[friendzis]

GDPR core is pretty simple: You cannot do stuff (process, store, transfer to third parties) with PII unless X condition is met. An internet site, on first visit (being genuine first visit or just cookieless visit) cannot do things with PII, because there is just no way to even tell if X is met, therefore not only data storage (IP address in Apache access logs included) is illegal, but moreso transfer to third party via CDNs and what not.

GDPR is ugly. The only thing it allows you to do before you get confirmation to process PII is to show static page requesting for permissions. That's basically it. You can't do any "cloudy" stuff prior.

[iso1631]

Storing IP addresses for technical requirements is legal (for example you need to keep the IP address in memory because you have an open TCP session). Likewise a session cookie is fine too.

Keeping those IP logs for security reasons is also legal (assuming you keep them safe for an applicable amount of time)

Using that data for analysis is not legal.

[kuschku]

How is GDPR ugly? It's easy to build websites, even interactive ones, that comply.

If you build a mobile app, you are also supposed to only ask for permissions once you actually need them.

Replace interactive embeds with a dumb replacement of the actual content and e.g., "we want to show you an embedded tweet here, [allow once] [allow always]".

Don't use CDNs for delivering assets, they've long stopped being useful anyway.

Don't use Google Analytics.

In general, build websites like we used to in the early 2000s.

And yes, you can even do cloud-y stuff like that. You can run k8s on your hetzner dedicated servers, you can run MinIO as your s3 store, none of that is stopped at all by these rules.

You can even run an interactive website like HN without any GDPR violation or cookie prompts at all.

[indrora]

> only ask for permissions once you actually need them

Hard on Android, where "did my wifi go away" means asking "can I have access to your phone's internal state including call logs and if you're in a call right now?"

> replace interactive embeds with a dumb replacement

Sucks when you depend on that content or the content has to be interactive under the TOS of the service you're using.

> [CDNs have] stopped being useful

Not at all. In many a corporate network as well as situations where you're paying for transit (e.g. AWS) they still make sense.

> build websites like we used to in the early 2000s

Ah yes with Flash for our interactivity, __Just throw an executable format that has a hard to render, proprietary ISA running unsupervised__, that worked for us then it should work fine today?

I'd say "Let's build more websites like we did in 2010". That's right around when Javascript peaked.

> Minio

due to their licensing change, a lot of legal departments have banned minio.

[BlueTemplar]

But Android itself is also threatened... (Unless maybe if you're running a Google-free version of AOSP ?)

Google is clearly a company that is in dire straits in the EU, both from its business model that relies so much on tracking people across the Internet, and from its ties to the US intelligence agencies.

As for the apps available on Google Play...

https://9to5google.com/2018/12/31/android-apps-facebook/

https://www.cnet.com/tech/mobile/some-popular-android-apps-a...

[luckylion]

> Don't use CDNs for delivering assets, they've long stopped being useful anyway.

How do you handle large DDOS? Your provider won't, they'll nullroute your IP because they don't want to waste their bandwidth on your issues and impact all their other customers.

Also, using a global CDN with edge caching speeds up loading your site significantly if the user isn't close to the DC.

Regarding Hetzner: what's the verdict on them having to comply with the CLOUD Act via their US subsidiary?

[kuschku]

Of course my provider will handle large DDoSes, as long as they're not hundreds of Gbps large. In which case there's not much anyone can do, frankly.

Regarding edge caching speed: we're in an age where your phone executing the shitty bloated JS is the bottleneck, not actual latency.

[oytis]

So no embeds, no CDNs, no analytics, lots of popups asking for permissions and going back to 2000s (just with cookie banners) in general. Isn't that ugly?

[kuschku]

Of course you can have embeds. Just replace them with a blurhash and make them click to load.

That also avoids pretty much all of the popups.

Sure, no CDNs and no analytics, but that's what I'd call an absolute win. Nothing of value was lost.

[allisdust]

GDPR is simple. It's a mechanism to keep foreign tech companies out of EU while not explicitly banning them (as it would result in reciprocal measures) by increasing the cost of doing business in EU. For those that do go all the way and try to follow the laws, periodic flaws found in implementation (which are inevitable given how complex these laws) are penalised heavy enough to make them think twice. If this is not there, software companies in EU which aren't competitive in general will be steamrolled by companies from other countries (but primarily from USA).

China also does this to ensure home grown tech eco system while at least being more truthful about.

[dmitriid]

> GDPR is ugly. The only thing it allows you to do before you get confirmation to process PII is to show static page requesting for permissions. That's basically it. You can't do any "cloudy" stuff prior.

No, GDPR is not ugly. Yes, you can do "cloudy stuff".

The bullshit narratives around GDPR need to stop, however people driving the narrative are extremely incentivized to siphon and sell all the data they can get your data, so the narrative is always bullshit.

[throwaway13337]

You're just incorrect here.

Part of the GDPR does good things against bad actors like ad/tracking companies. But most of these companies are so big that it just works as a moat to keep out small competitors in that space.

The more widely-affecting thing that the GDPR is doing is to make it impossible to legitimately run a business like the one that the article is talking about. An online shop that uses shopify which uses a CDN. A small online shop using a CDN is who is actually hurt with GDPR.

[tpxl]

> But most of these companies are so big that it just works as a moat to keep out small competitors in that space.

Google is among the biggest and Google Analytics is getting absolutely shredded in the EU. How's that moat coming along?

[dmitriid]

> You're just incorrect here.

I was expecting you to show where I'm incorrect.

And yet, it's the same emotionally-charged "omg moat, large companies, impossible to run a business".

Which doesn't disprove what I say, but further supports my case: the bullshit narrative around GDPR persists even if it has literally no basis in reality.

> A small online shop using a CDN is who is actually hurt with GDPR.

Most CDNs have GDPR-compliant services in the EU. Those listed in the article literally have separate pages specifically addressing compliance with GDPR.

There are banks in the EU handling sensitive customer data which use the very same CDNs and services under significantly stricter laws than GDPR.

But sure. Tell me how it's impossible to legitimately run a small business that operates under significantly fewer obligations, and retains significantly less customer data.

[throwaway13337]

Oddly this argument feels familiar - like we've sparred in the past over GDPR on another hacker news article.

I won't continue this as it seems like it's more a flame war where no side can convince the other.

I'll say this, though: please imagine who I am who feels so passionately about this. Likely, I am a small business that has been affected personally by the GDPR though I am not in advertising or tracking. Maybe I'm just a small business owner trying to navigate the uncertain waters created by these rules. That's what brings out the passion.

I imagine you are someone who is passionate about privacy and against adtech. As am I. We're probably ideologically similar. So please try to square why someone who is ideologically similar has such a strange idea. It might be that I am misinformed but it might be that you don't have the same experience as me.

[tpxl]

> Likely, I am a small business that has been affected personally by the GDPR though I am not in advertising or tracking. Maybe I'm just a small business owner trying to navigate the uncertain waters created by these rules.

Hey, I was a small business owner and the GDPR was a complete non-issue. The website was hosted by a small service provider in my country. No CDN required (static files, not that much traffic).

If you're a small business owner you're either not affected by GDPR, or you're doing something shady.

[thirdsun]

> No CDN required (static files, not that much traffic).

Shops with actual traffic might need a CDN.

> If you're a small business owner you're either not affected by GDPR, or you're doing something shady.

Well, apparently I can't use Shopify despite having no interest in tracking, ads or any kind of analytics.

[dmitriid]

> Oddly this argument feels familiar - like we've sparred in the past over GDPR on another hacker news article.

It's possible. Because every GDPR discussion is this: emotionally charged "gdpr is the devil" sold to gullible devs by advertisement industry vs. attempt to disprove at least the obvious lies.

> please imagine who I am who feels so passionately about this.

The less we imagine and the more we deal with facts, the better we, and the world we build, will be.

So let's reiterate facts vs imagination in my original reply:

- "GDPR is ugly."

It's an emotionally charged subjective statement. However, GDPR is no uglyt. As far as laws surrounding complex topics go, it's absolutely definitely emphatically not ugly.

- "The only thing it allows you to do before you get confirmation to process PII is to show static page requesting for permissions. That's basically it. You can't do any "cloudy" stuff prior."

This is 100% unadulterated lie.

The problem though, people keep mixing emotionally charged statements with lies and half-truths, and you get "GDPR is the devil" in the majority of HN comments.

[mattmcknight]

> Tell me how it's impossible to legitimately run a small business that operates under significantly fewer obligations

You make a strawman here, as that was not what was claimed is impossible. Tell us how it is possible to use Shopify to run a small shop in Germany.

[dmitriid]

> You make a strawman here, as that was not what was claimed is impossible. Tell us how it is possible to use Shopify

See this comment on who is responsible for user data and how it's relevant when chosing third parties for your business https://news.ycombinator.com/item?id=33566437

[tpxl]

> Most CDNs have GDPR-compliant services in the EU.

How can a US company have a GDPR compliant service in the EU? The US government can force them to give up any data they own, which isn't compliant.

[dmitriid]

When there's a will, there's a way.

Also, https://news.ycombinator.com/item?id=33566243

[tpxl]

I'm sorry, I don't understand your point.

[scarface74]

It’s a 99 section 11 chapter monstrosity. It is ugly.

[dmitriid]

It's a law that deals with privacy of data both online and offline. As a result it's only 11 chapters written in a surprisingly simple language.

As laws go, it's fine.

[scarface74]

Yet the author of the submission had a hard time deciphering how to follow it…

[dmitriid]

The author of the submission? Or the person claiming it's ugly?

"Human activity is a complex thing and no law can describe it with 100% accuracy, news at 11".

I doubt anyone arguing against GDPR read it. Or read recitals. Or read even high-level descriptions of the law, say, at gdpr.eu. Or read any laws in general, to compare.

[scarface74]

We can all see the results of it. It made the web experience worse for everyone and it’s so complicated it solidified the power of the few companies that either can comply with it or afford to ignore it and deal with the slap on the wrist.

Thought experiment: why didn’t any major ad tech company announce any harmful affects of the 99 section GDPR. But they did announce billions in revenues shortfall (ie Meta) when Apple made tracking opt in by one three line dialog box?