undefined | Better HN

0 pointsfrereubu7y ago0 comments

In an ideal world, yes. But that leads you down a Kafkaesque hole of bureaucracy - at some point you have to stop adding detail and leave things open to interpretation. There are plenty of laws out there with fines "up to €X" and, from my limited experience, I don't think the GDPR is especially ambiguous compared to others.

0 comments

kingofhdds7y ago

Well, lots of ends open to interpretation, and $20 mln fine - so obviously nothing to care about! Hysteria!

DanBC7y ago

Maximum possible fine for repeated worst possible violation after ignoring previous attempts at regulation and not making changes after previous smaller fines.

It's not a minimum.

frereubuOP7y ago

I think this is a common misinterpretation though because of the lanauge - that the maximum fine is actually the minimum, because the figures that are talked about are "€20m or 4% of global turnover, whichever is the greatest." It's the emphasis on "the greatest" that has an undercurrent of "we're going to fine you the maximum of these two numbers."

StavrosK7y ago

I'm not sure what you mean by "actually the minimum". They will find you the maximum of those two numbers, at most, if you flagrantly disregard the law.

1 more reply

omginternets7y ago

>Maximum possible fine for repeated worst possible violation after ignoring previous attempts at regulation and not making changes after previous smaller fines.

Nothing in the GDPR states this. It's obviously the intent, but ultimately it's left up to the bon vouloir of EU regulators.

It is perfectly legal under the GDPR to make an example out of you by levying the maximum fine for a first offense, and without warning.

jdietrich7y ago

>It is perfectly legal under the GDPR to make an example out of you by levying the maximum fine for a first offense, and without warning.

No it isn't. Read Article 83.

https://gdpr-info.eu/art-83-gdpr/

1 more reply

shakna7y ago

Article 29 states this.[0]

[0] https://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889

kingofhdds7y ago

It takes time, and real money to be compliant, and getting slow on this quite plausibly can make one a repeat offender. You can, of course, say "don't be slow then", however, when for an out-of-EU entity (be it biz, or NGO) simple math doesn't show it is worth the effort, then it makes perfect sense to stop offering services to EU. Which is a side effect of the legislation. OP apparently understands it puts GDPR in a bad light, so he says about "overreaction" in every topic related, and this post is likely comes as the response to the latest one.

DanBC7y ago

But merely being a repeat offender isn't enough to trigger the maximum fine.

You'd have to be a consistant repeat offender, with no effort made at remediation, with no cooperation with the regulator, and probably handling sensitive or financial data.

Here's a list of recent actions taken. I think the current maximum fine is £500,000. Have a look through a few of these hopefully it's somewhat reassuring.

https://ico.org.uk/action-weve-taken/enforcement/

1 more reply

matwood7y ago

> It takes time, and real money to be compliant, and getting slow on this quite plausibly can make one a repeat offender.

When I read things like this I realize how many companies are not treating user data as they should. Protecting user data should already be built into the company software and process.

Given FB revelations and additional scrutiny to Google, I see some form of this law coming to the US.

2 more replies

M2Ys4U7y ago

The whole world has had TWO YEARS to be compliant. "It takes time" is not an excuse.

1 more reply

Arnt7y ago

General law applies as well. There's lots of case law on the size of fines.

Which means in practice that if x other people have been fined around y for an offense similar to yours, your fine has to be in the vicinity of y. Ditto if x people have been fined more for larger offenses or less for smaller. This kind of assessment is routine. General. It's not something that needs to be written into each and every law.

kingofhdds7y ago

Also, minimal level of $10 mln doesn't look nicer unless you are a big corpo.

j / k navigate · click thread line to collapse

0 comments

kingofhdds7y ago

Well, lots of ends open to interpretation, and $20 mln fine - so obviously nothing to care about! Hysteria!

DanBC7y ago

Maximum possible fine for repeated worst possible violation after ignoring previous attempts at regulation and not making changes after previous smaller fines.

It's not a minimum.

frereubuOP7y ago

StavrosK7y ago

I'm not sure what you mean by "actually the minimum". They will find you the maximum of those two numbers, at most, if you flagrantly disregard the law.

1 more reply

omginternets7y ago

>Maximum possible fine for repeated worst possible violation after ignoring previous attempts at regulation and not making changes after previous smaller fines.

Nothing in the GDPR states this. It's obviously the intent, but ultimately it's left up to the bon vouloir of EU regulators.

It is perfectly legal under the GDPR to make an example out of you by levying the maximum fine for a first offense, and without warning.

jdietrich7y ago

>It is perfectly legal under the GDPR to make an example out of you by levying the maximum fine for a first offense, and without warning.

No it isn't. Read Article 83.

https://gdpr-info.eu/art-83-gdpr/

1 more reply

shakna7y ago

Article 29 states this.[0]

[0] https://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889

kingofhdds7y ago

DanBC7y ago

But merely being a repeat offender isn't enough to trigger the maximum fine.

You'd have to be a consistant repeat offender, with no effort made at remediation, with no cooperation with the regulator, and probably handling sensitive or financial data.

Here's a list of recent actions taken. I think the current maximum fine is £500,000. Have a look through a few of these hopefully it's somewhat reassuring.

https://ico.org.uk/action-weve-taken/enforcement/

1 more reply

matwood7y ago

> It takes time, and real money to be compliant, and getting slow on this quite plausibly can make one a repeat offender.

When I read things like this I realize how many companies are not treating user data as they should. Protecting user data should already be built into the company software and process.

Given FB revelations and additional scrutiny to Google, I see some form of this law coming to the US.

2 more replies

M2Ys4U7y ago

The whole world has had TWO YEARS to be compliant. "It takes time" is not an excuse.

1 more reply

Arnt7y ago

General law applies as well. There's lots of case law on the size of fines.

kingofhdds7y ago

Also, minimal level of $10 mln doesn't look nicer unless you are a big corpo.

j / k navigate · click thread line to collapse