I respectfully disagree. And I write that not only as a very experienced developer but also as a director who has been legally responsible for GDPR compliance in more than one relatively small organisation.
The GDPR in its official format in English is 88 printed pages. It contains 173 introductory paragraphs followed by 99 specific Articles some of which span multiple pages by themselves. As is customary for legislation made at EU level a lot of the provisions are written more as statements of intent with considerable ambiguity about concrete implementation that is left to regulators or courts to clarify.
The specific legal basis of "legitimate interests" and the overarching obligations to collect and process data only where it is reasonably necessary are good examples of this openness to interpretation. And yet much of the data processing that most of us would probably agree is reasonable relies on the legitimate interests basis for its lawfulness. Several enforcement actions by regulators have already been brought against data controllers who apparently believed they were acting in compliance but were still found to be infringing the general principles around necessity and proportionality.
I contend that any legal document running to nearly 100 printed pages of densely printed text cannot credibly be described as "easy to understand". Indeed I must have read hundreds more pages of analysis and discussion by legal scholars, professional data protection officers and other experts and there have been plenty of disagreements over interpretation or sometimes outright contradictions between those papers.
Of course the only things that actually matter are the actions of the regulators or other official bodies that interpret the regulations and potentially sanction those who infringe them in specific cases. That means we also have to consider the stated opinions and actions to date of all the different national regulatory authorities and the outcomes of the cases that have been formally considered and resolved so far. And once again it is clear that even among the national regulators who are responsible for the interpretation and implementation of the rules there can be considerable disagreements about how the rules should be interpreted and sometimes which cases should be brought at all.
Now I don't necessarily disagree with some of those outcomes but I do think that if a data controller honestly believed their prohibited actions were in compliance and was subsequently penalised and required to make changes then evidently there is a problem with how accessible/understandable the rules are and those rules demonstrably failed to prevent the unwanted behaviours in those cases until the regulators did take action.
You have pointed me to the entire content of the GDPR. It's 11 chapters, with 99 articles. I'm unashamed to admit that I don't consider even skimming such a document "easy". I was imagining something more along the lines of a one pager with 4-8 bullet points, each of which was easy to address.
I think the misunderstandings about the GDPR (even many smart people don't get it) prove that designing and writing such a law is difficult and the result has to be complex.
IMO the GDPR is good. But… it is poorly understood by many affected people. IMO if a law is poorly understood by the people it affects, then one should assume the law to be at fault, not the people. IMO it's good but I'm not happy.
It's about the work needed to comply vs. the risk vs. the possible benefits.
1. Work to read and interpret legislation means lawyers. If you think you understand a law because it "seems" to be simple to understand you are fucking wrong. Words in law tend to mean different things and refer to other laws, precedents, principles and treaties.
2. The benefits are often small for international businesses. EU customers? Do you care? Probably not.
3. The risks are MASSIVE for breaking the GDPR.
So, in cost/benefit, it's a massive "I'm not touching that".
It's not hard to understand. It's only hard to understand if you've built your business around slurping people's data and using it without consent - something that's already mostly illegal in the EU.
A lot of GDPR is not new. It's just clarification of existing law.
This is a massive understatement. There's a lot of comments here by people who clearly want to like and support GDPR but have never actually tried to "comply" with it in a large business. GDPR is a textbook example of how not to write law (unless of course you're actually trying to create a despotic regime). It has so many problems when viewed from a law engineering perspective that it's really quite expected that a lot of companies will just give up, because the only plausible explanation for the way it's written is to be able to arbitrarily fine certain types of companies on demand.
1. Absolutely everything is maximally vague and subjective. Whoever wrote it never wanted to have to justify any decision made under its authority. Everything is defined with terms like "legitimate", "disproportionate", "significant", "likelihood", and the perennial favorite "reasonable effort". If you believe you have a legitimate need or made a reasonable effort and a regulator doesn't, or that your users are giving consent and then someone else claims it isn't explicit enough, who can say who's right? There are no standards on which to judge anything so it turns into a pure difference of arbitrary opinion. Merely being conservative is no use at all because you don't even have any idea, based on reading the law, whether what you're doing would be considered conservative or aggressively non-compliant. Nor does anyone else.
2. Compliance is basically impossible for any large institution. The EU Commission was itself non-compliant on the day GDPR came into effect, which was noticed immediately, and their response was that they had written themselves (and nobody else) an exception into the law so that they had more time to comply with it. When the government that writes a law acknowledges an inability to follow it by the deadline they set for everyone else, you know a law has problems.
3. Because the law is written so badly you can find plenty of people interpreting it in ways that would imply Amazon is doing nothing wrong, like this page [1] which purports to be busting GDPR myths and states that "processing is subject to stricter rules only if the profiling "produces legal effects" concerning the data subject or "similarly significantly affects" that individual. This will unlikely be the case for most advertising-related profiling and for the personalization of offerings".
4. GDPR theoretically requires every company in the world to comply, or does it? It's triggered by "offering" services to people in the EU, but what counts as "offering" is left undefined and like everything else, could be interpreted in dozens of different ways. Is having a website sufficient? Nobody knows. Here's PriceWaterhouseCoopers' advice on GDPR compliance for Switzerland [2] which starts by saying "My company is only Swiss-based, does it have to comply with GDPR? Alas, there is no simple answer to this.".
The fact that so many results when searching for GDPR are articles that claim to be debunking myths about it, and that so many such pages directly contradict each other, is indicative of the massive level of confusion this law has justifiably generated. It can be interpreted in any way any government wants to justify almost any level of fine imaginable, and governments are directly incentivized to do exactly that. Cynicism about GDPR and its motives will not go away by simply having lots of EU-loyal HN posters tell Americans that compliance is easy when it so obviously isn't.
You'd think that in the 6 years that GDPR has been in force people would actually read something about the law that isn't ad/tracking industry propaganda.
You could read the law itself, lazily, in an afternoon. It's neither big nor difficult.
The trouble with the GDPR is that there is so much ambiguity in even quite basic areas of the regulations and the official guidance so far that any formal opinion you get from lawyers, consultants, regulators and the like is riddled with vague terms like "reasonable", "legitimate", "proportionate" and "balanced". It's advice that doesn't actually answer any of the important questions like "Am I compliant?" or "What specific actions can I take to become compliant?".
The GDPR is about 68 to 90 pages depending on which language you're reading it in. It is trying to be futureproof by leaving measures defined in terms of 'current state of technology', 'reasonable security considering the risk' and other such ambiguous terms.
I run a small business and I like this. Just about anybody can read it and understand what rights and requirements are being set out in it.
The GDPR specifically refers to the concept of "micro, small and medium-sized enterprises" [GDPR 40p1 and 42p1 use this text; they direct member states about the spirit of the law, referring that the needs of such businesses need to be taken into account].
GDPR 58p2 sets out that regulatory bodies in a member state have the power to issue warnings. As in, if you mess up, unless the mess-up is malicious or excessively negligent, you get a written warning and reasonable time to fix the problem. My government (The Netherlands) has taken the effort, as have a significant number of third parties, of creating a legal document of 3 to 10 pages covering some details, and they generally set out more explicitly that you grant yourself a week or so to fix problems without penalty. Whilst the GDPR is intentionally ambiguous in order to try to be somewhat futureproof and remain short enough to read back to back in an afternoon, it's fairly clear this is perfectly fine.
The most strenuous sections of the GDPR involve requests from those whose data you store. If they ask you to supply what data you have of them, and whom you've shared it with, you have to comply. Within reasonable timeframes, and you cannot lie about it. If they ask that you delete this data, you must be capable of doing so, and you must do so within a reasonable timeframe. However, the GDPR is nice enough to grant you exceptions for reasonable measures which nevertheless make it hard to comply. Things like a backup tape are specifically called out. It's okay if data that's been requested to be removed stays on those. You would have to show that this data is pseudonymised (GDPR-ese for encrypted, pretty much).
Any service which has a hard time supporting requests to explain what data you store and where you've stored it, or which cannot delete it from the main service on demand... should indeed just call it a day and shut down. I don't think a service like streetlend would have a hard time supporting such requests, however.
What makes you say that there's no agreement as to what it means? It feels like I see this sort of view expressed quite frequently.
One fundamental problem is that the GDPR, if interpreted literally and fully enforced to the letter, is absurdly onerous for any small organisation and allows for fines that pose an existential threat without any requirement for proportionality.
Defenders of the GDPR, including some of the official regulators, often argue that concerns are exaggerated and regulators are likely to take a more pragmatic approach, trying to educate those breaching the rules rather than coming in with crippling fines. Maybe that will turn out to be true, but in past instances of overly powerful or broad EU rules, there certainly have been cases of heavy-handedness by regulators and courts, so it is illogical to rely on another result this time.
In any case, pragmatic enforcement would not make the law itself any better. Those responsible for working with personal data still have to err on the side of going too far in their efforts to comply, and thus finding themselves at a disadvantage compared to their competition who do not, or not going far enough, and then risking a regulator dropping the sword of Damocles at any time, with no objective standard for "far enough".
I think part of the issue here is that a plain English reading of the GDPR implies such appalling totalitarian overreach that most people find it hard to believe that it can really be what's meant.
I mean, you've just agreed with my reading that the GDPR gives me the power to reach into your personal inbox and censor your records of communications with me. That sort of power for bad actors to carry out historical revisionism on what until now we'd've thought of as someone else's data is unprecedented and - at least to me - a pretty frightening threat to freedom of information and a culture of truth. And meanwhile we've got people running around Hacker News saying "GDPR is all wonderful, it's just common-sense privacy protections, and if your business isn't spying on users without their consent and selling their data you'll be fine".
You're clearly confident that the (to me, somewhat dystopian) interpretations we discussed just above will hold up in court. I'm not, even though they worry me and seem to me to be the most straightforward plain English reading of the bill. That doubt - and associated anger at the failure of the EU to bring greater clarity to these sorts of points before now - seem to me to be reasonable, and not a worthy target for condescension.
> GDPR really isn’t that complicated for most purposes
You're coming at it from a position of knowledge and confidence. The guide produced by the Information Commissioner's Office for organisations has 48 sections/pages [1] and features a toolkit with 7 different self-assessment quizzes [2], plus an extra one to help small businesses [3]. Even the "What is personal data?" section of the site alone contains dozens of pages [4]. And obviously the regulation itself is pretty verbose [5].
Given the legal ramifications, it's a bit dismissive to say it just boils down to three phrases. Whether or not GDPR is reasonable (and I agree that it is), it's perfectly understandable that sole traders and small businesses are concerned about the resources required to understand and implement it - especially when even many large organisations currently flout it (through ignorance or negligence).
I absolutely agree though, this argument is extremely weak, like a developer being asked to step outside their comfort zone locking up and declaring something unknowable levels of complexity so they don't even have to try.
The GDPR is extremely easy to understand. It's not always trivial to comply with, because we all know that enterprises are held together with instant glue, a networking VM in a basement nobody has logged in to for 10 years, at least 3 layers of management between a DPO and feature teams and one all-knowing employee everyone hopes will never leave or take too much vacation because things will slowly crumble in their absence. It's pretty hard to be absolutely compliant in that environment. But if you're a startup, or even solo? You can absolutely design your app to not have these issues in the first place.
It's really not rocket surgery to be compliant with the GDPR if your business model isn't to sell (or profit from) targeted advertisements.
It's not rocket surgery but it's also not trivial. Every time GDPR comes up on HN there are always people saying something very similar to "GDPR compliance is easy if you don't do dodgy stuff" and implying that anyone who thinks it's not a trivial matter must be doing something bad. This is dismissive and often seems to be based on wishful thinking about what these contributors wish the regulatory requirements said instead of what they actually do say.
The GDPR is nearly 100 pages long, in the standard English language printed version, just for the main document without all the supporting material or any additional material published by the individual regulators.
It contains ambiguities that invite broadly applicable questions like what "legitimate interests" actually means in practice.
It contains requirements to document various information and processes and to share that documentation with various parties under various conditions.
It contains provisions that could potentially conflict with other good practices (for example, the use of tamper-proof data structures for auditing or the use of diverse backup strategies for resilience) again with ambiguous if any guidance on how to reconcile competing good intentions. You can argue that this point is a stretch because it's unlikely any regulator would actually go after a data controller or data processor that was obviously doing reasonable things and trying to comply, but we are talking about legal obligations and the penalties that can be imposed are an existential threat to any small business so I think caution is fair here.
Ask a lawyer -- a real one who is an expert dealing with these kinds of regulatory compliance all the time -- how easy it is for any organisation to be sure it is fully compliant in this kind of environment, even if it has no interest in doing anything that anyone is actually likely to object to, and even if the people responsible for running it have nothing but good intentions. I doubt you're going to see the kind of one-sentence "It'll all be fine, just don't do anything dodgy" reaction we often see posted in HN discussions about the GDPR.
I will take your point, but I'd say you also need to account for how the GDPR has been enforced to this point. I regularly submit complaints to supervisory authorities and I've been employed by a few companies that regularly have meetings with their local SAs for guidance regarding potential pitfalls.
Most enforcement is directed towards total disregard of the GDPR. Data that hasn't been properly deleted after requests, requests that go unanswered, and entities like Meta who think their legitimate interest towers over protected categories of information (i.e. allowing microtargeting based on health). Companies also get away with a lot of easy to see violations (i.e. I've complained about Microsoft doing dark patterns to obscure whether agreeing to data collection is a requirement for a service to work).
Usually you'll be fine if you understand the basic framework and intent.
And I'm not sure how you get to 88 pages. It comes out to 68 pages with very generous margins and a line-height of 22pt on A4 for me.[1] (also, all EU law, including translated judgements, is canonical in all member state languages, FYI)
I have read the law, read the guidance, been through the GDPR compliance process for a data-heavy product, have talked to lawyers about the same, and my partner has drafted GDPR policies for several large tech firms. I don’t know everything, but I’m reasonably well-informed.
I’m confident that compliance is:
- Straightforward for any non-tech firm;
- More complex but not that hard for most tech firms that handle data;
- Far more complex for large organisations than small ones;
- Basically only a real problem for fly-by-night tech companies that want to operate by reselling personal data.
I’m not sure what your motivations are in making it seem disproportionately burdensome to comply with, but I don’t think they’re good.
The fact that the regulation is so vague around it in the first place is the whole problem. There are dozens of conflicting statements (from law firms, no less) about what exactly exposes you to GDPR.
Exactly. People try to explain to me how it is impossible to comply and usually it turns out that it would be easy. I think the problem most of the time is that people misunderstand the requirements or don't read the GDPR (not even TLDR versions).
The GDPR is most of my job right now, and I have a relevant background. To say that the cost of reading the document is two days clearly shows that you have very little idea of what the law means. I've been arguing with other privacy professionals about the details of this law and how to implement it likely for longer than you've known about it, and on a number of those questions there is still no consensus.
This is an incredibly expensive regulation to comply with for most small and medium companies, not because they're doing villainous things with the data, but because learning this law and then documenting your compliance with this law is ridiculously expensive for many types of businesses.