Two years in, GDPR defined by mixed signals, unbalanced enforcement

I would pay a subscription to a news site if they spent all their time evaluating 2-5 year old events and determining which side was right.<p>2 years ago comments of &quot;this will only benefit the lawyers&quot; would be -50 points. Turns out... actually yeah.

Nothing says GDPR is something that can&#x27;t be improved upon. Better enforcement, refinement of laws, everything is possible. It has to begin somewhere and that beginning is rarely perfect. Every failure is also an opportunity to learn what to do better. As some other people have commented, the intent is right, the execution has to be improved. Edit: Fixed grammar and some words

<i>We care about your privacy notices</i> have become the bane of my life.

Has anyone beyond big tech actually figured out what the rules are yet?

I work as a developer in the European public sector, we already took privacy and security rather serious because the laws governing it had always been and are still tougher than the GDPR.<p>I actually like that the EU is doing something, and I guess this is the best you get from a bureaucracy, but what it’s changed is that we document everything. Whenever I build anything that moves privacy data, even if it’s just hooking up a new system to our ADFS which accesses employee names, I need to fill out 4 forms and write a risk assessment. It all goes somewhere I suppose, I’m not sure because once I file them I never hear anything about it unless my wording wasn’t good enough.<p>As far as security goes, it hasn’t actually changed anything. I guess it does if you weren’t taking security very serious before, but the idea that we as developers will think about security first or design better systems if a bunch of lawyers force us to fill out forms and write essays on what can go wrong... I just can’t wrap my head about why anyone would actually believe that stuff.<p>Like I said, it’s a great idea, on paper, but the bureaucracy that is enforcing it is just so clueless. Passing inspections is more about having the right answers and documentation than having actual security, so it’s no wonder that the outcome is full of mixed signals and weird enforcement.<p>Still better than nothing, in my opinion, and it’ll probably get better with time.

The fears about GDPR when it passed, if I remember correctly, were mainly around arbitrary draconian enforcement. This article seems to only be talking about <i>under</i> enforcement. The causes of this under enforcement seem fixable. Ireland, putatively afraid of the big tech companies choosing to put their Europe HQs elsewhere, has been dragging their feet on privacy investigations. But the investigations are happening. Then there are some countries not putting enough money into it. The rest seems to be the various countries not being in alignment. For a sweeping, two-year-old regulation that has spent about an eighth of its life in the time of a major global crisis, this doesn&#x27;t strike me as all that shocking.<p>Does anyone have any actual examples of draconian fines being handed out for good-faith misunderstandings of the regulation? Big Tech has professed confusion over how they&#x27;re supposed to comply, but it seems to me like like they would simply prefer not to.

I think GDPR has its heart in the right place.<p>I don&#x27;t think it really helps and I suspect that is because users themselves really don&#x27;t know what is actually happening behind the scenes and no amount of banners or otter things changes their level of knowledge.<p>And I fear even if they know, users don&#x27;t care and are happy to click past a banner &#x2F; trade their privacy for free things.<p>GDPR seems to play out as a strangely legally mechanical beast that people are largely disconnected from.

I&#x27;m happy to see this as the top post on Hacker News, though would wonder if anyone would be able to provide me with a summary of the article since $399 is a bit steep for me (as in, I can afford it, but it&#x27;s obviously WAY too much for what&#x27;s promised by the title).<p>I&#x27;d also be interested in case anyone has any thoughts on what the short or long-term outcome of the situation would be. Come to think of it, I&#x27;d like it if someone could give me a rough outline of GDPR at all.<p>I&#x27;m a software developer working in Britain, and I reckon the local consequences are &quot;the lawyers make lots of money&quot;, but am always keen to hear other viewpoints.

<i>We value your privacy. Like, it&#x27;s valuable. We sell it for money. We&#x27;re going to nag you until you click this button so we can&#x27;t get in trouble for profiting off the data you give us.</i><p>Good legislation is important to let us penalize bad actors—does any one know of any accounts of some bad actors getting stopped by the GDPR?<p>What do you guys think: are there laws that <i>should</i> be in place to incentivize privacy-preserving tools?

Guys, we have a lot of European customers and we completely ignored GDPR rules. After it was introduced, only 2 potential customers asked us about it and we just moved their emails to trash. Not worth the hassle! There is nothing they can do anyway to force it if you are not living within the EU (unless there is a special agreement between your country and EU). I even know some startups who are located within the EU, but still don&#x27;t care about GDPR :D

This has been a constant headache, not the rules or how to apply it, but our customers still act like there isn&#x27;t such a thing like GDPR, and actively demand, DEMAND that we put in place functionality that is in clear violation of GDPR, and when you try to inform and explain to them who things work they get mad at me and threaten that they will get a more professional shop to do things for them <i>shrugs</i>

The worst effect the GDPR had was on offline bureaucracy. &quot;Data protection&quot; has become the go-to excuse for blocking every single goddamn thing.

Personally I am just annoyed by the cookie warning on every site. Gdpr does not apply to vast portions of the internet.

GDPR was known to be, is known to be, and will known to be a shit law that&#x27;s not tied to reality. It did have some good (allowing you to know what they have on you in general, and asking them to delete some of that), but the rest is just bad, bad, bad.<p>I wish people would be rational when supporting privacy increasing things. GDPR could have been much better and it saddens me that it was ruined, and defended by, zealots.

Who could have predicted that an overarching government program to control and regulate content on the internet is failing?

It is worth pointing out GDPR is really two sets of laws - one around data security and breaches, and another set of laws around privacy. It&#x27;s the second set of laws that get the most criticism for their opaqueness, but I don&#x27;t know if they are better or worse than the first.<p>They probably should have held off completely on the second set - the upcoming ePrivacy regulations are promised to actually <i>do</i> something, rather than just provide a really frustrating and opaque set of consent guidelines.<p>As it is now, the law doesn&#x27;t require anyone to actually stop what they are doing. The only difference now is you have to retain a lawyer to do it.