If you own a business, the cost of reading this document is about 2 days (with consideration for googling terms). To disenfranchise a whole continent because you are inconvenienced is ridiculous.
Put it a different way: are you too busy to read docs/specs of the technology you are using or will you abandon it because specs are too dry?
American services are just busy because they are doing their best to keep the lights on. Within a week, the handful of companies will comply. They’re just cautious because they have to pay folks and don’t want to make a silly mistake that will shut down their business.
Edit: structure
I've been watching experienced lawyers, general counsels, etc from various companies, vendors, etc literally yell at each other about some of the finer points of the laws. It's quite fuzzy on a lot of things, and get REALLY complicated in some cases, especially when dealing with 3rd party vendors, or when you are yourself the third party vendor. Certain patterns, technologies and software are very hard to retrofit properly. Some concepts like the business justification stuff gets really fuzzy when handling things like free accounts.
If you make any amount of reasonable money, you need a lawyer to work with your devs (hope you didn't outsource the work!) on a lot of this. And your usual lawyer, if in the US, might not be qualified to deal with EU laws. It's a tough situation. For businesses that don't even target EU markets on purpose, well...
If you're a medium to large international business, then this is just business as usual: dealing with new laws popping up, small or large, is just something you do. It sucks, but hey: it increases the barrier for entry of your next competitor!!
Disclaimer: I think GDPR is fine, and in a few years when every new startup or mom and pop company and 3rd parties are all setup for it, it will be a no brainer, just like email (not many people running their own email servers these days!). But the transition is hard, especially on smaller players.
See https://ec.europa.eu/info/law/law-topic/data-protection/refo...
> When the regulation does not apply
> ...
> Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
I totally agree with you. But like you said, "It sucks, but hey...". That's totally the approach.
Yeah, it sucks, and what's new? There is always something that sucks. Within the next two months, there is: TLS1.2, new PCI guidelines, and GDPR that go live.
GDPR has more nuance then most other situations but just like PCI, you just deal with it.
What I imagine is this situation is like a bunch of stores stop taking credit cards because the new PCI guidelines require TLS1.2, anonymized customer data, and all customer data stored at rest to be encrypted or hashed.
Would folks have same reaction if their neighborhood deli said "fuck it!" I ain't protecting the CC data cause its tough and requires too much work?
Oh, please. To not offer a service or website or whatever to people half a world away is not to "disenfranchise" them. I don't think you have room to call anyone else's comments "silly".
When I was 20/21, I worked at PJ Clarke's on the Hudson, a restaurant in downtown Manhattan. Back then, the Merc was still staffed by traders on all floors (they switched to computerized trade desks, I believe, and there were less people there).
During one shift, I had a party of 10+ people and had to grab extra tables from other area. The tables had tops made from granite and heavy. As I was moving the table, the majority owner Phil Scotti jumped in and started helping me. I said something like "I got it" and he looked me in the eye and said "Anything for a buck".
That quote might not be popular but I what I realized is that work is work and money is money. If a multi-millionaire could move tables and his wife (in custom, expensive, suits) can bus tables, then yes...Disenfranchising, or not servicing a bunch of folks, because you don't feel like it is fucking stupid.
I apologize for calling it silly.
This regulation calls for legal expertise, trusting google to save on fees seems risky for a business. In all seriousness, biz owners should shell out for expert advice for compliance, or stop doing business in the EU.
Google and Fb have already seen litigious groups claim $9.3B in fines on the first day[1]. There will certainly be a cottage industry of lawyers going after online businesses that have erred with GDPR.
[1] https://www.cnet.com/news/gdpr-google-and-facebook-face-up-t...
People can refer an issue to the regulators claiming that the GPDR has been violated. The regulators will determine if they believe the regulations have been violated and whether it's a large enough violation to enforce. If fines are levied they go to the government and are intended to be punitive, hence the percentage of revenue as the max fine so that you can't just ignore the regulation by being rich.
No individual or group other than the government is going to make money off of this, and the government has to balance the loss in taxes and cost to enforce against any gain from a fine.
This whole kerfuffle about the GPDR has just shown that american companies will lose their fucking mind if they have to follow anyone else's rules and can't just lobby the US government to force their laws on everyone else.
Incorrect. They are civil right groups, which filed complaints with the authorities. Even if the complaints were fully accepted and the offenders fined to the maximum possible amount the groups would not "earn" a cent.
The GDPR is most of my job right now, and I have a relevant background. To say that the cost of reading the document is two days clearly shows that you have very little idea of what the law means. I've been arguing with other privacy professionals about the details of this law and how to implement it likely for longer than you've known about it, and on a number of those questions there is still no consensus.
This is an incredibly expensive regulation to comply for most small and medium companies not because they're doing villainous things with the data, but because learning this law and then documenting your compliance for this law is ridiculously expensive for many types of businesses.
Lets swap GDPR for PCI compliance, which has a new standard (or fully implemented standard, if you may) coming soon. PCI deals with credit card information.
My relevant background allows me to make a few assumptions: 1. If you are in the US.
2. AND you have visited a Quick Service restaurant in the last five years (think Subways, Chipotle, etc.)
3. AND they use one of the major POS (point of sale) providers.
That your credit card, name, expiration date, and CVV is in plain text.
You may know the GPDR very well, as it is your job and you are most likely very qualified for it. And yes, there are probably lots of nuances to this law. However, thats every single law there is, every standard, guidelines, etc.
I'm not entitled. I am, however, a realist that understands that you just have to comply. Taking two days to read the 88 page PDF will make you more familiar then most. It might not make you an expert but for a small to medium sized business, it would give you the necessary tools to comply with majority of the law.
Quite frankly, I don't have a bunch of lawyers and I do have to implement GDPR. Will there be an official review? YES. There will be folks who know more then I and are professionals to double check my work. But I can't tell my stakeholders "Sorry, We can't do that because its just too tough". That seems entitled...
It’s like complying with 99% of securities laws and forgetting to comply with the insider trading laws. That’s not a defense.
Umm, no, I won't read them?
I seriously cannot remember the past time so ever went and read all the official docs for a new tech.
Instead I learning by doing, and reading stack overflow.
If I have to read through 50 pages of docs to use something, I seriously am just going to use something else.
These same arguments could be applied to just dumping waste from manufacturing in the rivers. Does "If I have to spend 50 days disposing of my waste in a way that doesn't harm others I'm not gonna do it. I'm just gonna dump it somewhere else" sound acceptable?
Modern society has mostly decided it's not
If the EU doesn't wants these services, then hopefully these services will decide to leave, and the EU citizens can decide if it was all worth it.
I am certainly going to block EU customers on all my future side projects. It really isn't worth the bother for something that I just made for fun, and isn't making many money. Easier to just block this small market wholesale.
I even found a way to block them with a single line of frontend code!
In my opinion you absolutely hit the nail on the head with this:
"If you own a business, the cost of reading this document is about 2 days"
I agree with you in everything though, everyone should be reading and following the law!
