The spirit of such a law is great, but there's a huge problem - what does the implementation even look like? Are we going to have regulatory committees oversee which types of data should be portable and when? Who writes the protocols?
The implementation of such a law is impossible as far as I can tell and opens up huge vulnerabilities to smaller companies.
Just imagine when large companies can hire lobbyists that can force a data protocol on the smaller businesses.
The spirit of many laws is great, the implementation is, unfortunately, what actually matters and I don't see solutions to these hard problems.
Allow me to go on a soapbox here, but far too many laws are created with good intentions that are destroying competition and hurting the end users.
It's easier than you think. Offer an endpoint that spits out a ZIP file with JSON/multimedia of all the data you have associated with the user. Now you're done, you don't have to do anything else.
The intent of the article is not to allow people to import Facebook posts into Twitter, the intent of the article is to force businesses to allow people to export their data in a machine-readable format. What that entails exactly is up to each company to decide, and a court of law to determine if it was followed properly.
I hadn't read the law yet, thanks for the link, but I don't think that solves any problems at all and has potential for plenty of issues. The devil is in the details and the people already have the power to only use services that allow data exporting.
You're attempting to force companies to behave in a pro-social manner but if that company never wanted to behave in a pro-social manner we'll have just given them another attack surface with their lobbyists to use to kill their competitors.
I'll withhold judgement until I see how this plays out, it could end up being a great thing, the issue with laws isn't that they can't help - the issue is that laws that end up hurting almost never go away.
> but I don't think that solves any problems at all and has potential for plenty of issues
It does solve the problem with some businesses not offering exports in machine-readable formats in order to stop users from being able to move to other services together with their data. Or which problems do you think they are aiming to solve here?
> the people already have the power to only use services that allow data exporting.
Yes, but the directives are not meant to help people to choose services, they're meant to help people already using a service and being able to move to a different one with their data. By forcing companies to follow these directives, users no longer have to choose an inferior product just because they offer exports, because all the products have to offer export.
> You're attempting to force companies to behave in a pro-social manner but if that company never wanted to behave in a pro-social manner we'll have just given them another attack surface with their lobbyists to use to kill their competitors.
I don't really understand this line of reasoning, but I'm interested in understanding it. We already have a bunch of laws and directives to make companies behave more ethically, since they made it clear that they need laws sometimes to do the right thing. How is this adding another attack vector to kill their competitors? If company A is "anti-social" (I guess), doesn't offer an export and wants to kill their competitor B (who does offer export), how does the export tie into company A being able to kill company B? As I understand it, company B is following the directives while company A isn't, so users of company A could sue that company, but that doesn't affect lawful company B.
But I might misunderstand something so please, elaborate :)
> We already have a bunch of laws and directives to make companies behave more ethically, since they made it clear that they need laws sometimes to do the right thing. How is this adding another attack vector to kill their competitors?
I'd go as far as saying that such regulation fixes an attack vector. Before, a company behaving pro-socially was at a competitive disadvantage - their competitors that "never wanted to behave in a pro-social manner" could adopt antisocial strategies that the pro-social company couldn't. Banning those strategies levels the playing field.
> It does solve the problem with some businesses not offering exports in machine-readable formats
And which data should businesses allow users to export in machine readable formats, every click, view, views on other sites with that site's cookie/callback?
What is a common machine readable format? Literally all data is machine readable - what if the "common" format is purposefully complex and hard to implement right and you have to use paid libraries to do it correctly? These are things big companies can afford to do that kill small competition.
And since they are a big company simply them using it makes it "common" by some definition since more people will use it by virtue of more people using their services.
> If company A is "anti-social" (I guess), doesn't offer an export and wants to kill their competitor B (who does offer export), how does the export tie into company A being able to kill company B?
Company A, being the dominant evil-corp can pay lobbyists to define the protocol for export in a format they define... company B (the small good-willed company) already exports in a format, but now they are forced to change their existing systems resulting in a lot of work lost - that is effectively money stolen from company B
Now, a reasonably pro-social reaction would be to allow both exported formats, but how difficult would it be to have lobbyists convince a non-technical governing body that their format is superior and should be used?
Imagine a non-technical family member is overseeing some committee and Facebook shows up with their amazing analytics and awesome data export tool with graphs, charts, everything. Do you think your non-tech family member will recognize that the underlying format is bad for small businesses? I don't think I'd expect a non-techie to understand the costs there.
Edit: further, are there SLAs for export uptime? What happens when bad PR hits a company and data export laws effectively mean a company is expected to export terabytes of data within a day or so? Is that small company now legally liable because they can't handle that kind of load - which is further compounded by the fact they are getting data export requests because of bad PR to begin with? Does that company now have to choose between serving exports or keeping their service running?
I'm sure if I spend an hour thinking of scenarios that could hurt businesses that are otherwise doing the best they can I can come up with plenty.
I think you're approaching GDPR with a wrong mindset, perhaps one rooted in the US legal system. EU countries tend to put more weight on the spirit of the law than the US does.
In GDPR, many of the things seem technically underspecified, because they aren't describing implementation details - they're describing the principle behind them.
For instance, what "common machine-readable format" means is obvious to everyone who does anything with digital data. For generic data, it's XML, JSON, CSV, you could probably get away with XSL(X) or DOC(X); for images it's BMP, PNG, JPG. Etc. If you think you have a valid reason to use something more niche, you can. If you're afraid someone will contest it, you can request an interpretation from appropriate regulatory body. If someone contests your choice, you can justify yourself - but if you're being purposefully obtuse, the ruling will be against you. The legal system gives you plenty of time to prepare, seek clarification, complain, dispute, get reprimanded - and ultimately comply, or, if you stubbornly refuse, get punished.
Consider what would have happened if GDPR actually defined what "common machine-readable format" is. Plenty of companies would have a valid reason to complain that the list of allowed formats is too narrow, and unsuitable for their particular use case. The law would have to be updated to reflect the fast-changing landscape of computing technology, or risk slowing progress by forcing everyone to maintain legacy technologies.
Instead, GDPR focuses on the guidelines to achieve the intended results, while leaving the implementation details for the industry to figure out. It's better this way, than having regulators figuring out what's the difference between "cookie" and "local storage".
> and which data should businesses allow users to export in machine readable formats, every click, view, views on other sites with that site's cookie/callback?
"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
JSON, XML and a few others are candidates that are generally considered common. If you haven't heard about the term before you can find more information here: https://en.wikipedia.org/wiki/Machine-readable_data
> what if the "common" format is purposefully complex and hard to implement right
Then I guess the company is shooting itself in the foot if they make it harder to build the export functionality than it has to? The directive is not about being able to import data from any service, the directive is about being able to export your data in a machine-readable format. Not sure how much clearer I can make this.
> company A, being the dominant evil-corp can pay lobbyists to define the protocol for export in a format they define
Company A is allowed to export the data in whatever data model they want, no lobbyists required. What it has to be though, is machine-readable.
> company B (the small good willed company) already exports in a format, but now they are forced to change their existing systems resulting in a lot of work lost
No, neither the directives nor the laws around GDPR will force a small company to change their export format. The directives are aimed at larger businesses that don't allow export at all, to get those companies to actually become user-friendly instead of user-hostile.
You should really give reading the full GDPR a go, it's not that long nor complicated and explains everything you're worried about (seemingly at least).
> edit: further, are there SLAs for export uptime? what happens when bad PR hits a company and data export laws effectively mean a company is expected to export terabytes of data within a day or so? Is that small company now legally liable because they can't handle that kind of load - which is further compounded by the fact they are getting data export requests because of bad PR to begin with? Does that company now have to choose between serving exports or keeping their service running?
Again, I invite you to actually read GDPR before commenting further as both you and I spend more time answering each other than the time you could have taken to just read the resource you're commenting about now.
Article 12 (3):
> The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If you cannot handle running your service + the export in a way so people clicking the export get their data within 30 days, I don't feel so bad about you actually just closing down your service instead, as the uptime in general must be very bad.
> The devil is in the details and the people already have the power to only use services that allow data exporting.
The problem with this is that people are choosing products and services based on many different aspects simultaneously. In particular, price and (with Internet services) network effects are such strong factors that they pretty much override all other considerations. How this plays out in practice is, the whole market stops offering value along the "irrelevant" factors.
In case of GDPR - because abusing users' data makes money, and not abusing it costs money, everyone starts abusing it to reduce price (or their costs). You're not going to ditch Facebook if all your friends are there. You're not going to ditch your primary care provider because it plays fast and loose with your data - it's a big hassle, and there's no guarantee other providers aren't even worse.
Imagine switching this discussion to one about food safety regulation. If they were suddenly all repealed, you can bet your top dollar that the quality of food would quickly degrade across the board. Even the most upstanding companies would start making sacrifices to keep up with their less ethical competitors, or risk getting outcompeted - relaxing standards allows to drop the price (or increase and reinvest profits), which allows to keep this up through economies of scale, while companies standing their ground on quality lose customers, lose efficiency, and have to increase the price. Customers won't choose the increasingly more expensive, quality food, because in a typical country, most people can't afford expensive food.
The end result is the market locking into a new, much lower, food safety level.
There are certain patterns on the market that are very predictable, and which are impossible to fix from within. That's where regulations are needed. And they do seem onerous to businesses when introduced - that's because we usually realize the problem only when we're deep in it.