In rules-based regulation, all the rules are spelled out in advance, and the regulator is basically an automaton once the rules are set. In principles-based regulation, the rules are extensive rather than complete and you expect the regulator to have some lattitude (and, if the system is well designed, a mechanism of recourse if they do something stupid).
An advocate of rules-based regulation would say this can make regulators unpredictable and capricious. An advocate of principles-based regulation would say it is an important safeguard against "rules-lawyering" and regulatory capture (especially the kind that ties new entrants up in check-box compliance that doesn't actually affect your business because all the rules have been worked around).
A classic example would be the time PayPal tried to tell the UK regulators they shouldn't be regulated like a financial institution (which is a claim they successfully made in the US). They pointed to chapter and verse of the relevant law, and said that according to subparagraph 2.b.c(iii)... and the relevant regulator essentially told them "shut up, you keep consumers' money for them and will be treated accordingly". As a result, the worst "PayPal took all my money and I can't get it back" stories generally do not come from the UK. (And when they do, they are accompanied by referrals to the Financial Conduct Authority, who have teeth.)
You can approve of this way of working or not, but the GDPR is a principles-based regulation, and you'll have to engage with it on those terms.
I think the unfortunate thing is that, when the previous/existing incarnations of these protection laws were/remain unenforced, many assumed it was because of lack of "teeth". But those of us familiar with how these principles-based regulatory bodies work know that it's more about confusion and regulator apathy. Nobody here is watching the watchers. Instead, there's a bunch of people foaming at the mouth with pitchforks asking for more laws and dismissing alternative concerns as hysteria or not understanding how laws work. We should be discussing how to solve the problem, yet we continually devolve to discussing the government-led solution presumably because we feel helpless and can't consider better options.
Every time these GDPR discussions come up, someone is always quick to say the US is worse, US is getting a taste of its own medicine, that dissenters must want surreptitious data collection, and on and on. Oddly enough, bringing it full circle, the tendencies for humans to argue in these directions instead of stay focused on the issue at hand make me glad to have more strict boundaries that are less subject to the whims of idle thought. Obviously this can't be absolute, so we should craft our rules to limit their scope at least from the outset. It's not about one country/continent vs another, it's about the goals and how they are achieved. Some believe and/or have experienced difficulties conforming to all sorts of government rules, it is a human thing not a location one. IMO, we need to stop deflecting and we need to stop being so absolute. People that are feeling pain of impending laws are not hysterical and laws are not magically OK because other forms/interpretations have downsides.
It's true, I do think that a more principles-based approach is usually preferable. (And I will happily marshal anecdata to that end!)
But it's naive to think that any approach comes without a cost. Even the PayPal example I mentioned above could be coloured the other way: A company makes a major investment in a foreign market, only to find the rules changed underneath them by a capricious government agency! (Someone brought up IR35 down-thread, and that's an excellent example too.) Is that an acceptable cost for the outcome? I'd look at the overall state of (eg) consumer financial protections in the US vs the UK and say "yes"; but I'm open to evidence-based disagreement.
But in essence people are missing the bigger context.
The EU’s digital commissioner said in 2015 that the EU should use regulation to "replace today’s Web search engines, operating systems and social networks" with EU companies.[1]
And they've passed or proposed ridiculous laws like cookie warnings and link taxes. We have reason to be suspicious of their intentions.
1: https://www.wsj.com/articles/eu-digital-chief-urges-regulati...
As for the link tax: I would blame the publishers pushing for it, not the EU.
Unfortunately, so might students of history. Ask anyone in the UK who was working in the freelance or contract world when IR35 was introduced.
In that case, too, the principle was reasonable enough: there was a loophole in tax law where you could decide you're a contractor instead of an employee and pay less money despite for all other practical purposes still being an employee, and this was being actively exploited by some people.
In that case, too, the reality was that most people working in the sector probably wouldn't be challenged by the authorities, not least because the enforcers had limited resources.
But in that case, too, a given individual's status was often unclear. While some of those who were deterred or subsequently received penalties really were engaging in obvious tax avoidance, other reports described crippling penalties for people whose arrangements appeared to have been quite reasonable but to have fallen foul of someone in government's dubious interpretation.
This led to substantial amounts of time and money being collectively spent by the freelance and contractor community incorporating new legalese into contracts and paying for advice and taking out insurance policies. An entire trade body was formed primarily to deal with this threat. Even today, those of us who take on any sort of individual contract or freelance work from time to time have to be careful not to say or do certain otherwise reasonable things, or to allow others to do so, for fear of tipping the balance or giving any appearance that might be subject to challenge.
And the irony is that while the law arguably had some effect initially in getting contractors to go back to being permies if they were just using it as a tax dodge, overall it appears that IR35 has raised very little extra tax revenue for the government. It turns out that the vast majority of contractors and freelancers were operating in that fashion legitimately and continue to do so, and most enforcement actions appear to fail to the extent that the government even tries any more. Nevertheless, the rules still hang like a sword of Damocles above the whole sector.
Which we know is definitely NOT the case for companies storing your data correctly.
This is a good point, but many people seem to forget that most misdemeanor criminal offenses in the US are punishable by fine and/or up to 30+ days in jail. People do not often get the jail time so most don't even think about it, but it is available as an option to the judge for things like repeat offenders.
Given that description, after a couple decades working in some and dealing daily with the acts of other agencies who which issue and apply regulations on the US, let me assure you that the regulatory system in the US is nothing at all like “rule-based” as you have described it.
Or you can just disengage with Europe all together, which is an obvious choice for many small to medium sized companies, given the risks and costs involved.
Or, you're fine with a competitor who isn't afraid of entirely reasonable international laws coming in and eating your lunch.
We also considered all the additional liability we’d be taking on, and with that alone it was barely worth it based on the current EU customer base we have.
We’d also be very happy if one of our competitors started investing in the EU market. It’s worth about 10 times less than the US market in our industry, so having them chasing peanuts in Europe (and investing in compliance with European - absolutely not international - regulations) would be a truely fantastic outcome for us.
my company OTOH is choosing to apply gdpr principles globally.
Did you think about this before typing?
Clue: how many countries does an EU-wide law directly apply to? One? Or many?
Then they'll try to come back... after their EU user-base was kicked out and forced to find alternatives.
If the original business couldn’t, its unlikely the competitor could.
I know in my business I’m shutting off EU sales.
https://gdpr-info.eu/recitals/no-23/
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. 3Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
By blocking EU IPs the service is very clearly, unambiguously, not targetting EU residents.
The ruling was that this was a hate crime, because it was "menacing, anti-Semitic and racist". I have trouble seeing how a Nazi pug that responds to "gas the jews" is anything other than silly bit of absurd comedy. I can't realistically see this video actually advancing any legitimate hatred, or having any negative consequences other than some people laughing at how silly it is, and some people just thinking it's kind of stupid.
Maybe they are trying a kind of best of both worlds approach?
The problem with this approach is if you run a large or small company or are a sole proprietorship or simply have a hobby site, you can't write off legitimate fears of heavy handed enforcement. No one wants to be the example.
In the former cases, if your company is how people are feeding and clothing their children, do you want to be the person who says "Oh well we tanked the company this year because weren't worried. Someone on the internet told us they'd be gentle! How could we have known they'd be serious about levying the maximum penalty!?"
If this law is "no big deal" or "so easy to implement" or any other version of the arguments proposed this week, it would not be causing so much concern. It's neither an unreasonable ask or a trivial one. People are being impacted in large ways.
I'm on my company's GDPA compliance team and it is serious business. Our European footprint is small but not insignificant. If we were an unreasonable bunch, we'd just shut the whole thing down and move on. The very expensive very well versed German legal counsel we're paying to help us do this right completely disagrees with what many are saying here. We have no reason to not believe them as they have a lot of experience with the German laws the GDPR is based on. We're paying them far more than the fines we'd see because we believe in doing the right thing. Ergo, we must take the "hard" regulator view rather than your "kid glove" view. Our lawyer's underlying point in every discussion is that this is really really serious business and that they're not fooling around. Adding to that is a GDPR like law is likely to be implemented in Canada and other jurisdictions in the future. We must be ready for that as well.
I think GDPR is great for consumers. I think we'd actually be in a better/easier place if it were a requirement in the US since everyone would have to follow the same rules. The problem is that implementing it takes time and effort to do well at scale. To not loose your competitive edge against other large competitors that do not serve the EU and can operate under only US law. These are real concerns that have nothing to do with the regulators and whatever their whims are.
So even if you're right, these are the real costs. You're going to be held accountable to the people you let down if you put your company in peril. You're going to be held accountable if you loose marketshare because you got this wrong and an unencumbered competitor outmaneuvers you. And most of all, you simply cannot assume the best case, kid glove, approach is what is going to happen. THIS is what people are frustrated with.
I do hope that the EU is fair and equitable (which is my belief) but it would be irresponsible for me to act as if that is the only possibility.
As for this part of your comment:
> If this law is "no big deal" or "so easy to implement" or any other version of the arguments proposed this week, it would not be causing so much concern. It's neither an unreasonable ask or a trivial one. People are being impacted in large ways.
It's no big deal if you already had a user centric approach to privacy, if that's novel then you will probably have to change lots of procedures and some software too in order to get things right, even so I've seen far worse from a compliance point of view, look into fintech or healthcare compliance for examples.
Consider, for example, how every major social issue devolves into a Constitutional litigation. Whereas in Europe people just vote on stuff.
And as to regulatory approaches I think you’d be surprised. European regulation is often quite conservative.
Well lets say it wouldn't work with the current ruling class mindset where everyone they employ is stupid and unable to think critically.
