I would like to hear your opinions and discuss them in this thread, and would also very much appreciate if you could spare 5 minutes to respond to a survey: https://forms.office.com/e/E37CdBAC8s
Thank you!
Like a starter kit for startups that aren't really interested in doing anything with people's personal data, but where it's just an accidental complexity of doing business with people. Maybe a pre-written terms of service, a code of conduct and a checklist for features your product needs to have for people to correct or delete their data themselves, which you don't want to waste time doing manually anyway.
At a certain point most companies are going to want to do some more advanced analytics on the personal data, but by then they have probably already grown to a scale where it doesn't hurt as much to hire a legal counsel to write a new ToS for their specific use case.
It might make sense for VCs to chip in and hire a law firm to make such a starter kit, to be distributed under a Creative Commons or similar license. Just like Creative Commons itself is a legal starter kit for creators who don't need a bespoke solution to ease up a little on their copyrights.
ehh... are they? If you're in Europe (or even the UK), the most noticeable change is the proliferation of cookie banners, most of which don't even comply with GDPR (the single "reject all" button almost never works as you'd expect). Another notable change is that a bunch of local US news sites are now inaccessible.
The only obviously visible benefit to consumers is data portability ("Google Takeout," etc.) However, even that is a double-edged sword, because it also makes it easy for someone who hacks your account, or law enforcement, to get a nicely formatted dump of all your data.
Beyond these changes, I'm skeptical that the regulations caused any meaningful change in what companies do with your data behind closed doors.
Smaller companies often lack the resources to employ costly lawyers to guide them through the complex regulatory landscape, which ultimately allows only big companies to thrive. This gives big corporations a distinct advantage within the system.
While I don't oppose the GDPR itself, as an independent developer, it deters me from a lot of ideas, even though I have no intention of engaging in questionable activities. The fear of inadvertently making an error and being hit with a massive fine is quite daunting. So in the end I just don't do it.
The law is complex and I feel the EU is massively putting small companies at a disadvantage. Big companies can easily afford to hire experts that will guide them through all this, but small companies can barely afford to keep afloat.
It would be different if the EU at least had some sort of free legal help for small and medium enterprises. They already have funds to help EU companies get a trademark, why not GDPR?
https://euipo.europa.eu/ohimportal/en/online-services/sme-fu...
Thanks for sharing your thoughts!
I'm sorry to break it to you, but the EU doesn't care about entrepreneurship and small businesses. Anything EU politicians and representatives like to say to the contrary is mere lip service. By and large, the EU is an environment that's hostile towards entrepreneurship.
I don’t understand that sentiment. The text is almost self-contained and easy to read relative to lots of other legal things such as tax laws that you have to know if you start a business.
The GDPR basically boils down to “guard your user’s data, keep only what you need, and tell them what you do with it”.
For the typical “we keep user email addresses so that we can send them bills and credit card info so that we can charge them” use case it’s not hard to comply with the GDPR.
And, nitpick: the GDPR is not a law.
It's easy as a casual observer to opine on what a law "boils down to," but take my word for it, the stakes are higher as the person legally obliged to interpret and implement -every single letter- of the law in their own business.
GDPR fines are measured in millions of Euros. I'm just an ordinary guy with a family to feed.
That's how GDPR is commonly advertised, but for those who actually have to implement it, i.e. small to medium-sized businesses (large companies basically go scot-free, because a. they can afford legal departments to deal with GDPR how they see fit and b. local authorities can't be arsed to investigate the privacy violations routinely committed by companies such as Facebook or Google), the picture is much more complex, to the extent GDPR becomes an existential risk even to ordinary businesses that don't do anything unexpected or untoward with their users' data, for instance:
- In certain larger EU countries you're not even allowed to record a website visitor's IP address (because some court has decided those count as PII) and consequently have to jump through a ridiculous amount of hoops to make sure it isn't.
- You have to make sure that any service provider you're working with complies with GDPR.
- Currently, due to an ECJ case ruling informally known as Schrems II (https://www.gdprsummary.com/schrems-ii/ ), you're not allowed to store any user data with a company affiliated with a US company in any way, which boils down to virtually every business and the economy as a whole being in violation of GDPR.
Now, it's often argued that the EU and GDPR aren't to blame for this because it's the US CLOUD Act that created this issue. Technically, this is true and the CLOUD Act indeed is hugely problematic, to say the least.
However, the problem remains and it's on the EU to negotiate an agreement with the US that allows companies to legally do business in the real world (as opposed to an ideal world according to GDPR) again.
gdpr.fyi if it wasn’t already taken/expensive ;-)