by cantagi 3028 days ago
If Facebook's business model is built around collecting and selling personal data, and more than 4% of their revenue globally comes from EU citizens, then they could decide to wilfully flout GDPR and just pay the maximum fine every year.

Another way they could deal with it is by disputing the EU-US privacy shield[1] or disputing the decision that overturned the original privacy safe harbour[2]. IANAL so I have no idea how they would do this, but it will be costly for ECJ and FB.

[1] https://en.wikipedia.org/wiki/EU-US_Privacy_Shield

[2] https://en.wikipedia.org/wiki/International_Safe_Harbor_Priv...

4 comments

If a court rules that something you're doing violates the law, then that also means that you actually have to stop doing it. Not stopping with it would be a felony.

So, you can't just continuously pay fines whenever a court rules another time that it's illegal. The fine for a felony is much higher and at some point, you'd also simply be thrown out, or blocked in the case of Facebook, I suppose.

I keep reading this statement that Facebook sells personal data. Where is it stated that Facebook does this? Where is this fact of information defined?

My impression is FB allows targeted advertising without selling anything. In fact, why would FB sell their most valuable asset?

A fine doesn't imply that you can continue processing the data. GDPR also requires them to stop handling all such data if they don't have a legal right to do so (since the default case, if they can't show a valid legal reason, is that they're not allowed to do it).

And that's a maximum fine for a particular decision, not the maximum fine annually. They can certainly be fined once and ordered to stop processing the data within, say, 30 days; then fined once more after the 30 days have passed for noncompliance with that order, and then so on.

There also is personal liability for the responsible executives and employees who'd be violating the regulator's order.

I don't think that 4% is limited per annum, so that if you've paid 4% for case 1 in that year you pay out 0% for case 2+ in that year.

on edit: looking here https://www.i-scoop.eu/gdpr/gdpr-fines-guidelines-applicatio... it seems the second level of fines go up to 2% and are on a per case basis.