The big problem is reward risk. Risk is 15,000,000 euros. Reward is peanuts.
In the past we could choose to work for peanuts with low risk. Now we can't. We have to work for nothing or work for a lot to have a chance of covering compliance.
The GDPR carries a fine risk of up to 20 million, but usually the fines are a few hundred/thousand euros depending on the entity. Think "300 euro fine to a driving school" rather than "300 million euro fine to Google".
And even then, you have to be unlucky enough to actually get caught and investigated by market surveillance authorities. I think you're going to be more likely to get caught up in income/donation/gift tax bracket fraud investigation than to ever feel the impact of the CRA as a hobby open source dev.
It would be foolish to ignore the risk, however, especially if you work on something potentially controversial, such as encryption, privacy tools, or any software that may have uses that the EU frowns upon. I strongly suspect that this will eventually be used as a cudgel against disfavored projects/devs to compel project changes or even kill the project outright (or force it to move overseas).
If you’re a FOSS dev in the EU who works on something controversial, and you accept donations, it would be better to outsource the project “ownership” to someone unnamed or outside of EU jurisdiction.
This is a rather big maybe.
Now, from a US perspective rather than an EU one, even being investigated in the US carries a huge risk. It is especially bad in the case that someone wants to prove a point against you. You could suddenly find yourself having to spend huge amounts of money defending yourself because someone wants to make a name for themselves, or you pissed a large political donor off.