[hopeless]

A lot of people complained that GDPR was too onerous on small firms and that they should be exempt. According to LinkedIn https://ie.linkedin.com/company/exactis-llc Exactis has just 10 employees (obviously some error possible. Call it 15-20?)

Now do you think small firms can’t hold large quantities of damaging data?

[Normal_gaussian]

notably in the UK the size of a company is determined not just on employee numbers, but on turnover as well. For example in UK Government guidance on lodging company accounts with Companies House[0] it says:

"There are thresholds for turnover, balance sheet total (meaning the total of the fixed and current assets) and the average number of employees, which determine whether your company is a micro-entity, small or medium-sized."

And there are different requirements for each

[0] https://www.gov.uk/government/publications/life-of-a-company...

[lucb1e]

That sounds a lot like "I told you so" tone when I still disagree with you. But in case you're here to talk about it and not just to assert your version of the truth, no, I don't think anyone ever claimed that small corps are a loophole. Then big corps would just delegate it to a shell company and be done with it. European law is, to the best of my knowledge, fairly reasonable: if you do something wrong regarding privacy either because you didn't know (like, you tried to follow GDPR but missed something) or do a small thing, you won't get ridiculous fines. But if you're a 10 person company working with huge amounts of personal data and you were grossly negligent, then of course they'll look at that differently from a 10 man company that produces pencils for retailers and incorrectly stored customer's delivery addresses.

[faho]

What I'd love to know is how much of that is codified law (as in in the actual act) as opposed to just expected to come from reasonable courts.

[hydrox24]

Courts will always base their decisions on case law, and I suspect that you can reasonably expect a certain kind of GDPR case law to arise, given what the standing case law is already.

[raarts]

The EU has a civil law system where the US has a common law system.

Common law gives judges an active role in developing rules; civil law is based on fixed codes and statutes.

Case law is not binding in the EU.

[chimeracoder]

> Common law gives judges an active role in developing rules; civil law is based on fixed codes and statutes.

This is a dramatic and misleading oversimplification. Under civil law systems, judges still do have great leeway with interpreting and applying regulations. And under common law, it's not really true that judges have an active role in developing rules - they have the ability to interpret them in the contexts of cases which come up, but they don't legislate. The closest thing that they can do (aside from overturning provisions) is to introduce limitations or tests on existing law that is challenged, but even then they're mostly only allowed to do that to the extent that they are using the tests to connect the law back to the Constitution or other existing legislation.

Case law is not binding in civil law (at least not to the same degree as it is under common law), but does definitely play a significant role.

Furthermore, it's flat-out wrong to say that "case law is not binding in the EU". The Republic of Ireland and the UK both use common law, under which case law is binding. Not only are UK court decisions are enforceable across the entire EU, but UK law is actually the jurisdiction for a lot of contracts and agreements within the EU, similar to how New York is the chosen jurisdiction for a lot of contracts or even international treaties that are enforced worldwide, whether or not the parties are based in New York.

Even if you're referring specifically to legislation passed by the European Parliament itself, it's still not really correct to say that case law isn't binding. The European Parliament is an international body held together by international treaties, and while EU courts might have decided to use civil law in interpreting legislation passed by the European Pariament itself, that doesn't mean that case law does not come into play, either in countries with common law systems or even in countries with civil law systems. It's way more complicated than that.

This is, incidentally, one of the problems that Brexit is currently introducing: it's unclear whether parties that have elected to govern their contracts under UK law will continue to be able to do so with the expectation of enforceability.

[ijidak]

Wow. Thank you for explaining that. I've never fully understood the distinction between the two.

[lvh]

There is no doctrine of stare decisis in EU courts. Case law is not binding. Further complicated by the huge number of courts that might hear a case, dependent on the DPA.

[JeanMarcS]

The French CNIL just fined an association for 75,000 € for a leak in their data.

It was a 2017 case, but I guess it will reflect what can happen ?

[vertex-four]

Can you link to this? Searching for "CNIL", "75,000" and "2017" doesn't turn up anything useful.

[delroth]

https://www.lexpress.fr/actualites/1/styles/protection-des-d...

tl;dr: a non-profit got fined 75K€ because their website leaked 42,562 private documents from their users. Anyone could modify numbers in the URL and read other users' documents. The documents included passports, tax information, identity documents, and more.

EDIT: better source: https://www.cnil.fr/fr/sanction-de-75-000-euros-pour-une-att...

[nerdponx]

On HN, it's people associated with businesses in the latter category that seem to be complaining the most.

[aalleavitch]

What if gross negligence is the industry standard?

[tjoff]

That's when you introduce laws (GDPR) to try and change course.

[eli]

The "you won't get big fines if you try your best" thing isn't in the law. I believe you that it is probably true, but it relies on the reasonableness of all current and future regulators. I don't like that.

[arrrg]

It is in the law. It’s one of the basic principles of law.

By its very nature, however, you cannot nail such a thing down and define it precisely beforehand.

[eli]

The law only says regulators should think about your intentions when assessing penalties (among many other factors).

Is there anything stopping a regulator from deciding an unintentional violation is "only" a company-destroying 5M euro fine instead of the full 10M? In fact, couldn't it still be a 10M fine? Or should I expect to be let off with a warning? Seems like I'm depending on the good will of the regulators of every single EU member state...

I do not think it's impossible to write a law that says fines for minor and unintentional violations are limited by statue.

[seandougall]

That's what makes me nervous about interpretation of GDPR. The EU has 28 member states. Let's say each one of them has a 90% probability of their regulators being reasonable at any given time. Does that mean the chances of the regulators on the whole being reasonable are 0.9^28? (In other words, about 5%?)

As an outsider, I would love to hear that that's not how it works. Do the member states have any checks on each other's enforcement?

[mygo]

I think the root of the argument about small firms was not about employee count, but that small firms typically do not have the resources to comply. But what is Exactis’ annual profit? Maybe they did have the financial resources.

[callalex]

If you don’t have the resources to be a good steward of a dataset, you don’t have the resources to gather and store that data in the first place, even if it may seem easy to do so.

[mygo]

I would agree.