by g_sch 2556 days ago
Perhaps this shouldn't be surprising, but what this site makes clear to me is that GDPR enforcement is more lax on major companies than many people expected, and more severe on private individuals.

For all the breathless reporting of how GDPR would ruin companies financially by levying fines on worldwide revenue, there is exactly one fine listed that exceeds 400k EUR. Granted, it's 50MM EUR to Google, but that's still a drop in the bucket compared to Google's worldwide revenue.

On the other hand, commenters below have pointed out that some private individuals have received fines in the hundreds to thousands of EUR for actions such as "using Cc instead of Bcc in emails" and "using a dashcam". I agree that these are privacy lapses but it's pretty unfortunate to see the power of the state used for these purposes rather than bringing serial data privacy abusers in line.

3 comments

This could be a case of enforcement against large companies taking longer to conduct, given the complex nature of the cases and the resources of the legal teams involved. My understanding is that a lot of stuff is pending before the Irish data protection agency.
That certainly plays a role, especially as soon as courts get involved (or will get involved), see e.g. the pre-GDPR cases against Facebook still bouncing around the Irish court system. Smaller cases can be handled without international coordination, the facts are often easy to determine, ..., which makes them faster to process.

And the rules about international coordination mean other countries have to wait for Ireland in many cases.

This is a good point! Hadn't thought of that.
GDPR hasn't been in effect for a long time and a big case against Google and similar companies isn't easy. Doing this needs in-depth research in the ways they process data and through the terms, which were written by highly paid lawyers. Doing this right is hard and if the goal is not to make money but to improve privacy there is value in pushing them in a political way over fighting long court cases - during which they probably won't change a bit.

Also there is this rule that primary responsibility is in the country where the corporation has their European legal headquarters, and for many that is Ireland, and the Irish government prefers getting 0.5% in taxes for those corporations over having issues with them and having them move to Malta or something.

Except that of course it wasn't about "using Cc instead of Bcc in emails" but using CC instead of BCC in mailing lists with hundreds of recipients and also not about "using a dashcam" but using a dashcam illegally, which in itself can imply a much higher fine in some European countries regardless of GDPR. So not as benign as you are trying to make it sound.
I honestly don't see how "using a dashcam illegally" is such a big deal, nor how "hundreds of recipients" on an email are a big deal. The email list seemed to be just rants.

I wish they would tell what the harm of both of those actually was.

Traffic tickets don't require harm to be actually done either. It's potentially the same kind of thing, at least for the dashcam case.
But shouldn't the fine then be using the dashcam law and not GDPR?
The analogy was that GDPR fines, similar to other administrative fines (which was the term that had escaped me) like traffic tickets, do not require damage to be shown (although it plays a role in setting the amount of the fine) - unlike e.g. cases pressing for damages, brought by a wronged party, would be.

The law regarding dash cams (if there is an explicit one, I don't know enough about the situation in Austria) might just declare it a privacy violation, and thus defer to the enforcement mechanisms created by GDPR.

Yes, makes sense. I think in the case of Austria, there are fines specified for dashcams, so it's interesting they decided to use the GDPR instead.