I'm just glad it is based on revenue instead of profits. I think corporate taxes should be the same way.
I imagine the four percent had to be large enough to motivate compliance without scaring people away and further fueling anti-EU sentiment? I'm just speculating.
What anti-EU sentiment? The only anti-EU sentiment inside the EU comes from populist politicians and the people who vote for them, who have no idea how the EU works. And what non-EU entities think is, frankly, irrelevant.
It's kind of hard to dismiss as easily as you did when it passed a popular vote and is being implemented as law.
Saying "besides Brexit, what anti-EU sentiment are you talking about" is like saying "besides oxygen, what gasses do you inhale in order to survive". Sure other gasses may exist... but you're kinda missing a big one.
That must be why almost any time an EU related thing was put up for a popular vote it was rejected by the people. I can think of Maastricht, the EU „Constitution“, which was rejected and then rebranded and simply put up for vote 2 years later, the Bailouts and Austerity („elections can‘t change economic policy“, according to Dr. Schäuble), most recently Brexit. Allegedly it is always populists that ruin everything, but at least in the case of the EU constitution and the Bailouts there was legitimate criticism that was largely surpressed and ignored.
That posits that you can have a legitimate vote on something as complex as an EU treaty. Voting on a one off decision in any sensible way requires that people understand what they are voting about really well which is essentially impossible.
Voting for a government doesn't require that level of in depth knowledge because you are voting on wether you feel the direction of the country is right and you can then change that decision in a few years time.
I think it was a balancing act. Currently in the UK, the Information Commissioner's Office can fine up to a maximum of £500,000. The concern was that for larger organisations, the cost of compliance with the Data Protection Act (1998) was higher than any potential fine handed out by the ICO. So by placing the limit at 20m Euro, or 4% of annual revenue, they give the legislation adequate 'bite' to persuade boards that investing in systems and people to ensure data privacy is upheld is worth it. However, the EU doesn't want to drive business away entirely, so the figure was selected to ensure that it was punitive, but not to the point where organisations would seriously consider shutting down in Europe, or restricting services to European consumers.
Do consider that they can also shut down whatever operations they consider to be in violation.
For example, if you're in e-commerce like my previous employer, then having your website/app channels shut down while you implement some bizarre scheme can cost you even more than 4% of your annual revenue. For a big, established company with byzantine operations and large code bases, being caught entirely unprepared can mean a mountain of effort - months - to become compliant.
(And I haven't checked but I imagine it's past year's revenue that is used for the calculation so the double whammy doesn't even get reduced by being shut down.)
In what way? Genuinely curious - what sort of technical work needs to be done that requires actually knowing the regulation? I'm asking because I got my law degree with the idea that I would combine tech skills with knowledge of the law, but I never really found an angle to make that work.
Sounds like with your two skillsets, compliance and/or internal audit would be a good job for you. These jobs often rely on reading legal-ish documents such as HIPAA, PCI, and GDPR and interpreting them for your company's unique situation, then either overseeing the implementation of IT policies or actually implementing the IT policies yourself to control the IT systems appropriately.
With internal audit you're generally overseeing the compliance folks (from a distance), as a compliance person you're more often implementing the technology yourself. Another role to look into is risk management. All of them are a small step back from "hard" IT like sysadmin or programming and getting more into the people and process side of the IT house.
Spot on! I moved from infrastructure engineer to risk management (governance, risk, compliance). You need the technical experience to translate compliance and governance requirements into technical requirements.
Highly recommend the move for anyone who doesn’t want to be on call or carry a pager anymore.
In the UK a consultant with a moderate amount of experience and a GDPR Practitioner qualification can make between £500 and £800 a day in the City. That kind of work is largely going to be working as part of a team to survey the policy and process landscape of the organisation and suggest/make changes in accordance with the changes in the law.
But with regards to your point about having a law degree - I'm not sure where you're based but a qualified solicitor with a specialism in cyber law and data protection here in the UK will be set for a while. The GDPR enforcement date is a cash cow for consultants, but for lawyers this is just the beginning.
Edit: After seeing what freehunter posted at the same time as me - If you don't want to go through the hassle of becoming a qualified solicitor, then compliance is definitely a way to go. GDPR sets out a requirement for organisations to employ 'Data Protection Officers' so if compliance/risk management is of interest to you then the compliance ladder is pretty solid.
Reviewing systems and business processes to ensure compliance, specifying internal workflows to meet requirements, and all sorts!
It's not just GDPR, but lots of other EU regulations this year that are having large impacts on tech systems (e.g. in the financial world), and being across those is valuable.
Perhaps you won't get your hands dirty on actual code, but technical implementation of regulation is a lucrative field (or, at least, this phase of "oh shit we need to do something" is).
Maybe a false-positive of the spam detector. If you go to the comment's own page ( https://news.ycombinator.com/item?id=16257086 ) you can vouch for it. (There might be a karma threshold for that, I'm not sure.)
Banks, especially, are inundated with regulations (high-level, abstract) that necessitate technical (low-level, concrete) implementations or adaptations. Often, there are great legal minds at work on the one side, and great technical minds on the other side, with a large gap and significant barriers communication in between.
Being proficient in both of these matters can enable one to bridge that gap.
All data now collected directly or indirectly that can identify an individual or is linked to an identified individual now needs careful consideration - do you have explicit consent to collect and use that data for that specific purpose? How is that data stored? Who has access to that data? Can the individual view it, correct it, delete it?
For example your data scientist can't now look at the raw data and decide to feed it into some new machine learning process to identify fraudulent transactions if when the data was collected explicit consent wasn't obtained to do that.
Technical people now need to understand what data is 'protected' by GDPR and what consents have been given for the processing of that data. And that for example linking an IP address to a piece of data can suddenly transform it into personal data now protected by GDPR.
So does this mean certain countries (non EU) are shut out of EU completely? Thinking of some Asian titans that share everything with their governments.
If they do know business in the EU then this rule is effectively toothless. But most companies that do more than the bare minimum of business in the EU will have a local office and if that is the case then they will follow it.
I'm wondering how big an opportunity it is for privacy-preserving companies in Europe to take over. I'm thinking of Snips (https://snips.ai) for instance, and its "Private by design" voice assistant solution.
My guess is that it gives them a good attack angle, but big players like Google an Amazon will comply eventually.
Not one. At least not privacy-preserving. It may be an opportunity for European companies to take over in some narrow segments but that would be due to ordinary protectionism.
The GDPR is not really a law in the conventional sense. It's better understood as a political maneuver. I've been researching it lately as it may affect the company I work for (which has a presence in the EU, well UK, but EU for now).
First problem - the GDPR is so vague that it's impossible to know what it really says, what it bans and what it allows. With just months to go before enforcement begins there are still 50/50 splits amongst legal professionals about basic things like how it affects backup strategies. For instance if someone invokes their "right to be forgotten", do you have to restore and rewrite all backup tapes? Or can you filter out their data at restore time? If not then what if you start getting a constant stream of forget-me requests - do your backups have to be now constantly rewritten and if so, are they still really backups? What about if someone emails you from Europe. You now hold their "personal data", so what if they ask you to delete it? Do you have to erase not just their email but any email that quotes or forwards that email? If so, how exactly can you do that given that no email software supports such a feature? What if you're hosting email and someone emails one of your users, then demands to be forgotten - do you erase their email right out of your users inbox? These are just a few obvious questions of hundreds.
Second problem - the new regulator being set up does not issue binding decisions except in case of cross-border disputes. If you want clarification you're meant to ask local data protection agencies, or the new regulator, but the answers you get back might be wrong, or too vague to be useful, and there's nothing you can do.
Third problem - the potential fines are so vast they could instantly bankrupt most companies. So not only is there a law you can't ever be sure you're in compliance with, because it's so badly written, but if the EU decides you are in violation, that can be the end of your firm.
The cynic in me looks at this terrible low quality law and frankly doesn't see a law at all. He sees a political project - namely a clever way to sidestep the EU treaty's ban on the EU levying a corporation tax. With increasing euroscepticism across the continent the chance of the EU being given direct tax raising powers is now very low, but the EU is stuffed with true believers who want to turn it into a new country ("Europe") that replaces the existing countries. To become the new de-facto government of Europe the EU must be able to fund itself and not rely on member states or their pesky votes .... being able to fund itself by "fining" i.e. taxing foreign tech firms for endless violations of a law they cannot ever hope to understand is an ideal way to do this.
At first glance this seems like a solely pro privacy development but it's really a further effort to go after US tech companies with some nasty side effects:
>Among their provisions, the rules enshrine the so-called right to be forgotten into European law
Codifying a terrible ruling into law.
>The rules also require anyone under 16 to obtain parental consent before using popular digital services
It's like COPA but at least an order of magnitude worse.
>... the company unveiled a program that uses artificial intelligence to monitor Facebook users for signs of self-harm. But it did not open the program to users in Europe... The social network has also kept out of Europe facial recognition software that tracks when photos of users are posted across the platform.*
It hinders innovation, and these examples are probably the least of it.
It is very much apparent that these rules were meant for US companies but they will very likely hinder the growth and even the formation of smaller companies that in turn will have to dedicate non trivial resources to insure compliance. Inadvertently or not the EU have introduced a huge barrier to entry.
> The rules are not different for US companies so how can it be an attack on them?
That seems like a disingenuous question, the companies that are mainly impacted by these laws are US companies. It might theoretically apply to all companies but in reality they had a handful of US companies in mind when they wrote theses regulations.
As for the impeded innovation question, yes I feel that something is lost when a "cool" and useful feature is prevented from materializing.
The GDPR is in favor of "opt in". It doesn't eliminate the option either, it just makes sure that people are allowed to make informed decisions about their data.
>the companies that are mainly impacted by these laws are US companies.
Any company who handles personal data is impacted. Facebook and Google are not the only ones which do. European online shops and banks also have to comply.
Just because Facebook and Google generate the most press on this issue doesn't mean it is an attack on them in particular. Privacy and data concerns are real societal issues. Tackling them is absolutely necessary and the EU is doing a good job by ruling that we own our data.
Hindering the kind of innovation that violates the citizen's privacy is pretty much the point of the law. A company having a database of my mental health status is incredibly creepy to me. As is the facial recognition thing.
There is a lot of good that can come out of a database on the mental health of a large population. I think you should be able to opt out of such collection but I'm not in favor of banning such collection altogether.
Realistically, the benefits are better ad targeting and improved addictiveness of the platform. Iotw, no benefit for me.
Sure in the best case you can do a lot of good with such data. But that would probably need the data to be open to researchers, not in some corporate silo somewhere.
And in the worst case, pervasive surveillance data can do a lot of harm. Just ask yourself what an organization like the Stasi could have done with that kind of data.
I don't think this is a very well through out opinion of GDPR. GDPR applies equally to all companies that trade in Europe, not just US companies. So it's difficult to describe it as an attack on US companies.
Additionally GDPR simply enshrines some pretty basic social norms around informed consent and transparency. It doesn't prevent anyone doing anything that's privacy invasive, it just requires that:
1) You tell people what you are doing with their data (in plain English)
2) You get their informed consent and give them the option to opt-out (additionally you can't bundle multiple "purposes" together).
Both of those things seem pretty fair to me, and it certainly a standard that we apply to other aspects of life (with sex being the most obvious example).
So Facebook could train their self-harm detecting AI in the EU, and it can deploy it there. It just needs to ask and get consent from people first, and honour their personal choices.
Equally they could train and deploy their face recognition technology in the EU as well. But again they need to get informed consent, and they can't coerce people by only offering their self-harm technology if they also opt into their face recognition technology (they can't bundle multiple "purposes").
Altogether I think that this is pretty simple and fair, and really technology companies are only suffering because in the past they have collected personal data indiscriminately on the basis that it might be useful some day. And for companies that rely on tricking people into handing over personal data, I don't think the world will suffer without them.
As I've commented below it's disingenuous to say that GDPR applies equally to all companies when it was conceived with US tech companies in mind and is designed to alter their business models.
1) Some of the ideas in there are welcome.
2) When you put roadblocks in front of every data point it's difficult to develop a half decent pattern matching system. A consent prompt upon joining ought to suffice.
> technology companies are only suffering because in the past they have collected personal data indiscriminately on the basis that it might be useful some day
Perhaps, but the "might be useful someday" part is a route for many an innovation that I want to preserve.
I think this law will force people building AI's and ML systems to innovate more and be more thoughtful of how they use peoples data.
Companies like DeepMind are already showing that collecting every data point under the sun is unnecessary, and that ML systems can be built with privacy in mind. Anyone that can't be bothered to put the effort in can, quite frankly, die at the hands of the market.
I don't think that's disingenuous at all. Incidentally, most of the big tech companies are in the US. But there's some in Europe that are hit equally hard by this regulation. Examples: Booking.com (Dutch, but American owned, pays taxes primarily in the Netherlands): between 60 and 90 billion USD worth; Spotify (Swedish) purportedly worth 30ish billion USD.
In other words: I really doubt that this is a targeted attack on the US/US companies.
Finally, I think a lot of GDPR is at least as hard to implement for non tech companies as it is in tech/information type companies. The latter at least have lots of in house expertise in both tech and usually tech related law. It's just really expensive for them. More traditional companies that run some crazy IT system built by an outsourcer 20 years ago might have a bigger problem.
Disclaimer and source: implemented several GDPR components when working at Booking.com.
On the one hand this may help certain companies that focus on limited use of customer data thrive in Europe. On the other hand it’s one more tick against Europe for global companies deciding where to invest so expect to see some big downside for the region too as companies and investors focus elsewhere.
> On the one hand this may help certain companies that focus on limited use of customer data thrive in Europe. On the other hand it’s one more tick against Europe for global companies deciding where to invest so expect to see some big downside for the region too as companies and investors focus elsewhere.
What global tech company can really afford not to be in Europe? Google? Facebook? Twitter?
Don't forget the EU represents the worlds largest economic area [1], with a population of over 740 million (compared to the US's 320 million). Although it's small compared to China's ~1.4 billion.
And the of course the big advantage that the EU has over other clusters of countries is the (mostly) unified legal and regulatory system. Which makes it easy to target every country in the EU at the same time.
I think the EU has had a lot of soft-power for a very long time, and we are finally starting to see it flexing that power to protect it's citizens.
Sounds like an advertising problem. "Our company chose to be based in the EU because we comply with all their customer privacy protection laws. Not sure why our competitors chose a country without such laws...."
As a resident of Europe (now looking rather shaky unfortunately) I'm happy about regulations that force companies to be more responsible with my data.
As a programmer who has to make sure my code and business conform to these regulations it will mean more effort.
Taken together I'd rather have the data protections for me and my family, so on balance I'm happy with the data protection laws in Europe, and the strengthening of them these rules bring in.
54 comments
[ 3.4 ms ] story [ 96.0 ms ] threadI am curious on how did they arrive at the 4% cap?
I imagine the four percent had to be large enough to motivate compliance without scaring people away and further fueling anti-EU sentiment? I'm just speculating.
Allow me to introduce you to https://en.wikipedia.org/wiki/Brexit
Already noted.
Saying "besides Brexit, what anti-EU sentiment are you talking about" is like saying "besides oxygen, what gasses do you inhale in order to survive". Sure other gasses may exist... but you're kinda missing a big one.
Voting for a government doesn't require that level of in depth knowledge because you are voting on wether you feel the direction of the country is right and you can then change that decision in a few years time.
This would be a value-added tax levied at every step in the supply chain. It's a bad idea because it favors large, vertically integrated companies.
For example, if you're in e-commerce like my previous employer, then having your website/app channels shut down while you implement some bizarre scheme can cost you even more than 4% of your annual revenue. For a big, established company with byzantine operations and large code bases, being caught entirely unprepared can mean a mountain of effort - months - to become compliant.
(And I haven't checked but I imagine it's past year's revenue that is used for the calculation so the double whammy doesn't even get reduced by being shut down.)
With internal audit you're generally overseeing the compliance folks (from a distance), as a compliance person you're more often implementing the technology yourself. Another role to look into is risk management. All of them are a small step back from "hard" IT like sysadmin or programming and getting more into the people and process side of the IT house.
Highly recommend the move for anyone who doesn’t want to be on call or carry a pager anymore.
But with regards to your point about having a law degree - I'm not sure where you're based but a qualified solicitor with a specialism in cyber law and data protection here in the UK will be set for a while. The GDPR enforcement date is a cash cow for consultants, but for lawyers this is just the beginning.
Edit: After seeing what freehunter posted at the same time as me - If you don't want to go through the hassle of becoming a qualified solicitor, then compliance is definitely a way to go. GDPR sets out a requirement for organisations to employ 'Data Protection Officers' so if compliance/risk management is of interest to you then the compliance ladder is pretty solid.
It's not just GDPR, but lots of other EU regulations this year that are having large impacts on tech systems (e.g. in the financial world), and being across those is valuable.
Perhaps you won't get your hands dirty on actual code, but technical implementation of regulation is a lucrative field (or, at least, this phase of "oh shit we need to do something" is).
Banks, especially, are inundated with regulations (high-level, abstract) that necessitate technical (low-level, concrete) implementations or adaptations. Often, there are great legal minds at work on the one side, and great technical minds on the other side, with a large gap and significant barriers communication in between.
Being proficient in both of these matters can enable one to bridge that gap.
European banks are scrambling to patch software to purge older records. Backup strategies have to be changed to accommodate this as well.
For example your data scientist can't now look at the raw data and decide to feed it into some new machine learning process to identify fraudulent transactions if when the data was collected explicit consent wasn't obtained to do that.
Technical people now need to understand what data is 'protected' by GDPR and what consents have been given for the processing of that data. And that for example linking an IP address to a piece of data can suddenly transform it into personal data now protected by GDPR.
Now I wonder what might happen if a company says it's not sharing then their data is found somewhere (yes, I'm thinking about the Asian companies)
I think the biggest thing about the GDPR might be encouraging companies to not hoard data and not ask for lots of personal data "just because"
The GDPR is not really a law in the conventional sense. It's better understood as a political maneuver. I've been researching it lately as it may affect the company I work for (which has a presence in the EU, well UK, but EU for now).
First problem - the GDPR is so vague that it's impossible to know what it really says, what it bans and what it allows. With just months to go before enforcement begins there are still 50/50 splits amongst legal professionals about basic things like how it affects backup strategies. For instance if someone invokes their "right to be forgotten", do you have to restore and rewrite all backup tapes? Or can you filter out their data at restore time? If not then what if you start getting a constant stream of forget-me requests - do your backups have to be now constantly rewritten and if so, are they still really backups? What about if someone emails you from Europe. You now hold their "personal data", so what if they ask you to delete it? Do you have to erase not just their email but any email that quotes or forwards that email? If so, how exactly can you do that given that no email software supports such a feature? What if you're hosting email and someone emails one of your users, then demands to be forgotten - do you erase their email right out of your users inbox? These are just a few obvious questions of hundreds.
Second problem - the new regulator being set up does not issue binding decisions except in case of cross-border disputes. If you want clarification you're meant to ask local data protection agencies, or the new regulator, but the answers you get back might be wrong, or too vague to be useful, and there's nothing you can do.
Third problem - the potential fines are so vast they could instantly bankrupt most companies. So not only is there a law you can't ever be sure you're in compliance with, because it's so badly written, but if the EU decides you are in violation, that can be the end of your firm.
The cynic in me looks at this terrible low quality law and frankly doesn't see a law at all. He sees a political project - namely a clever way to sidestep the EU treaty's ban on the EU levying a corporation tax. With increasing euroscepticism across the continent the chance of the EU being given direct tax raising powers is now very low, but the EU is stuffed with true believers who want to turn it into a new country ("Europe") that replaces the existing countries. To become the new de-facto government of Europe the EU must be able to fund itself and not rely on member states or their pesky votes .... being able to fund itself by "fining" i.e. taxing foreign tech firms for endless violations of a law they cannot ever hope to understand is an ideal way to do this.
>Among their provisions, the rules enshrine the so-called right to be forgotten into European law
Codifying a terrible ruling into law.
>The rules also require anyone under 16 to obtain parental consent before using popular digital services
It's like COPA but at least an order of magnitude worse.
>... the company unveiled a program that uses artificial intelligence to monitor Facebook users for signs of self-harm. But it did not open the program to users in Europe... The social network has also kept out of Europe facial recognition software that tracks when photos of users are posted across the platform.*
It hinders innovation, and these examples are probably the least of it.
It is very much apparent that these rules were meant for US companies but they will very likely hinder the growth and even the formation of smaller companies that in turn will have to dedicate non trivial resources to insure compliance. Inadvertently or not the EU have introduced a huge barrier to entry.
That makes no sense. The rules are not different for US companies so how can it be an attack on them?
>The social network has also kept out of Europe facial recognition software that tracks when photos of users are posted across the platform.
Are you sad about this? If so, why?
That seems like a disingenuous question, the companies that are mainly impacted by these laws are US companies. It might theoretically apply to all companies but in reality they had a handful of US companies in mind when they wrote theses regulations.
As for the impeded innovation question, yes I feel that something is lost when a "cool" and useful feature is prevented from materializing.
Any company who handles personal data is impacted. Facebook and Google are not the only ones which do. European online shops and banks also have to comply.
Just because Facebook and Google generate the most press on this issue doesn't mean it is an attack on them in particular. Privacy and data concerns are real societal issues. Tackling them is absolutely necessary and the EU is doing a good job by ruling that we own our data.
Sure in the best case you can do a lot of good with such data. But that would probably need the data to be open to researchers, not in some corporate silo somewhere.
And in the worst case, pervasive surveillance data can do a lot of harm. Just ask yourself what an organization like the Stasi could have done with that kind of data.
Additionally GDPR simply enshrines some pretty basic social norms around informed consent and transparency. It doesn't prevent anyone doing anything that's privacy invasive, it just requires that:
1) You tell people what you are doing with their data (in plain English)
2) You get their informed consent and give them the option to opt-out (additionally you can't bundle multiple "purposes" together).
Both of those things seem pretty fair to me, and it certainly a standard that we apply to other aspects of life (with sex being the most obvious example).
So Facebook could train their self-harm detecting AI in the EU, and it can deploy it there. It just needs to ask and get consent from people first, and honour their personal choices.
Equally they could train and deploy their face recognition technology in the EU as well. But again they need to get informed consent, and they can't coerce people by only offering their self-harm technology if they also opt into their face recognition technology (they can't bundle multiple "purposes").
Altogether I think that this is pretty simple and fair, and really technology companies are only suffering because in the past they have collected personal data indiscriminately on the basis that it might be useful some day. And for companies that rely on tricking people into handing over personal data, I don't think the world will suffer without them.
1) Some of the ideas in there are welcome.
2) When you put roadblocks in front of every data point it's difficult to develop a half decent pattern matching system. A consent prompt upon joining ought to suffice.
> technology companies are only suffering because in the past they have collected personal data indiscriminately on the basis that it might be useful some day
Perhaps, but the "might be useful someday" part is a route for many an innovation that I want to preserve.
Companies like DeepMind are already showing that collecting every data point under the sun is unnecessary, and that ML systems can be built with privacy in mind. Anyone that can't be bothered to put the effort in can, quite frankly, die at the hands of the market.
In other words: I really doubt that this is a targeted attack on the US/US companies.
Finally, I think a lot of GDPR is at least as hard to implement for non tech companies as it is in tech/information type companies. The latter at least have lots of in house expertise in both tech and usually tech related law. It's just really expensive for them. More traditional companies that run some crazy IT system built by an outsourcer 20 years ago might have a bigger problem.
Disclaimer and source: implemented several GDPR components when working at Booking.com.
Care to elaborate?
What global tech company can really afford not to be in Europe? Google? Facebook? Twitter?
And the of course the big advantage that the EU has over other clusters of countries is the (mostly) unified legal and regulatory system. Which makes it easy to target every country in the EU at the same time.
I think the EU has had a lot of soft-power for a very long time, and we are finally starting to see it flexing that power to protect it's citizens.
[1]. http://ec.europa.eu/trade/policy/eu-position-in-world-trade/...
As a programmer who has to make sure my code and business conform to these regulations it will mean more effort.
Taken together I'd rather have the data protections for me and my family, so on balance I'm happy with the data protection laws in Europe, and the strengthening of them these rules bring in.