The dark side of GDPR

Today on Hacker News I read the sad news about the application StreetLend shutting down its services. The reason for this was not that the app was not successful. It was. Being a service by the people, for the people (with only a couple of commercial elements to foot the bill and sustain the operation of the service) StreetLand is in many ways is an example of humane technology.

The main reason for having to throw in the towel by founder Chris Beach, as described in the announcement message on the StreetLand landing page was the GDPR laws that will come into effect in the EU in May:

What’s Streetlend?

Streetlend.com was a website that helped neighbours and friends lend items to each other. Ladders, drills etc.

The site was modern, mobile-friendly and easy to use. Scroll down to see how Streetlend worked, and why it was reluctantly shut down.

Lenders listed hundreds of items, mainly in London. Many friction-free transactions were made, at no charge to lender or borrower.

Streetlend’s business model involved affiliation with Amazon. When members searched for an item to borrow, they were also shown items to buy, and Streetlend earnt a cut of the sales revenue. Did it turn a profit? No, sadly not, but running at a loss was fine as my day job covered the bills.

StreetLend Landing Page2798×1996 1.32 MB

Why shut down the site?

With sadness, StreetLend was shut down in April 2018, after five years of operation.

Unfortunately the European Union’s new GDPR (General Data Protection Regulation), introduced on 25th May 2018, creates uncertainty and risk that I can’t justify taking.

GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher) if they do not jump through a number of ambiguously-defined hoops. The law, combined with parasitic no-win-no-fee legal firms, puts website owners at risk of vindictive reporting. Young websites and non-profits cannot afford legal teams. Therefore the risk posed by GDPR is unacceptably high.

Perversely, this new EU law hurts small and ethical startups, but helps reinforce the dominance of Facebook, Google and Twitter, who are able to prepare and defend themselves using established legal teams and cash reserves, and who now face less competition from startups. The EU Cookie Law, EU VAT regulation and now the EU GDPR are all examples of poorly-implemented laws that add complexity and unintended side-effects for businesses within the EU.

See the StreetLand website for the full message and a description + more screenshots of the great service it offered.

We have discussed GDPR in previous topics, but then highlighting the positive aspects of this regulation… the privacy protection it offers to citizens of the EU in times where it iso much under threat (see also: Privacy is fundamental to Humane Tech (and Democracy)!)

I would like to dedicate this topic to discussing these downsides of GDPR and ways to avoid them!

See also the Hacker News discussion on this with now already more than 600 comments…

SAN FRANCISCO — In Europe and the United States, the conventional wisdom is that regulation is needed to force Silicon Valley’s digital giants to respect people’s online privacy.

But new rules may instead serve to strengthen Facebook’s and Google’s hegemony and extend their lead on the internet.

Although I agree with criticism of the EU VAT system for the creating problems with tech startups - I don’s see why GDPR is in the same category.

From what I have read so far - GDPR is excellent and exactly the kind of step forwards that the humane tech world should be supporting.

I suspect some aspect of GDPR made the business model difficult - and if you stare closely I suspect that it creates difficulty for some good reason.

On the screenshots, it shows a prominent section on the home page: “StreetLend with Facebook friends (and their friends, and people they endorse)”

That, right there is a privacy horror show. This suggests they are using the Facebook features used by Cambridge Analytica to harvest Facebooks social graph: the site is closing because this way of doing business will not work any more - Facebook is cutting of this supply of data in response to GDPR and the Cabridge Analytic fiasco.

Reading through the hacker news thread - as far as I have got - does not change my mind on this: GDPR is a good thing and it is RIGHT that businesses adjust to accommodate this or close up shop.

I say this as someone who is desperately trying to adjust two online businesses in order to comply!

The main things I need to do are just allow users a way to delete their accounts fully, ensure historic data which is no longer central to the business transaction are deleted and allow users to download a full copy of their data.

Yes, this is a PITA if you have a complicated website that barely breaks even - but none of this is unreasonable.

Any ethical business should be happy to comply with GDPR and be pleased that there this ‘levels the playing field’.

In terms of risk of being sued. Maybe I am missing something, but we have been subject to the Data Protection Act which is 80% of the way to GDPR for years now. I have heard of the ICO prosecuting a few egregious breaches but it did not open floodgates of civil litigation.

I think StreetLend is a none story. It was a loss making website that would have needed further investment to comply with GDPR and the owner could not stomach the task. The growth model that StreetLend relied upon was likely to piggy back of the Facebook social graph - and this hosepipe of data was being turned off.

If I have this right - this is good news for humane tech… and privacy in particular.

Thanks for your insights, Richard!

I agree that GDPR is mostly a good thing (especially from the perspective of individual consumers), and maybe StreetLend is not the best example. But there are many small businesses that apply similar models with advertising and trackers.

As far as I understand it, one of the big differences to the Data Protection Act are the high fines that are involved with breaches of GDPR law. This could stimulate a whole industry of shady law firms targeting small business owners who fail to be fully compliant. It can lead to situations where the ones that can pay for the best lawyers have unfair advantages. The GDPR is also open for interpretation and this has led some non-profits and open initiatives to e.g. close their comments sections and such, out of precaution.

How this turns out in reality remains to be seen. I am by no means an expert on this subject. I just thought it important to not only highlight the positive aspects of GDPR, and therefore this thread

I just added some resources on positive impacts of GDPR, but found a couple of negative ones as well:

And (while not necessarily a dark side, still tricky things to take into consideration… there is more on this on the same blog): Another GDPR Gotcha: HR and Employee Data is Tricky

Legislation seldom works, its almost always complicated, difficult to understand and seems like it usually ends up annoying people’s time more than actually helping anything. But in the case of GDPR, legislation was needed as a last resort, because the industry failed to provide a solution itself.

Privacy and tracking is out of control. It’s tech and media which have the dark side. Google, Facebook and the entire publishing industry (especially all new sites) and the entire advertising online ad industry have more than just failed us, they have abused our privacy.

Yes GDPR is a mess like all legislation. But I think the good news is any good lawyer will tell you that laws are not meant to be taken too literally. Laws are there to catch the worst and biggest offenders.

Companies will, and should slip through this law just like they do through all other laws unless they are big companies and are clearly in violation. The GDPR fine is “4% of turnover or €20 million”. What the really means is that they will only target big companies, and would never put a small business out of operation. But the EU of course will still try to scare everybody into compliance, as they should.

Streetlend isn’t even a small business, it’s a tiny minuscule site and failed business, so their suggestion that they would be targeted by the EU is foolish.

Unfortunately the big businesses like Google are ready to respond to GDPR by trying to fool their users into agreeing. I will be very interested in seeing the tricks big business will employ on their users come 25 May.

I already see that Google is trying to make it as technically difficult as possible for its ad partners to comply with the law (Google is the world’s largest ad network), by requiring all their partners to literally program in their own compliance screens or their own code to both detect EU users and then another piece of code to stop tracking them. It makes me sick, because no honest company would do something like that. I’m beginning to think Google is the next Facebook, the next black sheep.

Serious dark side of GDPR regulation: In Romania an investigative journalism group - who were investigating theft of EU funds by people in highest echelons of politics - were ordered by the Data Protection Authority (the one that supervises GDPR regulation for their country) to disclose their sources.

The timing is very suspect, and there are links between the authority and the same people that are under investigation.

The GDPR expressly gives protection to the information sources of journalists, but the way this case is set up (carried by the authoritative body itself) makes it a real possibility that these do not apply. In other words, a loophole in the GDPR.

As expected this is now a hot topic on Hacker News: https://news.ycombinator.com/item?id=18416887

As I predicted GDPR has helped strengthen Big Tech’s illegal monopolies, by hurting their smaller competitors. According to statistics, one year after GDPR:

• Smaller competitors have seen an average 8-10% drop in revenue and traffic from the European Union. Yes revenue has actually gone down, in an industry where revenue is only supposed to go up by double-digit percentages.
• Big Tech, Google and Facebook have seen a 17% and 26% increase in European Union revenues, respectively.

Europe’s Privacy Rules Hurt Small Firms, Not Tech Giants