
I would say that no company or person is immune to arbitrary legal attacks. Complying 100% with the law is difficult if not impossible for companies or people with few resources. Laws can be contradictory and/or inconsistent if you dig deeper.

That is why it is important to have sandboxes and/or laws that are based on size, number of consumers, etc. Asking a bank for full GDPR compliance is one thing; asking the same of small companies is quite different.




I agree. GDPR doesn't explicitly state that companies above a certain size are exempt from many nuances of compliance or that the 'little guy' gets a pass. Yet almost all small companies ignore full GDPR compliance. Just because no one cares about/sues small companies doesn't mean that they're immune - the letter of the law and its enforcement should be absolute so that shitty laws don't pass the mustard.

Just because something isn't easily enforceable, it doesn't become legal or ethical.

A small company absolutely can get by with shoebox accounting, too, it's just not particularly advisable to do so.

The same applies to completely ignoring GDPR, whether it's enforceable or not.


Do you really think it is easy to be much smarter than law makers and lawyers when it comes to laws?

There is an intersection here, but basically this - in my mind - isn't about bad laws but about big businesses fighting for their lives (or at least the lives of whole branches in their organizations) against these laws.

They'll do most things they'll come up with and think they can get away with: misrepresent, plead, beg, threaten to leave, willfully misunderstand even very clear laws, etc., as long as their lawyers and business people think the risk/reward ratio is favorable.

GDPR isn't that hard, technically.

It just gets extremely hard to comply with without letting go of abusive but highly lucrative business practices.


Except that this has never happened before, especially to small businesses that are obviously trying to comply with the law.

You have much, much bigger things to worry about as a small company. You could have your bank cut you off because you’re suddenly deemed too risky - happens every day. You could run into a contractual dispute that drags out for years and costs you tens of thousands of euros. You could violate a patent you never knew about. Your supplier goes bust just after you’ve spent weeks negotiating a large order, and now you don’t have enough inventory. You could perform some action or inaction that results in injury to someone, and your insurance could refuse to pay out. It turns out that one of the products you sell kills people, and the Government decides to take you to court over it. Your customers might fail to make good on any credit you give them. One of your key employees could develop a chronic, life-changing illness. You didn’t realise that some tax or other applied to you, and now you’re not making enough money to stay afloat. As a business owner, have you worried about any of these things as much as the GDPR?


And it's always people with the same arguments - small companies, getting sued, crazy money for lawyers, etc.

One of those things is not like the others.

I have no idea where the meme about exploitative lawyers looking for minor non-compliance came from, because the primary means of enforcement under the GDPR is regulatory action. The whole strategy of threatening legal action to prompt a profitable out-of-court settlement is much less viable under typical EU legal systems than in the US anyway.

However, GDPR definitely can cause significant compliance overheads for small organisations, including those who have done nothing wrong. The official guidance is still terrible, and just the uncertainty around several key points is a problem for reasons we've previously discussed at length on HN.

Trusting in regulators to do the right thing is also a risky strategy. I write this as someone whose business really did receive a crippling demand for monies never owed direct from an EU government tax office after the VAT changes, with very scary accompanying threats and impossibly short timescales to respond, and there were many thousands of other small businesses similarly attacked just in the incidents I'm personally aware of.

From a pragmatic point of view, the regulator in my country is well known to be under-funded and under-staffed, but even that doesn't necessarily help because as with other issues within their remit, it makes smaller organisations easier targets than those with big legal departments to fight back.


The same goes for any other kind of regulatory compliance.

No small company has to pay lawyers to validate that they are complying with GDPR. It’s just that if it turns out they weren’t, the fines for violations can be quite steep, so a risk-averse company is going to be proactive about it.

There are many types of regulations which are much stricter with more up-front costs than GDPR, which companies of every size manage to cope with (or sometimes don’t, and go out of business). The technology industry has just gotten used to not being held accountable when it harms people, so now that some sensible consumer protection regulation comes down (some) people are freaking out.


The GDPR doesn't allow people to start lawsuits. The law is upheld by government agencies, which usually give small companies a chance to fall in line before starting a lawsuit. They're also mostly focused on European businesses and most likely won't act until they receive enough complaints.

When it comes to lawyer fees, governments seem to have quite a pool of money when it comes to enforcing the law.


Have you ever run a business that, uh, intended to scale beyond one employee and a hobby website? I've never seen a company be threatened with some form of legal attack and not get lawyers involved. Especially with such a new law as the GDPR, which has no judicial precedents upon which to build business processes. I've been in companies as small as 4 people, and we still had lawyers on retainer for stuff like this (copyright violations in user-hosted content was a big one before GDPR).

If you can completely distill a binder of a legal framework down to an "if this then that else this" sentence, you don't understand it, and your hubris is going to kill your company. If you think the correct response is "don't respond, wait until it escalates", you don't understand it and your hubris is going to kill your company. If you're doing anything worthwhile you're going to be bumping up against some law or another, and you can't just ignore it and you can't afford to not understand it. That's why you pay lawyers.


You say "anti-business", I say "consumer rights" (and more importantly "human rights").

As a small business you can comply with the GDPR fairly easily unless you have no regard for anyone's privacy to begin with. And even if you're not 100% compliant you won't be insta-sued to bankruptcy, you'll only be reported and the relevant data protection agency will check on you. The GDPR encourages data protection agencies to help businesses fix their problems and only use fines as a last resort for gross violations and wilful negligence.

Unless you're storing/processing information that has special protections (e.g. religion, sexual orientation, medical data) the bureaucracy is also fairly tame, especially for small businesses, especially for businesses that aren't at their core based on processing personal information (e.g. not online dating startups).

Compare this with the "upload filter" as it has been interpreted in the media so far: allegedly every website that allows users to upload content would have to implement their own Content ID database and sign deals with publishing companies or license filtering services.


Or, the law works just fine and "hey, I want to steal user data without any consequences" is just not a good business model. Millions of small companies work just fine and have zero problems with GDPR. Only a very specific subset (mostly web companies that don't want to ask people for money, but instead sell their data) have real problems and cry loud.

This comment thread provides more insight, I think: https://news.ycombinator.com/reply?id=30135827&goto=item%3Fi...

And regarding lawsuits, small fish websites don't really matter. Look at this case, breaking the law meant a €100 fine.

I feel that reasonable people are super afraid of the GDPR. Just read it, it's shorter than a spec. Talk to a lawyer if you're still super afraid.

It applies to every business but it's targeting huge corporations tracking stuff, not the average Johann.


You've got this completely the wrong way around.

The problem is not that companies with large legal departments can't follow the law, but rather that some such companies are pathologically choosing to break the law. They think they can get away with it because few breaches are prosecuted, and based on highly dubious legal interpretations concocted by their large legal departments.

GDPR is not difficult to follow (or indeed "mental"), and is a huge boon for consumers. In a way it's even a boon for businesses - it can reduce their legal risk by encouraging them to only collect PII when they have a good reason to do so.


'European' - e.g., EU - culture is still quite new in this regard, and plenty of companies have gotten very large fines for gross non-compliance with other regulations/directives.

Since GDPR compliance is enforced by EU members, many small companies are exposed to (have customers in) most or all EU jurisdictions, and the EU is very heterogeneous when it comes to regulatory enforcement by member states, I think that they're correct to be worried about the ambiguity around the GDPR.

I'm not arguing against the GDPR - I'm in favor of data protection - but the if/ands/and buts (e.g., speculation) about who is going to get fined, and for how much, is uncomfortable.


It isn't. Being GDPR ready is not that hard. It just takes time and resources, but following the law always takes that. And leave it to businesses to complain about anything and everything.

As for GDPR: at least in Germany it's problematic. Our system typically relies on competitors to enforce law abidance in companies (so called "Abmahnungen" based on the "Gesetz gegen den unlauteren Wettbewerb", UWG for short, a set of laws regarding unlawful competition). One court recently ruled that GDPR violations don't fall under those laws (https://www.datenschutzbeauftragter-info.de/landgericht-stut...).

That leaves us with:

- reporting violations to the officials. They are chronically understaffed, have little technical expertise and it takes months to years for them to act. They are very hesitant to hand out fines, but theoretically can.

- individual citizens suing a company to force them to abide by the law. This is rare because the citizen will have to cough up the money to go to court, and even if he wins, the company will only be forced to abide by the laws regarding this citizen, not in general.

- publicly shaming companies into compliance.

A higher court might have different opinions, and I very much hope they will, because GDPR quickly becomes meaningless without enforcement.

Edit: I have literally no idea why this is downvoted. Unless it's just because you personally don't like me, please leave a comment explaining what is incorrect.


I've never had any real problems with this (as a developer). The GDPR isn't that hard to deal with; mostly it's quite intuitive and obvious. The spirit of the law is simple: you need a good reason to have data on your customer, and the customer needs to know and consent to you having it, and remain in control in the sense that you must delete it on request. That is the core, which is very reasonable.

Of course, there is tons and tons of legalese, edge cases, interpretations etc. But if you abide by and implement these basic principles, especially as a small company, you can be quite confident you won't run into any real problems.

If you kind of cared about your customer data in the first place as part of your company culture, it's not that hard to adapt. Maybe some really careless companies had a hard time. There must have been some Kafkaesque situations killing small companies no doubt, but honestly I haven't heard of them. I only hear Americans complain about it.

To me, this means the law is just right.


I'm a small business owner and this is my concern at all. What stops a competitor from just paying a lawyer to sue you or report you to GDPR authorities? Even if you are 100% compliant (which I doubt), you'll still have lots of issues, stress and wasted time with the audit.

The problem with these laws is that while they're mainly targeted at large corporations - because frankly that's all regulators and politicians usually know or care about - small companies bear the brunt of complying with them right now.

Many of the questions the owners of these companies are facing right now haven't even been considered by legislative bodies. These are questions such as:

- How will I be able to operate my small company website in the future in a legally compliant manner? Some companies even consider turning off their websites completely and - of all things - only use a Facebook page in the future. Hence, ironically we might very well see GDPR actually benefitting companies like Facebook to the detriment of small companies that consequently won't have complete ownership of their content anymore.

- How exactly does a privacy policy have to be worded so I don't get sued on day 1 (in some EU countries this is a very real problem already with legal notice requirements for websites)?

- In which way will I still be able to store data for contacting my existing B2B customers (such as email addresses and phone numbers)?

- Will I still be able to use anti-spam and security plugins for my website? These tools might store users' IP addresses, which in some jurisdictions are considered personal data.

Dismissing these very real concerns by very real people as FUD or even suggesting a foreign power might be trying to undermine the EU is nothing but a preposterous conspiracy theory.


I'm running a small startup and finding GDPR compliance is small beans compared to the tax code and employment law, both of which we have no trouble complying with.
