The observation that regulation usually ends up helping the incumbents is not new.
That said, I find the "meshed society" concept useful. It highlights the radical level of collaboration possible between individuals, enabled by the internet.
> For example the GDPR takes the best of intentions around citizen privacy and ends up causing unintended harm by layering ambiguous and extensive responsibilities and liabilities on small businesses and individuals with web presence.
This happens in spades in the finance industry, which has addressed it by outsourcing it: small companies start up that do nothing but compliance for regulation X or Y. You can see this, for example, in US retirement funds: if you put a dollar into your 401(k), various people touch it before it is actually invested, certifying that the 401(k) fits this or that qualification restriction, certifying various arm's-length rules, etc., each taking a small fraction of a percent as a fee. In the end only perhaps 97* cents of asset is purchased with your dollar.
In case it is not clear: I am not advocating this system! Just saying that the market can adapt to it, and favoring big incumbents is not the only way/consequence. Each of these little entities of course becomes a protected incumbent themselves.
* I don't remember the precise amount, but it was more than a percent and I think it ended up adding up to three or four. But it was many, many years ago when I looked at this, and it was when I was evaluating a company's tech stack for an investor, so my focus wasn't on these details. But it was fascinating how the market had adapted.
>"For example the GDPR takes the best of intentions around citizen privacy and ends up causing unintended harm by layering ambiguous and extensive responsibilities and liabilities on small businesses and individuals with web presence. They either comply at great cost (relative to their turnover) or ignore it all, intentionally or out of bewilderment."
What a load of BS. I own a small business with "a web presence". GDPR is extremely easy. What is hard is wanting to collect data legally. Just don't do it if it is too hard. Times have changed - change or die. If you write such FUD I won't trust a single word written.
Most harm from GDPR to small business actually happened thanks to armies of "GDPR consultants" who smelled money in the market and, in my experience, often heavily skewed perception in order to increase their own profits.
The majority of small businesses never have to deal with GDPR unless they gather personal information - and for most of them the limited cases in which a small business might gather information were already covered by previous laws, and in most cases can be handled by a simple process of human action.
Data privacy laws applied whether you used computers or not, and GDPR doesn't change that.
Ultimately, the simplest way of not having to deal with GDPR is to not store private data, or storing the minimal possible set. The archetypical smallest possible business already outsources a lot of such operations to aggregate eShop vendors, which are a good place to place controls. Those who run B2C sales directly in ways that require private information can spend a bit of time on getting compliant, generally with a set of cookie-cutter processes.
The definitions of personal data are highly ambiguous. Perfectly normal processes that people would not normally consider collecting personal information (like maintaining a normal HTTP access log) do count because of things like claiming an IP address is personal information.
Hell, everything about the law is highly ambiguous. Let's say somebody runs a web forum where people can post messages. We are using one right now. Let's say no personally identifiable data is deliberately collected. No use of email addresses as usernames, or even to offer a forgot-password flow. The user names are arbitrary. There is no IP address logging of any form, even to combat abuse. All posts are publicly available, so users don't need to sign up unless they want to post, and obviously posting is entirely voluntary, so obviously consent is no issue.
Even under this scheme, which is seeking to minimize all compliance burdens of the GDPR while still offering a forum, the site still needs to offer data dumps from users on demand, since their screenname is quite plausibly linkable to their real life identity.
And how do you implement the right to be forgotten? You can implement it as a mass delete of that user's posts, but that is probably not good enough. The problem is that many forums either support or have a user convention of quoting parts of previous messages (including screen name) so people know exactly what you are trying to reply to.
If commonly used, then that defeats mass deletion as a proper implementation of the right to be forgotten, since large chunks of the user's posts (associated with the user's screenname) will be left in replies. Filtering that out may range from easy to difficult, or even to being a completely manual process (which wouldn't work well for certain super prolific posters).
And this is before considering the fact that the law does not let you off the hook if you fail to find some personally identifiable data for that data dump because it was something somebody else posted as unstructured text in the body of a post. It could just be a phone number and address pairing, with no reference to the screen name or anything. No way are you going to reliably find that, but you are still technically liable if a user discovers you had that data and missed it when they requested the data dump. The regulators may decide not to really enforce such edge cases, but they could. They might even enforce that against you if the regulator decides they want to send a message and crack down hard on violations.
Consider instead a video provider, where there is personally identifiable information about a different user mentioned in some uploaded video. Are regulators going to expect you to be able to find that video in response to a subject access request? Surely not. But what if you are YouTube? The answer then could very well be quite different, since Google could easily search their autogenerated closed captions to potentially find this video. They certainly could be doing that already to augment their profile of you. (I doubt they are, but it is definitely not impossible.)
Very, very few businesses never collect any personally identifiable information. Even if they try, they will likely collect some accidentally, like if a consumer calls with a question which cannot be answered right away. A note of some form will be taken that will probably have a name or phone number, so that once an answer is found, it can be provided back to the caller. A B2B business cannot avoid this either, since they still deal with individuals in the other businesses. I'm sure the majority of businesses just ignore this, since the GDPR is really only targeting mass data collection, not little incidental bits here and there, but the terms don't actually make any such distinction.
The GDPR depends a lot on regulators exercising discretion in terms of not going after such tiny violations. Which is not really a problem per se, but it does mean greater legal uncertainty in cases that involve some slightly gray areas. At least in contrast to the often far more black-and-white, hyper-specific legislation often found in civil law countries, or even the eventual binding precedent over ambiguous laws set in common law countries. The main avenue for getting such certainty with the GDPR is the enforcement harmonization system in the GDPR, which will likely take several more decades before many common gray areas have been definitively settled.
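The comment above describes the two practical problems with a "just mass delete" erasure implementation: quoted fragments of the erased user's posts survive in other people's replies, and personal data in free text (a phone number in a reply body) is not reliably findable for a subject access request. The block below is an added example illustrating both, not code from the commenter or from any real forum software. It assumes a BBCode-style quoting convention, [quote=screenname]...[/quote] (an assumption; the thread mentions quoting but no particular markup), and runs over a constructed sample thread.

```python
"""Erasure and subject-access helpers for a minimal forum.

Added example, not code from any commenter. It assumes a BBCode-style
quoting convention, [quote=screenname]...[/quote] (an assumption), and
uses a constructed sample thread.
"""
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Post:
    id: int
    author: str
    body: str


def quote_pattern(screenname: str) -> "re.Pattern[str]":
    # Non-nested quotes only; nested [quote] blocks would need a real parser.
    return re.compile(
        r"\[quote=" + re.escape(screenname) + r"\](.*?)\[/quote\]",
        re.DOTALL | re.IGNORECASE,
    )


def erase_user(posts: List[Post], screenname: str) -> Tuple[List[Post], int]:
    """Delete the user's own posts and redact text quoted from them elsewhere.

    Returns the surviving posts and the number of quoted fragments redacted.
    A plain mass delete would leave those fragments, still attributed to the
    screenname, sitting in other users' replies.
    """
    pat = quote_pattern(screenname)
    survivors: List[Post] = []
    redactions = 0
    for p in posts:
        if p.author == screenname:
            continue
        new_body, n = pat.subn("[quote=deleted user][removed][/quote]", p.body)
        redactions += n
        survivors.append(replace(p, body=new_body) if n else p)
    return survivors, redactions


# Crude North-American-style phone number heuristic. It illustrates that a
# scan of free text is best-effort: it misses numbers written in other
# formats or as words, and cannot tell whose number it found.
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")


def scan_free_text(posts: List[Post]) -> Dict[int, List[str]]:
    """Return post id -> phone-number-looking strings found in that post's body."""
    hits: Dict[int, List[str]] = {}
    for p in posts:
        found = PHONE_RE.findall(p.body)
        if found:
            hits[p.id] = found
    return hits


def sample_thread() -> List[Post]:
    # Constructed sample data for this example; note post 4 quotes "Alice"
    # with a different capitalisation and also carries a third party's number.
    return [
        Post(1, "alice", "Has anyone tried the new release?"),
        Post(2, "bob", "[quote=alice]Has anyone tried the new release?[/quote]\nYes, works for me."),
        Post(3, "alice", "Call me at 555-123-4567 if it breaks again."),
        Post(4, "carol", "[quote=Alice]Call me at 555-123-4567 if it breaks again.[/quote]\n"
                         "Will do. Also bob's number is 555 987 6543."),
        Post(5, "bob", "Unrelated post."),
    ]


if __name__ == "__main__":
    thread = sample_thread()
    remaining, n = erase_user(thread, "alice")
    print(f"{len(thread) - len(remaining)} posts deleted, {n} quoted fragments redacted")
    for p in remaining:
        print(p.id, p.author, repr(p.body))
    print("possible phone numbers still present:", scan_free_text(remaining))
```

Running it on the sample deletes posts 1 and 3, rewrites the quotes in posts 2 and 4, and the phone scan still reports the number in post 4 that carol posted about bob, which no screenname-based erasure or access request would ever associate with bob.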
>Your experience is not shared by small businesses
As I own a small business, I know for a fact that is not so, as I just stated. Maybe some do and some don't, but you cannot claim it as universally so. Which small businesses are you talking about? Your own, or something you read online?
Again, if you don't want to deal with the "huge complexity" of making sure you keep your users' personal data secure, don't store any of your users' personal data, just like what Daho0n said.
GDPR is something you have to follow if you meet the requirements (like collecting personal information about your users, and more), not something you have to follow as soon as you publish an HTML file on the internet.
I understand that businesses don't have the time (or maybe don't care?) to fully understand GDPR before jumping to solutions, but I would expect the crowd here on HN to do better than that. Read through GDPR and you'll see it's much easier to follow than you think; it is surprisingly small and easy to approach: https://gdpr.eu/tag/gdpr/
Yeah. GDPR is an example of very good legislation and regulation. I have read through the entire text and it is comprehensive and focused on the rights of individuals. There is next to nothing wrong with it at all.
One does not simply "not collect data". You could potentially be in violation of GDPR from server logging that you don't even know about.
Sure, if you're intimate with your entire stack and have turned off all logs - you're for sure good to go. But that's not most small business owners, and also, good luck debugging if you ever need to.
Normal server logging is going to be covered under legitimate interests. Apply a reasonable retention period to it (5 year old logs are not necessary for any legitimate business purpose). Disclose it to users. Done.
This is a problem caused by people using things they don't understand. If you don't understand servers, you should pay someone who does. If you know enough to debug using a log, you know the log is there. But I feel this is a bit disingenuous. As far as I know, no webserver logs personal information that isn't legitimate interest. Again, if you don't ask for people's information, things in logs won't be a problem. It only becomes a problem when you both want to collect data and not do the work GDPR says you should. If you decide to collect personally identifiable information and refuse to secure where it ends up, you are the problem, not GDPR.
Reading the GDPR rules helps you know. If you had done so, you would've known that Article 6(1)(f) allows you to log PII if "processing is necessary for the purposes of the legitimate interests pursued by the controller". Security and site reliability are legitimate interests.
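The last few comments settle on a concrete recipe for access logs: keep them under legitimate interest, apply a reasonable retention period, and disclose it. The block below is an added example of the two technical halves of that recipe (retention and data minimisation of the client address, which an earlier commenter points out counts as personal data); it is not code from any commenter or from nginx/Apache. The log lines are constructed in the "combined" log format, the 90-day window is an assumed policy, and the choice to truncate IPv4 to /24 and IPv6 to /48 is the example's own.

```python
"""Minimising personal data in web-server access logs.

Added example, not code from any commenter. Retention window, prefix
lengths and the sample log lines are all assumptions made for the example.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# nginx/Apache "combined" format: ip ident user [ts] "request" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?P<rest>.*)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
RETENTION = timedelta(days=90)  # assumed policy; pick one you can justify


def truncate_ip(addr: str) -> str:
    """Zero the host part of the address: /24 for IPv4, /48 for IPv6.

    The result still identifies a network, so this is pseudonymisation that
    keeps logs useful for abuse and reliability work, not full anonymisation.
    """
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def minimise_line(line: str) -> Optional[str]:
    """Return the line with the client IP truncated and the remote-user field
    blanked (a direct identifier), or None if the line does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    # Referer and User-Agent are kept unchanged here; referer query strings
    # can also carry personal data and may deserve the same treatment.
    return (f'{truncate_ip(g["ip"])} {g["ident"]} - [{g["ts"]}] "{g["req"]}" '
            f'{g["status"]} {g["size"]}{g["rest"]}')


def apply_retention(lines: List[str], now: datetime) -> List[str]:
    """Keep only parseable lines whose timestamp is within RETENTION of `now`."""
    kept = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        if now - ts <= RETENTION:
            kept.append(line)
    return kept


def process_log(lines: List[str], now: datetime) -> List[str]:
    """Retention filter first, then IP truncation; returns the lines to keep."""
    out = []
    for line in apply_retention(lines, now):
        m = minimise_line(line)
        if m is not None:
            out.append(m)
    return out


# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.77 - alice [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '2001:db8:1234:5678::9 - - [09/Oct/2023:09:12:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.5 - - [01/Jan/2023:00:00:00 +0000] "GET /old HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for kept in process_log(SAMPLE_LOG, datetime(2023, 10, 11, tzinfo=timezone.utc)):
        print(kept)
```

With "now" set to 11 October 2023, the January line falls outside the 90-day window and is dropped, the unparseable line is dropped rather than kept blindly, and the two recent lines survive with 203.0.113.0 and 2001:db8:1234:: in place of the full client addresses. In production the same truncation is better done at the point of logging (nginx and Apache can both be configured to log a masked address) so the full address never reaches disk, but the post-processing form shows the transformation explicitly.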