I thought that’s what everyone thought back then. At least all my friends were like, the lawyers will have a good time and be the only ones benefiting from this.
That's a pretty default thing that most educated people know though. Regulation and bureaucracy usually benefit the established behemoths with enough lawyers, while gray zones, sluggish laws or easy processes benefit new players or small ones without all the legal armor.
No wonder that Facebook is lobbying for getting regulated and Microsoft proposed regulating some computer vision uses (faces) etc. Some people of course eat it up and think it's because they are just mature now and understand their responsibility and want to benefit the public etc. In reality it's because they have armies of lawyers who can follow all the legal minutiae, have the internal processes for compliance and documentation, audits etc. Which allow them to do whatever they did before (obviously they lobby for laws that allow their use cases) but make it difficult for others to enter. It's the "kicking the ladder" idea.
Most of my Euro friends didn't think this. There's a huge difference in approach to regulation between the EU and the US.
I would guess that this article is written from a US viewpoint - the "isn't it strange how everyone is approaching enforcement of this differently?" attitude isn't even remotely strange to a European.
As lots of people pointed out at the time, GDPR in Europe isn't that groundbreaking - almost all EU countries had/have data privacy laws that approach the GDPR (not least because the GDPR itself is a continuation of EU regulation in this area). It came as a shock to US companies because of the sudden "well, none of you paid any attention when we didn't give this regulation teeth, so here's the fangs" enforcement change.
And yeah, I'd love to take part in retrospective reviews of old news to work out who was right :)
A person commented and asked me about suggestions, but deleted his comment before I could answer so here it is anyways:
Super quickly (I'm sure you have heard of, or can quickly use a search engine to find the commonly listed issues):
Damages: damages need to be scaled according to the company size, severity and amount. GDPR was created to punish Big Players, but the wording that would have fit them is equally (and should be, laws should be equal) applied to small companies resulting in an impedance mismatch. Frankly, the damages are too small for the Big Players, but insane to the small ones. GDPR also does not apply to the state, but holy shit it fucking should!
Enforcement: it needs to be equally enforced and you need to be able to sue by yourself over it instead of just limiting it to a state organisation.
Data: it should be data that is directly tied to you, ie leave the normal web logs etc out of it. PII is just a sham as it's defined today. A factor of usage also needs to play into it, ie normal web server IP logs that are separate and don't feed into a user specific connection into a database should not be a consideration.
Access: access _needs_ to be able to be done online if the data is collected or transferred online. Ie no this "you need to physically mail us a certified mail with your id" shit. GDPR is a fucking failure in this aspect. Also no required strong authentication: access should be just directly through your account you can access normally without strong authentication.
Usage: GDPR does not allow you to trade tracking for access (ie monetisation of content is almost impossible if you care about user privacy): this is insane. GDPR also supposedly does not allow for those complicated "accept all or modify your preferences" windows, but it should have no say in that: if a site wants to make the experience painful, that's up to them. It is up to the user to select if they want to use that site or not.