HN Reader

I think the title is clickbait'y. The EU proposes to simplify the law rather than abolish it, which makes sense to me.

I think simplifying the law for companies smaller than the 500 person cutt-off makes sense. The Brussels effect is strong. I was just in a company of approximately ~150 people in America and a significant portion of our time went to GDPR/California law takedown requests. User data was everywhere, it was a nightmare. No one thinks of this stuff when everyone is still in sink or swim mode. We got it done though.

Maybe it's an argument for the other side though as well. The architecture of the system was designed to track people as much as possible so we could do A/B, app design, and marketing more effectively. It felt like it was the company's life blood.

I would say the law should at least make people get their architecture right when small so that when they're big it's not impossible to comply later.

One last thought: our company was small in head count but is getting much bigger right now in revenue. I've heard of small head count, billion dollar companies. What of them?

At the minimum I'd hope they a) do away with the worthless cookie banners requirement b) cut some generous but reasonable slack to small organizations.

Interesting timing with the digital sovereignty movement.

Quite apropos that this article was cookie-walled with a "We value your privacy. Customize/Agree" modal screen

Let’s roll back the stupid cookie notification. Replace it with “sites must respect the user setting in the browser” so we can set it once and be done with all that nonsense.

GDPR is not complex because it is hard to comply with but because seemingly no one wants to.

EU-US data transfers have been declared illegal numerous times [1], but instead of supporting European cloud providers those decisions are barely enforced and quickly circumvented by a new data transfer act.

Cookie banners are not hard to implement if you don't try to share user data with your "864 most trusted partners", there are clear guidelines [2] now on how they need to be designed, but instead of criticising these not being properly enforced, the requirement for them itself is criticised.

How is it that Meta can regular break the law, with 7 of the 10 highest fines (or probably around a third of all fines) going against them [3] with seemingly no action taken to prevent this from continuing onwards.

noyb has managed to achieve more than a billion euro in fines with only 6 million euros in funding, we could be focusing on supporting NGOs doing incredible work for their budget and getting our DPAs to probably enforce the law.

The issue with GDPR is not the law but the seeming unwillingness to enforce it leading to unclarity what is expected and what not. [4]

[1]: https://noyb.eu/en/23-years-illegal-data-transfers-due-inact... [2]: https://noyb.eu/en/noybs-consent-banner-report-how-authoriti... [3]: https://www.enforcementtracker.com/?insights [4]: https://noyb.eu/en/data-protection-day-only-13-cases-eu-dpas...

As a big GDPR fanboy, one thing I would be happy for them to remove is the portability between providers requirement: it was essentially dead on arrival, is not implemented, and could be done away with.

The other EU-level regulation that needs to be either removed or completely rethought (since it will clearly not be enforced in a way that makes sense) is the cookie regulation. It was well-intentioned, badly implemented, and the GDPR addresses more of the core problems, it is time to do away with it.

But as a whole, I push back against the idea that deregulation is the primary way in which the EU can or should become competitive with the US on technology. Lack of public investment, worse ability for companies to offer equity incentives, and timid private investment are all much bigger problems than consumer protection regulations.

I don't live in Europe. I still believe GDPR is god send. I just send a chat-gpt generated e-mail to the company to forget me citing GDPR and voila it just works.

just have to lie as bit that i am a resident of EU though.

I see lots of comments supporting it but I can see they are mostly from the business side. What does "simplification" mean for users? I'm expecting companies to be given way more room for exploiting user consent for shady data collection practices.

Before tossing GDPR onto the bonfire, perhaps the EU should first look at DORA.

Whilst I don’t like cookie banner, I personally appreciate the EU GDPR simple style of cookie banners which are simply three options:

- accept all - necessary only - reject all

So many websites outside the EU have a mass of dark patterns for which I increasingly reject all or leave the website.

GDPR is really simple.

Only store data that you really need to service the customer’s needs, always permit the customer to correct incorrect data and allow them to delete it unless you have a legal reason to keep it. Report GDPR failures within 72 hours where customer data has been compromised and treat PII carefully.

In the US - fuck the customer.

I know which I prefer.

So cookie banners go first? As an obsolote "requirement" when all that tracking will be finaly banned? Right ? Just like paper journals - they don't do any identify-your-page-flipper...

And employer will be finally allowed to know his employee name and address?? Without additional paper trail? No, they won't allow that, it will be to sane.

> "the simplification plan will focus on reporting requirements for organizations with less than 500 people"

I consider this extremely bad! It should be based on revenue, not people.

I can imagine extremely big data trading companies with less than 500 people. I can even imagine Meta/Facebook doing various employee redistribution shenanigans and managing to fit inside that limit.

The politicians cite competitiveness as the motivator for relaxing the GDPR. The real reason for the EU lagging behind the US in "big tech" is of course the lack of venture capital and the red tape in registering corporations.

The GDPR does not prevent US big tech from operating in the EU.

As it stands, this is just another attack on EU citizens' rights. It is also the least of the EU's current problems. De-industrialization due to high energy prices is, but of course von der Leyen will not mention that.

Cookie consent banners might be one of the most frustrating aspects of modern web browsing. A better solution could have been a thoughtful extension or fork of HTTP, specifically for EU implementations, something that handles consent through HTTP headers instead. That would allow users to easily opt in or out, either globally or per tab, without the clutter. Ideally, technical regulations like these should be designed by people with a strong understanding of technology, to ensure practical and user-friendly solutions.

> The GDPR is seen as one of Europe's most complex pieces of legislation by the technology sector

Really? Now I'm no bureaucrat, merely an engineer, but GDPR was relatively easy to read through, even the official document (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...) is only 88 pages long, this cannot realistically be "one of Europe's most complex pieces of legislation". A lot of privacy-conscious SME basically had to do nothing to be compliant, telling me it seems to hit the mark of being not too complicated.

Most of the cases I've heard people complaining about GDPR being "complicated" or "impossible to implement correctly" have been from people/organizations who are breaking GDPR, and have no way of reaching compliance without removing things they ultimately earn money from, which in my mind is the exact purpose of GDPR. Most orgs don't seem to be introspective enough to understand why they are having such a hard time with GDPR though.

I hope that their proposed "simplification package" doesn't actually remove what makes GDPR useful and good, but since they seem to be making a bunch of bad-faith arguments for this simplification, I'm not super optimistic.

Uh oh. I'm all for cutting the red tape, but (in my opinion) the GDPR is: 1) easy to comply with if you're not doing nasty stuff with people's data, 2) actually needed.

Any opposing views?

If the GDPR is simplified, the fines should be drastically raised. (At least for companies) E.g. to minimum 20% of the global last years revenue, for bigger companies (FAANG-Scale) to minimum 70% of the revenue. The GDPR must make companies afraid of breaking the law.