Do you think that some open source project running a bunch of servers to have people use a free and open social networking thing outside of Facebook has the skills and resources to comply with the regulation?
Yes, because from my experience (I’m running a few small open services, which do comply with it) it’s been quite easy. To comply with German privacy law I already anonymize IPs in most logs (the rest will be changed by the end of next week), and I don’t collect any analytics or tracking data. The only data I have is that which users submitted themselves, and not only can users view and delete it through the software, I also wrote a small tool to easily export all data for a user as PDF, so if a user sends a “nightmare letter”, I can quickly respond by letter/fax with all data.
I don’t use any external APIs or services in my software unless the user explicitly opts in, which means no data is shared with third parties, also making compliance easy.
In general, it seems to me like the only people that have to worry about the GDPR are the a*holes that are stuffing their sites with analytics, tracking, ads, and selling userdata.
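As an added illustration of the log IP anonymization the commenter mentions (this is not the commenter’s own tool or code), the following Python script zeroes the host part of the client address in access-log lines before they are stored. The truncation widths (keep 24 bits of an IPv4 address, 48 bits of an IPv6 address) are an assumed convention, not a statement of what any law requires; the log lines are constructed sample data. IPv4-mapped IPv6 addresses, which appear when a dual-stack server logs an IPv4 client, are unwrapped first so they are not collapsed to `::`.

```python
import ipaddress
import re

# Constructed sample access-log lines (combined log format); not from any real server.
SAMPLE_LOG = """\
203.0.113.42 - - [10/May/2018:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 2326
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/May/2018:13:55:37 +0200] "POST /api/post HTTP/1.1" 201 15
::ffff:10.0.0.7 - - [10/May/2018:13:55:38 +0200] "GET /robots.txt HTTP/1.1" 404 0
not-an-ip - - [10/May/2018:13:55:39 +0200] "GET / HTTP/1.1" 400 0
"""

# Assumed prefix widths to keep. A common anonymisation convention, not a legal requirement.
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def anonymize_ip(ip_text: str) -> str:
    """Return the address with its host bits zeroed; non-addresses are returned unchanged."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text
    # A dual-stack listener logs IPv4 clients as ::ffff:a.b.c.d; treat those as IPv4 so the
    # 48-bit IPv6 truncation does not wipe the whole address down to "::".
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


# In the combined log format the client address is the first whitespace-delimited field.
_FIRST_FIELD = re.compile(r"^(\S+)(.*)$", re.DOTALL)


def anonymize_line(line: str) -> str:
    """Rewrite the leading client-address field of one log line, leaving the rest intact."""
    m = _FIRST_FIELD.match(line)
    if not m:
        return line
    return anonymize_ip(m.group(1)) + m.group(2)


def anonymize_log(text: str) -> str:
    """Anonymize every line of a log text; running it twice yields the same output."""
    return "".join(anonymize_line(line) for line in text.splitlines(keepends=True))


if __name__ == "__main__":
    print(anonymize_log(SAMPLE_LOG), end="")
```

The transformation is idempotent, so it can be applied both at write time (for example in a log pipeline filter) and again over old files without damaging already-processed lines. Note that zeroing host bits is truncation, not hashing: a truncated address cannot be reversed, whereas a keyed hash of the full address would still be a per-user identifier.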
Disclaimer: I’ve worked on building GDPR tooling for a company but I’m not a legal or economic expert.
I don’t find the “but what about startups” argument very compelling for a few reasons:
Without a counter suggestion the author just seems to be saying we should let them collect whatever information they want. Something like GDPR is a reflection of the values of a society: privacy is more important than anyone being able to succeed. I don’t know if this is a good analogy but I see it kind of like health standards at restaurants. Oh but what about the poor corner restaurant that cannot afford to keep up to spec? Well, we’ve decided that not getting food poisoning is more important than anyone being able to cook and serve food. I’m sure that analogy is full of holes.
Currently companies just collect any data they can because they can, with this they’ll have to think about what data they want to collect and get value out of it. I like that.
Infrastructure builds around these things anyways. Already AWS and GCP are building tools to help their customers operate within GDPR.
I’m sure there are problems in GDPR and I think the author makes some good points. Maybe time will show my concern about startups is incorrect.
Sounds a little like FUD when it talks about press and blogs, since press freedom and free speech are part of the Constitutions of many European states.
And you know, Constitutions win over ordinary laws.
The point of GDPR is to protect people, not to punish companies for their misbehaviors: their users should punish them if they want.
Indeed every company, small and large, is welcome in Europe, as long as they obey the law and properly pay taxes.
It’s nice to read that Google and Facebook are going to comply, and it’s sad to read that other U.S. startups might have problems with the rights of their European users.
But all in all, I think the GDPR could be a good starting point for any state that cares about the privacy of its people more than the private profits of its companies.
Constitutions do not necessarily win over ordinary laws. In e.g. the Netherlands the constitution (Grondwet) does not in fact have force of law, but every new law passed is supposed to be checked against the constitution by the Eerste Kamer. This leads to the interesting situation that several constitutional rights can only be defended by appealing to EU laws that do have force of law.
So, yeah, this is slightly FUDdy, but not entirely, and the concerns are valid, especially in certain Eastern European states; just look at Freedom House’s reports on Hungary and Poland.
I said “many European states” exactly because I know that exceptions exist, but I’m not an expert… so thanks for pointing them out.
Still, the point of GDPR is to protect people.
Can it be improved? Surely!
How? You could for example impose full data tracking: if someone sends you mail or calls your phone for marketing, they must be able to tell you exactly how they got your address/phone number, exposing the full path of your data from the consent to the call/mail.
AFAIK, this is not yet part of GDPR and it’s a pity.
This way you can write to everybody in the various steps to remove your data and not share it anymore.
Please consider adding this if you are going to improve it in the U.S.A.!
Well said!
What are you liable for if you’ve made a mistake?
Up to 4% of global revenue, or 20 million EUR, whichever is higher.
But I trust that the courts will act reasonably if I’m being cooperative and focus on privacy from the get go.
Interesting perspective.