by cbeach 1173 days ago
I had a couple of personal projects with a few hundred users. Both could have become startups, but I shut them both down because of GDPR. The definition of the law is complex. I wasn’t doing anything underhand, but I don’t have the legal expertise to ensure I am 100% compliant with all parts of the law, and I don’t have the resources to hire lawyers. I cannot afford the punitive fines, and I have to consider the financial safety of my family. GDPR presents an unacceptable risk to me.

Yours is exactly the kind of scenario I find very interesting and will evaluate in my research. While it's important to protect individual right to privacy, it's also very important for the EU to make entrepreneurship as approachable as possible to truly boost economic growth.

Thanks for sharing your thoughts!

> While it's important to protect individual right to privacy, it's also very important for the EU to make entrepreneurship as approachable as possible to truly boost economic growth.

I'm sorry to break it to you, but the EU doesn't care about entrepreneurship and small businesses. Anything EU politicians and representatives like to say to the contrary is mere lip service. By and large, the EU is an environment that's hostile towards entrepreneurship.

Not sure if there is some overarching hostility I just haven't seen, but there are so many startups, especially tech startups, where I live in the EU. I hear of someone I know starting their own studio or other business very regularly, and there is very much a general "vibe" of entrepreneurship in the cities I've lived in. Luckily this hostile environment doesn't seem to be much of a deterrent around here at least.

> The definition of the law is complex

I don’t understand that sentiment. The text is almost self-contained and easy to read relative to lots of other legal things such as tax laws that you have to know if you start a business.

The GDPR basically boils down to “guard your user’s data, keep only what you need, and tell them what you do with it”.

For the typical “we keep user email addresses so that we can send them bills and credit card info so that we can charge them” use case it’s not hard to comply with the GDPR.

And, nitpick: the GDPR is not a law.

> "The GDPR basically boils down to..."

It's easy as a casual observer to opine on what a law "boils down to," but take my word for it, the stakes are higher as the person legally obliged to interpret and implement -every single letter- of the law in their own business.

GDPR fines are measured in millions of Euros. I'm just an ordinary guy with a family to feed.

> The GDPR basically boils down to “guard your user’s data, keep only what you need, and tell them what you do with it”.

That's how GDPR is commonly advertised, but for those who actually have to implement it, i.e. small to medium-sized businesses (large companies basically go scot-free, because a. they can afford legal departments to deal with GDPR how they see fit and b. local authorities can't be arsed to investigate the privacy violations routinely committed by companies such as Facebook or Google), the picture is much more complex, to the extent GDPR becomes an existential risk even to ordinary businesses that don't do anything unexpected or untoward with their users' data, for instance:

- In certain larger EU countries you're not even allowed to record a website visitor's IP address (because some court has decided those count as PII) and consequently have to jump through a ridiculous amount of hoops to make sure it isn't.

- You have to make sure that any service provider you're working with complies with GDPR.

- Currently, due to an ECJ case ruling informally known as Schrems II (https://www.gdprsummary.com/schrems-ii/ ), you're not allowed to store any user data with a company affiliated with a US company in any way, which boils down to virtually every business and the economy as a whole being in violation of GDPR.

Now, it's often argued that the EU and GDPR aren't to blame for this because it's the US CLOUD Act that created this issue. Technically, this is true and the CLOUD Act indeed is hugely problematic, to say the least.

However, the problem remains and it's on the EU to negotiate an agreement with the US that allows companies to legally do business in the real world (as opposed to an ideal world according to GDPR) again.

> In certain larger EU countries you're not even allowed to record a website visitor's IP address (because some court has decided those count as PII)

You’re not allowed to do that without reason. If you have a reason, and tell your users, there’s nothing wrong with it.

Some anecdata that proves that:

https://gdpr.eu/privacy-policy/:

“IP and browser user agent string: this data is collected when you leave a comment.”

https://commission.europa.eu/privacy-policy-websites-managed...:

“In addition, IP addresses and device IDs might be saved for one year in the log files of the Directorate-General for Informatics operational environment for security or other purposes (see DPR-EC-02886 DIGIT IT security operations and services for more information).”

> If you have a reason, and tell your users, there’s nothing wrong with it.

That's still for the courts to decide. Specifically, the German federal court for example didn't define what constitutes a legitimate reason for storing IP addresses.

This is precisely the problem with GDPR: While maybe well-intentioned, that regulation has been kept intentionally vague, which has local authorities interpret the rules how they see fit (or how it suits their purpose), since there's no clearly defined ruleset to depend upon.

> "for security or other purposes"

"other purposes" is about as vague as it gets. According to GDPR, a legitimate interest has to be specific and the specific reason that constitutes such an interest has to be communicated to the user.

This is not surprising at all. The EU itself is hilariously non-compliant with GDPR. After all, why would they comply with GDPR? Public authorities are largely exempt from GDPR anyway.

What do you mean by "the GDPR is not a law"? That statement is simply not correct.

He means that due to the inanity of the EU the GDPR is a directive to the actual countries to pass a law (or laws) that match or exceed it.

But that's not true. The GDPR is enforceable as law in each member country.

Really? I guess we're both wrong.

Yup. The GDPR is literally a regulation, not a directive. A directive is implemented into national law while a regulation is enforced as is and supersedes national legislation.