by pavlov 2670 days ago
GDPR specifies fines up to 4% of annual global turnover or 20 million euros, whichever is greater. That seems like plenty enough bite, if it were enforced.

Why does an unprofitable 1-person tiny business get a bankrupting (identical) fine as a profitable 1000-employee firm with $500m in turnover?
It doesn't. Those numbers are upper limits. Just like with traffic tickets and other fines, the actual amount is left to judgement.
If this were true then why have upper limits at all? The only reason I can think of is to protect large corporations.
> If this were true then why have upper limits at all?

Because while the rulemaker believes that there is a range of potentially reasonable judgments based on particular circumstances, they do not believe that range is unbounded.

> The only reason I can think of is to protect large corporations.

The fixed minimum upper limit of $20 million is actually probably to prevent (or limit the effect of) large corporations using smaller subsidiaries and fancy accounting for GDPR-risky activities, rather than the upper limit protecting large corps.

For two reasons:

1. To prevent cruel and unusual punishment.

2. To set expectations about the seriousness of the infraction in the eyes of the law.

I am not a lawyer or a legal scholar, so I'm sure there are more reasons.

“up to” and “equal to” are not the same.

When a store says “Everything up to 50% off”, that doesn't mean everything is half price.

> up to

I think that is the catch?