Deploying them should be carefully considered. For insurance and financial services, the tradeoff makes sense. For literally every business that might ever touch a European's data, it's a bit overblown.
That's a fair argument to make. The counterpoint is that before GDPR we had so many problems with companies mishandling data that "a bit overblown" is not something that everyone would agree with. Additionally, some countries (e.g. above-mentioned Poland) had GDPR-like laws (Ustawa z dnia 29 sierpnia 1997 r. o ochronie danych osobowych) for over two decades now, with a corresponding regulatory office (Generalny Inspektor Ochrony Danych Osobowych) that regularly looked into complaints. In practice it turned out to work great, local businesses easily complied with the law, and nobody saw this as a huge hassle in the two decades of the application of the law. I find it hard to believe that it's going to get much worse than that with GDPR. Many companies are just overreacting here really.
> before GDPR we had so many problems with companies mishandling data that "a bit overblown" is not something that everyone would agree with
GDPR should have had a minimum revenue threshold for the bulk of its requirements. Enforcement should have also been centralized in a single EU enforcer. A simple process for obtaining non-compulsory affirmative compliance certificates, for businesses at or below the revenue threshold, would have also been nice.
> I find it hard to believe that it's going to get much worse than that with GDPR
I see Facebook and Google gaining market share and failing to change their behavior. In addition, Europe is no longer a market one launches in simultaneously with the U.S. and Asia for most foreign businesses.
This whole episode is deeply frustrating as I'm strongly anti-Facebook and pro-privacy rights. The degree to which the EU turned an opportunity to lead into a wholesale boondoggle is jaw-dropping.
I’ve had discussions with people working in ads at Google that are basically, “so GDPR is the EU’s attempt to kill off all our competition and presently entrench us in the marketplace.”
> In addition, Europe is no longer a market one launches in simultaneously with the U.S. and Asia for most foreign businesses.
Since that's a broad statement, would you care to back it up?
> I see Facebook and Google gaining market share and failing to change their behavior. In addition, Europe is no longer a market one launches in simultaneously with the U.S. and Asia for most foreign businesses.
Are you saying that Facebook and Google are not GDPR compliant, and that furthermore, the EU doesn't care that they are not GDPR compliant?
Facebook is dramatically noncompliant, and people on my privacy professionals listserv have been debating parts of Google. I assume the EU cares, but it's also a massive fight to pick, and Facebook and Google are well-suited to handling it.