99 comments

[ 3.5 ms ] story [ 154 ms ] thread
Any cost that has a high fixed component and a lower variable component leads to increasing returns to scale for enterprises.

We see with regulation all the time, e.g. Dodd-Frank made it harder for small banks to raise capital.

Smaller firms can add "compliance officer" or "privacy officer" to the list of job duties someone does. But yes bigger firms can more easily afford bigger compliance/legal/auditing/lobbying departments.
That's the thing, though -- it doesn't scale like that. If a 100-person company has a DPO, you can't have someone who spends 20% of their time as a DPO in a 20-person company, because just keeping up with what you need to know takes a large amount of time.
Neither one needs a DPO. A DPO is a requirement for companies with 250 more more employees.
I was using it as a stand-in for privacy officer (and the argument is true in either case), since the WP guidance has indicated that in many cases in smaller companies, they're treating a role that looks like a DPO as a DPO. There's also significant vagueness around what it means to be a large-scale processor (which also triggers the DPO requirement), and recent guidance suggests that a lot of companies that thought they didn't need a "DPO" really do need a DPO.
Most successful compliance regimes balance the need for regulation against incumbency bias by making the regulation more stringent for larger firms. Restaurants, for example. If GDPR had envisioned a €1 million global revenue floor for everything but the civil liability components, it would have been successful.
The GDPR seems to be been designed to do the opposite of this by imposing a maximum cap on fees that could total many multiples of revenue for a small business but which will never be greater than a 1/25 the revenue of a large business.
Revenue is not profit or the money available to a business.

1/25th of revenue sounds small but if you have a profit margin of 30% that's already 13% of your profit just gone. At 10% margin it's 40% of your profit.

I think large business still very much cares when 40% of annual profit just goes poof.

Yes, but if you’re a small business, it could be 40,000% of your profit. Goodbye business, goodbye employees.

Meanwhile the large company grudgingly pays their fine and rolls on.

EU regulators don't do that, mostly because in the EU there is a right to a proportional punishment, meaning you must be able to pay it, atleast if you're a corporation.

The EU has no interest in bankrupting anyone, there are guidelines setup by the EU for the regulators for this.

I’d really like to see a source that regulators are not allowed by law to levy a fine that would force a corporation into bankruptcy. I’m quite skeptical you can provide one :)
GDPR Art 83, §1

Effective, proportionate and dissuasive fines are widely understood under common EU law that the fine may not bankcrupt a corporation, if it does for whatever reason because it's too high, you can seek legal remedies against the authority as per GDPR Art. 78

And that is only the GDPR, there are similar provisions in all EU member countries.

The exception will be, of course, if you caused economic damage to users or others, in which case you'll have a case at the regulator and a court case will be opened too, both of which are independent and the court case can certainly bankcrupt you if the damages far exceed what your company has in assets (in which case your company will be forcefully dissolved and that's that)

Yeah, so as I suspected, it’s “widely understood”, which means discretionary and up to the whims of regulators in 28 different countries. But don’t worry! When they bankrupt you, you can just challenge in court! Of course, that’s hardly novel for any country with the rule of law, nor is it cheap or likely to succeed.

This is yet another example of: “the EU regulators are our friends! You can trust them!”

I’ll pass.

You seem to be moving the goal posts a bit here, from 'please show any evidence of X' to 'prove X is without potential flaws'.

I mean, is there any sensible way to prevent regulators from bankrupting a company without some level of discretion and case-by-case consideration?

Moving everything into the legal system also has issues, as you point out.

HN never ceases to amaze. The GDPR is not even a week in full force, and already people call it unsuccessful.
Some people are desperate for it to go away, or are just pissing and moaning. Treat it like a UI change on a major site, realize that in a month or two the rage will die down and acceptance will emerge. After a year, assuming it works as intended, broad acceptance.

For now all of the benefits are hypothetical, and some people think they’re feeling the pain, so we’re at the peak of a whining asymptote. This is buoyed by the fact that some people resent regulations on ideological grounds, and others resent anything that in any way restrains their freedom to “hustle” by screwing over people for money.

> it would have been successful

What are you talking about, it's great.

> Any cost that has a high fixed component and a lower variable component leads to increasing returns to scale for enterprises.

It's not just fixed costs. Any increase in overhead will have a higher impact on smaller businesses.

If a variable cost increase is passed onto customers it results in lower sales volume. If it isn't it results in lower margins per unit. In either case it can push a smaller business past the point that it can no longer cover its fixed costs, even if the fixed cost amount hasn't changed.

Did you ever noticed that when it comes to protect a public official, for example a cop killing someone, all the State pieces work in perfect synchrony? I mean, everyone, from lawmakers, judges and the lowest of clerks suddently learn how to make exceptions and interpret the laws in new ways.

Yet, I have to believe that lawmakers aren't able to stop billionaires from screwing up the small guy without making complex regulations that impede progress and innovation, regulations that in the end make the rich and the bureaucrats a lot of money and sink hopes for the honest entrepeneur. I have to believe they're making the laws in good faith because they really have no alternative. Of course. I totally believe it.

Regulations are written by very big companies in that space of the market. The EU isn't immune to this, and our government in the US definitely isn't. I know this seems counter intuitive to people not familiar with barriers to entry in industry, but big companies easily absorb costs in regulatory frameworks that are legally put into place. They normally lobby and ensure that whatever goes into effect is either something they are actively doing, or can do at minimal cost to them, while being a large cost to others.

A great example recently in the United States was in the Consumer Product Safety Improvement Act passed in 2008. It was in response to large toy makers using lead paint in their toys coming from China. It wasn't small toy makers doing this, it was the Mattels. As a result of what these large companies did with their disregard to product safety, a regulatory safety framework was put into place that Mattel could easily absorb into their operating costs, while small mom and pop makers suddenly had a very expensive process to go through, even if they were not the cause of how this law came into effect.

We can all agree on respecting privacy, toy safety, etc. It's a good thing. But just remember that usually these things are passed to protect large companies, not necessarily for the benefit of the consumer, and definitely not for young competitive companies trying to break into a market space that now has a huge initial cost that may be insurmountable. The result sold to the consumer is normally just a side effect used to promote it.

Is that a great example? If you gave Mattel the choice between absorbing a regulatory framework and just having extra money would they really have chosen the former?

You can pay for safety explicitly with regulation or implicitly with poisoned children. Regulation hits small businesses harder; rather than concluding that regulation sucks, maybe we should try something else like providing some publicly-funded office to provide compliance help to small businesses.

You will never get anywhere close to mitigating the harm that regulation does to innovation through something like that. Approach this from the perspective of UX design. The more barriers a user has to overcome the less likely they are to actually try the product. In this case the user would be a small entrepreneur trying something small. But a lot of businesses start out as something small. If they work then they grow, if they don't they go back to the drawing board. If you put barriers on the way of these people they often won't even try.

That doesn't mean it's impossible to start a business, but it does mean you'll get a lot less of them. A lot less of them also means less successful ones and less jobs.

Or just allow the free market and our courts to punish the offenders when they do bad things. If Google and Facebook violate privacy, sue them. If Mattel caused harm, sue them. Get the information out there that the service is bad or the toy is unsafe and they will either fix the behavior or go away.

Regulations may or may not be necessary for certain things, but to fold everything in the market under some kind of regulatory framework where you need to go to government to get approval and navigate a burdensome bureacratic process basically just ensures that you will harm innovation, destroy small business, and protect legacy companies in the space.

Part of the problem is that we have been running a trade deficit for decades in the first place.
Don't look at GDPR and see it as some kind of slap in the face to Facebook or Google. The reality is that regulation like this invariably benefit the companies large enough to hire the lawyers to abide by the regulation. Similar story for tax-law complexity.

Large corporations thrive in highly regulated environments without fear of competition.

The other side of the coin is that for a lot of things we do need regulation. Look up the history of banking or healthcare before it was regulated.
> Look up the history of banking or healthcare before it was regulated.

Look at the history of banking or healthcare after it was regulated. Costs spiraling out of control, people dying of preventable diseases because they can't afford health insurance, the housing bubble, too big to fail, etc.

> Costs spiraling out of control, people dying of preventable diseases because they can't afford health insurance

And yet compared to that, many industrialized countries with "socialized medicine" get by rather well, even though that's the epitome of regulation.

They also tend to have tax burdens that are 50-100% greater than what the US has. The main problem with US healthcare is that prices have gone out of control because there aren't market forces to keep it in check nor does the government keep it in check. This means that prices can soar.

On the other hand, when somebody has a rare disease or wants the absolute best healthcare then they are likely going to the US.

Aren't the insurance companies private in the US? Why don't they keep the prices in check?

And the US isn't the only destination for such medical tourism (anymore)..

> Aren't the insurance companies private in the US? Why don't they keep the prices in check?

The entire US system is a disaster. There are major tax incentives for employers to provide health insurance, so they do. But then it's corporate executives choosing the insurance policy, and the one they choose affects themselves and their families, and is tax-deductible compensation, but they're spending the shareholders' money instead of their own. Meanwhile the insurance company is happy to sell a policy that covers more stuff for higher premiums. And everybody hates it when the insurance doesn't cover something -- it's bad PR for the insurance company, bad employee relations for the company who chose that policy and bad for the employee who is sick and denied coverage.

So all the incentives line up for there to be very expensive insurance policies that cover everything no matter the cost. And once you have a policy like that, the patient has no reason to decline unnecessary tests or choose lower priced alternatives because the insurance is paying for everything.

The insurance company can try to negotiate prices, but that only works in a competitive market. Many things are patented and there is only one supplier, who knows the insurers are captive buyers. Even when there are multiple suppliers, they all have to pass on the same regulatory compliance costs. And the insurance company itself imposes a large amount of bureaucratic overhead on medical providers to try to prevent insurance fraud, but the cost of that overhead then gets built into the price. Plus the cost of the insurance fraud itself, which is hard to detect when the provider and the patient are both in on it.

The way to make health insurance work is for it to actually be insurance, i.e. it only covers major catastrophes with a multi-thousand dollar deductible and everything else is out of pocket. Then the insurance would cost less than half what it does now and the amount paid out of pocket for substantially everyone would be less than the difference in insurance premiums. People would then have the right incentives to compare prices and refuse unnecessary procedures, none of the routine medicine would have to involve insurance paperwork, and less insurance coverage would mean less insurance fraud.

But everything in the US regulatory environment is configured to prevent that from happening.

> The way to make health insurance work is for it to actually be insurance, i.e. it only covers major catastrophes with a multi-thousand dollar deductible and everything else is out of pocket.

Health insurance is also cheaper if certain preventative measures are taken, so it's in their best self-interest to cover those, too (and also to make being up to date on them attractive).

For example, German insurance covers annual dental checks and reduces the copay on dental work if you have been up to date on those checks for a number of years because that's cheaper than dealing with the fall-out.

> And yet compared to that, many industrialized countries with "socialized medicine" get by rather well, even though that's the epitome of regulation.

Full socialization is very different from regulatory capture. Regulatory capture looks like what western corporations have traditionally done to third world countries. Full socialization looks like the USSR. They're both terrible, but in very different ways.

Banking has arguably got worse since banking regulation, because regulation allows for fractional reserve banking and doesn't allow individual banks that aren't part of the system. This means that if the government doesn't keep exactly on top of their regulation then bad things can happen, because the government basically insures the banks and won't let them fail (since the system becomes too big to allow to fail).

It doesn't help when the government gives out bad guidelines either. Eg the lending guidelines given by the Community Reinvestment Act. Suing banks for having too strict guidelines for lending out money coupled with easy money ended up in the 2007/8 financial crisis.

Would it have been better with less regulation? Maybe, maybe not. But it's definitely hard to say that banking would be unworkable with less regulation.

You don't need a lawyer to abide by GDPR, it's pretty straightforward stuff.
Nothing about data storage and manipulation is straightforward.

Is the web server software you're using logging network requests? Are those requests possibly considered PII? Congratulations, you now have to care about the GDPR.

https://www.ctrl.blog/entry/gdpr-web-server-logs

Which is to say you don't have to care much at all, seeing as you do NOT need to inform or obtain consent from users to keep web logs that serve a 'legitimate interest' such as fraud, security or spam prevention.

Obviously if you were in the business of leaving such data insecure for anyone to obtain or merrily selling it on to reap as much dollar from your visitors as possible then you may be in for a bad time.

Otherwise it's just best practice to do what GDPR says anyway in the example you provide.

From the top of https://www.gdpreu.org/the-regulation/key-concepts/legitimat...

""" “Legitimate interest” may be among the most confusing concepts written into the GDPR, which is not helped by the amount of incorrect interpretations available when you search for the term online. """

It's going to be up to individual companies and orgs how much risk they want to absorb trying to sort this dimension themselves rather than hiring a professional; I suspect we agree on that. But I suspect quite a few companies will want to soak the cost of having a professional review this stuff rather than trust their own common sense (especially if their common sense is not European-originated but they plan to have European users).

It is not risk. If your relevant regulatory body decides that your reasons are not legitimate (and if you definitely are using them to prevent service degradation and don't keep them around forever, I don't see why they would) then they will tell you so you can alter it.
Companies hate building business models and practices around "Well, if the regulator's cool with it, then..." That's the very sound risk makes.
This is one of the aspects of GDPR that gets blown out of proportion. You can keep IP addresses in your server logs if you can demonstrate that it's important to your business.

If you can't demonstrate that it's important to your business, then you can mask the IP addresses. This was a very common thing to do even before GDPR.

In other words, compliance in this respect is dead simple. If you need IP address information for a specific reason, then keep them. If you don't need it, then change your log format to omit them or turn on IP masking.

The level of expected implementation will only be clear after a year or so.
In a few fairly uncomplicated businesses, sure. For everyone else, there's a reason why the privacy professionals listserv I'm on is a constant debate about vagueness in the law.
I find such reasoning to be bullshit.

Example: DuckDuckGo had no issues in ensuring people’s privacy for years and I’m fairly sure that they have zero problems with GDPR. And they are not and have never been at Google’s scale.

What happens actually is that privacy-violating companies are trying to keep doing whatever it was they were doing, but then discovering that no sane individual would opt-in to being tracked, without having access blocked of course, which then leads to lost revenue anyway.

So they are trying to game the system, which gets expensive of course. Now you need lawyers and experts in dark patterns. But when your entire business model depends on people's ignorance, you really can't claim the high moral ground.

Such articles are engaging in sponsored FUD.

DuckDuckGo is a single company operating in a single vertical and their entire purpose was to provide a certain type of privacy-preserving service.

The vast majority of companies aren't violating privacy in any meaningful way, and the GDPR still imposes large costs on them.

the second paragraph is just not true. every popular website without privacy as a selling point has dozens of trackers. journalism and social media have been tilted heavily towards clickbait because ads are perceived as the only way to make money. the only companies that will get to continue doing what they do without much hassle are widely liked services like netflix and spotify.
"meaningful"

The idea that every tracker and targeted ad is some sort of meaningful privacy violation is pretty silly.

As it turns out not everyone agrees with you. That doesn't make it silly, that makes it a difference of opinion.

And in any case, the point is that together all those little violations are a meaningful violation of your privacy.

> I’m fairly sure that they have zero problems with GDPR

My understanding, from a friend there, is GDPR imposes significant costs on their operations. The problem isn’t the intent of the law. It’s its implementation. The administrative burdens imposed by the mandated bureaucracy is massive.

How big is the team at DDG? I handled GDPR compliance for a company big enough to have probably helped draft the law and it wasn't that bad at all. Many of the systems were already in place because they've been industry best-practices for a while (encryption, de-identification, internal access guards).

The two things that needed to be developed were systems around rights of erasure & access. Both of these are pretty straight-forward systems -- it's a REST API for getting user details from a system, and deleting user details from the system.

I believe people are making GDPR out to be a much worse than it is.

> deleting user details from the system.

What are you considering 'user details' ?

Primarily data that can be used to identify the user and these have a pretty good definition.

If you have a database with users in it, that's basically the row in the Users table, along with everything in the database that has a user_id, which depending on the data you're talking about, might be enough to just set the user_id to `null`, but if unsure and if possible, then cascade delete is the safe choice.

Basically that's nothing that a normal RDBMS doesn't do efficiently already. If you are using a RDBMS, you should have had a sane deletion policy on your foreign keys already.

It gets more complicated with NoSQL databases of course, but you knew already that by using a NoSQL that's essentially technical debt you're postponing. But having worked on many such systems in the past, it's not a tragedy and certainly not something that couldn't be solved in the last 2 years since the GDPR was adopted.

Honestly, GDPR was adopted 2 years ago and people now act all surprised that it came into effect.

> these have a pretty good definition

thank you for your response. I've been trying to find this in GDPR docs but i can't seem to find a clear definition. Can you link me to the definition if you have it handy by any chance.

I can tell you couple of examples where simple delete from database is not enough.

One example is a analytics pdf report that was sent to management with geo diagram with number of purchases dotsizes/zipcode in a city.

DuckDuckGo is a search engine - meaning its possible to use their tool without the collection of any data, even creating a user account. Many other tools are doing nothing nefarious with data but its not possible to use their tool without collecting data.

It's neat that DuckDuckGo was able to find a business model through showing ads based on what you search into the search box. For me personally, I don't see much of a difference between being shown ads on what I searched at that moment and having a cookie stored in my browser and getting showed ads based on that later on.

None of this disproves what the article is saying anyway - Google & Amazon will be the best equipped to handle the nuances of any data laws and as bureaucracy increases, they will benefit the most, storing more data.

> Many other tools are doing nothing nefarious with data

You're missing the point of the danger then.

Facebook isn't doing anything "nefarious" with the data either. And yet Cambridge Analytica happened.

Fact of the matter is, it's not what you do with the data that counts the most, the biggest problem being that the data gets collected in the first place without users being aware of it, or aware of implications.

How many users do you think are aware that Facebook follows them around the web and that this might affect their credit score, or the price they pay for their health insurance in the future? How many people in a minority, e.g. of a certain religion or of a certain sexual orientation, do you think are aware that their habits can be used to precisely identify their identity and preferences, which could put many such individuals in life threatening situations?

Of course, you might be a responsible company, you might actually do good by your users and customers, but if the users don't expect tracking to be part of the service and if making them aware makes those users to not opt-in, then you are doing something nefarious by definition.

Which is what GDPR is about.

> zero problems with GDPR

Do they comply with right to be forgotten etc?

What do you think the RtbF means for a service like DDG?
Right to remove results
That wouldn't be possible in GDPR.
Doesn’t DDG use Bing and Yahoo? I’m not sure how well would they work in a vacuum where they can’t take advantage the benefit of “tracking” through outsourcing.
Yahoo also uses Bing. You may be thinking of Yandex, another search engine DDG taps from besides Bing.
I think of the GDPR as similar to clean operations with regards to environmental impacts.

If, right now, there was made a law that fairly charged for all externalities on environmental damage of their products, then the companies that do things "right" with regards to environmental practice would be some of the most profitable.

The GDPR is the similar type of law, but for data hoarding of PII. If you're doing privacy and handling user data that preserves users' rights, you likely wont have much anything to change. Sure, you'll have to put together 5 documents how you do use data... but everyone does in the EC.

If you're a hoarder, spread PII everywhere it shouldnt be, or otherwise do bad things your users would find unconscionable, it's going to be a very rough time.

As an American, I try to buy sustainable products.. But the GDPR makes it easy to see which tech maintains my privacy of my data.

Given that Techcrunch/Oath was called out by a lot of people for "GDPR fails", I find their impartiality rather suspect.
An EU company will have a harder time targeting EU residents under GDPR than a US company will have (for its own residents). Wasted money on non-personalized ads could be the difference between continuing to exist for some. So it could potentially hurt EU companies that want to advertise too - though I really don't know the extent of advertising there.
That's exactly what's going to happen.

I can create a business model in the US market - in the vast majority of nations in fact - that can't exist in the EU, pay for it with targeted advertising in the US market and give the product away for 'free.' I can scale it with US ad practices, then move into the EU with full GDPR compliance and continue to fund that product with the vast, lucrative, targeted US ad market, doing things with customer data and generating margin that is impossible in the EU. The EU can't project its jurisdiction globally to prevent this approach.

GDPR is a massive win for US companies, it increases the already overwhelming US competitive advantage. The US tech giants can trivially comply with GDPR, and the EU ends up as more of a tech hermit kingdom with every restriction and compliance requirement they put into place.

Starting and building a company like Google or Twitter in the EU was very difficult before, now it's impossible. Every future Google in the West will be born in the US perpetually from here on out.

And then 20-30 years later large scale automation goes into full swing and the EU has a smaller qualified work force to pull from. I just don't see this ending in a beneficial way for the EU.
Add to that, that an EU website is already more likely to be dependent on ad funding, as VC money to burn is scarce.
Depends what you do, I am building EU (UK) company right now. We started before GDPR but we had it in mind early on and I don't believe it made it any harder for us. Obviously our business model didn't assume selling our costumer data.

Being 'GDPR ready', 'privacy first' and putting our users in control of their data was a good selling point and important part of our story. It definitely made it easier for me as a tech guy in founding team to argue for reasonable privacy policy, avoiding data monetising revenue models and attention to security.

GDPR compliance for any company that isn't sacrificing their users' privacy to the dark gods of marketing is not hard.
The article lays out its thesis pretty well. In the wild wild days of little regulation on personal data, everyone vacuumed up as much as they could, because it might be useful someday, and there were few laws with teeth to stop them. Usually, this was used for analytics and 'big data', but frequently, it cycled back into targeted ads. Entire conglomerates made most of their revenue this way: Google, Facebook, Verizon+AOL+Yahoo. I'm not sure Amazon really fits here, because they make most of their money by selling you actual things (compute, products) rather than your data to an outside party, but they do collect a fair bit of data about one's preferences, so let's keep them here.

Now, the door's been shut behind them. It's fair to assume that big companies are better equipped to hire experts to navigate the issue of compliance than a random 8-person startup fresh off the press; whereas 10, 20 years ago these exact sort of new ventures are what grew into data harvesting machines that were usually acquired by someone with bigger wallets. This is one of the mechanisms of regulatory capture: even if the law is good for the public, most of the companies that engaged in the now-illegal tactics can pivot to something else or figure out how to stay in compliance, while any new players hoping to use the same mechanism are forbidden from doing so. This is a fairly typical outcome when regulation is first applied in a space where it wasn't before.

The twist is that some of the same players that engaged in the harvesting and trafficking of personal data have also branched out into cloud computing and various value-add SaaS to sell B2B, and they can capture some revenue from other companies that are just going about their everyday business and are looking to stay compliant with the new regulation. This is a boon for the likes of Amazon, Google, Microsoft, who've engaged in both targeted ad tracking and cloud computing. Increased uptake in their cloud offerings will help insulate them from the tightening of the targeted ad space.

The substance of the article is solid. But for those alleging FUD, keep in mind that TechCrunch is owned by Oath, the content subsidiary of Verizon, a content and infrastructure company without a strong story in B2B cloud computing, and whose revenue is chiefly derived from (1) providing bulk telecom interconnect, (2) being an ISP, both wired and wireless, and (3) correlating user behavior across their portfolio of sites and using their network. One can easily make the case that these sorts of companies are among the most vulnerable to this sort of regulation.

It really depends on whether the regulation actually changes practices and cuts into their core business model. A big part of GDPR is simply making consumers aware of how their data is being used. As awareness and scrutiny increases, it's entirely possible that ad tech as a whole suffers, and that will hurt Facebook/Google disproportionately.

If the landscape changes significantly, that is advantageous to startups because they can choose to avoid quagmires entirely. It's really the middle-stage ad tech companies that don't have the cash to comply, but have too much momentum to change course that will really be fucked.

Of course it's true that you can't start another Google or Facebook today, but that is for many reasons among which privacy regulation is merely a footnote. I get that a lot of fortunes were made in ad tech, but innovation will not stop because practices need to change.

(comment deleted)
It's not about the fortunes that were made. It's about the fact that these kinds of rules could put an end to the relatively free internet we have had so far. It makes it harder for smaller sites to pay for maintenance costs while also increasing the barrier to entry even on the very lowest level.

Remember the teenagers that were setting up their forums and messing about? You can't do that anymore. The chance that people like that would follow these laws are tiny. The effects of something like this are very hard to predict, because we know that hobbyists gave us many cool things over the years and they ended up transitioning into lucrative careers. This kind of an avenue is severely hampered by this. I'm afraid that this kind of regulation is simply the first step to wrestle control over the internet, and if governments manage to do that then the internet stops being free.

This is pure FUD. For a forum to be GDPR compliant all you have to do is tell the user what you plan on using their data for (probably just posting to the forum) and give them an option to delete their account. Also, the chances of regulators coming after hobby projects is nil. A lot of people seem to be parroting these talking points that are straight out of an ad-tech lobbyists handbook. The sky is not falling, and the threat to the free internet is far less than what we are facing from ISPs.
Any additional barriers to entry are still barriers to entry. These are non-technical problems that are difficult to truly grasp, because even people who do this for a living seem to disagree on many points.

>Also, the chances of regulators coming after hobby projects is nil.

"The regulation is okay, because we're only going to use it against the bad guys." This is not how a society based on justice is supposed to work.

China , Russia have strategic interest to protect. The EU , i'm not so sure what it is protecting, and reading this law it's really hard to tell if we are supposed to have some kind of advantage now. It seems more like an extreme, wrist-slapping attempt of its leftist lawmakers.
Leftist? The EU? Now I have heard it all!
Are they not? Isn't a significant portion of the EU on a ~50% tax burden?
Depends on your PoV.

From my [summed up] European's PoV Obama was very right wing and Trump is veryyy right wing. From an American's PoV that PoV lacks nuance. So I generally refrain from using those simplistic terms when potentially talking to Americans; gets discussion nowhere.

Here's the data on political groups (coalitions) in the EP. [1] Claiming these are "left wing" is.. well.. clearly US centric PoV, but also overly simplistic and bifurcating. Calling Europe left-wing, knowing that Europeans are going to read it and reply is also fuel for a flamewar. Hence why I linked some data to put things in perspective.

[1] https://en.wikipedia.org/wiki/Political_groups_of_the_Europe...

As a European as well I disagree with Obama being right wing. I can't even fathom what constitutes left wing in that case that isn't socialism.
Well the mastermind of GDPR is a Green Leftist so...
You poor dumb alt-rightist cunt
I’m surprised that so many people are missing this. Google and Facebook may come off better than most tech companies, but surely the real winners must be whoever was not relying on your personal data to begin with? E.g. tv, radio, and print.
If people are on the internet, they're not going back to radio because of GDPR.
People who purchased internet advertising because they were sold on being able to narrowly target their niche demographic might now instead purchase radio ads.
That is not what I’m getting at at all. I’m referring to the changes in relative value of different advertising channels post GDPR.
But the return on ads is based on absolute value, not relative value. It would be irrational to spend more on radio when radio doesn't change.
I don’t know that ad budgets are allocated perfectly rationally. My understanding is that it more often works like: “marketing department, here is XX million. Do your best with it.” Add to that the lack of perfect information about impact and penetration, and it’s hard to determine absolute value.
Not perfectly. But over time they tend to go with what produced returns.

But yes, I suppose in the short term budgets will be fixed and some may try radio etc again

Thought control is such a lunatic term that I cannot take anyone serious using it.

There is no thought control, only data (lots of ads of course) that you yourself receive, think about and shelve.

'Control of the information flow to your populace by censoring bad things and putting out misinformation, which then informs the thoughts of the populace'.
This is a good thing.

For all the criticism of Google, of which I have extensively done, very little negative is said about their security. The fact that you can have 99 character passwords in GMail speaks to this (Paypal and Bank of America’s limit is 20 for example).

Everyone today worships small business, but the 30 years of incredible economic growth was partly achieved by the partnership of Big Business with Big Labor and Big Government.

As Galbraith said at the time: “the entrepreneur, as many see him, is a selfish type motivated primarily by greed, and he is furthermore, unhappy.”

I think entrepreneurs have contributed a lot to society, but I also think new era’s come and go, and the worship today of “innovative startups” will not last forever.

It's really cynical that before I can even read this article about the GDPR, TC makes me painfully aware that they

- violate my GDPR rights by requiring opt-out from their tracking, instead of opt-in

- are going to sell my data to hundreds of "partners"

https://gdprhallofshame.com/5-techcrunch-engadget-and-oath-c...

Even if I would bother enough to do this dance from my mobile device, which I don't, there is no way the article can convince me that it's unbiased journalism.

The EU needs another top level agency to decide what is OK to remember.