
My question is, if you're a US startup, and you simply ignore GDPR requests, what happens?

Does Europe have some way to require its ISPs to firewall you off or blackhole your DNS? Can they force Amazon to shut off your AWS account? Do your executives risk being taken away in handcuffs to a European jail when they go to Europe on vacation?

If there are no consequences, why don't US tech companies just completely ignore it? (Of course, big players like Google probably have EU-based datacenters and other assets that could be seized to pay their fines. I'm thinking of small, cloud-hosted startups whose employees, bank accounts and physical assets are all on US soil.)



> If there are no consequences, why don't US tech companies just completely ignore it?

Once you grow big enough the EU will inevitably have leverage over you: Servers rented in the EU to lower latency, payment streams from EU customers, offices in the EU to get talent, subsidiaries created for tax reasons, executives on vacation, employees on conferences, money spent on advertising, etc.

If you are a startup in SV the EU might not have much direct pressure it can apply, but how would an investor react when given the choice of "we could spend some more money now, or we could do nothing and be significantly limited once we grow to a certain size, basically unable to do anything significant in one of the largest economies of the world".


> how would an investor react when given the choice of "we could spend some more money now, or we could do nothing and be significantly limited once we grow to a certain size, basically unable to do anything significant in one of the largest economies of the world"

The simplest solution would be ignore GDPR, dominate the American market (which is easier to scale across than the EU), and then use that momentum to launch a simplified version in Europe. (Or buy a competitor.) The scale advantage will almost always outweigh being prepared for multi-market growth from the beginning.


Which gives ample room for a European competitor that does adhere to GDPR to clean up the EU market. We live in a very globalised world and the EU knows the leverage it has -- just as the US knows its soft power extends well beyond her borders.


> Which gives ample room for a European competitor that does adhere to GDPR to clean up the EU market

Agreed. My point was with respect to an American start-up—compliance with GDPR is of lower priority than scaling. The priority, for both, should be scaling.

Advantage goes to the American start-up, however, in launching from a single market. But one might counter-argue that consumers in e.g. China will prefer to do business with European start-ups over American ones due to GDPR. (No evidence for that. But it’s a valid hypothesis.)


Not to mention that avoiding GDPR, laws that shouldn't need to have been written in the first place, is like walking around with a big sign 'we are evil and not to be trusted'. Because if you are to be trusted, a simple cursory check would simply affirm you are already within the GDPR.

We work in the b2b in the financial sector and part of our contracts in Europe is that all of the data is hosted in infrastructure that complies with the GDPR. That could be Google or Amazon, but not Slack or any SV startup.


Or they'll block payment processors from transferring money from EU customers to you

It's hard to imagine what a startup would be doing that makes them interesting enough for the EU to notice and want to levy fines, yet be completely out of reach.


You could probably get tangled if you accept money from EU citizens. If you don't take money from them (or use cryptocurrency), the EU can't really do anything.


If you're only moving packets, you generally have nothing to fear until the EU develops into an empire, at which point there's a good chance that they will have a mandatory firewall mechanism (some members already do impose firewall rules on ISPs through the courts, AFAIK).

If you have no business in the EU, generally the worst they'll do is censor your website.


If you are a US-based startup and don’t sell to EU customers, then I guess it doesn’t really matter if you attempt to comply.

However, most US SaaS-type startups very much want access to EU markets. Ignoring GDPR won’t matter until it does, and then when it does, it will matter very much. For example, you grow and want to establish a presence in the EU, investors with EU ties may be hesitant to get involved, a potential acquisition is ruined because the buyer has an EU presence and isn’t willing to take on the historical liability.

Yes, there’s a lot in GDPR. If you’re a startup that is making money by selling user data, the cost of compliance will be quite high. But if you are selling an actual product or service that generates revenue by collecting fees from your users, compliance is probably not as hard as you think. And building your startup with user data protection in mind, you’ll find it can be something you use as a selling point.

With more than a year of history, it’s not hard to find easy-to-digest articles that put GDPR in terms that an average person can understand. Integrate those principles and processes into your business, document what you’re doing, and then stick to it. Even without a huge compliance budget - if you do that and nothing else - you’ll be in a much better position than to just ignore it, even if you don’t fear punishment.


No B2C tech company can avoid doing business involving EU member state or UK citizens. You have to assume you’re in-scope unless you have zero contacts with Europe.


I thought it was EU/UK residents, rather than citizens. Even if all of your users are US citizens, some US citizens reside in Europe.


Neither residence nor citizenship are tests for GDPR’s territorial application.

It applies to any data collected in the Union: https://gdpr-info.eu/art-3-gdpr/


> Does Europe have some way to require its ISPs to firewall you off or blackhole your DNS?

Not in a systematic EU-wide way. Courts sometimes force individual ISPs to blackhole websites used for copyright infringement.

I guess if your company ignores the GDPR, it's treated as an illegal organization. So you may still be able to provide your service in the EU, but people cannot legally pay you, including paying you for ads.


GDPR enforcement is through the corresponding data protection offices of the different countries and fines issued by them (now if you don't pay the fines and completely ignore the offices, that might be an issue that's escalated).

Some people are making it sound like the EU Cyber police is going to hack your services or parachute and kick their way into your office in SV because a user in Slovenia didn't get their data portability request on time, which is not what is going to happen.


GDPR set the terms of the debate as model regulation, and is inspiring similar legislation elsewhere. California's CCPA is largely similar to GDPR. Tech companies are lobbying in committee to neuter it, but it's not a foregone conclusion. Thus as a startup you should incorporate it in your architecture and roadmap, even if you do not execute on it right away.

Also your US clients may be subject to GDPR and pass it on to you transitively as they are required to do for subcontractors or IT services vendors.


If a US company wants to do business with another company (partnership, approved vendor, platform marketplace, or even having them as a B2B customer) that other company may require them to be GDPR compliant.



