Going into effect in a year? Seems like a business opportunity. Someone let me pay them $X and review my systems every so often and give me a seal saying I'm compliant with all these laws, and include some insurance up to $Y. Especially given the selective enforcement, there's money to be made from the chill alone. Compliance audit companies can probably just roll this into their package.
Also, I'm a bit annoyed at laws only affecting companies of a certain size. At some point right at crossing the line, there's a negative effect to having 50,001 users. (really I'm annoyed at how these data protection laws are implemented in general and I wish the discussion would be about that instead of being idealistic and only looking at the supposed intent)
> how these data protection laws are implemented in general and I wish the discussion would be about that instead
Let’s do that, shall we?
Before GDPR there were laws in each European country protecting private data (GDPR is basically Sweden’s data protection law in that regard).
Not a single “poor company that will need to comply” gave a damn.
Then GDPR was introduced, discussed, amended. Quite publicly. Not one of the “poor devs that would be hit by it” gave a damn.
GDPR was passed and companies were given two years to adjust their software/systems/business practices to comply. Hardly any of the “let’s have a discussion shall we” devs gave a damn until the last few months of the transition period.
And only when they realized that they had to actually do something, something they should have done literally years ago, we had (and still have) this fake outcry of “boohoo these laws make us work hard and do right things and we don’t wanna”.
As a top engineer of an EU headquartered company, I can be one instance of saying this was not true of us. We started our preparations almost a year and a half in advance of the March 2018 deadline. Once we engineers and our GC were done interpreting the extent of what we believed we needed to do and the resources to do it, we were basically ordered by the CEO to do as little as possible as late as possible, automate as little as possible, and just wait to see if anything came of it. I left the company a few months after GDPR-day so cannot say how it worked out, but it was the CEO’s company and his choice to do it in a way that it then became my responsibility to implement.
Compliance/legal is a company risk and as I indicated in the challenger article here a few days ago, as an engineer I can advise on what the risks are and the potential consequences of bad outcomes, as well as the costs to reduce them. The business decides what level of risk to take. I personally would have preferred a robust response to GDPR and thorough internal procedures, but it was not my call to make.
Of course, I personally believe that we humans should own our data and digital footprints, so I agree with a lot of the concepts behind GDPR and CCPA even if I do not agree with all and as an engineer may think some are ... silly/overzealous/misguided or what have you. Case in point: the IP tracking discussion above. If I hit your network, that's on me (barring externalities or bad actors, etc.). Retention periods and use definitions are fine, but a requirement to treat it as PII or other super sensitive data seems a bit much to the engineer in me.
Yes, true. In the end it comes down to a business decision. My focus on devs is mostly because it's devs who comment and complain on HN, so my comments are mostly geared towards them.
It's true, businesses (or people who run them) will in the end judge the direction where the company will go, and their judgment is often worse than that of developers.
So yes, I would replace "devs" etc. with just "companies" in my comment.