dynamic trends towards fines being seen as a simple cost-of-business rather than a true penalty/punishment

I'm sure they ignored it because they thought they would make more money that way.

Edit: Also, to be clear, by "system" here I mean the overall environment not specifically the EU or the GDPR.