Yes, always suspicious. I mean the GDPR is not that complicated really, unless you really want to do personalized tracking
I think one of the least wise things a person (or company) can do when faced with any law is to assume that it's "not complicated really."
Much, much wiser to assume "there be dragons" and only engage once qualified legal counsel has helped you understand what compliance means to you.
And along these lines... The second least wise thing to do in this scenario is listen to randos in a forum like this tell you, "but all you have to do to comply is..."
The problem with thinking like yours is that legislation like GDPR is _really_ made to be simple and straightforward, but since companies whose livelihood depends on them abusing your privacy will fight it tooth and claw, they will gladly make it look like it's more complicated and insurmountable than it really is. They will also devise ways to comply in such ways that are most cumbersome for the end user and will readily blame GDPR for it.
To devise such a way to comply, they definitely need a large and expensive legal department.
The privacy abusers are much like trolls on the internet who, upon seeing a code of conduct (previously known as "rules") consisting of only "don't be a dick", will spawn endless arguments about what a "dick" is and how it is or is not an inappropriate word, what it really means to be one, or, indeed, to be, question the use of the indefinite article, and complain about "don't" being too assertive and arrogant.
> ...they will gladly make it look like it's more complicated and insurmountable than it really is
There are non-malicious explanations for the same pattern of behavior at large organizations - the motivation (malice or not-malice) that seems correct is a Rorschach test.
If I accidentally log IP addresses for EU users that opted out on some throw-away experimental page on my site, Brussels would never find out. If Google does it, it not only has to report the incident, but will most likely be fined. In order to avoid this outcome, they have internal review processes which make it "complicated and insurmountable", because how do you justify investing many hours of dozens of lawyers' and technical reviewers' time for a frivolous, niche AI demo?
Ok... Let's assume this is true (which I'll reiterate, that I contend assuming so is foolish). What happens when courts have interpretations of this "simple law"? Do the courts make an effort to keep things simple and in plain language? Or do lawyers and bureaucrats do what they can to drive unintuitive interpretations, but favorable to their cause, of otherwise plain language? Are European laws such as this subject to the interpretive lens of case law? If so, the best intentions of legislators may only be secondary relative to the actual rulings and unintended consequences of their laws. The problem with thinking like yours is that it dismisses all of this messy reality in favor of maintaining the idealism that might have motivated public support of the law.
Those that have to follow those laws need to care about the mess.
You should probably do some trivial research. No, there is no case law in most of Europe, for sure in none of the EU.
Second that. GDPR actually made those aspects clear and never caused a headache during implementations I've seen or participated in (more like a checkbox on a list). When I see any complaints, then it's clear some iffy user sniffing is happening.
For an experimental project every extra requirement is annoying/slows down release. It's completely reasonable that they don't want to add more work before releasing to a large customer base that doesn't need the extra work.
> I mean the GDPR is not that complicated really
Doesn't the EU also have an 'AI Act' that imposes additional rules, even when you're not tracking anyone?
And a lot of employers have legal teams who are extremely risk-averse, so even if it's obvious to you and me that rules about "deepfakes" don't apply to a tool for generating pictures of chess pieces made of cheese, doesn't mean legal will sign it off.
Not sure it is a GDPR issue – it isn't filtering me out on either mobile or the office connection. I'm in the UK, and despite Brexit we are still (technically at least) covered by GDPR (there are some differences in UK-GDPR, and more will come, but IIRC they are not significantly substantive yet). Unless, perhaps, they are banking on our ICO being toothless so won't enforce anything.
From my experience helping my company with GDPR, IMO it's true that the principles of GDPR are straightforward. But there can be a fair amount of ambiguity in how certain parts are interpreted, so in practice if you're taking it seriously (which every company should), you'll want to loop in your lawyers. Then there are more and more conversations to make sure everybody understands what the company is doing and what their stance is on GDPR.
Sadly, GDPR is not a black-and-white (pun intended with the chess project) checklist with black-and-white checklist items.