Ask HN: Non-Eu Developers how do you plan to handle users from GDPR countries?

14 points by rotrux ↗ HN
"The EU's General Data Protection Regulation is going to be implemented in May next year."*

Multinationals operating in GDPR-compliant countries will face MASSIVE fines if a request to delete PII isn't fulfilled within some time-frame. In addition, proof needs to be provided.

Given that data-sprawl is an insufficient term to describe the organizational-complexity of consumer-data within large firms, what's the plan???

* - Inspired-by/stolen-from: https://news.ycombinator.com/item?id=15932232

15 comments

[ 2.0 ms ] story [ 22.0 ms ] thread
By doing nothing. Either it will be found to be totally unworkable or they will fine me and I will wait for the EU to come and collect their fine with their army. EUFU.
My plan is to ban EU residents in my TOS and not bother enforcing it.
Not that it is likely to matter, but legally this is not much of a defence - you are not the first person who hasn't tried to get around a law by doing something similar. The courts don't look kindly on these sort of actions.
He can just block EU residents from registering to his service, obviously explaining why.
Yes this would be a defence, it is the non-enforcement that is not.
Why not just fulfill the request?
Principle. The idea that a country that you have no relationship with can apply their laws to you as they wish and you have to comply is insane. What if North Korea passes a law that says 99.9% of your income has to be given to the DPRK? Are you going to comply with this? EUFU.
What principle. So you will not comply with a user who wants to remove his personal data from your service by his request just because of principle?

In theory any person should be able to ask a service to remove all his personal data if he wishes. EU just makes this a law which, IMO is very good.

It's funny how people praise privacy and at the same time don't want to do anything about it for their userbase.

The principle that a country can apply its laws over me despite me neither being a citizen, resident, or in anyway connected with that country.

If a user asked me to remove their data I would, but I don't want to do this because some entity on the other side of the world decides to apply their laws to me. Allowing this sort of activity is only going to end in tears.

Whatever principles you have, laws apply in every country you operate. You're free to operate or not in a certain country, but if you do, you need to abide the laws protecting your users.
I don't operate in the EU, but that does not stop the EU passing laws that they claim apply to me. I can't believe that anyone thinks this is a good idea.
Companies under 250 employees can avoid most of the impact of the law. I think it's kind-of well designed, because it affects the companies who can afford the compliance work.
If data sprawl is your issue, fix your company processes and the problem will be solved.

GDPR mainly resolves flaws in how companies relying on IT use their customers data. Blocking EU customers is just delaying the inevitable since GDPR equivalents will be established in US or whatever too.

Same way I deal with their silly cookie laws: don't sabotage my site's user experience for somebody else's poorly thought out laws.

I still get the occasional angry user complaining that my website deleted something of his after he clicked the delete button and the confirm button. So I make his day by flipping .IsActive back to 1.

If you really don't want something to be on the internet, don't upload it to the internet.

If you need a way to identify EU users then you can do so via our IP Geolocation API (ipdata.co) that returns an `is_eu` flag. Then do whatever you like.