undefined | Better HN

0 pointsdantheman7y ago0 comments

The amount of discretion and lack of clarity in the penalties is part of the problem. It opens you up to risk based on the whims of politics and the regulators and increases uncertainty. Laws should be clear, limited, and understandable - this is not.

0 comments

ThePhysicist7y ago

I really don't know why people think that the authorities will (or even could) automatically punish each minor infraction with 4 % of global revenue or 20 million €. GPDR article 87 specifies in great detail when fines should be imposed and how their value should be calculated, and the Article 29 WP also has a guideline on that:

https://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889

It is therefore simply not possible for a data protection authority to impose arbitrary or ridiculously high fines as they would never hold up in court.

pjc507y ago

I'm starting to wonder if there's an active disinformation campaign about this somewhere. Are people getting their fears from Facebook again?

Edit: If there is such a thing I bet it's Cambridge Analytica/"SCL group" involved, since they made their money from large scale nonconsensual abuse of political personal data, and have an arm dedicated to swinging elections with misleading Facebook adverts.

tobias37y ago

There is probably a large number of consultants who make money out of getting "GDPR ready" etc. and in whose interest it is to maximize the fear.

thomaskcr7y ago

I mean part of the issue is that I literally cannot answer the question "are we GDPR compliant?". The amount of time we've spent figuring out whether we need to sanitize apache logs has been ridiculous.

If you search for GDPR IP address you'll get 100 different opinions on what you need to do. That in my opinion is what makes this law ridiculous. How can companies be expected to comply with something this unclear? I'm sure I would have had your opinion before I was the person who is ultimately responsible if my answer to GDPR compliance is wrong.

Everyone having issues with this is somewhere in the line of fire for a wrong answer to any of these questions. Our concern over the fuzziness of this law is very valid, I don't like uncertainty personally.

2 more replies

izacus7y ago

Because those people tend to come from a country which doesn't have laws open to interpretation and thus mark people who drunkenly pee on a fence with the same sex offender tag than child molesters. If you're country functions in a way where laws can't be interpreted according to context it's hard to think of a different system.

losvedir7y ago

Which is an indictment of the laws, but not necessarily the system.

1 more reply

taysic7y ago

Because they don't know anything about EU authorities and have no reason to trust that they have the interests of US small businesses at heart? To them, this could potentially be a money grab with no pain to their constituents. It's already playing out to some extent with their new tech taxes.

frereubu7y ago

In an ideal world, yes. But that leads you down a Kafkaesque hole of bureaucracy - at some point you have to stop adding detail and leave things open to interpretation. There are plenty of laws out there with fines "up to €X" and, from my limited experience, I don't think the GDPR is especially ambiguous compared to others.

kingofhdds7y ago

Well, lots of ends open to interpretation, and $20 mln fine - so obviously nothing to care about! Hysteria!

DanBC7y ago

Maximum possible fine for repeated worst possible violation after ignoring previous attempts at regulation and not making changes after previous smaller fines.

It's not a minimum.

3 more replies

Arnt7y ago

General law applies as well. There's lots of case law on the size of fines.

Which means in practice that if x other people have been fined around y for an offense similar to yours, your fine has to be in the vicinity of y. Ditto if x people have been fined more for larger offenses or less for smaller. This kind of assessment is routine. General. It's not something that needs to be written into each and every law.

kingofhdds7y ago

Also, minimal level of $10 mln doesn't look nicer unless you are a big corpo.

lyschoening7y ago

The law says that the fines should be "effective, proportionate and dissuasive". That gives companies ample room to challenge a fine that is way out of proportion to the damages caused to their users.

omginternets7y ago

You say this as though "challenging a fine" were trivial.

After countless months spent in a courtroom and tens of thousands of Euros in legal fees, even if you win, you lose.

yayana7y ago

If you are fined 10k-100k you have the typical problem of whether it is worth fighting..

But you are supporting the argument that you could be illegally (according to article 83) fined 4 million euros as a first offence because a regulator wants to be disproportionate and set an example with your small company and then have costs of 10-100k to throw out an obvious case, but it wouldn't be worth it?

1 more reply

davidhyde7y ago

If the penalties were exact and written into the law then companies could simply make more from your privacy data than the fine they would have to pay. That would have the opposite effect of the law. Adding a clause that the fine is discretionary gives the enforcer the ability to adapt to this sort of behavior.

rmc7y ago

> based on the whims of politics and the regulators

Political whims? Maybe in the USA judges and prosecutors and police cheifs are elected every few years and these things are political and can change, but this isn't the case in many EU countries.

j / k navigate · click thread line to collapse

0 comments

ThePhysicist7y ago

https://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889

It is therefore simply not possible for a data protection authority to impose arbitrary or ridiculously high fines as they would never hold up in court.

pjc507y ago

I'm starting to wonder if there's an active disinformation campaign about this somewhere. Are people getting their fears from Facebook again?

tobias37y ago

There is probably a large number of consultants who make money out of getting "GDPR ready" etc. and in whose interest it is to maximize the fear.

thomaskcr7y ago

2 more replies

izacus7y ago

losvedir7y ago

Which is an indictment of the laws, but not necessarily the system.

1 more reply

taysic7y ago

frereubu7y ago

kingofhdds7y ago

Well, lots of ends open to interpretation, and $20 mln fine - so obviously nothing to care about! Hysteria!

DanBC7y ago

Maximum possible fine for repeated worst possible violation after ignoring previous attempts at regulation and not making changes after previous smaller fines.

It's not a minimum.

3 more replies

Arnt7y ago

General law applies as well. There's lots of case law on the size of fines.

kingofhdds7y ago

Also, minimal level of $10 mln doesn't look nicer unless you are a big corpo.

lyschoening7y ago

omginternets7y ago

You say this as though "challenging a fine" were trivial.

After countless months spent in a courtroom and tens of thousands of Euros in legal fees, even if you win, you lose.

yayana7y ago

If you are fined 10k-100k you have the typical problem of whether it is worth fighting..

1 more reply

davidhyde7y ago

rmc7y ago

> based on the whims of politics and the regulators

Political whims? Maybe in the USA judges and prosecutors and police cheifs are elected every few years and these things are political and can change, but this isn't the case in many EU countries.

j / k navigate · click thread line to collapse