zlacker

[return to "GDPR: Don't Panic"]
1. caffei+Ox 2018-05-18 14:08:58
>>grabeh+(OP)
I'm an attorney who's spent the last year or so working on GDPR compliance for a US SaaS provider some of whose clients have EU employees. My understanding is that it's true that EU enforcement is more in the spirit of "how can we get you compliant?" before doling out fines (vs. the US where it can be more "let's make an example of this company by hitting them with a big fine" and scaring others into compliance). I also agree that the authorities aren't going to be handing out 7 figure fines like candy, both because it's not their historical approach and because they don't have the resources to fight too many of those battles. I want to say I read that the Irish authority's annual budget is around $9M. Theirs is higher than most and Ireland is where most of the US tech giants are established due to tax laws. That said, I think to say that GDPR compliance is simple because its text is fairly readable or that EU data protection law is simply a matter of transparently respecting people's personal data and not being a bad actor as to privacy is an overstatement. For example, the ePrivacy Directive, most known for prompting all those cookie consent banners, can be incredibly complex to comply with. Each member state has implemented that Directive in different ways. Look at this example https://ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-... where Honda sent out emails to its 350k database simply trying to confirm continued interest in being on their list and got a 13k euro fine for their troubles. I don't know all the facts, but from the document, it doesn't appear that Honda got the fine because they were recalcitrant or being terrible actors. And if the fine is proportionate to the offense (not to the size of the violator), then 13k euro might be levied against a small company for whom it is a significant penalty (not to mention costs, legal fees, etc. in dealing with it).
2. charle+CJ 2018-05-18 15:37:36
>>caffei+Ox
The Honda case actually seems pretty reasonable to fine - Honda had an issue where consent from dealer events and other sources wasn't correctly recorded. So they have a large list of emails, where consent falls into three categories:

* Person did not consent, they left the form blank

* Person consented, but it was not recorded

* Person actively denied consent (wrote "no")

Honda then sent commercial email to this set of users, to "confirm" their preferences. In my view, that's not reasonable - if I leave a "would you like to receive email" item in a form blank, that is not permission to send me email.

3. mindsl+sR 2018-05-18 16:37:01
>>charle+CJ
Also 13k/350k is 4 pence per email, which is tiny! Well below what they'd have had to pay if pay-to-be-received had been workable.

I'm not a fan of government or of fines, but this amount isn't even a slap on the wrist.
