The GDPR isn't actually as bad as people claim. The law is actually pretty reasonable. It is the result of years of discussion and deliberation. In fact, privacy watchdogs are complaining that it doesn't go far enough - it leaves plenty of holes.
Most of the GDPR is about informed consent, having a valid reason for processing personal data and individual rights.
Facebook will do just fine, they had years to prepare and an army of lawyers. It will force them to be more transparent, which is a good thing.
Many EU member states like Germany already had very similar laws in place (like the BDSG), the GDPR unifies and standardizes them.
How is the law reasonable? It's not even clear what is allowed under it and what isn't. The EU refuses to clarify anything, the only time any decision will be made is by courts, if there's an actual dispute in progress.
The rules are so vague that any firm could be argued to be in violation. And the EU acts as judge, jury and executioner. It looks like a way to tax the SV tech firms without needing a treaty change. After all there's no practical difference between a tax and a law that everyone is guaranteed to always be in violation of that has huge fines attached. The money all goes straight into EU central coffers.
> How is the law reasonable? It's not even clear what is allowed under it and what isn't. The EU refuses to clarify anything, the only time any decision will be made is by courts, if there's an actual dispute in progress.
How is that different from a US law like HIPAA? The structures of the law seem largely the same, in that they give you guidelines to follow, but provide no clarity about what specifically is required by it and what isn't.
Understanding HIPAA has largely come from companies doing their best to comply with their understanding, and clarifications tend to come from courts when there's an actual dispute in progress.
Then, the US (through its various district courts, circuit courts, the Supreme Court, and regulatory bodies) acts as the "judge, jury, and executioner".
HIPAA and other mega-regulations like them have the same problems. And they do cause people to just give up rather than deal with the risk. I've listened in on various conversations around health products over the years. HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.
But this specific thread is about EU social network privacy fines, not US healthcare privacy fines.
The US courts aren't quite the same. They're a lot more independent. The ECJ has a history of surprising things, like hearing cases where one of the appellants wasn't aware he was involved in a court case at all and both sides turned out to be the same law firm, or simply voiding parts of the treaties they found to be inconvenient to the EU, or inventing new 'rights' on the fly (legislating from the bench). Like the right to be forgotten, which was invented by the judges in response to a lawsuit and required massive responses similar to the creation of entirely new regulations.
The Supreme Court is generally much better about following the Constitution, not inventing new laws on the fly and ensuring the cases before them are actually legitimate.
> I've listened in on various conversations around health products over the years. HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.
As someone who worked extensively on HIPAA covered data and systems, there are only three options here.
Option 1) Mandate no data protection. This is how you end up with hidden security dumpster fires like Equifax, when public companies are involved (cost of security vs profit).
Option 2) Strictly mandate how companies must behave to be compliant. Example: DoD (I believe?). Legal requirements always lag technical best practices.
Option 3) Generally mandate what compliance results in. Example: HIPAA. Results in lack of clarity and legal challenges.
Of these options, I'll take (3) every time.
If a startup isn't willing to make a best effort to comply (which is specifically worded into HIPAA and substantially reduces penalties), then I'd rather they not be able to touch my health data anyway...
HIPAA (and PCI compliance) has done little to prevent 1) in practice, especially when balanced against the huge costs it has on industry and the 'hidden' cost of crippled innovation.
You can't measure the true cost of hundreds of thousands of projects and startups that were never realized because HIPAA scared them away...and this is stuff that would have saved billions in healthcare costs, improved the public's health, and supported research/processes that could save lives.
Saying it's only a dynamic between "profit vs security" completely downplays the utility of technical progress in health care. This isn't just about quarterly profits of large mega-corporations.
As someone who started off working in the health space I can assure you I personally gave up on multiple potential projects because of HIPAA. And know of countless others who have to in spaces that seem "crazy" no one has yet built software for.
And I say this as a complete paranoid hawk on information security and privacy rights...
I hear you that it makes things more difficult, but I think it's hard to overstate how terrible & uninterested conservative revenue stream businesses (e.g. insurance, utilities) are at keeping up with IT trends.
Based on what I saw in a couple of the top 5 largest insurance companies, these are IT departments that would be storing personal data in databases open to every employee of the organization, were there not a law discouraging them doing so.
Why?
Because IT isn't their business. That perspective is changing (gradually), but the resistance to anything aside from business as usual is staggering.
Sure, but the other side of the equation is an unknowable number of thousands of lost lives and billions of dollars, because of medical advances that were never made.
There are other important values than privacy in the world!
As a consumer, my view is: if a potential idea is abandoned out of fear of HIPAA then HIPAA is working and I am thankful that that idea went nowhere. Soon, s/HIPAA/GDPR
This. I am not a HIPAA expert or anything, but if a company is not making an effort to protect the data, they don't deserve to make money off of products touching that data.
> HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.
Good? This sounds like the law is doing what it's supposed to be doing - it's not enough to simply be smart, you have to also be sufficiently willing to pay attention to detail such that you don't accidentally design your systems in a way that leaks personal data. If you find this burdensome, maybe the world is better off if someone else develops it instead. (There are enough newly launched healthcare startups - Clover Health, Oscar, and One Medical all come to mind without even thinking - that I don't think that it's completely stifling innovation, which would be a different story.)
As a person who is much better at being smart than at being reliable and careful, I am totally okay being regulated out of this space - I don't trust myself not to just forget about something. I worry consciously about edge cases in my code because I know I won't worry about them subconsciously. If I want to go into this space, I imagine that I can just hire someone who's good at the regulatory part and willing to focus on getting that stuff right.
I don't understand this idea that smart people should be entitled to develop and market products in whatever way they want, simply because they're smart. I'm sure the Therac-25 programmers were very smart.
I've worked in the healthcare space. HIPAA doesn't scare enough people/companies away. Not by a long shot.
Sensitive personal medical info was routinely sent, by major companies, over insecure FTP or even plaintext email, on a regular basis.
Anyone who has ever had medical benefits at any point in their lives most likely has their benefit information, along with socials and more, sitting unencrypted in databases of a plethora of small companies/medical/insurance providers whose only concern for security is a mandatory HIPAA CYA compliance lecture for their every couple of years. The rest of the time they go about sending socials and pmi through plain text email or just leave shit on their desks for anyone to pick up.
The firms that HIPAA scares away aren't necessarily going to be the ones that have the most dubious security practices. They're going to be the ones that have a choice between business models that involve healthcare and ones that don't, and the ones that don't think they'd make enough money to justify the exposure.
Legislating from the bench is not a bad thing, to the extent it doesn't contradict a fully valid statute. Indeed, most law in the US is judicially created, and always has been, dating back to the English common law system from which we inherited ours.
American courts continue to create common law today. This happens less at the federal level only because the scope of federal common law is narrower.
I too have concerns over the breadth of the EU right to be forgotten, but not over the concept that a court could combine premises with a process of reasoning to arrive at such a conclusion.
The Supreme Court's focus on ensuring that the cases before it are actually legitimate is primarily for three reasons: keeping their workload manageable, deferring controversial decisions they don't actually need to make, and complying with the Case or Controversy Clause in the federal Constitution.
Notably, the Case or Controversy Clause does not bind the state courts. Whether they are willing to issue advisory opinions or perform other duties is a matter of state law.
If GDPR analogously has a chilling effect, reducing the proliferation of "social" products, I'd consider that a positive outcome. I don't really buy that any of these are "making the world a better place" as Zuck loves to say, though you might have a better case with the health products.
1) Despite the GDPR being a regulation, the national courts will decide first and only if appealed enough times, the ECJ will decide as highest court
2) The EU judiciary is based on the civil law system. In the US or UK or other common law countries, you have much more "legislating from the bench". In fact, most US laws are created by the judiciary.
>The rules are so vague that any firm could be argued to be in violation.
I think that's a good thing. So the law has to be interpreted by precedence set by the courts.
If the text is too specific you could have the opposite effect of companies weaseling through.
It is not a tax. It's pretty clear that the EU expects companies to treat private user data with respect. If your company cannot operate without exploiting this info, then maybe the world is better off without it anyway.
> I think that's a good thing. So the law has to be interpreted by precedence set by the courts.
Most EU countries follow civil law, and precedence has a much more limited role than in common law countries. So it actually matters that the statutes be written clearly.
Why have any law at all, by your logic? Just have a single law that says "Whatever we decide, is final" and make up all rulings and fines on the fly. No 'weaselling' is possible then. Only problem is, it's totalitarian. Nobody knows what is or is not allowed, there is no such thing as justice.
Law is meant to be precise. If it's not, then ignorance of the law does become an excuse and law loses its moral authority.
Unfortunately the EU does seem rather keen on laws so vague that they're impossible to understand - it's rule by law, not rule of law.
Somewhat ironically, as it's the--presumably soon without the UK--EU we're talking about, but you're basically objecting to a Common Law system. Admittedly, in modern times, there's a lot less practical distinction between civil and common law jurisdictions than there once was, but nonetheless common law is "the part of English law that is derived from custom and judicial precedent rather than statutes."
As mentioned in another reply, the actual laws will have to be implemented by the member states anyway. So the text for each country can vary and can be more specific.
As for your strawman that I somehow argued to abandon all law: I won't deal with that.
No, they actually won't. The Data Protection Directive needed to be implemented by national legislators into national law, but the GDPR is a regulation which means it is directly binding law.
Only a few technical, minor points need to be spelled out in national regulations or laws.
Each country (or state, in the case of Germany I believe) will have their own privacy commissioner with substantial leeway. Now technically these differences won't be implemented as laws, but there will be substantial differences between eg the French and the UK privacy regulators.
The GDPR also allows for individual states to strengthen its provisions, eg for genetic data.
That’s true only if you regard the EU as a single entity. Laws made via the EU will be turned into national law, and independent judges will judge all cases, up to the EU high court. By the same right you could call the US judge, jury and executioner on all laws and rules made and enforced by the US government (FACTA anyone?)
No. That's not how the EU works. That's how a national government would work but not the EU.
The GDPR is not a directive so it does not have to be translated into national law. It is directly binding and applies immediately everywhere.
Fines have to be paid up front, before appeals are exhausted. Appeals can of course take years.
The EU courts have judges appointed by the same people who control the rest of the EU, and are ideologically aligned as such. They have a long history of legislating from the bench and making shocking and nonsensical decisions: consider the case where they simply voided the UK's opt out of new human rights related legislation, despite a very clear paragraph in the treaties saying they did not apply to the UK. The court simply decided it didn't like that bit of the treaty and so it did not apply. I do not regard the ECJ as a robust court. It will rule in whatever way is most favourable to the European project.
No, the enforcement is through the national "supervisory authorities" such as the ICO. Most of the enforcement process is through national courts and the ECJ is only for the final layer of appeal. This very article says "German Court rules ..."
> voided the UK's opt out of new human rights related legislation, despite a very clear paragraph in the treaties saying they did not apply to the UK.
[citation needed]; did you read this in the UK press?
In the section "Wasn’t the UK supposed to get an opt-out from EU human rights laws?"
The summary is, when the Treaty of Lisbon awarded the EU new human rights powers the UK and Poland negotiated an opt out which was written in the treaty. It was a part of convincing the UK government to accept the new treaty without granting a referendum on it, as they had previously promised.
The opt out is very clear, really as clear as lawyers can make such things. It says:
The charter does not extend the ability of the CJEU, or any court or tribunal of… the United Kingdom, to find that the laws, regulations or administrative provisions, practices or action of… the United Kingdom are inconsistent with the fundamental rights, freedoms and principles that it reaffirms
and
In particular, and for the avoidance of doubt, nothing in Title IV of the Charter creates justiciable rights applicable to Poland or the United Kingdom except in so far as Poland or the United Kingdom has provided for such rights in its national law
In other words, this part of the treaty does not allow the courts to overturn UK laws. Stated twice, for clarity.
A few years later the ECJ decided that the opt out was meaningless and voided it, under a new interpretation that they claimed meant they'd actually always had these powers, and therefore the treaty did not "extend" them, and so the opt out didn't "work" despite its apparently clear wording. They then began overturning UK laws.
It's unclear why the treaty had anything new in it at all if the courts had always had these powers of course, but this is how things go in the EU - no matter how plainly something seems to be written, no matter how clear the assurances seem to be at the time, the moment it becomes politically inconvenient to the project the rules are tossed out under bizarre and kafkaesque re-interpretations.
Same thing happened to Ireland with corporation tax. They were promised the EU wouldn't interfere with their tax policies. Then the EU decided low taxes were "state aid" and awarded itself the power to control Irish tax policy. Nobody had previously interpreted the state aid clauses that way.
It's a decision that makes perfect sense if you read the preamble to the Charter (my emphasis):
> This Charter reaffirms [...] the rights as they result, in particular, from [various pre-existing sources].
The opt-out specifies that the Charter does not _extend_ the ability of the courts, but does not limit the powers that the ECJ already had prior to the implementation of the Charter. Even if the UK had a cast-iron opt-out (e.g. "The Charter, in its entirety, is not applicable to the UK, no rights are granted under it to UK citizens, and no court may refer to it in reaching a decision affecting the UK"), more or less the same results would likely be reached.
Also note Article 51(2): "The Charter does not extend the field of application of Union law beyond the powers of the Union or establish any new power or task for the Union, or modify powers and tasks as defined in the Treaties.". This is broadly similar to the UK/Polish opt-out, further suggesting that the Charter did not grant powers that the UK had not otherwise agreed to.
> In other words, this part of the treaty does not allow the courts to overturn UK laws. Stated twice, for clarity.
It does not grant them _new_ abilities to do so, and the second statement only refers to a subset of the rights considered under the Charter.
> They were promised the EU wouldn't interfere with their tax policies
EU promised not to meddle as long as preferential treatment wasn't given. As in if Ireland gave the exact same tax deal to every company in Ireland then it would have been fine.
(the no preferential treatment in taxation bit is part of getting access to the single market)
The raison d'être of the EU is to unite, so I expect eventually all opt-outs to end or to become meaningless. Countries joining the project should have that in mind, and I think they all have and had, even if they're not talking too much about it.
>consider the case where they simply voided the UK's opt out of new human rights related legislation
Erm...you are aware that this case has nothing to do with the ECJ, but with the ECHR, which isn't even an institution of the EU, but of the Council of Europe*, which is an entity completely separate from (and older than) the EU.
* not to be confused with the European Council or the Council of the European Union. Yeah, it's a bit silly.
I think that this source suggests that this idea may have been a mis-representation by Michael Gove [0] during the course of a referendum (I was interested, as I wasn't aware of any such decision).
Then again, all's fair in love, war and referendums :)
Now, now, you make it sound like a single human actually endorses those three roles. Any state (or group of states) is judge, jury, and executioner. It also writes and dictates laws…
The real world is very complicated. As time goes on, there will be lots of court cases which set a precedent.
Even though I dislike em, I think the laws surrounding fair use and copyright are another example. Due to its nature, it's incredibly difficult to provide exhaustive guidelines.
As long as these large enterprises engage in a good faith attempt at complying with the law they shouldn't end up receiving huge fines.
> The GDPR isn't actually as bad as people claim. The law is actually pretty reasonable. It is the result of years of discussion and deliberation. In fact, privacy watchdogs are complaining that it doesn't go far enough - it leaves plenty of holes.
I'm feeling a huge cultural gap in the discussions in this thread.
Americans seem to have a different tolerance for privacy abuse and draw the line elsewhere.
And I suppose that's okay, live and let live etc. However, so far it's really been mainly US tech companies pushing their views on privacy (read: less of it) in the EU market (kind of poisoning the field for EU companies as well, because obviously you can make more profit that way).
I don't see the (EU) public making a huge fuss about EU businesses taken to court over privacy violations (which happens), because we see it as justice as usual.
Now that the EU(/Germany) pushes back against a huge US corporation (ok multinational, technically), it's considered really harsh, from a US point of view. Some arguments going even as far as attacking our legal system (which is a bit much, coming from the US, IMHO. Americans themselves flat out admit justice is a matter of financial resources and consider that justice as usual). Apparently we have different values.
Personally, I agree it doesn't go far enough even though I'm very happy with the German ruling and hope other countries will follow suit.
GDPR is reasonable. How Facebook handles user data is not.
I'm sure, they'll mostly ignore the law at first, and if they get sued, they'll claim having a legitimate interest [1], but that will be their strategy, because actually complying with the law voluntarily would likely cost them more.
And yes, especially Germany already had a very similar law in place, but Facebook did not actually need to keep to it most of the time, because they were operating from Ireland. GDPR does not care where you're operating from. The fines would have also not been much more than operational costs for Facebook (the highest fine placed in Germany for privacy violations so far is at 300,000€).
Ignoring the court order of which they were duly informed and which contains time to comply is a felony. Including a huge fine in this case, which will likely be calculated per German user. Think something closer to 30 M€.
With "ignore the law", I meant not (fully) implementing the requirements that the GDPR imposes. If a judge actually rules that they did not properly implement the GDPR requirements, then yeah, they will correct that.
But until someone sues them and that court case concludes, there's going to be a lot of time, in which they can probably make enough money by not properly implementing the GDPR requirements to easily recover however high that fine is in the end.
If somebody says "X has money and an army of lawyers" the implication is they are going to beat the case, Microsoft didn't, they were slapped with the largest fine ever at the time ($794 million USD). They are fine despite the inability of lawyers and prep time to deliver victory, not because of it. No guarantees FB will fare better (or worse).
They're not going to withdraw. Best-case scenario, they stay in the EU but stop abusing users' data there so much, but still make a profit. Worst-case scenario, they're able to weasel their way out of having to change anything.
The problem with the GDPR isn't that it is too far-reaching. The problem is that it isn't clear what companies have to do to comply with the new regulation.
Large companies will simply pay their lawyers to deal with this. Small companies basically will have to do their best and hope they don't get sued.
As I wrote already in another comment: all these regulations will end up doing is strengthen the market position of the established players and cripple any competition from new incumbents :(
It’s the end of an era...not too long ago anyone could compete with the big players...soon nobody will
given the feedback loop of social networks there wasn't much of a reason for viable competitors to emerge in the first place.
The lack of competitors here is structural, not everything is an issue of 'we must remove the red tape!' That would do nothing because nobody is voluntarily going to switch away from an established social network monopolist. It's a nash equilibrium of sorts.
Myspace was pretty much dead the moment facebook arrived. It's true that companies like Facebook can be replaced, but they almost never coexist or directly compete. Chat services usually split geographically. Wechat in China, Whatsapp outside of the US, snapchat in the US.
Anecdotally I know very few people who simultaneously use multiple messenger apps or switch around a lot. (For the reason outlined in the post before, you lose your network).
> Facebook will do just fine, they had years to prepare and an army of lawyers.
They won't do fine. Don't want to go into details but their actual products/required architectures for their products just can't be GDPR compliant. And they didn't prepare anything. You confuse them with Google--they prepared GDPR but FB?
Btw, one of GDPR's key motivation was to take FB down.
A grandiose claim offering nothing better than "don't want to go into details" counts as unsubstantive and flamebait, two qualities that are deprecated here. In the future, could you please either make a comment like this substantive, or just not post?
Dang, no need to get aggressive. I was on mobile and had not the time to explain why all products around Facebook—which need to collect users' behavioural data to target ads etc.—can't ever get compliant with the strict GDPR. I guess you are not informed about GDPR. If you were, my prior message with a "don't want to go into details" would have been super clear.
So, this is a misunderstanding and again your aggressive tone is for somebody who is representing YC just sad.
Besides, thanks that you gave my profile more gravity when posting comments. Now my comments drop so quickly (first seconds after posting) and people with 0 karma move above me.
Without a citation, I doubt this claim and wonder if you have any personal investment in or relation to Facebook or a similar company whose profit is generated by selling or buying personal data.
No, but I have to comply with the GDPR. The first thing to understand about the GDPR is much of it is quite vague, and is essentially a framework for rule making for 30+ privacy regulators. See eg legitimate interests where you are supposed to conduct a balancing test between competing interests with very limited guidance on what a reasonable balancing test is. Second, these lazy morons haven't issued final guidance approximately three months out from the deadline. Now, there is some guidance, but there's no hard cap on the distance between working and final guidance. How they expect companies to comply with that is obvious: they don't, and will use the opportunity to fine them. The ICO has been quite explicit about this; I don't have quotes on this laptop but one of their senior staff basically said that grace periods are not part of their regulatory strategy. Grace periods are apparently only for the regulators. And that's the ICO, one of the more reasonable regulators! The French regulators, who aren't particularly reasonable, are no doubt anticipating the influx of cash.
So if you're a company that is relying on some mix of legitimate interests and consent to service your customers, market, and perform outbound, it's very difficult to understand what the rules are. And this is worse if you are an American company and therefore probably don't have a lead regulator and will have to attempt to comply with the (almost certainly) conflicting rules as decided upon by every privacy regulator instead of just one.
Much of the GDPR is quite reasonable (besides the DPOs, ie employment program for EU lawyers) -- privacy dashboards, the ability to delete data, SARs, etc. But it's wildly unreasonable to not have final regulations in place.
> Btw, one of GDPR's key motivation was to take FB down.
this all seems very similar to the new VAT scheme, in that it was designed to target a foreign giant (Amazon), which was barely affected as a result, and instead ended up hurting the competitiveness of the EU's own small businesses
the EU Commission's response to small business concerns about that new VAT scheme? "we'll allocate some time to talk about that in 5 years"
That's not entirely true - MOSS actually works quite well, and preparing a sales report grouped by country should be trivial no matter what infrastructure you're using.
No matter what infrastructure you're using? You won't believe how many payment systems out there are not very MOSS friendly. If you are a developer and cannot use VAT MOSS logic as e.g. plugin you basically have to get IP country code, add country VAT tax and adjust the payment plan. Yeah... all really really trivial if the payment system is not used to dynamic pricing on different country of customers! I hope you see the irony. This is all very unpleasant for small businesses!
Do you have to actually change the retail price? The way we do it is to keep the price constant for the customer. If their country has a lower VAT rate, they have to pay more. I'm not sure most even know/care how much VAT they pay, but they do care about the total price - and this doesn't change no matter if you change IP/user VPN etc. It also removes any incentives to cheat.
Good comment. Actually this is what I'm doing... move the logic to the book keeping side and deal with less income e.g. in Hungary with 27% VAT. Nevertheless why do I have to do all this hassle when somebody who sells e.g. a hardcover (vs. ebook) does not need to do this when selling cross border and they need to start thinking in this direction once they cross over 50 - 100,000 € in one country. Because I'm selling digital goods it is much harder on my side.
This is all stupid if you sell a really small amount of digital goods online. It all starts with 1€ (and less) on an ebook and in comparison: On normal goods there is a threshold of roughly ~100,000€ depending on country sales.
Well, it's not that - before that law was introduced, you could simply ignore the country, since it's about digital downloads. If all you cared for was getting a payment, it was not unusual to have the transaction list in the forms of e-mails. Now you need much more information.
A customer is entitled to an invoice and a full invoice requires an address. Most businesses that offer digital goods and services should have had that even before. All the people I know that were affected by the VAT changes certainly had all customer addresses.
This is wrong. You are not forced to give your whole address always to buy something, especially on digital goods. In fact e.g. giving only your payment information like your debit/visa card is actually enough for buying stuff legally online as a normal customer in EU (b2c).
previously when I had a new idea that I might be able to turn into a business I could form a limited liability company for about £10, try the idea out with essentially no paperwork at all
then if the idea panned out I could worry about the huge-pain-in-the-ass-that-is-VAT later
now with this regulation it's a problem once I've made my first sale to a non-domestic EU customer, and my agility goes through the floor
EU countries have gone from being fantastic places to start a digital services micro-company to being at best mediocre ones, all to try to stop Amazon avoiding VAT
utter madness: small companies started as side projects turn into the big ones, but apparently we no longer want that
> EU countries have gone from being fantastic places to start a digital services micro-company to being at best mediocre ones, all to try to stop Amazon avoiding VAT
Well, so how do we deal with Amazon avoiding VAT and still being fair to all players on the market, big and small?
the paperwork is a minor bureaucratic annoyance, it's not a significant problem
the significant problem is now the fact that I have to register for VAT domestically if I want to sell to people in other EU countries
before if my turnover was below ~£70,000 I paid no VAT at all due to the exemption (giving me a competitive edge vs. big companies with better economies of scale)
after the new regulations if I make any EU sales I have to either fill in VAT returns for each EU member state I've sold to (not feasible, that would be hundreds of VAT returns/year in many languages), or register for domestic VAT which will handle that for me, but kills my business model
the EU Commission doesn't see this as a significant problem, likely as it is a beneficiary of VAT (the VAT being an EU mandated tax)
That's not the hard part of the VAT rules. If it was just asking the user what country they're in and then submitting sales figures by country, that'd be easy.
There are two hard parts to what the EU did, for businesses.
The first is you have to charge variable VAT rates and remit the collected tax. However, VAT rates vary not only by country but in some cases within countries too, and they do change, so you have to make sure you have a really up to date list of tax rates and the geographies where they apply, including varying rates down to the city level.
But the real kicker is that you can't trust the user's claim about where they are. Users are financially incentivised to lie about their location because these are digital downloads. So if they claim to live in a low VAT region they pay less, but download the same files. Simple as that.
As a consequence the VAT regulations have a LOT of complicated edge cases and "guidance" in them about how to figure out where the user really is, not where they say they are. This is hard of course, the user may be using VPNs and so on. There is specific guidance on how to handle users who are on ships sailing between VAT regions, or planes that are in the air when a purchase is made. So you've got a really complex pile of logic to start with, and then you're also in an adversarial situation where the users are all trying to screw you over by forging their location. And if they succeed, you can suffer big fines.
Oh and finally of course, you can't use any technical tricks to figure out where the user actually is, because then you'd violate EU privacy laws ... have fun with all of this! In practice it has to all be outsourced, it is too much work to implement in house for all but the largest of firms.
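To make the two "hard parts" above concrete, here is an added example in Python; it is not code from the thread, from any tax authority or from any real VAT service. It keeps a rate table that varies by country and sub-region, treats the customer's self-declared location as untrusted input, and only resolves a sale when independent signals already collected for the transaction agree, holding everything else for manual review. It also shows the constant-gross-price approach an earlier comment describes (keep the customer's total fixed and back the VAT out of it). Every specific here is an assumption: the rate table is constructed for illustration and is not an authoritative list of EU VAT rates, and the evidence policy (two agreeing trusted signals, otherwise review) is a simplified stand-in for the real regulatory guidance, which this example does not reproduce.

```python
"""Added example, not code from the thread or from any tax authority.

ASSUMPTIONS: the rate table is CONSTRUCTED and not an authoritative list of
EU VAT rates; the evidence policy (two agreeing trusted signals, otherwise
manual review) is a simplified stand-in for the real regulatory guidance.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Iterable, Optional, Union

# CONSTRUCTED rates: (country, sub_region) -> VAT rate.  A sub-region entry
# overrides the country-wide entry, modelling "rates vary within countries".
VAT_RATES = {
    ("HU", None): Decimal("0.27"),
    ("DE", None): Decimal("0.19"),
    ("LU", None): Decimal("0.17"),
    ("ES", None): Decimal("0.21"),
    ("ES", "IC"): Decimal("0.00"),   # constructed special-territory override
}

# Signals gathered for the transaction itself (assumed: billing address, card
# issuer country, IP geolocation).  "declared" is what the customer typed in
# and is deliberately NOT in this set: it is the adversarial input.
TRUSTED_SOURCES = {"billing_address", "card_issuer", "ip_geo"}


@dataclass(frozen=True)
class Evidence:
    source: str
    country: str
    region: Optional[str] = None


@dataclass(frozen=True)
class Resolution:
    status: str                    # "resolved" or "review"
    country: Optional[str] = None
    region: Optional[str] = None
    rate: Optional[Decimal] = None
    reason: str = ""


def lookup_rate(country: str, region: Optional[str] = None) -> Optional[Decimal]:
    """Sub-region override first, then the country-wide rate, else None."""
    if region is not None and (country, region) in VAT_RATES:
        return VAT_RATES[(country, region)]
    return VAT_RATES.get((country, None))


def resolve_location(evidence: Iterable[Evidence]) -> Resolution:
    """Decide the taxable location, or hold the sale for manual review.

    Policy (assumed, simplified): at least two trusted signals, all naming the
    same country and at most one sub-region; anything else is 'review'.  A
    declared country that contradicts the trusted signals does not change the
    outcome but is recorded in the reason so it can be logged and flagged."""
    evidence = list(evidence)
    trusted = [e for e in evidence if e.source in TRUSTED_SOURCES]
    if len(trusted) < 2:
        return Resolution("review", reason="fewer than two trusted location signals")
    countries = sorted({e.country for e in trusted})
    if len(countries) != 1:
        return Resolution("review", reason="trusted signals disagree: " + ", ".join(countries))
    country = countries[0]
    regions = sorted({e.region for e in trusted if e.region is not None})
    if len(regions) > 1:
        return Resolution("review", reason="sub-region signals disagree: " + ", ".join(regions))
    region = regions[0] if regions else None
    rate = lookup_rate(country, region)
    if rate is None:
        return Resolution("review", reason=f"no rate on file for {country}/{region}")
    declared = [e.country for e in evidence if e.source == "declared"]
    reason = "resolved from trusted signals"
    if declared and declared[0] != country:
        reason += f"; declared {declared[0]} contradicts evidence"
    return Resolution("resolved", country, region, rate, reason)


def gross_from_net(net: Union[Decimal, str], rate: Decimal) -> Decimal:
    """Add VAT on top of a net price (the customer's total varies by location)."""
    return (Decimal(net) * (1 + rate)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def net_from_gross(gross: Union[Decimal, str], rate: Decimal) -> Decimal:
    """Back VAT out of a fixed customer price (the constant-total approach)."""
    return (Decimal(gross) / (1 + rate)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def price_sale(net: Union[Decimal, str], evidence: Iterable[Evidence]) -> Optional[Decimal]:
    """Gross price to charge, or None when the location needs manual review."""
    res = resolve_location(evidence)
    return None if res.status != "resolved" else gross_from_net(net, res.rate)


if __name__ == "__main__":
    # CONSTRUCTED transaction: customer claims Luxembourg, evidence says Hungary.
    ev = [Evidence("declared", "LU"), Evidence("billing_address", "HU"), Evidence("card_issuer", "HU")]
    print(resolve_location(ev))
    print(price_sale("10.00", ev))   # 12.70 at the constructed 27% rate
```

Two design choices are worth noting. The only signals the resolver trusts are ones the merchant already holds for the transaction (billing address, card issuer country, the IP of the purchase request), which is what keeps it clear of the covert-fingerprinting problem the comment raises; nothing is gathered beyond what the sale itself needs. And when the signals conflict, the code refuses to guess: the sale goes to a review queue with the contradiction recorded, which is both the safer compliance position and a useful fraud signal in its own right.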
A while ago VAT rules for digital goods were changed. Before, the VAT of the country where the company was located applied, after the VAT of the customers country. Amazon, Apple, ... exploited that by officially making the sale in a low-VAT country and pocketing the difference.
Many small businesses were concerned that they would have to register for VAT in all EU countries and deal with individual VAT laws, but the implementation for small businesses allows you to basically register at your home country's tax authority and provide them with a list of sales broken down by country. (MOSS in the UK, iirc) The initial hubbub has largely died down.
This is grossly simplified, but captures the gist. No tax advice, yadda, yadda.
my solution was to stop selling into the EU, though amusingly once the UK leaves the EU I'll be able to start again (by just ignoring the EU's VAT rules)
whereas this is from 2015. I was confused by language where you described it as a law to target Amazon. Now I see that was just an opinion.
> my solution was to stop selling into the EU
Interesting business decision. Was the cost of compliance that high, or was your revenue that trivial?
> though amusingly once the UK leaves the EU I'll be able to start again (by just ignoring the EU's VAT rules)
Well I was having a conversation with one of the UK's foremost VAT specialists on Friday, from one of the UK big 4 accountancy firms. He was very clear that the general opinion is that the UK will align with the EU for VAT. This was a response to my question about the catastrophic cashflow impact that losing the VAT rules on imports would have to UK businesses. He told me not to worry, as VAT alignment was simply a necessity.
> Interesting business decision. Was the cost of compliance that high, or was your revenue that trivial?
the cost of having to pay VAT on all of my UK REVENUES (digital services, remember!) would vastly dominate the PROFIT (not revenue) made from my EU sales
compliance wise, I'd rather not have to fill in VAT returns if it is optional (this is a side business, not my main employment)
> Well I was having a conversation with one of the UK's foremost VAT specialists on Friday, from one of the UK big 4 accountancy firms. He was very clear that the general opinion is that the UK will align with the EU for VAT.
well I'm glad his crystal ball is operating well... saying that I'm sure we will have a similar VAT after leaving (payable to our exchequer instead of the EU), but unless something radically changes the EU's laws won't be directly enforceable in the UK post brexit, and it's unlikely the UK will go out of its way to collect EU specific taxes for the EU's benefit
regardless, all of my "is EU VAT optional outside the EU?" discussion in this post and above is only an interesting thought experiment, it's not worth the possible consequences in practice (especially if your main worry is the lack of UK VAT free allowance like me... maybe if you're a large US based SaaS provider it's different)
I'm not sure you have that right. I don't professionally engage with MOSS so I will not give advice, but I professionally do work with VAT and handle some millions in VAT a year, so I am pretty familiar with the dreaded VAT guide. All quotes are from the aforementioned resource.
> the cost of having to pay VAT
Presumably you mean the higher price from charging VAT
> on all of my UK REVENUES
"your UK sales will not be liable, unless they’re above the UK VAT registration thresholds". So it makes no difference to your UK revenues at all, you either had to register for VAT because your total revenue was over the threshold, or you didn't.
> I'd rather not have to fill in VAT returns if I don't have to
Wouldn't we all love to avoid administering taxation.
> well I'm glad his crystal ball is operating well.
I think it is rather more than a crystal ball when you are the UK VAT lead for a big 4. This means you get consulted on it by the government, get to sit in on meetings with them, and work with the biggest companies in the UK who will also be lobbying the government. I think you rather trivialise their positions when you assume they know the same amount as me and you.
> (payable to our exchequer instead of the EU)
When did you ever pay VAT to the EU? I pay all of my VAT to HMRC despite trading extensively across Europe. It is possible as a consumer that you paid VAT that was passed on by the supplier to one of the member states' tax authorities, but under what circumstances could it be paid to the EU?
> it can claim jurisdiction all it wants, enforcing it is another matter
Not at all, the UK government will enforce on its behalf, as we will expect them to enforce on our behalf.
> but unless something radically changes the EU's laws won't apply to me in the UK after the process is complete
The UK is in the process of bringing all EU law into UK law (where it isn't already) with the strangely titled Great Repeal Bill. So EU law will apply to you. Also the government has committed to an open border in Northern Ireland as mandated by the Good-Friday agreement. This will require a customs union, and a joint body of oversight (like the European court). The government has further committed that Northern Ireland will have the exact same terms as the rest of the UK under its coalition deal with the DUP. Therefore the whole UK will be covered by that customs union. This is before we even discuss what EU oversight will be placed over a future trade deal with the EU. So whilst the government might bluster about what leaving the EU means, it is quite clear that its options are
a) stay in the customs union and therefore under EU law
b) Leave the customs union and violate the Good-Friday Agreement, whilst also breaking the coalition agreement and therefore bringing down the government.
I wonder against that backdrop how you think you are going to be outside of EU law? You seem to have a downer on the EU, if you don't mind me saying?
> I think it is rather more than a crystal ball when you are the UK VAT lead for a big 4. This means you get consulted on it by the government
given the cabinet doesn't seem to know what their objective is, this seems like a fantastical claim
> When did you ever pay VAT to the EU?
not directly, but that's why it exists and where (a chunk of) the money goes -- read about the history of the VAT, it used to form the 40% of the EU's budget (down to about 14% these days)
> Not at all, the UK government will enforce on its behalf, as we will expect them to enforce on our behalf.
doesn't work like that in practice, once we're out HMRC isn't going to spend money chasing people for taxes due in Bulgaria, in the same way it doesn't chase people for taxes owed in Russia today
> The UK is in the process of bringing all EU law into UK law (where it isn't already) with the strangely titled Great Repeal Bill.
yes
> so EU law will apply to you.
no, at that point it will be UK law
> Also the government have committed to an open border in Northern Ireland as mandated by the Good-Friday agreement.
depends on what they mean by "open" -- regardless of that: there's nothing that prevents a customs border in the good-friday agreement (have a read, it's only about 10 pages long: [1])
> (various points based on the assumption that the government will commit absolutely to one policy voters don't care about and completely abandon all others)
the government has also committed to leaving the EU customs union and the single market
I agree that it's hard to see how both are possible, but politics is the art of the fudge
> I wonder against that backdrop how you think you are going to be outside of EU law?
I don't accept the premise or the conclusion -- b) doesn't violate the GFA[1] or the confidence and supply agreement[2] (not a coalition)
to be blunt: it seems like you're making things up
> You seem to have a downer on the EU, if you don't mind me saying?
why should I like it? if you're running a medium sized or big business it's fantastic (unless you're a large foreign business like Facebook, Amazon or Microsoft), but I'm trying to run a small business, and it seems like they're doing their best to kill me
hell, if in 5 years we're still subject to the ever increasing mountains of poorly thought out legislation written by morons, I suppose emigration is always an option
There is no legal way around ignoring EU VAT rules and selling to EU customers (no matter where you or your company is located). If you do business with EU end customers you have to comply with EU VAT rules. Just telling you how it works in theory.
This was quite a hit to small companies, because now they have to manage collecting and remitting taxes to every country their consumer customers reside in. Previously they only had to collect and remit taxes to their own home country.
Most of the GDPR is about informed consent, having a valid reason for processing personal data and individual rights.
Facebook will do just fine, they had years to prepare and an army of lawyers. It will force them to be more transparent, which is a good thing.
Many EU member states like Germany already had very similar laws in place (like the BDSG), the GDPR unifies and standardizes them.
Here's an excellent introduction:
https://ico.org.uk/for-organisations/guide-to-the-general-da...