Europe's GDPR privacy law is headed for red tape bonfire within 'weeks'

Perceived value and intent of GDPR

  • Many commenters see GDPR as necessary, straightforward regulation if you aren’t doing “nasty stuff” with data and only collect what’s needed.
  • Several point out most complaints about “complexity” come from organizations dependent on tracking/monetizing personal data.
  • Supporters emphasize rights: access, correction, deletion, breach reporting, data minimization, and limits on profiling and targeted ads.
  • Some non‑EU users report successfully invoking GDPR rights by (falsely) claiming EU residency, viewing it as a “godsend.”

Burden on small sites, individuals, and SMEs

  • Disagreement over scope: some argue GDPR should apply only to corporations (ideally large ones), not hobbyists or individuals running small sites.
  • Small operators describe stress and legal risk from subject access requests (SARs) and compliance ambiguity, leading a few to shut down free services.
  • Others counter that if you architect systems correctly from the start and avoid unnecessary data, compliance is easy even for small firms.

Cookie banners, ePrivacy, and confusion

  • Huge debate over whether cookie banners are actually required:
    • Several insist GDPR itself does not mandate them; they stem from the older ePrivacy Directive and are overused/misused.
    • Others say lawyers and regulators effectively force banners, especially for analytics and marketing cookies; there is confusion about “strictly necessary” vs “analytics” vs “tracking” cookies.
  • Many see banners as malicious compliance or sabotage to turn users against GDPR, relying on dark patterns and making refusal hard.
  • Some argue the proper fix is protocol/browser-level consent (e.g., mandatory “Do Not Track” honored by law) instead of per-site popups.

Enforcement, US data transfers, and big tech

  • A key criticism is weak, inconsistent enforcement: big firms (especially US platforms) repeatedly violate rules and treat fines as a cost of business.
  • Data transfer to US-linked infrastructure is described as a legal limbo: court rulings vs economic reality (cloud, payment systems).
  • Some argue the main problem isn’t GDPR’s text but regulators’ reluctance and political pressure around US tech firms.

Proposed reforms and risks of “simplification”

  • The Commission’s plan is said to target reporting burdens for organizations under ~500 employees, not core rights.
  • Mixed views:
    • Support for easing paperwork but concern that a headcount threshold (not revenue) could let large data traders slip through.
    • Some want removal of barely used/implemented features (like data portability) and a rethink or abolition of cookie rules.
    • Others argue simplification should be paired with higher fines and strict action against malicious compliance.
  • Several fear “simplification” will mean weakened protections and more scope for exploitative consent practices rather than genuine clarity.