Hacker News
by downandout 2954 days ago
Now you can pick which one you want.

I don’t have to pick either. My company is not subject to the GDPR, and we will never put ourselves in a position to be subject to it. I will not be dictated to or threatened by a foreign government.

Art. 83 of the GDPR details this. Art. 78 details what rights you have against them imposing a fine.

People keep saying things like this, and yet neither article a) requires that a warning be issued before they seek a fine or b) limits fines in any way, except for a top cap of $10 million/$20 million (or percentages of revenue, but the caps are more than 100% of the revenue of most companies).

I would love for someone to just say “yes, technically there are no required warnings or limits other than the $10/$20 million”. Because that’s the only true statement that there is about GDPR fines.


>I don’t have to pick either. My company is not subject to the GDPR, and we will never put ourselves in a position to be subject to it.

Canada, Japan and some other countries, and even the US, have indicated that they will copy the GDPR, if not in letter then at least in spirit, though the US response is a lot weaker.

>I will not be dictated to or threatened by a foreign government.

The US is a foreign government and does it all the time to me, why is it a problem now?

>I would love for someone to just say “yes, technically there are no required warnings or limits other than the $10/$20 million”. Because that’s the only true statement that there is about GDPR fines.

You won't have that. The GDPR has a strict guideline on how to impose fines; it's not a law and won't be enforced as such. The regulatory bodies have bite because large players like Facebook or Equifax that leak large amounts of user data require more than an angry letter in their mailbox.

As these articles mention, the agency imposing a fine should think seriously about the level of the fine and ensure it's appropriate. If you get hacked by a 0-day, you followed the advice of your regulatory body, your shit gets leaked and you inform your users immediately, it's very unlikely anything will happen.

If you get hacked because you didn't update your MySQL server in 5 years, you ignored what your regulatory agency said and you don't tell your users, don't expect them to go easy on you.

Easy as that. If you don't like it you can sue back and get the fine reduced or rescinded.

People keep saying all of this. Again, there is absolutely nothing enshrined in GDPR limiting fines, other than $10/20 million. It says they should consider some things when determining the fine. But (for example) one of the 28 countries could decide that in their country, the lowest level fines are “only” $5 million, and they go up from there based on the factors they are supposed to consider. That would still be enough to destroy most businesses.

You cannot tell me that there is anything limiting the fines (other than the cap) because it isn’t written. You’re saying that you hope and think that each of the 28 governments involved here will be reasonable, but in truth you have no way of knowing, and they have every incentive to not be reasonable.

I hope that my government won't do this. As an EU citizen I only have to care about the one in my country.

Again, if you think the fine you got is too heavy you can escalate this to the courts (even EU courts).

There is also no incentive for the regulatory agency to impose such fines if the business cannot pay them. In that case they would get less or even nothing as the business collapses and it has not been the modus operandi in any EU regulatory body I know or experienced.

If they aren't reasonable then the EU courts will make them reasonable, or the EU will add additional paragraphs to the GDPR to prevent excessive fines. Simple as that.