zlacker

43 comments
1. danthe+(OP) 2018-05-18 08:54:26
The amount of discretion and lack of clarity in the penalties is part of the problem. It opens you up to risk based on the whims of politics and the regulators and increases uncertainty. Laws should be clear, limited, and understandable - this is not.
replies(5): >>frereu+C >>lyscho+k2 >>davidh+H3 >>ThePhy+y7 >>rmc+1f
2. frereu+C 2018-05-18 09:00:39
>>danthe+(OP)
In an ideal world, yes. But that leads you down a Kafkaesque hole of bureaucracy - at some point you have to stop adding detail and leave things open to interpretation. There are plenty of laws out there with fines "up to €X" and, from my limited experience, I don't think the GDPR is especially ambiguous compared to others.
replies(1): >>kingof+71
3. kingof+71 2018-05-18 09:08:04
>>frereu+C
Well, lots of ends open to interpretation, and $20 mln fine - so obviously nothing to care about! Hysteria!
replies(3): >>DanBC+U1 >>Arnt+M5 >>kingof+W5
4. DanBC+U1 2018-05-18 09:16:48
>>kingof+71
Maximum possible fine for repeated worst possible violation after ignoring previous attempts at regulation and not making changes after previous smaller fines.

It's not a minimum.

replies(3): >>frereu+S2 >>kingof+w4 >>omgint+69
5. lyscho+k2 2018-05-18 09:21:21
>>danthe+(OP)
The law says that the fines should be "effective, proportionate and dissuasive". That gives companies ample room to challenge a fine that is way out of proportion to the damages caused to their users.
replies(1): >>omgint+f9
6. frereu+S2 2018-05-18 09:27:54
>>DanBC+U1
I think this is a common misinterpretation though because of the language - that the maximum fine is actually the minimum, because the figures that are talked about are "€20m or 4% of global turnover, whichever is the greatest." It's the emphasis on "the greatest" that has an undercurrent of "we're going to fine you the maximum of these two numbers."
replies(1): >>Stavro+I6
7. davidh+H3 2018-05-18 09:35:30
>>danthe+(OP)
If the penalties were exact and written into the law then companies could simply make more from your privacy data than the fine they would have to pay. That would have the opposite effect of the law. Adding a clause that the fine is discretionary gives the enforcer the ability to adapt to this sort of behavior.
8. kingof+w4 2018-05-18 09:45:43
>>DanBC+U1
It takes time, and real money, to be compliant, and getting slow on this quite plausibly can make one a repeat offender. You can, of course, say "don't be slow then"; however, when for an out-of-EU entity (be it biz, or NGO) simple math doesn't show it is worth the effort, then it makes perfect sense to stop offering services to the EU. Which is a side effect of the legislation. OP apparently understands it puts GDPR in a bad light, so he talks about "overreaction" in every related topic, and this post likely comes as the response to the latest one.
replies(3): >>DanBC+t7 >>matwoo+Lh >>M2Ys4U+4j
9. Arnt+M5 2018-05-18 10:00:14
>>kingof+71
General law applies as well. There's lots of case law on the size of fines.

Which means in practice that if x other people have been fined around y for an offense similar to yours, your fine has to be in the vicinity of y. Ditto if x people have been fined more for larger offenses or less for smaller. This kind of assessment is routine. General. It's not something that needs to be written into each and every law.

10. kingof+W5 2018-05-18 10:02:23
>>kingof+71
Also, minimal level of $10 mln doesn't look nicer unless you are a big corpo.
11. Stavro+I6 2018-05-18 10:11:02
>>frereu+S2
I'm not sure what you mean by "actually the minimum". They will fine you the maximum of those two numbers, at most, if you flagrantly disregard the law.
replies(1): >>frereu+i9
12. DanBC+t7 2018-05-18 10:22:01
>>kingof+w4
But merely being a repeat offender isn't enough to trigger the maximum fine.

You'd have to be a consistent repeat offender, with no effort made at remediation, with no cooperation with the regulator, and probably handling sensitive or financial data.

Here's a list of recent actions taken. I think the current maximum fine is £500,000. Have a look through a few of these; hopefully it's somewhat reassuring.

https://ico.org.uk/action-weve-taken/enforcement/

replies(1): >>kasey_+o9
13. ThePhy+y7 2018-05-18 10:23:01
>>danthe+(OP)
I really don't know why people think that the authorities will (or even could) automatically punish each minor infraction with 4 % of global revenue or 20 million €. GDPR article 87 specifies in great detail when fines should be imposed and how their value should be calculated, and the Article 29 WP also has a guideline on that:

https://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889

It is therefore simply not possible for a data protection authority to impose arbitrary or ridiculously high fines as they would never hold up in court.

replies(3): >>pjc50+K7 >>izacus+Gf >>taysic+Y71
14. pjc50+K7 2018-05-18 10:25:53
>>ThePhy+y7
I'm starting to wonder if there's an active disinformation campaign about this somewhere. Are people getting their fears from Facebook again?

Edit: If there is such a thing I bet it's Cambridge Analytica/"SCL group" involved, since they made their money from large scale nonconsensual abuse of political personal data, and have an arm dedicated to swinging elections with misleading Facebook adverts.

replies(2): >>tobias+Kb >>thomas+7D
15. omgint+69 2018-05-18 10:41:55
>>DanBC+U1
>Maximum possible fine for repeated worst possible violation after ignoring previous attempts at regulation and not making changes after previous smaller fines.

Nothing in the GDPR states this. It's obviously the intent, but ultimately it's left up to the bon vouloir of EU regulators.

It is perfectly legal under the GDPR to make an example out of you by levying the maximum fine for a first offense, and without warning.

replies(2): >>jdietr+kb >>shakna+0d
16. omgint+f9 2018-05-18 10:43:20
>>lyscho+k2
You say this as though "challenging a fine" were trivial.

After countless months spent in a courtroom and tens of thousands of Euros in legal fees, even if you win, you lose.

replies(1): >>yayana+Ld
17. frereu+i9 2018-05-18 10:43:49
>>Stavro+I6
Yeah, this is the confusion - it's difficult to write it out in a way that isn't ambiguous! I think the fact that there are two numbers, the higher of which is the maximum fine, may imply to some people that the lower figure is the minimum - i.e. if 4% of your global turnover is €100m then €20m is the minimum - but of course there in fact isn't a minimum. It might have helped comprehension if there had been an arbitrary minimum figure - say €100 - to anchor the discussions.
replies(2): >>Stavro+S9 >>irishs+4c
18. kasey_+o9 2018-05-18 10:44:56
>>DanBC+t7
Note that this is the UK agency; you might see different behaviors if you scanned the Belgian regulator's enforcement list.
replies(1): >>DanBC+gh
19. Stavro+S9 2018-05-18 10:51:46
>>frereu+i9
Ah, I see what you mean now. That's not how I understood it, but some people might.
20. jdietr+kb 2018-05-18 11:17:20
>>omgint+69
>It is perfectly legal under the GDPR to make an example out of you by levying the maximum fine for a first offense, and without warning.

No it isn't. Read Article 83.

https://gdpr-info.eu/art-83-gdpr/

replies(1): >>downan+ef
21. tobias+Kb 2018-05-18 11:22:32
>>pjc50+K7
There is probably a large number of consultants who make money out of getting "GDPR ready" etc. and in whose interest it is to maximize the fear.
22. irishs+4c 2018-05-18 11:25:19
>>frereu+i9
The problem with that is that it would introduce a minimum fine, where currently there doesn't need to be a fine at all (if you coöperate).
23. shakna+0d 2018-05-18 11:36:50
>>omgint+69
Article 29 states this.[0]

[0] https://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889

24. yayana+Ld 2018-05-18 11:45:47
>>omgint+f9
If you are fined 10k-100k you have the typical problem of whether it is worth fighting.

But you are supporting the argument that you could be illegally (according to article 83) fined 4 million euros as a first offence because a regulator wants to be disproportionate and set an example with your small company and then have costs of 10-100k to throw out an obvious case, but it wouldn't be worth it?

replies(1): >>ghein+ji
25. rmc+1f 2018-05-18 12:01:24
>>danthe+(OP)
> based on the whims of politics and the regulators

Political whims? Maybe in the USA judges and prosecutors and police chiefs are elected every few years and these things are political and can change, but this isn't the case in many EU countries.

26. downan+ef 2018-05-18 12:03:35
>>jdietr+kb
Neither Article 83 nor 29 imposes any actual limits. They say that those imposing fines should take some things into consideration. After which they can impose a multimillion-dollar fine.
replies(1): >>yls+Ji
27. izacus+Gf 2018-05-18 12:09:17
>>ThePhy+y7
Because those people tend to come from a country which doesn't have laws open to interpretation and thus marks people who drunkenly pee on a fence with the same sex offender tag as child molesters. If your country functions in a way where laws can't be interpreted according to context, it's hard to think of a different system.
replies(1): >>losved+bk
28. DanBC+gh 2018-05-18 12:27:49
>>kasey_+o9
Sure, but the people spreading FUD about this are not referencing anything at all.
29. matwoo+Lh 2018-05-18 12:32:07
>>kingof+w4
> It takes time, and real money to be compliant, and getting slow on this quite plausibly can make one a repeat offender.

When I read things like this I realize how many companies are not treating user data as they should. Protecting user data should already be built into the company software and process.

Given FB revelations and additional scrutiny to Google, I see some form of this law coming to the US.

replies(2): >>DanBC+6i >>kingof+an
30. DanBC+6i 2018-05-18 12:34:28
>>matwoo+Lh
Yes. We've had PECR for years. If companies are surprised by GDPR they're probably already violating PECR.

But, despite this widespread non-compliance and fierce fines available to the regulators, the sky hasn't fallen. Why do people think GDPR is suddenly going to make things so much worse?

replies(1): >>kingof+rp
31. ghein+ji 2018-05-18 12:35:45
>>yayana+Ld
It's worth it but it bankrupts you.

No customers, no investors, and all your cash gone before your appeal is heard.

Block all EU traffic. Just cut the transatlantic cables.

replies(2): >>salvar+nm >>yayana+nz
32. yls+Ji 2018-05-18 12:40:13
>>downan+ef
Kinda common in continental European law... Nothing new, nothing to be scared of.
33. M2Ys4U+4j 2018-05-18 12:43:38
>>kingof+w4
The whole world has had TWO YEARS to be compliant. "It takes time" is not an excuse.
replies(1): >>kingof+061
34. losved+bk 2018-05-18 12:52:25
>>izacus+Gf
Which is an indictment of the laws, but not necessarily the system.
replies(1): >>guitar+RH
35. salvar+nm 2018-05-18 13:14:31
>>ghein+ji
I don't think there's a need to cut the transatlantic cables, but if a company doesn't want to take proper care of user data then it's perfectly reasonable that they stay away from that market and let other companies have that business.
36. kingof+an 2018-05-18 13:23:35
>>matwoo+Lh
As a user I suppose they should do whatever satisfies me, and I don't always need a bunch of populists from the EU parliament, who can't write a clear text, running to save me, making the field even more favorable for big corpos at the expense of SMEs and small non-profits in the course of action.

>Given FB revelations and additional scrutiny to Google, I see some form of this law coming to the US.

That would be good news for the EU, of course. Even before GDPR, entrepreneurs were routinely advised to incorporate in US instead, and the legislation likely added incentives for that.

37. kingof+rp 2018-05-18 13:41:32
>>DanBC+6i
The OP reacts to news of businesses stopping serving EU, and those businesses are from outside of the Union. So PECR is not so relevant.

>despite this widespread non-compliance and fierce fines available to the regulators the sky hasn't fallen

Don't you really see how absolutely wrong this is? When a law is composed in a way which makes it in practice only selectively applicable, it leads to erosion of justice, and invites corruption.

38. yayana+nz 2018-05-18 14:56:56
>>ghein+ji
Maybe you should list all of the possible cases that could be initiated against you as a business owner in the US and which ones you can and can't guard against before you worry about that cable.
39. thomas+7D 2018-05-18 15:24:30
>>pjc50+K7
I mean part of the issue is that I literally cannot answer the question "are we GDPR compliant?". The amount of time we've spent figuring out whether we need to sanitize apache logs has been ridiculous.

If you search for GDPR IP address you'll get 100 different opinions on what you need to do. That in my opinion is what makes this law ridiculous. How can companies be expected to comply with something this unclear? I'm sure I would have had your opinion before I was the person who is ultimately responsible if my answer to GDPR compliance is wrong.

Everyone having issues with this is somewhere in the line of fire for a wrong answer to any of these questions. Our concern over the fuzziness of this law is very valid, I don't like uncertainty personally.

replies(2): >>icedch+IY >>Tomte+1o1
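One concrete answer to the Apache-log question raised in the post above, as an added example that is not from the thread: a small Python script that truncates the client address in Apache combined-format log lines to a /24 (IPv4) or /48 (IPv6) prefix before the logs are stored. The sample log lines are constructed, and the prefix lengths are an assumption; the "sanitize or not" decision the post describes is still a judgement call for the controller.

```python
import ipaddress
import re

# Constructed sample Apache "combined" log lines (not real traffic).
# The client address is the first whitespace-delimited field.
SAMPLE_LOG = [
    '203.0.113.47 - - [18/May/2018:10:23:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [18/May/2018:10:23:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.58"',
    'garbage line without an address',
]

# First field, then the rest of the line untouched.
CLIENT_FIELD = re.compile(r'^(\S+)(\s.*)$')


def anonymize_ip(addr: str) -> str:
    """Truncate an address to a network prefix: IPv4 to /24, IPv6 to /48
    (assumed prefix lengths). Non-IP input is returned unchanged so that
    malformed lines are never silently dropped."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line: str) -> str:
    """Replace the leading client address of one access-log line."""
    m = CLIENT_FIELD.match(line)
    if not m:
        return line
    return anonymize_ip(m.group(1)) + m.group(2)


def anonymize_log(lines):
    """Apply the truncation to every line; order and count are preserved."""
    return [anonymize_log_line(line) for line in lines]


if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```

Run it in a log pipeline (for example as a filter before lines reach long-term storage) so that the full address never lands on disk; rotating the raw log afterwards does not undo what has already been written.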
40. guitar+RH 2018-05-18 16:00:14
>>losved+bk
But they are different systems. For example contracts in the EU tend to be way shorter, as long as you get the gist. Contracts in the US are painfully long, listing things out explicitly, etc.

This is exactly what rules-based regulation (US) and principles-based regulation (EU) means, and why the GDPR is written the way it is.

41. icedch+IY 2018-05-18 17:59:51
>>thomas+7D
When all else fails, just make something up. In the unlikely event anyone asks, just tell them you have no logs with their IP address. What are they going to do, check themselves?
42. kingof+061 2018-05-18 18:55:13
>>M2Ys4U+4j
I didn't see the text TWO YEARS ago. Did you?
43. taysic+Y71 2018-05-18 19:09:11
>>ThePhy+y7
Because they don't know anything about EU authorities and have no reason to trust that they have the interests of US small businesses at heart? To them, this could potentially be a money grab with no pain to their constituents. It's already playing out to some extent with their new tech taxes.
44. Tomte+1o1 2018-05-18 21:29:27
>>thomas+7D
Regulators want to see that you thought about the issue and formulated a plan.

If they ultimately disagree with your judgments, they will tell you, and you'll have plenty of time to get a common understanding.

They will certainly not fine you just because you made an honest mistake.

They will maybe fine you if all you have to show is "I didn't want to find a plausible way myself, nobody spoon-fed me, it's not my fault".
