by kazen44 2945 days ago
sigh..

the 4% is the maximum fine allowed.. it's not a minimum..

this FUD is getting idiotic.


Actually, the maximum fine is 4% of revenue or €20m, whichever is more. For a small business or organization, the 4% number isn't the scary one.

You can say that in practice this would never happen, but calling it FUD also doesn't seem right since the regulation is super vague and only mentions maximum fines, not likely actual fines.

> the 4% is the maximum fine allowed.. it's not a minimum..

I think it's always safe to assume the worst from bureaucrats. Especially when no sentencing guidelines exist.

> I think it's always safe to assume the worst from bureaucrats.

No it isn't. As a law-abiding web developer, I have had frequent contact with European data protection authorities for many years. Without exception, they have been thoughtful, reasonable and gone out of their way to help me comply with the regulations.

The regulatory authorities exist to ensure compliance, nothing more. They are not a revenue-generating scheme or a Kafkaesque bureaucracy.

The GDPR explicitly states that penalties must be proportionate and sets out no fewer than eleven factors that must be considered before any penalty is issued. It also explicitly establishes a mechanism for ensuring that enforcement is consistent across all member states, by means of the European Data Protection Board. The regulations simply do not allow a member state to "go rogue" and start handing out €20m fines for trivial infractions.

https://gdpr-info.eu/art-83-gdpr/

https://gdpr-info.eu/chapter-7/

> The GDPR explicitly states that penalties must be proportionate

Proportionate to what? The max fine is 4% of revenue or $20 million dollars, whichever is larger.

So is it proportionate to the $20 million dollar fine? If my infraction was small they can just fine me a small proportionate fine of 1% of the maximum.

Why couldn't the EU bureaucrats have stated in clear terms what infractions would receive what fines? Why couldn't they have released a sentencing guideline? And there will be 28 countries applying this law and setting fines in a thousand different ways.

> They are not a revenue-generating scheme or a Kafkaesque bureaucracy.

This law is absolutely Kafkaesque and you can't point to any written case law or section of the law that can concretely dispel my doubts since it does not exist. All you and other posters can do is state that I'm spreading FUD and give me feel-good assertions about how I can trust in the benevolent EU bureaucracy and that I should have faith in the system. Can you not understand why I can't take that seriously when millions of dollars and my entire way of life are at stake?

> Why couldn't the EU bureaucrats have stated in clear terms what infractions would receive what fines? Why couldn't they have released a sentencing guideline? And there will be 28 countries applying this law and setting fines in a thousand different

"So, using customer email addresses for marketing lists and not infringing any other way is worth a 0.1% of revenue fine, but our analysts project a 0.5% increase in revenue from our marketing list, so let's do it anyway". It's to give authorities scope to punish organisations making calculations like the above, more than "Your local library decided to tell everyone who took out a book last year about their new book club, not realising it's an illegal use of personal data".

And you are allowed to take it to the European court if you think the fine is bullshit. And if you don't already know, the European court doesn't take bullshit very well.

Anyway, all regulatory instances are working together (in a group named G29, imagination is not their strength) to draw up guidelines for fines and warnings. They will also discuss ongoing cases together (to avoid multiple prosecutions, I guess). If you are not trying to cheat data from your customers and if your security is up to date, you risk nothing.