Hacker News new | ask | show | jobs
by miohtama 498 days ago
The problem is that the GDPR has been largely a failure protecting citizens from corporations, but it has hurt everyone else.

- Nothing has changed in Facebook and Google data collection practices, who with other bug corps account for > 90% of data collection

- Many mid tier competitors lost market share, focusing power to Google

- EU small software companies pay estimated extra 400 EUR/year to satisfy GDPR compliance with little tangible benefits to the EU citizens.

It's called unintended consequences. We all want Zuckerberg to collect less data, but how GDPR was implemented is that it mostly hurt small businesses disproportionately. E.g. you now need to hire a lawyer to analyse if you can collect an IP address and for what purposes, as discussed here.
4 comments
verzali 498 days ago
I will be honest, I am always very skeptical of these claims that the big tech companies are fine but small business is hurting. Many of them seem to originate with the big tech companies themselves and I highly doubt they really have the interests of small business in mind. Plus, I'm old enough to remember when everyone claimed EU tech law was about to ban memes, which didn't happen...
link
miohtama 498 days ago
Here

> The main burden falls on SMEs, which experienced an average decline in profits of 8.5 percent. In the IT sector, profits of small firms fell by 12.5 percent on average. Large firms, too, are affected, with profits declining by 7.9 percent on average. Curiously, large firms in the IT sector saw the smallest decline in profits, of “only” 4.6 percent. Specifically, the authors find “no significant impacts on large tech companies, like Facebook, Apple and Google, on either profits or sales,” putting to bed the myth that U.S. technology firms are the enemy of regulation because it hits their bottom lines.

https://datainnovation.org/2022/04/a-new-study-lays-bare-the...

link
huijzer 498 days ago
That is typically the problem with regulations. It’s usually easier for large companies to comply. It’s called regulatory caption.
link
_joel 498 days ago
> It’s called regulatory caption.

Regulatory Capture, no?

link
bigfudge 498 days ago
that's right, although that isn't quite the same concept. Regulatory capture implies the large companies have helped draft the regulations to their own advantage (and SME's disadvantage in this case).
link
xp84 496 days ago
You can be skeptical but I’ve worked at multiple small businesses since GDPR and CCPA came to be, and each of them has zero interest in “selling your data” - everyone just wants to run ads and track which ones work. And yet complying with GDPR has been onerous and costly in every one of them. And did nothing to benefit our customers or website visitors. The only winners are the lawyers and firms that specialize in selling “compliance as a service” basically.
link
metalman 493 days ago
zackly right. two words ,in this case "unacceptable risk", which is absolutely impossible to define, so then, ha ha!, there needs to be deciders, whole heaping flocks of deciders, who them imediatly throw up a paper screen of "privacy concerns", and with luck the holey grail of beurocrats "national security" and then they can get to work destroying there budget, so they can seek further grants, and invent internal auditing procedures that have ancient bizantines crawling from there graves to see such wonders. smaller sub beurocracys can be built on one word, such as "saftey", and of course there is no upper limit, but two well placed words, and zam!, your in!
link
raron 497 days ago
The ever biggest GDPR fine was against Facebook, and it was less than 0.3% of their revenue. That is just a let us ignore GDPR tax. I don't know about small businesses, but big tech from US is fine.

> I'm old enough to remember when everyone claimed EU tech law was about to ban memes, which didn't happen...

AFAIK those parts of that law was changed somewhat

link
giancarlostoro 498 days ago
We saw a bunch of small side project type of sites from the EU close down all over HN after GDPR became a thing. The risk for someone small is too high. The minimum fines are in the millions.
link
jimmaswell 498 days ago
Something has gone horribly wrong with your governance when you can 1. get fined a million euro under GDPR and 2. arrested for hate crimes, for 1. hosting a default Apache server with logs and 2. putting a joke video of your dog doing a "Hitler salute" on it.
link
giancarlostoro 498 days ago
Hey, Count Dankula is funny, maybe its not for everyone, but he really should not have been arrested for what his dog did. His youtube has really fascinating content on it.
link
cccbbbaaa 498 days ago
No, the minimum fines are in the hundreds, and that’s on the unlikely event where you actually get a fine. Fines over a million are definitely not the norm. See GDPR article 83 and https://www.enforcementtracker.com/
link
guappa 497 days ago
[citazione necessaria]
link
guappa 498 days ago
> EU small software companies pay estimated extra 400 EUR/year

[citation needed]

link
tw04 498 days ago
> The problem is that the GDPR has been largely a failure protecting citizens from corporations, but it has hurt everyone else.

This is just laughably incorrect. Literally every Fortune 500 that I work with who has operations in Europe has an entire team that owns GDPR compliance. It is one of the most successful projects to curtail businesses treating private data like poker chips since HIPAA.

link
mavhc 498 days ago
Is their job to reduce private data to the minimum needed, or the maximum allowed?
link
raron 497 days ago
Probably to find loopholes and questionable interpretations.
link
red_phone 498 days ago
Would you consider GDPR a failure if businesses collected the maximum allowed under the law?
link
47282847 498 days ago
A requirement to minimize data collection is part of it.
link
raron 497 days ago
It would really hard to believe that Google and Facebook do comply with the (spirit of the) GDPR and deletes all personal data when it is no longer necessary. That would simply go against their business model.

Anyways, GDPR doesn't protect your data, it just specifies how companies can use it. So all my name, address, phone number, etc. will still be stored by every webshop for 10 years or so just waiting to be breached (because some tax laws).

link
fxtentacle 498 days ago
"Nothing has changed in Facebook and Google data collection practices"

https://noyb.eu/en

Facebook and Google got sued, paid fines, and changed their behavior. I can do an easy export of all of my FB and G data, thanks to the GDPR.

"EU small software companies pay estimated extra 400 EUR/year to satisfy GDPR compliance"

WTF? no! I work with several small companies and it's super easy to just NOT store anyone's birthday (why would you need that for e-commerce?) and to anonymize IPs (Google provides a plugin for GA). And, basically, that's it. Right now, I can't even find an example of how the GDPR has created any costs. It's more like people changed their behavior and procedures once GDPR was announced and that's "good enough" to comply.

link
everforward 497 days ago
400 Eur is pretty small, it rings true to me. Maybe not in literal costs, but 400 Euro of employee salaries is pretty low. Figuring out how to not store IPs but also be able to block malicious IPs probably costs at least 400 Euro in employee salaries.

At 40k EUR / year in salary, that's about 1.6 hours a month dealing with GDPR. That sounds about right; it's like 5 hours a quarter deploying anonymizers or updating code to export the data you have on people. I honestly expected it to be higher; I would have thought it was in the realm of 40 hours a quarter just doing mundane things. Auditing to make sure PII didn't sneak in somewhere, updating anonymizer code/deployments and reviewing the same.

link