Comment by eclipsetheworld
5 hours ago
As a European founder building startups since 2015, I’ve spent a massive chunk of my career navigating the "alphabet soup" of EU regulation: GDPR, DSA, DMA, AI Act, CSRD, SFDR, CBAM... the list is exhausting.
While the goals are usually noble, I’m increasingly convinced we’re regulating ourselves into irrelevance. I’m not a Big Tech company yet my interests align with theirs. We desperately need an EU that prioritizes actual growth over well-intentioned paperwork. To me, the AI Act and the GDPR are the worst offenders here, representing the largest possible gap between "good intentions" and the actual effect they have on the ground.
Consider frontier LLM labs. We have the talent, the Nordic data centers, and access to the GPUs. But why would any investor drop $100B on a frontier LLM lab here when the legislative environment is fundamentally more hostile than the US? It feels like we’ve already watched Mistral and Aleph Alpha get left in the dust.
To give you an idea of the "compliance vs. reality" GDPR gap: I worked on a project processing healthcare data for millions of people. We had a clear, easy-to-find privacy policy and a responsive DPO. Total GDPR requests for info or deletion? Exactly 53. Out of millions. We spent thousands of hours building systems for rights that only 0.001% of our users cared to use.
If you look at the courts, the "damage" being prevented is equally vague. Since EU courts don't really do punitive damages, most awards are tiny unless there’s actual identity theft. Most of what GDPR protects is "mental distress" or "loss of control", concepts so ambiguous that courts rarely award anything for them unless something else went wrong.
The result of all this "protection"? No FAANG-equivalent, no frontier AI leader, and no homegrown ad-tech. It turns out the most perfectly regulated company is the one that never exists in the first place.
You're so right.
I cannot stand reading these comments left by people clearly detached from reality.
I used to work in a medical AI company myself. Over the years, we had a few requests for deletion, all from some crazy old German people. Moreover, we couldn't train our models on European data, which is absurd.
This is a great comment. At the same time, GDPR and other standards do not address practical issues that (arguably) cause real harm, like including features to generate undressed images of women and children.
It's the same dynamic that has warped the California housing market by adding a forest of regulations that make it almost impossible to build new housing. Those regulations for the most part add nothing but cost and time to projects. Meanwhile housing prices go through the roof.
I'd argue that, at least in my European country, there are already more severe laws regulating such things that might earn you jail time, while GDPR wasn't made with that in mind.
The problem is enforcing those laws now that the Trump administration is using X and other social networks as instruments of national policy and forcing others to use them, to the detriment (potentially considerable) of European societies.
So deletion of user accounts meant thousands of hours of development time?
Thanks for the comment. It actually perfectly illustrates my point. Most people equate GDPR with a "Delete My Account" button, but that’s just the tip of the iceberg.
We didn't spend thousands of hours on a deletion feature (or just development time). We spent them in total to be compliant in a healthcare environment. That time goes into:
- Documenting the entire lifecycle (how, why, and where) of every single data point we process.
- Conducting and documenting formal risk assessments for every major processing activity (Privacy Impact Assessments (DPIA)).
- Drafting and negotiating data processing agreements (DPAs) with every single partner and vendor we use.
- Building strict role-based access and logging systems to track exactly who views and edits data and why.
- Implementing pseudonymization and logical data separation to ensure we meet "privacy by design" standards.
- Constantly coordinating between the product and dev team and the DPO to update policies and communicate changes to users.
The point I’m making is that the EU has built an incredibly expensive regulatory environment to support rights that, in practice, the vast majority of users don't seem to care about. We’re over-engineering for a "loss of control" that the average user hasn't shown much interest in reclaiming.
Those things are all necessary anyway, apart from the last one (communicate to users) which absent GDPR is a nice-to-have. If you don't do them, or something equivalent to them, then your processes will be wrong and you'll have breaches – and breaches of healthcare data are extremely bad. What GDPR gives you is the assurance that you won't be at a competitive disadvantage for doing the bare minimum due diligence, because your competitors are required to do so, too.
> We spent thousands of hours building systems for rights that only 0.001% of our users cared to use.
GDPR does not require that any of the data subject rights are automated, other than "right to be informed" (which it doesn't explicitly spell out has to be automated, but "put the information on the website" is the easiest way to comply if you're relying on the consent basis for anything). If you expect that under 200 people are ever going to exercise a particular right, and automation will take longer than manually fulfilling those requests, then don't automate them: just add it to your DPO's job description.
> that, in practice, the vast majority of users don't seem to care about.
You can't use "people are choosing not to waste the time of a healthcare provider" as an argument that people don't care. They may simply be being kind. I very rarely require GDPR data subject access requests, but when I do, it's very important that I can get them in a timely manner.
If I know what information is kept by the organisation (and therefore would be included in the GDPR request), and there are other ways of me accessing the information I care about having, I don't need to perform a GDPR request. It's organisations where there aren't where I'm most likely to need to make a GDPR request. If a company is actually complying with data minimisation and purpose limitation, I do not need to make a GDPR deletion request. etc etc. I think you're focusing on how annoying it is for you, and not thinking of the impact on your less-ethical competitors (who might otherwise be able to run you out of business – depending on the industry).
I'd wager it's less expensive than US medical services.