
> The legal teams...and the sheer amount of horsepower put behind finding an interpretation we believed and were confident in was staggering

You shouldn't be getting down voted. I just went through a GDPR compliance review. We have a service model which is incredibly serious about customer confidentiality. We don't sell ads and, to my recollection, have never even bought them. Still required an army of lawyers. Two top London law firms ended up agreeing to disagree on major points, ultimately concluding the Polish data regulator would probably rule one way and the French the other.

Complying with the spirit of a law doesn't mean complying with the statute of it. With GDPR, it's the latter that's a pain in the ass.



>ultimately concluding the Polish data regulator would probably rule one way and the French the other

Wait, this is being handled on the national level??? I thought you guys had some singular EU court thing for this, not a clusterF of the different countries' justice systems.


> this is being handled on the national level?

Yup, each of the EU's twenty-eight member states has a national data regulator who is responsible for interpreting the law. One can appeal to EU courts. But the local context must be considered.


It's worse. In Germany the DSGVO (German GDPR) will be regulated by the states of Germany, i.e. every state has its own regulation administration, which means that there will be even more room for interpretation.

In the end the GDPR is more about opening new jobs.

Also, sites like http://www.spiegel.de/ or https://www.bild.de/ do not care about the GDPR/DSGVO... so it won't happen that there will be many groundbreaking changes in how the governments will see privacy issues. At the end they just wanted to scare off Silicon Valley.


Is GDPR that much different from the Bundesdatenschutzgesetz? Maybe those sites were compliant already.


GDPR forces opt-in; these sites use opt-out mechanisms and save a lot of PII data that can clearly be connected to a real person.


These companies were in violation of the Bundesdatenschutzgesetz. It mandates information minimization, which many fail to adhere to. The problem is more with enforcement, which was (is) weak. GDPR in fact is seen as more lax (by our privacy protection authorities) than the Bundesdatenschutzgesetz, but it has more teeth.


A business that operates in, say, Germany, reports to the German authority. A business that operates in 10 EU countries can declare which one is the major country for them, and they have to deal only with the authority in that one country.


That's not how my lawyer explained it to me. They said that I was liable for violating privacy laws, or the opinion of the regulator, in any German state, even though I am a US company. And it doesn't matter if I have an EU subsidiary and I declare a major country. Maybe your lawyer has a different opinion, but they tell me I shouldn't go hire the lawyer that says what I want to hear.


And in some countries that agency employs a dozen to two dozen people total. In other words, it's entirely possible to get screwed because somebody doesn't like you.


I thought the whole point of the EU having laws like this was to avoid having a ton of variations by country.


The whole point of the EU is to garner trade advantage by negotiating as a bloc instead of as small countries, when they saw large countries like the US, USSR and China get negotiating power. It is also to not have any tariffs and to have free movement of labor internally. Everything else has been iffy at best. The EU is not a federal nation like the US or India.


There is EU law (such as GDPR) that all member states must transpose into their state legislation. A citizen of a "foreign" member state enjoys the same rights as the "local" citizen.

The point of the EU is/was to achieve an "ever closer union" so that war between European states would never happen again. It's not just an economic bloc.

Btw, immigration is the main issue, which has nothing to do with trading.


The GDPR does remove variation between countries. Before the GDPR, each of the 28 member states would have had their own data protection laws, and while you wouldn't have had to comply with all of them, the only law you generally have to comply with under the GDPR is... the GDPR, plus or minus some minor opt-ins or opt-outs that some member states may choose. It's one piece of legislation that is a hell of a lot more navigable and accessible than 28 different pieces of legislation.

What the poster above is lamenting is that each member state is in charge of their own investigatory authority, and this makes a lot of sense: if you have a data leak that affects only Spanish citizens, you wouldn't want the investigation being carried out by a country like Sweden or even by the EU itself. However, if a data leak affects citizens of multiple member states, each of those member states is invited to and can enter a joint investigation. The issue they believe is that France may have a stricter interpretation of the law than a country like Poland, which may make cooperating with the law more difficult as you don't know how strict to be, and while this certainly is going to be the case, it's not so different from any other facet of life. In the US you may favour a certain state to be prosecuted in, you may prefer to have a different prosecutor or judge, etc.


The European Court of Justice has the final say. As far as I know the local (supreme) courts ask the ECJ for an opinion if they think their local law could be incompatible with EU law. EU laws such as GDPR must be transposed by the member states, but they may have slight variations (i.e. the amount of fines).


The EU court sets binding precedents across the Union, but the law is still enforced at a national level and discrepancies can arise and take time to be cleared up. There's also the fact that Union law is not perfectly uniform in any case, there are national differences where they go beyond the minimum requirements of Union law.


HN as a community is so defensive about the wisdom and necessity of the spirit of the law (which isn't an unreasonable position) that a lot of commenters reflexively reject any claim that the implementation may leave something to be desired (just see the top comment in this thread). It's entirely unsurprising to me that the EU implemented this sloppily, for the simple reason that legislators all over the world are shitty at understanding tech, and sweeping changes have a high prior likelihood of being poorly implemented.


> Complying with the spirit of a law doesn't mean complying with the statute of it. With GDPR, it's the latter that's a pain in the ass.

I've never understood why people try to comply with the text of a new law that doesn't have case-law under it yet, rather than the spirit.

Surely, the first time anyone gets sued for noncompliance of the text of GDPR, when they are compliant with the spirit under which GDPR was issued, case-law will be created that "bends" the interpretation of the text more toward the spirit?


> I've never understood why people try to comply with the text of a new law that doesn't have case-law under it yet

Continental Europe uses civil law [1]. Case law is less relevant than it is in the U.K. or United States.

More broadly, people try to "comply with the text of a new law" to avoid becoming the precedent. (Even if you prevail, it's distracting and expensive.)

> Surely, the first time anyone gets sued for noncompliance of the text of GDPR, when they are compliant with the spirit under which GDPR was issued, case-law will be created that "bends" the interpretation of the text more toward the spirit?

Surely? Based on what? For anyone with material revenue, that basis will be legal advice.

[1] https://en.wikipedia.org/wiki/Civil_law_(legal_system)


To avoid becoming the precedent should prosecutors choose to make an example of them.


Because SMEs can't afford a legal case.


This is the exact opposite experience we've had.

We're all over Europe and the U.S. It was pretty painless. Our business does not rely on the ignorance of users or the abuse of their privacy. What "army of lawyers" did you have and why was the spirit of the law not enough? We had several different business units get through compliance without any problems.

This isn't a hard thing to address at the end of the day (so long as your entire business doesn't depend on it). I just can't help but feel a few ways: A) you didn't understand what the law says, B) what your lawyers were actually worried about, or C) this story is just made up.

What specifically were the discrepancies in the interpretation of the law between various countries that caused two "top" tier law firms to be unable to come to a clean consensus?


Why was this downvoted? As far as I can see the claims of excessive burden have been equally vague; I don't see how this comment will lead into trolling.


I'm pro GDPR, but I get tired of the immense amounts of shade some pro GDPR people throw the way of some who complain about it.

These arguments tend to be very circular. It goes something like this: GDPR is reasonable and easy to understand; if you're having trouble with it you are probably user hostile/don't understand it; you're having trouble with it which means you are user hostile/don't understand it; therefore your complaints are not legitimate; therefore GDPR is reasonable and easy to understand.


Let me just respond to this in short: No. They're not circular.

The same vague claims keep getting repeated, with absolutely nothing to back them up. Not even a "here's the problem with the law in our case" super fuzzy high level overview. It's always about the effort of adhering to the law without any discussion about why these companies are facing difficulties in the first place. Not the actual difficulty with implementing the law, just the vague effort they've put up with.

Hundreds of thousands of businesses have not had issue with the law. Suddenly some guy on HN with two "top tier" law firms at his back faces this unimaginably heavy burden and extreme obstacles when trying to adhere to the law. Sounds like a nightmare, in the sense that it never happened.

OP's post and the many others like it are just typical American business favoritism against any kind of regulation masquerading as a personal True Story (TM). I still remember when cookie warnings were "hard" to do and businesses actively implemented them in obviously shit ways, in bad faith with the regulations. It's so obviously contrived for a particular audience it's kind of absurd it immediately doesn't get flagged.


Are you basically asking "Why does no one want to share specific details of their company's difficulty complying with a giant new regulatory framework?"?


Surely the issue is harmless, and has nothing to do with the stuff GDPR is legislating against, right? Why not just share a general, fuzzy overview?

I am pretty sure that's what they're asking for. I didn't see a request for specific details. Just some high level details, rather than "we've had to spend so much money/time => clearly bad".


We’re told not to talk about any details (even high level) of this sort by legal because anything we put on the internet could be used against the company in court even if it seems harmless to us. If you want to find out about the difficulties just find an engineer working at a major company and ask them about it in person.


What part of "super fuzzy high level overview" was confusing?


Oh, sorry. My bad.

Heavens knows no one has ever been legally compelled to elaborate on a "super fuzzy high level overview" they previously volunteered.


You are being silly. You completely misread what I said and now you're attempting to reference insanely improbable scenarios.

Just point out the exact part of the law you guys are having a problem with. If you can't do that, it's because you're just making shit up.


I imagine

> C) this story is just made up.

Was interpreted as being too hostile and uncivil.


There isn't anything in GDPR to cause the problems he is describing. It's realistically the most probable scenario.

If I'm not allowed to call out dishonesty then there's basically no point in discussing any subject.


I agree, but it has to be done with delicacy to get past the hive mind here.


Maybe because some subset of the audience on HN seems to have a habit of downvoting facts they don't like, or data points that counter their narratives.

I can't count the number of times I've posted factual, verifiable information — with sources — and been downvoted (or, often enough, downvoted, then voted back up, then down again, and so on) for my troubles, or the number of times I've seen such comments from others treated the same.

The most plausible explanation I can come up with is, "Your facts dispute my narrative, and we can't have that!"

EDIT: I'm not saying that's what's happening here, and I'm certainly not saying there's brigading or shilling going on (indeed, I think it's purely individual action), but this is a clear pattern, which I've reliably observed happening for years.

It doesn't even have to be on a controversial topic; I once linked to an explanation of a nuance of copyright law, of which the other participants in the thread were demonstrably ignorant. The extent of the response? Downvotes.


Oh lord, speaking of copyright law, trying to rationally discuss copyright law during the Oracle vs Google case on this site was basically an exercise in how much mental pain you were willing to take. Comments that only contained direct quotes from the case to negate what the OP was stating were downvoted. The Google fanaticism was insane.

I'm going to guess what's happening here is a good amount of developers work for companies where GDPR would impact their revenue directly or indirectly (and most likely jobs as a whole). This is especially true for smaller "middle man" analytic firms and general web agencies. It pays to be anti-GDPR.


What were the major points?


> Still required an army of lawyers. ... major points

What? Why? How?

Given that:

- You don't sell your customer data.

- That customer data is secure.

- Someone somewhere in your org can handle access requests and delete customer data on request.

What here requires an army of lawyers?

Maybe your corporate culture demands that army regardless, but that's hardly the GDPR's fault.


Never underestimate the kind of mess lawyers can think up. I know of a big organisation providing all kinds of services. I was involved from the sidelines in GDPRing a small part of a very unimportant and almost forgotten service of them.

My personal guess was they wouldn't need consent, as it was a clear-cut case where all requested data was clearly needed to provide the service. And asking for consent to use the data a customer just typed in the site for requesting the service seems a sure-fire way to annoy them without any upside.

Then the GDPR lawyers came.

It turns out, if you interpret the company charter in a very nasty but still legal way, there might be a very rare edge case where a service was provided to someone who was not strictly 100% a customer. Yeah, I'm a bit vague here, sorry about that.

To be clear: no real-life example was found now or in the 10+ year history records of the service, both the almost-but-not-quite customer and the company would have to do insane things, and the service delivered in that case was almost non-existent, but theoretically, on paper, it was possible. I'm pretty sure nobody would care if it happened, either.

So boom goes our legal base. Consent it is, then.


People keep going to consent, but I'm pretty sure in many cases they're wrong to do so.

> Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

and the ICO guidance is

> Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.

Even when consent is given, the user's interests still have to be considered during processing, so it's not like it's a do-whatever-you-like card. Just because a user says they consent to you doing something with their data doesn't necessarily mean you can if that thing is obviously not in their interests.

I wish the fact that consent is only a weak basis under GDPR were made more clear, since if we just end up with an internet that requires consent on every site then the law has just made things worse and made nothing better.


This sort of thing seems to happen a lot. Legal departments are responsible for making sure the company doesn't get sued, and are not really responsible for working towards company success. So Legal's arse gets covered by denying absolutely everything that they don't believe is guaranteed legal, and the company loses business because things become unreasonable. I think legal should instead be more risk management, working for the benefit of the company to manage the legal risk rather than minimize it, and stay within ethical boundaries. It already is risk management, since all legal departments have to work with are their opinions and not facts about how future rulings will go, so it is just a case of accepting it. In the above example, it seems like that didn't happen, with lawyers creating a wall of red tape costing money and annoying customers, instead of realizing the risk was minimal, and if they were at all competent they could easily argue their case even if the low risk event occurred.

And it is even more insane blindly accepting this sort of advice with GDPR, worrying about getting sued for theoretical edge cases when the first round of warnings hasn't even gone out to the worst offenders yet.


It doesn't matter if you need the data to provide the service, you still need to ask for consent for any personal data - and personal data is defined extremely broadly.


Sorry, but this is completely wrong. See Art. 6:

https://gdpr-info.eu/art-6-gdpr/

There are 6 options. Option a is the consent you are talking about. I am talking about option b.

Basically, having multiple legal bases can't hurt, so our lawyers said: get both option a and b.


To understand that, I think you'd need to be a lawyer who worked in European law. The point is that each country has their own regulators who often enforce the laws differently. So what might be "perfectly clear" to you could be interpreted completely differently where a different body of law and precedent has been set.


GDPR is not a prohibition on selling personal data. It’s a prohibition on having and using personal data, unless the specific data and usage can be justified under one of the lawful bases. An army of lawyers is required to assess whether each code path and business process is truly covered under one of those bases, given how specific regulators are likely to interpret the subjective judgement calls embedded in the definitions of those bases (necessary, legitimate, reasonable, balanced, etc).


Need better lawyers.


>What here requires an army of lawyers?

Defining what those simple statements like "customer data is secure" mean in the context of hundreds or thousands of use cases throughout a complex organization.


This is a bit easier if you're a standard b2c SaaS company where you keep all your data in one place and can keep an eye on it.

But if you're not, or you're not sure what the boundaries of "personal" are (is a first name only personal?) it's harder.



