by JCWasmx86 1036 days ago
No, you just have to follow the regulations. It's no "war on US companies" or anything like that. They wrote some good law (albeit with a few weaknesses), and enforce it now. And if you want to do business in the EU, you have to follow it.

I would say it's more a problem of the US companies, if they can't do business without violating EU regulations.


If we're being a bit generous, it's easier for the EU to make these rules because they have very little impact on its own companies. The majority of the large companies being impacted by these laws are US based.

Similarly, you could argue that the companies are US based simply because the US has pretty terrible privacy rules, which makes it easy for them to get started with a fair amount of users/targets.

> you could argue that the companies are US based, simply because the US have pretty terrible privacy rules

I do argue this. The state of privacy rules in the US is abominable.

Have you read how vague the laws are? It's all designed to extract fines from US companies.
No. It's all designed against the predators that modern companies have become.
The TL;DR of GDPR is "just don't track your users without their consent". Why is that difficult for US corporations to follow? Even the '90s web was by default GDPR compliant.
Yes, the huge and profitable 90s web.
"Won't someone please think of the big-tech ad profits?" - You

Why should the web's profitability or lack thereof, be my problem as a user? That the SV elite can't buy platinum plating on their yachts? Are they sharing that wealth with me? Then, good riddance! My privacy is more important than your wealth.

There have been profitable SW companies and careers before user tracking became the norm. Remember when Windows came without any ads and blogs and forums had generic non-targeted ads?

Same as how the big tobacco industry got kneecapped for our own health and the greater good, a similar tech industry correction is long overdue. Is this the world you want for your kids?

Plenty of people were making money off the internet in the 90s.
I've implemented GDPR. It's much more than that.
Don’t set cookies. Don’t capture Personal data. You’re 90% there.
Oh, no, there's more.

You must list all kinds of data processing you perform, find the appropriate legal basis (and data retention duration, etc.), make sure you only gather data you need (data minimization), know to whom you transfer data, make your services secure by default, monitor for unauthorized access, and tell affected people when there is a breach. Perhaps make a risk assessment, but it depends on the processing you do.

Yes, it's work. But quite frankly, I'm cool with a law that expects anyone who processes personal data to secure their service, to properly inform people, and holds them accountable.

So you are choosing to capture personal data.
Spoken like a person who never even touched it even on a small project.

No cookies... so no language preferences. That is a profile cookie.

Right to erasure. What about invoices and orders? When can it be anonymous, and when is it old enough to anonymize?

Do I get away with replacing personal data with random data? Do I replace references to real people with 'anonymous person'? Will my SQL constraints still work?

When I restore data from backup and someone has been anonymized in the meantime, what mechanism will be used to anonymize the user after restore?

Right to data portability. How much of the database and in what format?

> Spoken like a person who never even touched it even on a small project.

You can find guidance or good advice online for all of your questions.

> No cookies... so no language preferences. That is a profile cookie.

This is one of the examples of “strictly necessary” cookies, which do not require consent. See section 3.6 here: https://ec.europa.eu/justice/article-29/documentation/opinio...

> Right to erasure. What about invoices and orders? When can it be anonymous and when is it old enough to anonymize.

Invoices should typically fall under the "legal obligation" legal basis (Article 6(1)(c)). See for how long the law requires you to keep them. In my country, it's 10 years.

>Do I get away with replacing personal data random data?

Yes, see WP216.

>Do I replace references to real people with 'anonymous person'? Will my sql constraints still work?

What do you do when someone deletes their account?

>When I restore data from backup and someone has been anonymized in the meantime, what mechanism will be used to anonymize the user after restore?

It's up to you to decide.

>Right to data portability. How much of the database and in what format?

The same as for a DSAR. As for the format, it's up to you to decide, provided it is a commonly used format.
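The questions above about invoices that must outlive the user, SQL constraints after anonymization, and re-applying an erasure after a backup restore are engineering problems as much as legal ones. The following is an added example, not code from either commenter: a constructed SQLite schema (users, invoices) in which "erasure" overwrites the PII in place instead of deleting the row, so the invoice foreign key and the UNIQUE email constraint keep holding; an erasure ledger kept outside the backed-up database is replayed after a restore, and a small DSAR/portability export returns everything held about one person as JSON. Table names, column names, the placeholder values and the ledger design are assumptions for illustration, not requirements of the regulation.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Constructed toy schema: users carry PII, invoices must outlive the user
# because of the retention obligation (Article 6(1)(c)) discussed above.
SCHEMA = """
CREATE TABLE users (
    id     INTEGER PRIMARY KEY,
    email  TEXT NOT NULL UNIQUE,
    name   TEXT NOT NULL,
    lang   TEXT NOT NULL DEFAULT 'en',
    erased INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE invoices (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE RESTRICT,
    cents   INTEGER NOT NULL,
    issued  TEXT NOT NULL
);
"""

# Constructed sample rows (not real people).
SAMPLE_USERS = [(1, "alice@example.com", "Alice Example", "de"),
                (2, "bob@example.com", "Bob Example", "en")]
SAMPLE_INVOICES = [(10, 1, 1999, "2023-01-05"),
                   (11, 1, 500, "2023-02-01"),
                   (12, 2, 4200, "2023-02-03")]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite does not enforce FKs by default
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, 0)", SAMPLE_USERS)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", SAMPLE_INVOICES)
    conn.commit()
    return conn


def _scrub(conn: sqlite3.Connection, user_id: int) -> int:
    """Overwrite PII in place. The row stays so invoices.user_id remains valid;
    the placeholder email is derived from the id so UNIQUE still holds.
    Returns the number of rows changed (0 if already erased or unknown)."""
    cur = conn.execute(
        "UPDATE users SET email = ?, name = 'erased user', lang = 'en', erased = 1 "
        "WHERE id = ? AND erased = 0",
        (f"erased-{user_id}@invalid", user_id))
    conn.commit()
    return cur.rowcount


def erase_user(conn: sqlite3.Connection, user_id: int, ledger: list) -> bool:
    """Right to erasure. Besides scrubbing the row, record the request in a
    ledger kept outside the database that gets backed up (assumed design), so
    a later restore can be brought back into line by replay_erasures()."""
    changed = _scrub(conn, user_id) == 1
    if changed:
        ledger.append({"user_id": user_id,
                       "erased_at": datetime.now(timezone.utc).isoformat()})
    return changed


def replay_erasures(conn: sqlite3.Connection, ledger: list) -> int:
    """After restoring a backup taken before some erasures, apply them again.
    Idempotent: rows already marked erased are skipped."""
    return sum(_scrub(conn, entry["user_id"]) for entry in ledger)


def export_user(conn: sqlite3.Connection, user_id: int) -> str:
    """Data portability / DSAR: everything held about one person, as JSON."""
    cur = conn.cursor()
    cur.row_factory = sqlite3.Row
    user = cur.execute("SELECT id, email, name, lang FROM users WHERE id = ?",
                       (user_id,)).fetchone()
    invoices = cur.execute("SELECT id, cents, issued FROM invoices WHERE user_id = ?",
                           (user_id,)).fetchall()
    return json.dumps({"user": dict(user), "invoices": [dict(r) for r in invoices]},
                      indent=2)


def demo() -> dict:
    """Walk through: erase -> refused DELETE -> restore old backup -> replay ledger."""
    conn = open_db()
    ledger: list = []
    backup = sqlite3.connect(":memory:")
    conn.backup(backup)                      # nightly backup, taken before the erasure
    erase_user(conn, 1, ledger)
    try:                                     # a hard DELETE is refused: invoices point at the row
        conn.execute("DELETE FROM users WHERE id = 1")
        delete_refused = False
    except sqlite3.IntegrityError:
        delete_refused = True
    restored = sqlite3.connect(":memory:")   # disaster recovery: restore the old backup...
    backup.backup(restored)
    restored.execute("PRAGMA foreign_keys = ON")
    name_before = restored.execute("SELECT name FROM users WHERE id = 1").fetchone()[0]
    redone = replay_erasures(restored, ledger)   # ...and replay the erasure ledger over it
    return {"db": restored, "ledger": ledger, "delete_refused": delete_refused,
            "name_before_replay": name_before, "redone": redone}


if __name__ == "__main__":
    result = demo()
    print(result["name_before_replay"], "->", result["redone"], "erasure(s) replayed")
    print(export_user(result["db"], 2))
```

The point of the ledger is that it is not part of the database snapshot: a restore silently resurrects the PII of everyone erased since the backup was taken, so the erasure requests themselves have to be stored somewhere that survives the restore and be replayed as a routine step of recovery. Keeping the scrub idempotent (the `erased = 0` guard) is what makes that replay safe to run every time.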

I've also implemented GDPR. Of course it's complex; it's a continent-wide law, how could it not be complicated?

But I still think that "don't track your users without their informed consent" is a good summary of the intention of the law.

And I would also say that it's only really complex to implement if you were already tracking your users and now you need to change everything. If you weren't doing that, you'd probably find it remarkably easy to implement.

How so?