by merinowool 2954 days ago
> would be a potential target of regulators looking to establish precedents of enforcement with a big name.

Shouldn't law apply equally to everyone? One could have thought that setting an example "to show them!" wouldn't have occurred in a civilised country.

4 comments

In a world of limited resources, it makes sense that regulators would pursue enforcement against entities that impact a large number of people.
In such a world, it would make more sense to limit the scope of the law until enforcement can catch up. Minimally enforced laws that are enforced subjectively are problematic regardless of why.
Are you suggesting that the US government suspend income tax while they hire enough people in the IRS to go through every individual's tax return?
No, I'm suggesting they don't add any more compliance rules with new punishments unless they staff up.
Minimal enforcement can be used to make everyone a criminal. You then selectively apply the law against people you don’t like.

Taxation (I would hope) is not minimally enforced.

It's a union, not a country and it definitely won't go after big players with any kind of prejudice. It will go after those who flout the regulation, big and small.

Because it's the EU and not some other Union.

Regulators only have so many hours in the day. Prioritizing high visibility infringers can persuade lower visibility infringers to get into compliance.
Not sure how they could persuade if they won't go after lower visibility infringers? I can't follow your logic.
No one said "they won't go after small timers". Hitting the big players hard makes everyone wary of violating and they will absolutely catch some small fish as well.

It's just silly to expect any enforcement body to go after everyone equally. It doesn't even make sense; company A has data on 1.5B people, company B has data on 27 people and the owner's mother. Why would you go after B before A?

They have said this.

a) they have said they don't want to punish companies for the sake of it, they want to use it as an incentive to fundamentally change the approach to the handling of user data. This means not suing tiny companies for more money than they are worth.

b) they have said that the standards will roughly increase with the size of the company and resources it has. A company with 27 users (and few employees) would not be expected to have a data protection officer, or many of the control processes that a company with data on 1.5B people would.

I think everyone is talking about the UK's ICO, which is just 1 of the 28. We have heard nothing from others and it's best not to make assumptions - the ICO may be following different rules in a year.
True, some of this is more from the UK ICO, but some is from the official guidance from the EU.
> This means not suing tiny companies for more money than they are worth.

Which effectively kills that company even if the court finds their violation was minimal.

I never said they wouldn't. But showing that they're willing to go after infringers is easier when you use high visibility cases to do it.
https://jacquesmattheij.com/gdpr-hysteria

Setting an example is how the US regulators work, not so much the EU.