[pclmulqdq]

The European crowd on HN in general is very much in favor of big government. I assume GDPR is very popular here despite making software development a huge pain, for example. Americans on HN (and ironically a lot of Germans on here) seem to be much more libertarian in their sensibility.

[thiht]

You guys are unbelievable. Of course GDPR makes some things harder. It’s the whole point. GDPR is probably one of the biggest pro-freedom laws of the last years. Not big corp freedom for sure, but people freedom, and that’s GOOD. But Americans with their skewed vision of freedom just can’t see it I guess.

Honestly if GDPR pisses off Americans, it probably means it hit on the nail.

[pclmulqdq]

We just define freedom differently than you do. I honestly think your version is weird and totalitarian, exactly the way you think mine is.

Here's mine: "Freedom" is what you have in the absence of coercion. The freest state of being is being the last person alive on Earth. Freedom gives you nothing, because if freedom gave you something then someone else would have been coerced into giving it to you. Freedom also gives you the chance to do everything you need to do to survive and thrive.

In a society, we necessarily give up some freedom because my freedom to have stuff is threatened by your freedom to take it when I'm not looking (you would not have had that freedom in isolation). In more recent times, we have started to give up freedom in exchange for security, too, and everyone thinks that is worthwhile, although we disagree on how far you should go. The US military budget and all the government healthcare programs in the world are this kind of trade.

That's what GDPR is: it's a trade of freedom for the security of European sovereignty and European business (notice how I didn't mention privacy or user security). It's not about the "little guy" vs the "big corporations," the big corporations have plenty of money and lawyers they can use to comply. The people that all of these laws hit are the startups and small companies. This philosophy is why there are no European unicorns. Europe as a whole has given up the freedom to "start up" without compliance with a huge number of rules and regulations (or money to pay bribes). Uniquely, GDPR goes a step further and tries to impose this burden on everyone in the world, not just people and companies that have signed up for the European project.

In the European worldview, there seem to be a lot of "rights" exemplified by the UN human rights charter. These include things that nobody had 25 years ago, like "the right to high-speed internet." These "rights" and "freedoms" really aren't freedom: someone has to pay to provide them at the end of the day. For those of us across the pond, these are weird trades: you voluntarily pay incredibly high tax rates and huge administrative burdens for these supposed "rights," some of which look like luxuries to us, and feel as though they don't make you any less free.

[thiht]

> Uniquely, GDPR goes a step further and tries to impose this burden on everyone in the world, not just people and companies that have signed up for the European project.

This is precious! The US has imposed their views on the internet for the past 30 years. How is GDPR unique? The difference is once again that GDPR is favorable to EU citizens (because yeah, GDPR only applies to EU citizens) and your laws (Cloud Act, DMCA, and basically all your copyright laws that stole us our fair use rights and allow for tech behemoths to grow and exist) just favor big companies, and only them. Don’t confuse freedom and extreme liberalism.

> Europe as a whole has given up the freedom to "start up" without compliance with a huge number of rules and regulations

Yes. This is a good thing. The end doesn’t justify the means. We still have unicorns and well doing companies.

> notice how I didn't mention privacy or user security).

Well, your mistake.

[pclmulqdq]

In the case of the cudgel that is the GDPR, distinct from EVERY other data governance rule, there are two unique things:

1. It applies to everyone, with no thought of company residency or size.

2. It applies to all forms of "personal information" and "processing," defined ridiculously broadly.

This means that the following things are technically illegal by the text of the law:

* Storing the email address of an EU-based customer of your consulting shop on a private server not in the EU, and (God forbid) using it to send a sales email to that person.

* Storing the IP address of an abusive user of a SaaS website (in order to block them) if that user happens to be in the EU and your server is not.

Should these be illegal?

[hypertele-Xii]

Yes, of course they should be illegal. Why should US companies have the right to harvest our private information for profit and cause damage by mishandling it without oversight?

[pclmulqdq]

So sending a single email to a single EU customer from a non-EU server amounts to "harvesting your private information for profit" and merits a $20 million fine?

I have no problem with the GDPR that you wish you had, by the way. My problem is with the one that exists. It neither stops the wholesale harvesting of information nor actually benefits privacy.

[rahen]

Not all Europeans thank goodness. Switzerland and Germany are usually careful with big government. Even France was the birthplace of libertarianism and has a healthy ancap scene. I only wish they weren't so quiet, because so many people give up their power to the state here.

[ls15]

GDPR - great

Digital Services Act - great

Chat control and all the other pushes for increased surveillance - terrible, don't these guys know history?

There is no need to applaud/reject them all.

> I assume GDPR is very popular here despite making software development a huge pain

If it creates a huge pain, then the data probably wasn't handled in a respectful way in the first place.

[pclmulqdq]

What's respectful about presenting you with a wall of text T&C document, giving you a checkbox to indicate you read it, and mining the crap out of your data on a server located in Europe? GDPR allows that - in fact, it assumes that you will want to mine the crap out of user data and specifies where.

GDPR has a few good ideas about encrypting data buried in its ~170 articles, but most companies were doing that already because data breaches are expensive.

The rest of GDPR is about (essentially) trade protectionism: they want you using European servers to store and process data. They want that data in easy reach of other EU laws and enforcement agencies.

[ls15]

Other websites like Github decided to comply in a way that does not require cookie banners. I think that the users appreciate it.

[pclmulqdq]

There are a lot of other clauses than just the cookie banners. In fact, the cookie banners are far from the most annoying part if you want to be compliant.

I would go so far as to say that most startups which don't do 100% of their compute within European borders are likely non-compliant with GDPR by the law as written.

Edit: To be clear, I would have no problem with the level of trade protectionism if it only applied to companies that do $X million of business in the EU. That's how every other data residency law is set up. If you want to force series E+ companies through weird hurdles, have fun.

[xxs]

>I would go so far as to say that most startups which don't do 100% of their compute within European borders are likely non-compliant with GDPR by the law as written.

What personal data do the startups require that's hard to rein?

[xxs]

GDPR is actually pretty damn decent to deal with. Saying that while the company has legal obligations to retain a lot of personal data - anonymize, encrypt, report (AML being a part, too), forget (incl. personal encryption keys) and what not.

So definitely - not pain.