by downandout 2953 days ago
Says some random dude on the Internet that seems to be a tremendous fan of GDPR. I prefer to base my understanding of laws on the text of the law. This one says that no warnings are required and that fines can be up to 20M EUR.
5 comments

>> Says some random dude on the Internet that seems to be a tremendous fan of GDPR.

Let's be a little self-conscious here, shall we?

Of all the articles on HN that discuss the GDPR that I've read, I've found one that you didn't contribute to, and your contributions never show an "understanding of laws based on the text of the law". For instance, you have consistently claimed that there will be 28 (btw, not 27) different interpretations of the law, completely disregarding entire articles devoted to the consistent application of the Regulation, which, as a regulation, does not need to be made into local law and is applicable across the bloc.

You are clearly on a warpath against the GDPR, which is perfectly fine of course; yet at the same time you accuse jacquesm of being a "tremendous fan of the GDPR". If you can express your opinion despite having an agenda, so can he - and he seems to be much better informed of the law than you are.

Edit: Just to clarify, I don't have some axe to grind against you. You're one of the few users whose handle I recognise because your comments in GDPR threads stand out so much in their fervour and because there are so many of them.

I’m not on the warpath, but I will consistently dispute rosy predictions about the “good natured enforcers” (a direct quote from Jacques) of GDPR. No law or regulation this easy to violate, with fines this large, that claims extraterritorial powers, has ever not been abused, and this will be no exception.

With regard to your claim that it will not be subject to unique interpretations in each country within the EU, that simply isn’t true. Each country will have its own enforcement agencies. They’ll enforce it in different ways, and to different degrees. Since this regulation is so vague, it simply isn’t possible that they will all interpret and enforce it in the same way.

You seem to be in Jacques' corner, claiming that our new self-appointed privacy overlords will be perfectly coordinated and "good natured". As someone with quite a bit of experience dealing with government agencies, I can tell you that few of those that seek out relatively low-paying government jobs where the primary perk is having power over other people are "good natured". There will be abuses.

The good news is that D-Day is here, and now we can all stop arguing and watch to see whose predictions come true.

Neither of you is right. The EU is not going to go out guns blazing with $20m fines for small companies. They're also not going to host a drum circle for companies to harmoniously join the movement towards better user privacy. They're going to get some big fines out there on big companies (who doesn't love free money) and also go after smaller companies actively doing bad things with user data. Yes, they could, but in the same way that the person standing at the bus with you could punch you in the face. It might happen, but realistically, it probably won't, and you're probably not actively prepping for it.

As Jacques and I have also said; that simply means panic, and it is not needed. You maybe do not live in the EU, but the letter of the law is not such a thing here as it might be in the US (and although punishment is harsher and often far harsher than it is here, the US also looks at intent). The EU is not going to punish any company that has the intent to offer its users privacy under this law but made some mistakes or forgot things. They made this especially vague simply because a) we know they are not going to blanket destroy all violators anyway (we have had many crazy vague laws for many decades; no one cares) b) if someone is clearly violating (and I am looking at you, obfuscating user-tracking ad companies who, until now, got around previous regulations by moving servers to other countries and other tricks) they want to be able to enforce, no matter what. This is all very clearly based on user intent, not the letter of the law. It might be incredibly hard for citizens of litigious countries to understand, but we have been living all our lives (and it differs per country as well) with this.

That's the recipe for political enforcement of draconian laws. It's especially dangerous for big foreign American companies, which are perfect for politicians to demagogue about. I would not bet the business on any extra-legal grace from their bureaucracy.

"Political enforcement of draconian laws"... like how the US uses its extra-territorial law to fine US businesses' competitors (banks, industry...)? ;-) It's funny to see how the US way of mixing law and business is terrifying when others may use it too, no? Anyway: it hasn't been how Europe worked until now, so relax. The French regulator said, for example, that it won't strictly enforce the regulation... because... well... EU companies aren't more ready than US ones. And they'll have to be.
The US paving the way for such practices is not exactly reassurance. If the laws are so complex nobody is capable of operating within them, the result is a police state. Being subject to arrest at any time because the law of the land explicitly gives the government that power or because it is so byzantine that nobody can know all of it works out to the same thing in the end.

Your argument seems to be that a police state where the authorities have a lighter touch is preferable. That's obviously true compared to a draconian police state, but it's a police state either way.

Under existing law companies can be fined somewhat ridiculous amounts for data breaches and essentially never are, so why exactly would the enforcement strategy change for the GDPR? Maximum sentences just aren't an EU thing; nobody gets them unless they're wilfully causing damage to people and this isn't their first time. I don't know if America does things differently, but based on what I know, it doesn't: maximum fines and sentences are essentially never passed out there either.

Where do you see the "no warnings are required"?

Article 58 says that fines can be issued along with, or in place of, other enforcement action. That isn't "no warnings". Plus, if you read the text of the law you would note that it is very clear that the size of the fine is dependent on 11 factors, many of which revolve around future compliance and efforts made by the business to resolve the breach and show willingness to comply.