by egourlao 2966 days ago
Article 83:

> When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to [...] the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement.

https://gdpr-info.eu/art-83-gdpr/


That doesn't limit their ability to impose the maximum fine for a first, single violation. It says they should consider some things. But it does not limit their statutory ability to impose the maximum without warning.

There's no reason for them to do that.

Look, their goal here is compliance. They don't want to fine a company into oblivion, because that just encourages companies to be fearful and do what you're doing: cut ties with the EU entirely. And that's not a win for them either.

I get that it's hard to trust governments, but remember that they're still made up of people. If you deal with the regulators in a straightforward way, and cooperate to the best of your ability, they're not going to stick it to you. No, I don't know that for every single instance. But I also don't know a lot of other things that can add risk to a business, but that doesn't stop me from doing business in general.

But sure, if you've done the math, and the cost of compliance isn't worth the EU revenue you'd otherwise get to keep, that's your call. I'm just getting a little tired of all the FUD getting spread around GDPR.

> There's no reason for them to do that

Sure there is. Their government will be the direct beneficiary of the money. Why would they care if they bankrupt a foreign company? In fact, they may use it for this explicit purpose. They win by collecting the money, and they win by decimating foreign competitors of local businesses.

I get that you're incredibly cynical about this process (and probably any government process), but I really don't see it as dire as you do. I don't think any further discussion will be productive, though, since we seem to be operating under some vastly different base assumptions about human behavior.

Data protection authorities have to be independent of government according to the GDPR.

They have to be citizens of the given country, do they not? They probably wouldn't mind their government collecting a few extra million from foreign businesses. It still goes to their benefit.

Fines must be "effective, proportionate and dissuasive", taking into consideration those factors. A maximal fine for a first, single violation (unless it is a willing and gross violation) is just asking for judicial review.

Dude, the limitations are explicit in Art. 83(2):

> When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
>
> (a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
>
> (b) the intentional or negligent character of the infringement;
>
> (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
>
> (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
>
> (e) any relevant previous infringements by the controller or processor;
>
> (f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
>
> (g) the categories of personal data affected by the infringement;
>
> (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
>
> (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
>
> (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
>
> (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

You should DEFINITELY look for a better lawyer. Pro tip: one not looking to sell mitigation services.

Show me where, either in your pasted text, or in the rest of the GDPR, it says that there are circumstances or mitigating factors that MUST result in a fine less than maximum. There is no such clause.

In terms of liability insurance, which is the claim here though, the reality is the insurer knows that the EU isn't going to dump 20 million fines on every small company making a first offence. The idea that they are going to treat it like that's the likely outcome is insane.