This law has been in application since 1978 [1]. And in 2018, we have adtech companies like Criteo. [2] One of my best friends started his adtech startup in France. Everything is good.
There are a lot of implicit contracts (you filled out our sign-up form? Well, then you chose to give us your data. ...) The only things you have to do: know which data you collect and give people the ability to update/delete their data. That's all.
I don't understand the fear. I don't understand what is "vague" about it. It's so simple and low barrier that Microsoft decided to make it the rule for all of their users. But thanks to the hysteria, they made a PR stunt out of it.
--
[1] https://en.wikipedia.org/w/index.php?title=Data_ownership&ol...
Given the EU assertion of global jurisdiction, the GDPR seems like a bit of a trade war and it's surprising more commentators aren't treating it as such.
The US should be inspired by this and give online retailers the opportunity to collect and remit sales taxes.
I'm sorry, the analogy is totally flawed. On one hand you have something consumable: food; on the other, something that can be made eternal: data.
When making an application that collects data, you just have to make a form/button to give the ability to update/delete data. It's no different than when you make an adult website, you have to make a page "Are you above 18?"
Sometimes, it sounds to me that people on HN don't have a problem with the law X or Y. They rather have a problem with the concept of regulation in general. (See the comments on all the posts about Germany requiring Uber drivers to have a car insurance with a higher liability.)
But if you want to give an analogy to normal business, a more suitable one would be: "Giving people the option to delete their data is a bit like allowing customers to get their money back on their gift card they purchased 2 years ago"
How is that unfair?
You're not understanding the analogy. What does a user get out of using Google's services? They get access to a suite of products (search, email, cloud storage, online productivity apps, videos, and so on) that are maintained by a rather expensive group of employees and run on a rather expensive collection of hardware. When you use those services you pay for them by letting Google collect information about your use of those services. The value you get from those services is often intangible (you watched a cat video or looked through a photo gallery of your sister's new kid), though sometimes monetary (you don't have to pay an ISP for an email address if you use gmail.) When you choose to no longer use the services and demand that Google delete all the data they have gathered are you going to return that intangible value and pay them for the money you saved by using their systems? How would you return the experience of watching a stupid cat video? It's exactly like eating a meal but insisting the restaurant give up the value, i.e. the money, that they got from you.
The irony here is that American users are so used to being endlessly surveilled without consequence that they are genuinely shocked that the rest of the world refuses to put up with this bullshit. This is completely normal to them.
The GDPR is just another step in a global fight by people all over the world to regain their data sovereignty and protect themselves from endless surveillance. The momentum at the international level is very clearly for data sovereignty. Russia and many Asian countries are following closely behind. And while everybody was freaking out about the GDPR nobody seemed to notice that China passed even stricter online privacy laws [1] earlier this month. Singapore [3] and Malaysia [4] are up to speed and even Thailand [2] will likely soon require minimum standards. (Edited to add more links.)
The end result is like so many other things: American companies will end up blocking everybody but American users who they know they can exploit without consequence. American users will celebrate their exploitation as freedom from Big Government. Everybody else will move on and just shake their heads.
[1] https://www.csis.org/analysis/new-china-data-privacy-standar...
[2] https://www.bangkokpost.com/business/news/1455534/new-data-l...
[3] https://www.pdpc.gov.sg/Legislation-and-Guidelines/Personal-...
Also it's hilarious to claim China has better privacy when that government tracks everyone using facial recognition with real-time threat scoring and national social rankings called a "citizen score". A late payment on a single bill gets your face and contact info on a giant billboard so go ahead and try complaining about your data over there and see how far that goes.
If folks find ambiguity in the GDPR, do NOT get into American Fintech. Here's a great question: what are the technical requirements mandated by the US government to become a bank?
Get this: not everybody is consumed by paranoid fantasies concerning their government. And while your shallow understanding of China based off a few western-oriented articles here and there may validate your own biases, do understand they have no real relation to reality. In reality, there are no extraordinary consequences for missing a single bill. On the other hand, if you're sued in court over a debt the judge -- not unlike American judges (!) -- can use public humiliation to try to modify your behavior.
I see this "not clear" repeated here. Can you cite a section that you find not clear, so we understand what you mean?
The difference is that France is insignificant in the adtech market. The real money is in the US and spread out across Europe, with Asia soon to overtake. The existing rules you point to weren't affecting global operations where Criteo and others made their money.
It's strange that you think the business models are going to fly in Asia. China and many Asian countries are laying out privacy regimes that are even more strict than the GDPR. Take a look at China [1] or Thailand [2]. Pretty soon it will be the case only in America that adtech companies can collect and sell endless personal information without consequence.
[2] https://www.bangkokpost.com/business/news/1455534/new-data-l...
Ok, spend all your time going after the ad company and ignore the government which is 1000x worse and will control your life or toss you in a cell. Good luck with that.
Second... I don't see how valuation matters. Did they lose money? Go out of business? No. VW lost valuation during the whole diesel gate scandal. Did that make VW less relevant? No.
And the last thing that I wanted to mention: I said "this is just an implementation of an old French law into the European Level". And I was mentioning the French law itself, not the European Law.
The cookie issue that you're mentioning is related to the ePrivacy directive, which is solely European Law, that was passed one or two years before the whole loss of valuation. My point was just that the GDPR doesn't affect anybody.
Do you know that they are a publicly traded company? Losing money is exactly what happens when the stock price falls. When you lose more than half of your value, going out of business is a serious risk.
There are also extra procedures you have to follow that could be really complicated depending on the business. This is even worse for small businesses. I can definitely understand those people who want to just wash their hands of it, especially if they don't get much business from Europe.
As I said in other comments, I'm not sure if people on HN have a problem with the GDPR, or just with the concept of regulation itself.
Also, when I read about "complicated rules for small businesses", it reminds me of American Republican politicians explaining how taxes on the rich will affect the average joe's taxes.
The reality is that many rules only apply to big businesses. And small businesses are exempt from many rules. My favorite one is the "Data Protection Officer", everybody on the internet™ says that you need one. The reality? Most small businesses won't. Article 37 explains that the Data Protection Officer is when a business is "collecting data on a large scale" [1]. Second of all, people interpret that as "Hiring somebody", you don't. It's just a role, take your CEO, and now he's your "Data Protection Officer", ...
--
Congratulations, you're uncompliant. Thanks for playing "GDPR is easy".
> (5) The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
Perhaps in the early stage of a startup a founder will take the title to save cost, but he/she will want to lose that responsibility as soon as possible.
AIUI that's one of the main changes, that explicit consent is now needed to retain data and specific details of how it will be secured, who it might be passed to, must be given. Also that if the service being offered doesn't need the data, that the company offering the service can't insist on having it.
It is a big thing for micro-businesses and SMEs in the UK - despite having data protection laws already - it does change the complexion of how one handles PII and the embedded assumptions. We're talking about businesses many of whom have paper bookings diaries - the diary apparently needs to now be secured, whilst it's always sat on the counter before; that's a costly structural/workflow change (unlock the diary for every phone call!).
It is a blocker that slows down your efforts to work on the next feature. It is not hacker friendly. It is a huge pain in the ass.
Edit: btw, I don’t really blame the EU. Google and Facebook got us into this mess.