by danishSuri1994 218 days ago
I sympathize with the startup argument: heavy compliance costs can stifle early innovation. But the solution shouldn’t be “weaker rules.” It should be smarter rules, clearer safe harbors for small actors, browser-level consent primitives for users, and stronger enforcement against dark-pattern CMPs. That keeps privacy meaningful without killing small businesses.
21 comments

So “smart rules” only means “more rules”?

Smart rule making includes reducing the regulatory burden when it overreaches. The weight of regulation around tech in the EU is creating an environment such that the only companies that can operate in a space are the ones who can afford massive compliance overhead. That leaves you with the very same big tech firms that people are writing these rules to protect themselves from in the first place.

Right, but it's obviously not overreaching, because users' data is taken:

1. Without their consent,

2. Without their knowledge and,

3. Cannot be taken back or denied in a simple way.

There is a problem space here, in which there is zero solution. There is absolutely nothing, _NOTHING_, consumers can do if they want to protect their privacy. And before I hear 'well just don't use...' no - uh uh, that doesn't count. That's not a solution.

So, we need some kind of regulation. And, to be clear, it doesn't need to make violating privacy illegal. It doesn't, and the GDPR doesn't either. It just needs to make it possible for consumers to choose.

A free market is built on consumer choice; that is the core of a free market. It might seem counterintuitive, but regulations that protect consumer choice actually bolster the free market, not impede it.

The "reason" the EU is "struggling" isn't because only big dogs can compete. It's because US companies, which need not follow the rules, exist, and will slurp up the competition.

It's hard to compete with Google because they are cheaters. It's hard to compete with Meta because they are cheaters. They make literally hundreds of billions of dollars off of dark patterns, lies, stealing data, and privacy violations. If you even try to be honest, not even be good, just be honest, you will lose. Because they are not honest.

Cheaters or not, there's no EU tech scene. Of course it's hard to compete with a very successful capital-breeding flywheel that's been ongoing for about a hundred years.
The answer is to force them to adhere to rules. Not to loosen the rules.
Well, yeah, they were written to prevent at least some of the privacy abuse from those big tech companies, not to get rid of them. Sometimes the answer is more rules, such as rules protecting smaller businesses while continuing to place regulatory burdens on the tech giants, who are responsible for the most egregious invasions of privacy.
Yes, the solution is clearer rules. What drives compliance costs up is rarely the compliance itself, it's usually the uncertainty about your being in compliance or not.

That's also true for tax laws, labor laws, environment laws, almost every safety code out there, building zoning...

Exactly this. As a recent example, the documents for the new Online Safety Act in the UK are over 2400 pages long! That means that even small businesses that want to comply have no reasonable option other than relying on summaries, and the regulator and big businesses will probably just negotiate on what the details actually mean in practice anyway.

I understand that there's nuance when dealing with all the edge cases to regulations. But it seems that the answer should not be extending the regulations to insane lengths to try to cover everything. That way lies insanity.

Well, compliance itself is costly, but the cost is stuff that society decided it wanted to spend money on.

But uncertainty in compliance and time spent navigating compliance is nearly pure waste.

To continue a conversation from another thread on another post, uncertainty, complexity, ambiguity, and out-of-band context required are all costs that just happen to act as moats for entrenched incumbents. And no surprise, such incumbents often have so much influence over politics that they literally write the laws that regulate them.

The folksy aphorism goes, The more wild cards and crazy rules, the greater the expert's advantage.

I'm not sure.

Complexity is clearly hired by lobbyists all the time, but uncertainty and ambiguity seem to me to be mostly caused by incompetence. It's not even clear if uncertainty benefits incumbents more; it can just as likely destroy a market or benefit new entrants, and you can't predict which will happen at the time you create it (otherwise it's not uncertain).

Legislative houses need technocratic QA. And that QA needs to be independent from the law-writing process.

Yes-- I think most of us are familiar with regulatory capture. But the solution to regulatory capture isn't "no regulation."
Wild cards and crazy rules versus no regulation is a false dichotomy.
Easy to not play the card game, by only collecting the data needed for your service.
And the answer should be self-served, ideally, with an automated authoritative self-served approval. It could have a lag time of a few days or even a week for a person to approve.

Apple App Store review is a nightmare but still better than these regulations. They say yes or no clearly.

These EU regulations are more like: if you fuck up, you wouldn't know until the sentence might be really really high.

I keep hearing that, but do we actually have stories about small European companies being ruined?
I bet we don't, unless they ruined themselves due to being very negligent or unwilling to implement even after being reported and found out.

The reason is that in the EU fines are usually wrist slaps, compared to the size of the company, not threatening existence. We see this with big tech, who consider violating the law cost of business.

I totally agree with this view!

I understand why the rules are vague to an extent, simply because it is hard to impossible to cover every aspect of data collection.

But the GDPR is super vague on some very technical datapoints as well. Is an IP address PII? Is there a difference between an IPv4 or an IPv6 address being PII? What constitutes legitimate interest specifically? Can I use data collected for legitimate interests also for different first-party purposes?

I've spent more time than I care to admit navigating the compliance landscape of the GDPR, and every time I consulted with compliance experts, I got different - partially conflicting - answers.

IP addresses are PII. This has long been determined.
This is a perfect example of uncertainty causing compliance overhead.

You say IP addresses are PII and this has long been determined.

Literally a week ago I read this reply on HN to someone mentioning IP addresses being PII:

> > logging an IP address....
>
> Untrue. IP is a category of PII but it's not PII in itself unless you're law enforcement.
>
> Separately, if you log IP addresses you're doing it to prevent abuse and to provide security to your server; you're already permitted to do so.
>
> More on that: https://missinfogeek.net/gdpr-consent/

So it seems like it’s not so determined, and this kind of uncertainty is exactly what makes compliance expensive.

They are of course, like everything else, context-dependent legitimate interest, or even needed to provide a service to the visitor or user, but that doesn't make them non-PII. There is a reason for things like Google captchas and Google Tag Manager to have a flag to not even send an IP address to the backend.
> They are of course, like everything else context-dependent legitimate interest,

Yeah and that is the challenge specifically. They are PII until they're not (or rather, they are not treated as PII until they are)

I obviously need them to provide my service. And I am fine if I store them for logging purposes and other legitimate interests for a reasonable amount of time. But what if I use a third party service for log aggregation? What if I am providing the service, but on the basis of an IaaS or PaaS service by one of the hyperscalers? What about the data I can derive from an IP address, such as an approximate location?

In Germany, we had lawyers sending out cease and desists just for Google Fonts being embedded on a website, nothing else.

Is there a difference between IPv4 and IPv6 addresses? Because behind a CGNAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address, on the other hand.

There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is, that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.

You could simply ban targeted advertising, since that's what everyone is actually upset about, and not create insane collateral damage for non-adtech operators who happen to have network services and databases.
Everyone is upset about that except the people clicking on it, which seems to be a lot of people given the amount of revenue and how much people will bid for placement.

So it's not everyone, is it even most people? I'm not sure.

I do feel for you if you happen to live in the EU, but you get what you vote for. I don't live there, none of my businesses operate there, so I'm free to ignore it. The GDPR ends where the EU does, and cross-border enforcement of laws requires a bilateral agreement, that I would have to vote for.

I think there are many people who are fine with targeted advertising and also fine leading a private life in non-GDPR jurisdictions. I think that covers most people in the world.

Given the amount of ad-revenue services I get access to, it's a very good tradeoff for me, please don't kill it, and if you do kill it, stick to your own jurisdiction please.

I agree in theory but in practice, this just results in even more regulations. There are very few or no real-world examples of stricter regulations being written in clearer terms. The reasons are numerous, but a big one is that people often have a financial incentive to circumvent these regulations. They attack the edge cases and the ambiguity between each word. If the regulations are not written sufficiently prescriptively, courts are swamped with cases and eventually a precedent is set which nullifies much or most of the intended purpose of the regulations. So regulators go to painstaking lengths to write clear and verbose regulations, but ensuring compliance with tens of thousands of pages of regulations is expensive, and this results in an economies-of-scale barrier for small businesses.

There are workarounds like exemptions for small businesses, but this creates all kinds of new issues like a regulatory ceiling, which results in enormous new costs on some arbitrary day for a business once it crosses some kind of user or revenue threshold. Ramp-ups are difficult or impossible to legislate in this context. Further, two or multi-tiered regulatory systems are highly inefficient and arguably unfair. They're very difficult for everyone to navigate. Generally speaking, from countless examples around the world, rules should apply to everyone.

Ultimately this means fewer regulations generally are good for startups - and larger businesses. But there are also social and consumer costs for this. There is no perfect balance to be found. Just competing ideological beliefs and positions.

> Ultimately this means fewer regulations generally are good for startups - and larger businesses.

Yeah, forcing companies to write food ingredients on the package is bad for business. And I don't care about business more than about the well-being of society and myself. Same with tracking.

I think that when I wrote that fewer regulations help small businesses, but that there are costs for this, you read, "all regulations are bad and I think they should all be removed." Since you didn't read my whole comment, I'm going to paste the important sentence again now:

> Ultimately this means fewer regulations generally are good for startups - and larger businesses. But there are also social and consumer costs for this. There is no perfect balance to be found. Just competing ideological beliefs and positions.

The real issue with regulation isn’t the rules themselves; it’s who ends up writing them. And it’s almost always one of two groups:

Politicians, who usually aren’t experts in the field.

Industry leaders, who have every incentive to make the rules tougher for everyone.

Small company and business should be treated differently than big corp. And the fine and punishment should be adjusted accordingly.
While I generally agree, just differentiating the fines is not sufficient.

Small businesses in particular do not have the staff or the capacity to deal with a large amount of compliance overhead. The biggest help for small businesses (and large businesses alike) would probably be if the GDPR were less vague on the rules surrounding typically collected data.

A shorter and consistent iteration cycle by meaningful working groups on the legislation until a long term workable legal framework is enacted from the lessons gathered. Something like, every four months, X working group will present updates to legal recommendations and they will be voted on at that time. Allow for public input throughout the process. Mistakes will be made but can be short lived with the correction cycle. They are trying to tightrope walk complex legislation for tech. Might as well take on a tech release cycle to get out of beta and into release version 1.0 of these laws.
Putting conditional logic in legislation still benefits big companies, if it still requires legal expertise to unpack all of the complexity added to the law. GDPR is a mess exactly because of this, and so is the UK’s ridiculous OSA. It’s loopholes and malicious compliance all the way down.

Ignoring that, the other problem is enforcement. Is it not unrealistic to have a law that says “if you have a data breach you are subject to a penalty?” And “if you fail to report that breach the penalty can go as far as corporate death or executive incarceration?”

Or even more simply - replace the wrist-slapping fines with criminal charges and imprisonment.

European startups will not profit if this deregulation goes through. US and Chinese corporations will.

While everyone talks about sovereign data processing in the EU, both the commission as well as the governments of its member states completely failed in pampering a domestic cloud industry during the last 15 years. Mercy killing.

At this point I think it's utopic. Meta has an army of lawyers, they will optimize and adapt.

But it's really hard to tinker as a single hacker when a German legal troll firm can come for you for linking Google fonts on your web page (i.e. transferring IPs so breaching privacy)

Smarter rules and clear rules are kind of contradictory. GDPR is smart but not clear (as it operates on intent). Tax laws are clear, but not smart (as the interpretation is literal and there are multiple loopholes).
Browser level consent primitives would be a significant improvement on the status quo.
I second this; I have never been "into" these problems and as a user I generally just disallow everything I can, which can be a pain (I mean, I often don't want to store anything when I'm browsing the web, which leads to meeting a lot of "cookie banners"). While there are probably browser extensions that can perform the automatic opt-out, it would be nice if browsers provided an API as a unified and centralized way to communicate consent as a set of privileged access to different browser features and APIs (you could e.g. forbid the use of canvas, or even JS entirely).

But that's only a small part of a huge legal framework, and as I said I don't know much about these problems.

Do Not Track was a spectacular failure.

You can still turn cookies off in your user agent though.

It was a spectacular failure because the people who thought of it didn't stick to it.
I don't think so. It was conceived on the user agent side AFAIK. The publishers decided not to honor it. At that point, there's not much point to keeping it on the UA side.
In no small part because the people who thought of it (the browser makers) had a powerful commercial incentive to ditch it, because they are funded by advertising.
Microsoft enabled Do Not Track by default. Advertisers said they would ignore it for this reason. Most of them never respected it. Apple removed it from Safari years later because it was used for tracking. Mozilla removed it from Firefox years after Safari. Chrome has it even now.
> Advertisers said they would ignore it for this reason

That was the missed opportunity. Had the EU stepped in and said "I'm sorry, the user expressed explicit intent to not be tracked and you're planning to ignore that? How about that's a fine?" it would have survived.

But they weren't prepped to take action yet.

There is no certification to pass or anything. You just have to keep it in mind when creating your business. It's too easy to just abuse data and then claim that it's too late to fix.

I've been through several startups after GDPR went into effect, it's really not a problem.

I've worked for startups and established industry giants and being compliant with GDPR did not stifle us in any way at all. It's really not that hard unless the business model depends on profiting off of user data. No good will come from this for the EU.
Innovation isn't worth it for innovation's sake, though. Europe could easily profit by watching others innovate and taking what makes sense for Europe. I don't see anything about GDPR that would harm innovation or long-term success for Europe.
> I don't see anything about GDPR that would harm innovation or long-term success for Europe.

It's the same thing as any other regulation -- regulatory burden. Laws aren't code, they need interpretation. That means you need your own lawyer to tell you an interpretation that they feel they can defend in front of a judge.

There is a cost to that. In both time and money. I am the CEO of a startup who is subject to GDPR. The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.

You can wing it and say "this looks easy, I can do this on my own!" and maybe you can. For a while. But no serious business is going to try to DIY any regulations.

> The amount of time and money we've spent just making sure we are in compliance is quite high, and we barely operate in Europe and don't collect PII.

So either you're lying or your lawyers are lying to you.

In 9 years you could've finally read and understood the rather small law yourself.

I have read and believe I understand it. That does not matter. What matters is can your decisions be defended in front of a judge. I am not qualified to figure that out, and unless you're a lawyer, neither are you.
Before you get to a judge you will get plenty of warnings and ample time to fix whatever it is you're doing wrong.

For the absolute vast majority of companies GDPR compliance is trivial.

For the absolute vast majority of remaining companies GDPR compliance is simple.

There are a few companies which may have to double-check their legal obligations and legitimate interests (e.g. by law banks must retain data for much longer than GDPR assumes).

I highly doubt that your startup which builds orchestration workflows requires 23 marketing cookies to "display relevant ads across sites" or "7 unclassified cookies" etc. especially since you claim you don't collect much information except the absolutely necessary: https://www.dbos.dev/privacy

No wonder you have "trouble complying with GDPR".

I never said we were having trouble complying. I said it cost time and money.
> What matters is can your decisions be defended in front of a judge. I am not qualified to figure that out, and unless you're a lawyer, neither are you.

It's not a lawyer's job to answer that question because the answer is necessarily "yes" unless you intentionally did the illegal thing (i.e. intentionally did what the law explicitly tells you not to do) - and even then you might be able to defend it somehow.

The question is whether you have a good enough case for a ruling in your favor. And again, lawyers can't answer that because the question is always "it depends" - they're not in the business of fortune telling.

If you ask a lawyer for legal advice, it's their job to give you sufficiently good and accurate enough advice that if you tried to sue them over giving you bad or inaccurate advice they'd have a good enough chance of winning that lawsuit. How much they're willing to speculate about things like what's good enough for you and how high they'll set the bar depends on a variety of factors again.

There's literally no guarantee you can successfully defend something in front of a judge. The law is the law and the facts are the facts. If you end up in court, it helps if you have solid paperwork and a solid paper trail you can use to demonstrate you did everything correctly and in good faith - this is about creating facts that can be used to your advantage.

But the amount of expense required to do literally everything perfectly to the letter of the law and reliably document that you did so would make running a profitable operation impossible regardless of what laws we're talking about, so you necessarily have to strike a balance. And where you strike that balance is a business decision because it's about managing the risk of doing business. And that's not something your lawyer can decide for you - that's something you have to decide for yourself if you run the business. Because at the end of the day it's about your personal liability - whether through financial risk if your business is held liable or direct liability if you get personally held liable for your actions.

But this is not legal advice, I'm not a lawyer. I just know enough about (EU privacy and general German) law to be dangerous and accidentally trick actual lawyers into thinking I have a law degree.

By the way, that's also where that line comes from: it's saying "you can't hold me liable for decisions you make based on what I told you" - even when what a lawyer says is perfectly reasonable and sound to them they'll likely tell you it's "not legal advice" unless you are willing to pay the price tag of being able to hold them liable for what they said.

I keep hearing this argument that it stifles small businesses, but how is that exactly? I've worked for a variety of small startups in NL and GDPR has never, not once, been a real issue or blocker.

Yes, it forced these small businesses to think about how they're handling personal data, but that should be the fucking point, I don't care if a company is Facebook or if it's a 2 person startup, neither should be collecting and redistributing personal data and tracking people.

This would require politicians and policy-makers that think long-term, know what they're regulating, and maybe have been in the field. I don't think Law school Eurocrats can do any of the 3 items above, at least not well enough. This is either a way to chop at the (poorly designed and already watered down) GDPR or true, unapologetic lack of care.

I'm hoping to go for my 3rd startup and ‘compliance costs’ have never been stifling; it's just more expensive to run a business here and there's far, far less funding available. That's really it.

Belgium's tax haven will make some people willing to give you 10k in post-seed. Wow. We hunted VCs for 1.5 years to negotiate one million-ish euros after showing market traction. We just aren't on the same level as the US, and that's kinda okay. Grants might work, but I mostly see grants for things that won't compete well in the current market.

AI nonsense won't make us more competitive — but hey, we'll arrive late to the bubble. We need to be building the kind of core, dependable infrastructure that would honour privacy, make us more independent. Backing off on privacy protections won't yield a mobile OS, an independent browser, better cloud options, etc.

It's just… lazy. “Slap AI on it”-level policy. Ugh.

Politicians don’t need to know the details, they need to be advised by competent people with the best interests of the public in mind. Which may sound straightforward while being really difficult to get right.
Well… I had friends working in research or drafting advice that ends up in the hands of policy-makers. And while these people are motivated and want to do their job well, I disagree that they're providing the best advice.

Politicians don't need to know the details but should understand the wider, larger brushstrokes of the painting. That would be worlds easier if tech people listened to Bruce Schneier and started getting into policy.

Someone who's had a career in tech can probably tell good from bad advice when it comes to the best interests of the public in mind. And perhaps they'd be less corruptible by the best interests of the wealthy.

What actual innovation is stifled by data protection laws? What small business is unable to operate because of the GDPR?

Compliance costs almost nothing. If you collect data, explain why and what for. If people ask you to delete it, do that. If you want to share data with others, ask first (or just, you know, don't).

I always felt applying the same rules to everyone was a big problem with GDPR.

Not just small business, but even non-profits that just keep a list of people involved with them are subject to the same rules, even if they only use the information internally and do not buy or sell any personal information.

It's not just cookies and websites, it's any personal information stored electronically.

I just don't see the issue. The GDPR isn't exactly difficult to comply with, nor does it hamper any of the clear successes of the last 25 years outside of the ad industry. What's the benefit of backing out on it? Is this just an effort to make a homegrown surveillance network?
I am not saying privacy laws should be repealed (if you look at my other comments, quite the opposite).

I am saying that the same regulations are both too easy for big business to evade (or ignore and treat fines as a cost of doing business) AND too burdensome on small organisations that do not trade information. Something as simple as a membership list can draw you in.

Ughhh here we go again.

Every time GDPR is brought up on HN, the same "it's super simple to comply, just read it yourself!" religious incantation gets repeated ad nauseam.

I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details.

Almost nobody on this forum has ever talked to a lawyer about this, and even less people have followed the actual court rulings that have determined what GDPR actually means in practice.

My favorite example, under GDPR over the last 5 years, regardless of whether you follow the spirit of GDPR to the letter... due to the various Schrems rulings, back-and-forth on SCCs, data transfers, and EU-US political spats... there have been multi-year periods where if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything), it's been a violation that exposed you to massive fines should any EU resident have filed a complaint against you. This was recently resolved again, but will continue to go back and forth if GDPR remains as-is.

And this is just one of many weird situations the law has created for anyone running a business more complex than "a personal blog."

As with many laws, people think it's what it is sold as.

There are a lot of good ideas in the GDPR, but once you start looking into implementation it gets a lot more complex.

It's not just business. A community organisation (like my local amateur theatre, or a sports club, or a parish church etc.) is subject to pretty complex rules. Often things run by volunteers that keep very little data. Here is the guidance for UK GDPR (which is still pretty much identical to the EU version) compliance for small organisations:

https://ico.org.uk/for-organisations/advice-for-small-organi...

Read it all, and tell me it's simple for an organisation with a limited budget, or for someone without either a technical or legal background, to understand.

> I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details.

I've implemented it like a half-dozen times. Why do you think I'm so confident? It's truly not very difficult, particularly if you don't have to retrofit some hell-app that uses a billion cookies. For the most part, collecting PII is already a liability and you don't want to do this anyway outside of critical information (e.g., email).

I mean, if your domestic legislation makes it impossible for you to ensure the privacy of your customers, why do you insist could be responsible custodians?
Imagine you're asked with building, say, a train network within your country. Domestic regulations demand that, because other countries are not certified up to your country's safety standards, you're not allowed to import any foreign technology from outside your country.

So - in order for you to build that train - you'd need to wait for industries to set up to build every single component up to local standards. And if nobody sets these industries up to manufacture the components you need, you'll have to build it yourself, somehow.

You'd rightfully call this out as protectionism. And the worst part is not even the protectionism - the worst part is that you'll likely get no trains, because in practice nobody except a huge incumbent company can build all the components they need themselves, and huge incumbent companies often have no incentive or no agility to do so.

So you start by asking me to assume the EU can't create IT technology and then give no further argument, much wow! That was even less persuasive than I expected. BRB, gonna go tell Open Office and KDE they don't exist because Europe can't create software.
> but will continue to go back and forth if GDPR remains as-is.

Yes, it should remain as is and enforced. Yes, storing your users' data in the US is extremely problematic because the US really couldn't give two shits about privacy, or user data.

It's funny that the President of the United States literally stated that the European Union's raison d'etre is inherently hostile to the US - pretty much as close as you can get to calling us an enemy - and yet EU politicians still desperately cling to holding the doors open for US corporations which continue flaunting our laws and are inherently incapable of abiding by them because of the US's publicly stated and demonstrated intent to commit warrantless surveillance under the use of gag orders.

Given how much Russian political influence tanked after the economic ties were forcibly severed (or at least had to become more discreet and indirect as in the case of Russian gas imports - though those will allegedly further decrease in the near future) it seems reasonable to assume that a lot of these weirdly pro-US anti-EU stances held by European politicians are linked to the economic ties to the US. But of course I'd never dare to accuse any EU politicians of taking bribes - us Westerners have far more sophisticated methods of giving politicians money to do what benefits us than the profane bribery of Russian cops being handed money to look the other way.

I get it, it's fun to take wildly impractical ideological stances on things and ignore reality.

However, this generation is beginning to learn the lesson every generation learns: one has to deal with the world as it is, not as one wishes it were. Scarcity exists.

Unfortunately, in globalized economic reality, you will have to transfer data to other countries to conduct business.

Unfortunately, in fossil fuel driven reality, you can't just go off fossil fuels by switching to paper straws, you have to actually build viable alternatives first.

Unfortunately, in non-world-peace reality, you can't just stop having a military and become pacifist. Turns out you still need missiles and tanks.

Unfortunately, in low-birth and low-economic-growth reality, you cannot let people retire at 62 and draw inflation-pegged pensions until death.

Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.

Etc. Etc.

> However, this generation is beginning to learn

"This generation" lol. I'm 45.

What I'm learning is that this generation will find a way to justify any and all activity by any and all industries using any number of logical leaps and non-sequiturs, and will fight any way to make the world even a slightly better place because "low-birth and non-0 interest rate" or something. Or that 15000 invasive trackers have to keep my precise geolocation data for 12 years because "scarcity".

None of this is really true, though (except the paper straw thing which... obviously)

> Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.

Governments have deficit spending because we subsidize private inefficiency at a social level and refuse to run them efficiently. It's insisting on letting private entities run things that is clearly not working.

You don't give any reference that we can look up regarding the problems you mention (ref: "if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything"). They might be very reasonable, but it seems we miss the point if we don't talk in a bit more detail.

What services are you talking about? AWS? Microsoft? Some small startup? Gmail? What data? etc.

The EU nations can't even get their own governments running on non-US software/clouds. If GDPR was actually enforced like that you might as well just dissolve the EU and let each nation apply to join the USA for all the relevancy the EU will have on the world afterwards.
Schrems? - if you think that this legislation is easy to comply with why did all of that happen? The EU can't even agree with itself on how to interpret its own law or what it does.

How the hell do you expect everyone else to?

> clearer safe harbors for small actors

Different rules for different people huh?

Just because you like the group you're benefiting and dislike the group you're harming doesn't mean that is good policy.

Not different rules for different people.

You would be subject to one rule for your small company and another rule as it grows.

This is everywhere in society, from expectation difference between babies, kids, teenagers, adults and seniors and to tax bracket structures.

This is different rules for different people, said differently. Why would small companies have access to things not allowed to big companies?
Yes, it is—gp’s point being we do that all the time and often agree that it makes sense.

A baby doesn’t catch a sex pest charge for running around naked, but it also can’t get a gun license. A mom-n-pop doesn’t have to hire an auditor and file with the SEC, but it also can’t sell shares of itself to the public.

Why? The bigger you are, the more responsibility you bear: the bigger the impact of your mistakes, the subtler the complexities of your operation, the greater your sophistication relative to individual customers/citizens—and the greater your relative capacity to self-regulate.

Corporations are not people. This is not different rules for different people.

In the traditionally implied sense of different rules for different social classes.

Because quantity is a quality of its own.
Because their conditions and abilities are different.
But the conditions aren't here to annoy big companies but because we want to shape society in a specific way. Why would I allow small companies to disrespect author rights and steal, or gather more private information about citizens?
The problem is that an intellectually consistent position of being against "different rules for different people" means everywhere, in everything.

For instance, poor people should not have any tax breaks: everyone should pay exactly the same percentage of their income, like 15% all across the board or whatever.

Such ideas often have regressive effects.

However, I get it. When it comes to handling personal information, you simply can't say that the "little guys" don't have to follow all the rules, and can cheerfully mishandle personal information in some way.

Small operators have simpler structures and information systems; it should be easier for them to comply and show compliance, you would think (and maybe some of the requirements in the area can be simplified rather than rules waived.)

Almost any corporate rule I am aware of has differences in how they apply depending on the size of the company. And as an entrepreneur and startup consultant I think that is a good principle. I don’t even see how society could function without it.
In literally no place in the world are the rules the same for running a multinational or running a lemonade stand. I feel this should be obvious.
In almost every developed country the rules are exactly the same. No hairnet, no licence? Lemonade Stand Ltd can and will be shut down. The main difference is lenience in punishment which tends to tail off and disappear at the lemonade stand scale, and be stricter for large multinationals.

I wish you were right though.

Seen house building regulations recently? Most countries will let the home owner do things they'd never let a contractor do without a permit. There's a lot of different laws for home or very small scale selling of various goods, brewing, canning, single person doing business as companies, etc.
> home owner

But in this analogy, we aren’t talking about a person doing coding at home only for their own use, are we? Isn’t this about small companies - I.e. whether there should be different applicable laws if you hire a small construction company vs a large one to rewire your kitchen, etc?

Yep, a single person contractor business is no more able to work on a home without a license and permit than a giant corporation.
I'm not sure how you got to this conclusion. The answer is a simple google away: smaller companies face lower taxes, lower standards of documentation on health & safety, don't need work councils, less reporting on workspace/financials, etc etc etc.
My point is these societies have the rule of law, and the vast majority of laws don't have a "unless you have 50 employees or less" or "unless your revenue is under $1 mil" qualifier. The difference in treatment is often a complex precedent of leniency in enforcement or punishment, but ultimately the rules are the same for everyone, even if you have to upset the 8 year old selling lemonade.

https://www.independent.co.uk/news/world/americas/asa-baker-...

I think most people agree that the state should be subject to harsher rules than you are, because it is large and powerful.

But you would actually prefer to be subject to the same rules as the state? I.e. typically nothing which isn't explicitly allowed is forbidden for you to do, you are forced to hand out copies of documents you produce, and so on?

>Different rules for different people huh?

That’s how an efficient market works. The bigger the players, the higher the chances they will distort the market. You need to apply force proportional to size to return the market to equilibrium at maximum performance. We have anti-trust laws for this reason, so nothing new, nothing special.

Regulation is a moat designed by and benefitting big corporations. Removing it for small businesses specifically would actually be fair.
It could, however, be good policy independent of personal preference.

I like folks who have to work for a living and dislike billionaires relaxing on yachts bought on their generational wealth, but in addition sociology metrics of the United States in the past 100 years suggest that the highest levels of happiness correlated pretty heavily with marginal tax rates as high as 100% based on wealth.

> Different rules for different people huh?

Compliance has fixed costs. And smaller operations have a smaller blast radius when things go wrong. Reducing requirements for smaller operators makes sense.

Why did you use an LLM to write a comment?
In my case it is rare that I use an LLM to write comments; rather, I frequently use an LLM on my finished comment to fix things I miss as a non-native speaker.

The content of the comment is my unique opinion and my unique writing and I mostly also make sure to remove stupid things like directional quotation marks.

But yes, it is possible to be very much human but also trigger certain people's AI detectors.

What makes you think it's LLM generated?
colons and directional quotation marks scare folks who don't know how to use them properly
Brand new account with 4 rapid & likely LLM comments, directional quotation marks, and common ChatGPT-isms such as "that does X without doing Y"
The structure of what it wrote, and the banality of the point.
The double quotes perhaps?
AI should also be seen as an opportunity for small actors to actually understand and follow numerous complex rules. You don't need a huge legal and compliance team anymore, you just need to feed ChatGPT the right amount of legal and ruling documentation, and then consult it on how you can actually comply.
HAHAHAHA good joke. Oh wait. You're serious. Oh god please no.
But 60% of the time, it works every time.
We're already at the point where lawyers are submitting AI-generated videos as court evidence, so...
We really should be at the point where those are former lawyers.