[tw04]

When a law is “vague” in that it intentionally tries to be overly broad in protecting the average citizen from corporations, that’s a good thing. GDPR is very much meant to scare the facebooks of the world whose default modus operandi is: your privacy means nothing, I have a revenue number to hit and I don’t care if it ruins your life in the future.

I WANT it to be difficult for AI companies to steal other people’s hard work just like I WANT Facebook to have to spend millions of dollars on lawyers to make sure whatever data they’re collecting and sharing about me doesn’t violate my rights.

[miohtama]

The problem is that the GDPR has been largely a failure protecting citizens from corporations, but it has hurt everyone else.

- Nothing has changed in Facebook and Google data collection practices, who with other bug corps account for > 90% of data collection

- Many mid tier competitors lost market share, focusing power to Google

- EU small software companies pay estimated extra 400 EUR/year to satisfy GDPR compliance with little tangible benefits to the EU citizens.

It's called unintended consequences. We all want Zuckerberg to collect less data, but how GDPR was implemented is that it mostly hurt small businesses disproportionately. E.g. you now need to hire a lawyer to analyse if you can collect an IP address and for what purposes, as discussed here.

[verzali]

I will be honest, I am always very skeptical of these claims that the big tech companies are fine but small business is hurting. Many of them seem to originate with the big tech companies themselves and I highly doubt they really have the interests of small business in mind. Plus, I'm old enough to remember when everyone claimed EU tech law was about to ban memes, which didn't happen...

[miohtama]

Here

> The main burden falls on SMEs, which experienced an average decline in profits of 8.5 percent. In the IT sector, profits of small firms fell by 12.5 percent on average. Large firms, too, are affected, with profits declining by 7.9 percent on average. Curiously, large firms in the IT sector saw the smallest decline in profits, of “only” 4.6 percent. Specifically, the authors find “no significant impacts on large tech companies, like Facebook, Apple and Google, on either profits or sales,” putting to bed the myth that U.S. technology firms are the enemy of regulation because it hits their bottom lines.

https://datainnovation.org/2022/04/a-new-study-lays-bare-the...

[huijzer]

That is typically the problem with regulations. It’s usually easier for large companies to comply. It’s called regulatory caption.

[_joel]

> It’s called regulatory caption.

Regulatory Capture, no?

[bigfudge]

that's right, although that isn't quite the same concept. Regulatory capture implies the large companies have helped draft the regulations to their own advantage (and SME's disadvantage in this case).

[xp84]

You can be skeptical but I’ve worked at multiple small businesses since GDPR and CCPA came to be, and each of them has zero interest in “selling your data” - everyone just wants to run ads and track which ones work. And yet complying with GDPR has been onerous and costly in every one of them. And did nothing to benefit our customers or website visitors. The only winners are the lawyers and firms that specialize in selling “compliance as a service” basically.

[metalman]

zackly right. two words ,in this case "unacceptable risk", which is absolutely impossible to define, so then, ha ha!, there needs to be deciders, whole heaping flocks of deciders, who them imediatly throw up a paper screen of "privacy concerns", and with luck the holey grail of beurocrats "national security" and then they can get to work destroying there budget, so they can seek further grants, and invent internal auditing procedures that have ancient bizantines crawling from there graves to see such wonders. smaller sub beurocracys can be built on one word, such as "saftey", and of course there is no upper limit, but two well placed words, and zam!, your in!

[raron]

The ever biggest GDPR fine was against Facebook, and it was less than 0.3% of their revenue. That is just a let us ignore GDPR tax. I don't know about small businesses, but big tech from US is fine.

> I'm old enough to remember when everyone claimed EU tech law was about to ban memes, which didn't happen...

AFAIK those parts of that law was changed somewhat

[giancarlostoro]

We saw a bunch of small side project type of sites from the EU close down all over HN after GDPR became a thing. The risk for someone small is too high. The minimum fines are in the millions.

[jimmaswell]

Something has gone horribly wrong with your governance when you can 1. get fined a million euro under GDPR and 2. arrested for hate crimes, for 1. hosting a default Apache server with logs and 2. putting a joke video of your dog doing a "Hitler salute" on it.

[giancarlostoro]

Hey, Count Dankula is funny, maybe its not for everyone, but he really should not have been arrested for what his dog did. His youtube has really fascinating content on it.

[cccbbbaaa]

No, the minimum fines are in the hundreds, and that’s on the unlikely event where you actually get a fine. Fines over a million are definitely not the norm. See GDPR article 83 and https://www.enforcementtracker.com/

[guappa]

[citazione necessaria]

[guappa]

> EU small software companies pay estimated extra 400 EUR/year

[citation needed]

[tw04]

> The problem is that the GDPR has been largely a failure protecting citizens from corporations, but it has hurt everyone else.

This is just laughably incorrect. Literally every Fortune 500 that I work with who has operations in Europe has an entire team that owns GDPR compliance. It is one of the most successful projects to curtail businesses treating private data like poker chips since HIPAA.

[mavhc]

Is their job to reduce private data to the minimum needed, or the maximum allowed?

[raron]

Probably to find loopholes and questionable interpretations.

[red_phone]

Would you consider GDPR a failure if businesses collected the maximum allowed under the law?

[47282847]

A requirement to minimize data collection is part of it.

[raron]

It would really hard to believe that Google and Facebook do comply with the (spirit of the) GDPR and deletes all personal data when it is no longer necessary. That would simply go against their business model.

Anyways, GDPR doesn't protect your data, it just specifies how companies can use it. So all my name, address, phone number, etc. will still be stored by every webshop for 10 years or so just waiting to be breached (because some tax laws).

[fxtentacle]

"Nothing has changed in Facebook and Google data collection practices"

https://noyb.eu/en

Facebook and Google got sued, paid fines, and changed their behavior. I can do an easy export of all of my FB and G data, thanks to the GDPR.

"EU small software companies pay estimated extra 400 EUR/year to satisfy GDPR compliance"

WTF? no! I work with several small companies and it's super easy to just NOT store anyone's birthday (why would you need that for e-commerce?) and to anonymize IPs (Google provides a plugin for GA). And, basically, that's it. Right now, I can't even find an example of how the GDPR has created any costs. It's more like people changed their behavior and procedures once GDPR was announced and that's "good enough" to comply.

[everforward]

400 Eur is pretty small, it rings true to me. Maybe not in literal costs, but 400 Euro of employee salaries is pretty low. Figuring out how to not store IPs but also be able to block malicious IPs probably costs at least 400 Euro in employee salaries.

At 40k EUR / year in salary, that's about 1.6 hours a month dealing with GDPR. That sounds about right; it's like 5 hours a quarter deploying anonymizers or updating code to export the data you have on people. I honestly expected it to be higher; I would have thought it was in the realm of 40 hours a quarter just doing mundane things. Auditing to make sure PII didn't sneak in somewhere, updating anonymizer code/deployments and reviewing the same.