by CLGrimes 2967 days ago
If an EU citizen believes that their personally identifiable information was obtained without their consent, the EU GDPR allows firms to do an audit on the company. The citizen who filed the complaint would enlist help from a no-win-no-fee legal firm, meaning, if they don't win (with infractions being $10 million minimum), the citizen, who is now a client of the firm, would not be out any money. If they do win, most likely the firm would make a windfall after carving out their share of the proceeds.

Wait! I was under the impression that fines due to GDPR are just that, fines. They are paid to the government, not individuals. At most, getting fined due to non-compliance can suggest that if individuals bring civil lawsuits against the company, they may win and be awarded damages, the amount of which depends on how much damages they can prove they have incurred as a result of misuse of their data, not statutory amounts. Is that not the case? Is the fine actually paid to the individuals?

Or are you suggesting that some patriotic legal firms would do all the legwork for free so that the government treasury would get a boost?

Yes, your understanding is completely correct. Only EU member states can levy fines under the GDPR, and it's likely few will have any interest in trying to fine small businesses. Lawsuits are possible, but only for damages, and good luck showing any damages from a minor technical violation by a small SaaS tool. And without any prospect of large damages from a deep-pocketed defendant, good luck finding a law firm willing to work on contingency.

The whole thing is FUD, although mad props to the people behind the linked service for making a play at profiting from it.

I don't have a lot of actual information on this, but the buzz in my privacy professional listservs is that EU courts have been VERY expansive about what constitutes "damage" in related legal spheres, and that those of us coming from a US legal background should not rely on our instincts about what kinds of damage could actually create a cause of action worth suing over.
No. EU courts tend to define damage conservatively, and people suing for damage normally have to demonstrate actual financial losses.

But it's irrelevant here, because the law isn't based on damages.

Cease and desist letters from predatory law firms are a very real thing, even in Europe. In Germany, entire law firms have been established for the sole purpose of collecting out-of-court settlement fees for small mistakes in websites' legal notices, which they find using automated searches: http://transblawg.eu/2003/10/13/u-s-comment-on-impressumgerm...

GDPR will give them new ammunition on a European scale.

Your link is from 15 years ago.
No, some firm will ask you to pay $100,000 as a private settlement because you made a mistake, or else they'll have to seek remedy by filing a complaint in the EU courts, potentially costing you around 10M.
But unlike copyright trolls, the law firm in question can't guarantee that paying the protection money will actually protect you from being reported, so there isn't the same incentive to pay. A protection racket only works if the mafia monopolizes the threat, otherwise any random thug could destroy their business.
> with infractions being $10 million minimum

Stop talking nonsense. It is up to $10 million or 2% of revenue.

https://www.gdpreu.org/compliance/fines-and-penalties/

And so for most websites the fine would be significantly smaller than what lawyers typically earn to litigate.

Hence your entire "no win no fee" premise falls completely apart.

Both amounts are lower bounds. "No win no fee" falls apart because the lawyers don't get a fee for a fine collected by the government, not because the fine is too small.
> with infractions being $10 million minimum)

FFS, this is a maximum, not minimum.

Fines are up to $10 million or 2%, but it can go up to $20 million or 4% of annual global revenue, whichever is higher. That percentage, whichever is higher, is the key. Facebook's 2017 revenue was ~40.7 billion. Four percent of that amount is ~1.6 billion.
You said 2 things:

> if they don't win (with infractions being $10 million minimum

But all of the numbers you give are the maximum possible fines. The actual fines imposed by the regulators will always be smaller than that.

You also said:

> The citizen who filed the complaint would enlist help from a no-win-no-fee legal firm,

That's not how the fines work. They're fines, paid to the regulator. They're not compensation paid to the victim. There's no payout for no-win-no-fee solicitors, and so they're not going to get involved.