[pembrook]

Ughhh here we go again.

Every time GDPR is brought up on HN, the same "it's super simple to comply, just read it yourself!" religious incantation gets repeated ad-nauseam.

I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details.

Almost nobody on this forum has ever talked to a lawyer about this, and even less people have followed the actual court rulings that have determined what GDPR actually means in practice.

My favorite example, under GDPR over the last 5 years, regardless of whether you follow the spirit of GDPR to the letter...due to the various schrems rulings, back-and-forth on SCCs, data-transfers, and EU-US political spats...there's been multi-year periods where if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything), it's been a violation that exposed you to massive fines should any EU resident have filed a complaint against you. This was recently resolved again, but will continue to go back and forth if GDPR remains as-is.

And this is just one of many weird situations the law has created for anyone running a business more complex than "a personal blog."

[graemep]

As with many laws people think its what is sold as.

There are a lot of good ideas in the GDPR, but once you start looking into implementation it gets a lot more complex.

Its not just business. A community organisation (like my local amateur theatre, or a sports club, or a parish church etc.) is subject to pretty complex rules. Often things run by volunteers that keep very little data. Here is the guidance for UK GDPR (which is still pretty much identical to the EU version) compliance for small organisations:

https://ico.org.uk/for-organisations/advice-for-small-organi...

Read it all, and tell me its simple for an organisation with a limited budget, or for someone without either a technical or legal background to understand.

[MangoToupe]

> I think it's because people love the idea of what they think GDPR actually represents (the fuzzy abstract idea of "privacy"), without ever diving into any of the implementation details.

I've implemented it like a half-dozen times. Why do you think I'm so confident? It's truly not very difficult, particularly if you don't have to retrofit some hell-app that uses a billion cookies. For the most part, collecting PII is already a liability and you don't want to do this anyway outside of critical information (e.g., email).

[SiempreViernes]

I mean, if your domestic legislation makes it impossible for you to ensure the privacy of your customers, why do you insist could be responsible custodians?

[imperfect_blue]

Imagine you're asked with building, say, a train network within your country. Domestic regulations demand that, because other countries are not certified up to your country's safety standards, you're not allowed to import any foreign technology from outside your country.

So - in order for you to build that train - you'd need to wait for industries to set up to build every single component up to local standards. And if nobody sets these industries up to manufacture the components you need, you'll have to build it yourself, somehow.

You'd rightfully call this out as protectionism. And the worst part is not even the protectionism - the worst part is that you'll likely get no trains, because in practice nobody except a huge incumbent company can build all the components they need themselves, and huge incumbent companies often have no incentive or no agility to do so.

[SiempreViernes]

So you start by asking me to assume the EU can't create IT technology and then give no further argument, much wow! That's was even less persuasive than I expected. BRB, gonna go tell tell Open Office and KDE they don't exist because Europe can't create software.

[troupo]

> but will continue to go back and forth if GDPR remains as-is.

Yes, it should remain as is and enforced. Yes, storing your users' data in the US is extremely problematic because the US really couldn't give two shits about privacy, or user data.

[hnbad]

It's funny that the President of the United States literally stated that the European Union's raison d'etre is inherently hostile to the US - pretty much as close as you can get to calling us an enemy - and yet EU politicians still desperately cling to holding the doors open for US corporations which continue flaunting our laws and are inherently incapable of abiding by them because of the US's publicly stated and demonstrated intent to commit warrantless surveillance under the use of gag orders.

Given how much Russian political influence tanked after the economic ties were forcibly severed (or at least had to become more discreet and indirect as in the case of Russian gas imports - though those will allegedly further decrease in the near future) it seems reasonable to assume that a lot of these weirdly pro-US anti-EU stances held by European politicians are linked to the economic ties to the US. But of course I'd never dare to accuse any EU politicians of taking bribes - us Westerners have far more sophisticated methods of giving politicians money to do what benefits us than the profane bribery of Russian cops being handed money to look the other way.

[pembrook]

I get it, it's fun to take wildly impractical ideological stances on things and ignore reality.

However, this generation is beginning to learn the lesson every generation learns: one has to deal with the world as it is, not as one wishes it were. Scarcity exists.

Unfortunately, in globalized economic reality, you will have to transfer data to other countries to conduct business.

Unfortunately, in fossil fuel driven reality, you can't just go off fossil fuels by switching to paper straws, you have to actually build viable alternatives first.

Unfortunately, in non-world-peace reality, you can't just stop having a military and become pacifist. Turns out you still need missiles and tanks.

Unfortunately, in low-birth and low-economic-growth reality, you cannot let people retire at 62 and draw inflation-pegged pensions until death.

Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.

Etc. Etc.

[troupo]

> However, this generation is beginning to learn

"This generation" lol. I'm 45.

What I'm learning that this generation will find way to justify any and all activity by any and all industries using any number of logical leaps and non-sequiturs, and will fight any way to make the world even a slightly better place because "low-birth and non-0 interest rate" or something. Or that 15000 invasive trackers have to keep my precise geolocation data for 12 years because "scarcity".

[MangoToupe]

None of this is really true, though (except the paper straw thing which... obviously)

> Unfortunately, in non-0 interest rate reality, governments can't keep deficit spending to prop up a broken socialist economic model.

Governments have deficit spending because we subsidize private inefficiency at a social level and refuse to run them efficiently. It's insisting on letting private entities run things that is clearly not working.

[vladms]

You don't give any reference that we can look up regarding the problems you mention (ref: "if you're using any service touching data in any part of your business even remotely connected to the US or any non-EU country (so, almost everything"). They might be very reasonable, but seems we miss the point if we don't talk a bit more detailed.

What services are you talking about? AWS? Microsoft? Some small startup? Gmail? What data? etc.

[pembrook]

Literally everything.

The fundamental issue is the EU doesn't like that US intelligence agencies have the ability to subpoena any server associated with US firms or companies that use US firms. However, the vast majority of the entire tech industry touches the US in some way.

Here's a good primer: https://trustarc.com/resource/schrems-ii-decision-changed-pr...

Last year the EU and the Biden administration came to an agreement (the second of these after the last was shot down). The current one may not stand either.

If it doesn't, and you're an EU company who has an employee using something as trivial as Notion, you're already in violation (even if Notion is otherwise GDPR compliant, the US gov can subpoena them and look at their data, meaning they can be declared defacto non-compliant).

This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.

[vladms]

Yes, using USA based services with user data is against GDPR.

But sorry, saying "literally everything" is a gross exaggeration. Debugging a program with the help of ChatGPT is not using user data. Editing a logo is not using user data. Storing code on a web platform is not using user data. And others...

And even then, for some of the services (like mail, communication, erp, etc.) there are alternatives companies in Europe that work just fine.

I think GDPR is not perfect, but I do welcome measures to prevent over-collection of data by whomever.

[troupo]

> If it doesn't, and you're an EU company who has an employee using something as trivial as Notion, you're already in violation

There are only two possible interpretations of this sentence:

1. You have just confessed to a crime. Do your engineers store user data in Notion?

2. You have just confessed to not having even a single clue about GDPR and what it entails. Your engineers using Notion will not make your company liable for GDPR unless bullet point 1.

> This is further complicated by the fact that, as it turns out, having access to US intelligence isn't so bad in the context of Russia-Ukraine.

Ah yes. Your shitty company selling user data left and right to "our privacy-preserving partners" is the same as "access to US intelligence in the context of Russia-Ukraine"

[pembrook]

Ah, you again! I see you’ve looked up all my comments to respond with vitriol to all of them. Doesn’t help to undermine my point that this has become a topic of religious dogma here.

No, I am not selling user data, nor is the vast vast majority of companies affected by GDPR. Please do not assume bad faith as it ends useful discussion (and is against HN guidelines).

So you believe GDPR and the ePrivacy directive (which people here unknowingly conflate) are the most perfect words ever put on paper and there is nothing that could be improved?

[tick_tock_tick]

The EU nations can't even get their own government's running on non US software/clouds. If GDPR was actually enforced like that you might as well just dissolve the EU and let each nation apply to join the USA for all the relevancy the EU will have on the world afterwords.