Hacker News
by locust101 3110 days ago
Basically, companies like Facebook and Google have abused data collection and public trust so badly that the EU had to come up with these absurd fines just so those behemoths would pay attention. Also, is there a reason why it is a maximum of x and 2% of revenue? Shouldn't 2% of revenue be big enough for a company to be scared?
3 comments

> Also, is there a reason why it is a maximum of x and 2% of revenue? Shouldn't 2% of revenue be big enough for a company to be scared?

Nah, if it was 2% of our revenue, I'd be much more likely to take the gamble. I'd be willing to invest a little in our staffing & infrastructure to take that risk.

I want to do the right thing - but that multi-million-euro penalty means the risk/reward equation just doesn't make sense. We'd never bring in enough revenue to pay off the hit from one angry judge determined to make an example out of us.

Google was mostly compliant with the GDPR already. When you delete your account on Google, it really does delete all data from all services and all backup records etc.

They implemented it like 3 or 4 years ago. Yes, it was a lot of work for a lot of engineers.

Arguably, it's much harder for smaller companies to comply.

GDPR classifies any sort of cookie as PII. So you can request deletion of data that's the result of logged out queries, in theory.

Also, the Google tool deletes your account data. It does not delete all things that are conceivably personal data. For example, if you commented on or edited a shared Google Doc and then deleted your account, I'm not sure the comments are deleted too. So it's not quite that simple.

The law is so broad you could conceivably also demand that Gmail deletes any email you sent to it under your own name, out of other people's inboxes.

You also want smaller companies to comply, where 2% is maybe too little for them to care, as it would cost more to comply with GDPR.
> up to €10 million or 2% of your company’s annual revenue, whichever is higher

They might care about a €10 million fine if they only have, say, €2 million in annual revenue.

I remember when I first heard about this thinking "why even bother doing business in the EU?"

--edit--

Which is exactly what you were saying in retrospect...

2% of revenue is a huge fine for any profitable business.
> 2% of revenue is a huge fine for any profitable business.

Not necessarily. In a business like ours (online training) where any additional new customers basically flow through to the bottom line, if I got 20% of my revenue from the EU, and I had to pay a 2% fine now and then, it wouldn't be terrible.

I can see how some slimy businesses would say, "I'm not even going to bother complying - I'll just keep taking revenue off the table and paying the small fees."

Sure, if your profit margins were 50% on EU revenues, it wouldn’t be a big deal to pay 2% of the max fine. Or if your startup doesn’t have revenues, you could get off scot free.

But most profitable businesses are going to have profit margins in the 10-20% range, and that fine is considerable. And if the EU applies it to the last 5 years' revenues, they could wipe out a year's profit.

For example, Apple probably has close to $100B in annual EU revenue, $2B is a huge incentive to invest in doing this right. But if your EU business is $1M, $20,000 is probably a fraction of your cost of implementation.

The law would have been far better if it specifically limited fine levels by size of company, i.e. < 1M in sales, 1M to 10M, 10M-100M, 100M-1B, 1B+.

It's on worldwide revenues, not EU revenues.
Ouch, that's amazingly short-sighted.