EU law is world law


Loot boxes are simple to implement (or most game developers wouldn’t do it), and therefore simple to de-implement. There’s nowhere near as much work involved as handling customer data.


Keep in mind, people are generally in favor of the law, and if a company announced that they would not apply the benefits of the EU to non-EU citizens, it would be a lot of bad press.

Also, Trumpists don’t care about the well being of internet companies.


They wouldn’t understand what the law is trying to address.


Incorrect. You need a DPO only under a short list of circumstances:

  • You’re a public authority.
  • You’re conducting regular, large scale and systematic monitoring of people.
  • You’re dealing with particularly sensitive data, like medical records, criminal convictions, or records on people’s ethnicity/religion/sexual orientation/political affiliation etc.


Maybe you’re mixing it up with the role of the designated EU representative? (Which does need to be in the EU, but does not need to be a human employee). Again, that’s something you only need under very specific circumstances.

Incorrect. The regulation even explicitly says that it’s OK for the DPO to have other tasks and duties, it doesn’t need to be a full time role. They just have to be qualified for it, and can’t have any conflicts of interest. And there is no reason why e.g. a developer would automatically have a conflict of interest.

Not sure what you mean by “this rule” here. If you mean your list of incorrect DPO claims, it’s indeed true that company size doesn’t matter for that. All that matters is the nature of the data / the data processing. That seems pretty reasonable; if you want to deal in health data, you can’t be sloppy about it just because you’re a 10 person company.

For some other aspects of the GDPR, companies with fewer than 250 employees are exempt. (Again with exemptions for companies dealing in particularly risky data).


I got that from this slide deck although I did misread the “large scale” requirement that you pointed out.

But it’s not clear to me what large scale really means. If I track data trends of my customers to make sure we are not causing features to not be used anymore after we do UI/UX changes, is the logging of that data large scale since it’s for every user that logs in? I don’t see a clear answer to that.

Other quotes that make it seem like a developer can’t be a valid DPO are

Cannot hold a position which leads DPO to determine purposes and means of data processing (case by case assessment)

From this site it says as well

a DPO should not also be a controller of processing activities (for example if she is head of Human resources)

And a data controller has a definition of

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

As a developer (especially at smaller companies) I am usually consulted not only on how to deal with the data we have on customers (so we can track metrics, user activity, find trends that cause people to bounce off the platform, etc…) but I’m also the implementor of said data tracking. Therefore I find it hard to see how I (or any of the developers at my company) would not fit that rule the way it’s written. It also can’t be any C level executive, so at my company that would leave our customer support staff, a sales person, or our college grad marketing hire, none of which are the least bit qualified.


Well, yes. But instead of loot box regulation use food regulations, do you want to eat bleached chicken cooked in sewer fat because that’s OK in US/Chinese markets and not EU?

All I’m saying here is games developers selling on the international market are subject to the same regional standards that food manufacturers selling to an international market are. You shouldn’t be beyond regulation and above the law because your product isn’t always physical.


US/Chinese producers could just not ship chicken to the EU any more. That’s not possible with Web sites unless you block traffic from a bunch of IPs.


The website can comply or switch to a more expensive geoblocking solution.

The chicken producer loses profit, the website loses profit, the consumers are protected. We have a culture of consumer interests over profit. This obviously clashes with US/Chinese cultural values where profit is king.


Part of the problem is that GDPR is still in the “Wait, what?” phase of implementation. Which should be okay, as long as you prove you’re moving in the right direction, assuming you’re not a Google or Facebook.


A couple of points:

One. This is par for the course. As an app developer, I’ve had to use a lawyer to deal with the US’s hopeless patent laws, for instance (or restrict my apps from the US market). If you’re dealing internationally, you have to deal with laws everywhere you do business. There are a ton of such laws - food safety laws, manufacturing laws, transportation laws, storage laws, ingredients laws, commercial operation laws, administrative laws, employment laws, etc., etc. In short, this is just one more law on top of every other law you need to deal with if you’re doing business internationally.

If you’ve been on the internet for any amount of time, you have almost certainly run into another national law which has become “world law” -> the DMCA. If you’ve produced any digital goods at all, you’ve definitely run into the DMCA in its ugly forms. So cry me a river.

Two. The reason companies are screaming (and have kicked off what can best be described as a GDPR hysteria, presumably in an effort to try and damage/weaken the law), is that this is a law that potentially has serious teeth. And the reason the law has these teeth is so as to ensure that big companies such as Google, Facebook, Apple etc cannot simply pay a fine and ignore it.

Three. This is not a particularly burdensome law (despite the panic). Everyone needs to consider what the law means for them, absolutely, but apart from that the impact is directly proportional to the size of the company and the amount and kind of data the company stores. The burden on a large company holding vast amounts of sensitive data -> huge. A small company holding small amounts of non-sensitive data? You (almost) don’t have to worry.

The GDPR is a law that regulates the internet and digital goods - a poorly regulated space - but it means that the EU has finally entered the information age. This is a good thing because - contrary to public opinion - the EU mostly creates laws that benefit consumers. The law itself (from what I’ve seen), is surprisingly well written and reasonable. And unlike almost every other law targeted at the internet (such as, e.g., the DMCA), this is a law whose intent is to protect every-man (i.e., you and me, as private persons), rather than to favor the rapacious exploitation of the internet by corporate entities. This is a very good thing.

The GDPR is only the latest battle in the fight between international government and supra-national information-age corporations, but as a person not named Page, Zuckerberg, etc., our interests should be firmly with the former.


A big part of the problem is that people mostly do not understand what the GDPR means. See for example, all of the companies sending out “Please subscribe to our spam mails, because otherwise we cannot spam you in future”, which are themselves (in most cases) a violation of the GDPR. Or they do, and are running scared because their business model is based upon violating it (which is why my sympathy for the companies who close “because of GDPR”, e.g., Klout, is pretty much nonexistent. Good riddance to bad rubbish).

Briefly put (not directed at DM), as a company, you can no longer:

  • Store all the data about EU citizens that you can get your hands on forever
  • Ignore requests for deletion, correction, or insight from EU users about their data that you collect
  • Pretend that private data you collect is yours, rather than that of the private person. Most importantly, you can no longer sell end-user data as if it was yours.
  • Fail to obtain the consent of the EU citizens whose data you collect and use without telling them
  • Ignore data security. You can no longer pretend that breaches did not happen

As a company you must:

  • Have data life-cycle management (aka - treat the data you collect responsibly, just like any other asset)
  • Have an understanding of what data you are collecting and which data are in the scope of the GDPR (again, something that you should already know, as a responsible company)
  • Disclose the data that you do collect and use in your privacy policy (also, disclose the companies that you have data processing agreements with)
  • Ensure that your systems are secure
  • Obtain consent from users if you store and use their private data, and have routines in place to handle them deciding to revoke that consent
  • Report security breaches that are above the reporting threshold


One of the interesting side effects of GDPR will be that, although the law is really a way to extract more money from large internet companies like Google and Facebook, those companies will benefit the most from the new legislation due to how complicated the regulations are.

You’re already seeing some companies just deciding to block EU based business rather than comply, and some of the requirements are going to make it hard for smaller startups to gain much of a foothold in the first place without huge infrastructure investments.


What’s great about the law is that the companies that have stopped operating in the EU (I think there is an unsubscribe service that started refusing EU citizens) should probably be on the short list of companies and products you don’t want to use.

As mentioned earlier, the penalties are severe, but the actual requirements seem reasonable. So if a company can’t comply with the law, it’s probably because they pay their bills by taking as much of your personal data as possible.

As always, if you don’t know how a company is making money off the product, then chances are, you are the product.


I don’t disagree - but you described pretty much all the free services that you can get on-line.

The law pretty much guarantees that no new services will rise up in the EU to fight against any established free on-line service provider. Not a bad thing per se, but a side effect of the law.


Thank you for bringing up the DMCA point. I really like that the EU is willing to push consumer protections because, as noted, the US law is surprisingly lopsided in corporations’ favor, and often to the detriment of the interests of the people.

I don’t know enough about the specifics and implementation to know if this is the right step, the right law, but absolutely agree with the aim of protecting individuals. Which, if nothing else, makes me extremely sceptical of those raising a stink.


FYI, this is the coming thing in the U.S. Last year the New York Department of Financial Services, which regulates all banks and insurance companies that do business in New York state, which means all the big ones, put out its own cybersecurity rule. So you have all the banks and insurance companies moving to comply with that. And it will only spread.


So, perfect example of the scare-mongering and hysteria surrounding the GDPR.

The law is not an attempt to extract more money from large internet companies - although the latter like to misrepresent it that way. That is simply not how the EU works, and the entire history of the EU is the proof of that. This is a consumer protection law. Consumer protection has always been a central part of developing the EU internal market, to the point where it is enshrined in the EU treaty itself and is specifically called out in the Charter of fundamental rights for the European Union. Article 38, if you’re curious.

As already mentioned, the punitive damages are there to ensure that Google, Facebook, et al., don’t just shrug, pay a fine, and continue their unethical practices - like they did with the EU’s previous attempt to legislate this area. And the reaction to the GDPR shows that this approach worked.

Not even sure how to respond to that nonsense about competition becoming impossible, other than to say that it bears no relation to reality.

Firstly, it is already almost impossible to start up new “free” internet services, simply because of the economics of scale. I have friends who work in startups and/or have created startups themselves. It’s crazy. They’re crazy people (and I mean that in a positive way).

Secondly, if the new business idea is built on data privacy violations, I couldn’t really care less that it will now be even more impossible. Good riddance, as far as I am concerned.

Thirdly, old companies built on data-collection practices are in massive trouble now (especially if they’ve closed their eyes and ears to this for the past two years). Most companies have crap data collection and handling routines, which is why some companies are (rightfully) worried about the costs involved and have been whining about this for a while now. If you’re a new company, you build your company from the start based on sane and reasonable privacy handling principles. Contrary to your expectations, this is pretty much 100% guaranteed to be both cheaper and more effective than the old companies having to deal with the security holes and workarounds in legacy software caused by carelessness or malicious intent (now illegal).

If anything, the advantage of existing “free service” companies is reduced, because they are now less able to exploit our personal information for their various profit making schemes. Of course, they still have the benefits of scale - and their massive corps of lawyers to fight the EU with - but this is no different from how it was before the GDPR.

P.S. I work as an IT architect specialized in data storage and handling in the EU; have done so for 15+ years (longer, if you add my academic career). Analyzing and implementing how to deal with this stuff is literally my bread and butter.


I’m in the industry too and have spent the past few quarters working with companies figuring out how to get compliant - I stand by my comments.

I’m willing to retract my comments if/when EU based companies get fined by GDPR law but from the conversations I’ve had around the industry companies like Criteo (based in France) are pretty confident that EU will focus their enforcement abroad and not locally.


Of course they’ll be focusing abroad. If you work with data in any seriously-sized, law-abiding company based in the EU, nothing in the GDPR is particularly new. Many of the things in the GDPR were introduced more than ten years ago and have been part of extensive legal battles for the past decade (e.g., the right to be forgotten which has caused numerous policy changes in Facebook and Google). The only thing “new” here is that the new directive has serious teeth, where before big companies would routinely ignore it - and that it is now (finally) codified in a reasonable and (relatively) understandable targeted directive.

And if you work with the GDPR, then I have even less of an understanding for your claim that the law will make it harder for startups.


You’re right that previous EU laws have been stricter than the US but I think you are being very idealistic in asserting that EU technical data compliance is all that much better.

In my experience the exposure is comparable and the main thing that differs is how strictly they are complying based on how they evaluate their risk of fines.