At the time of the GDPRpocalypse last year, there were a lot of discussions here, and a lot of FUD being slung around about how if your US website wasn't 100% GDPR-compliant you'd be handcuffed if you set foot in an EU airport bla bla bla, or that minor infractions would incur the maximum penalty of millions of euro, bankrupting your awesome adtech startup bla bla bla. Most of it was fueled by the clash between US and EU jurisprudence; the legal systems are actually pretty different. Some of us argued that no, this is not the apocalypse, the law says that fines will be proportionate, and the various national agencies will work with you to ensure you are compliant. And unless you willfully do the kind of shady shit the law is meant to protect against, you're fine. Seems we were right. This list looks pretty sane to me, with one exception. 250k€ for using the microphones of all users of an app to spy and determine if they were in a pub that showed football matches without a license. Fuck yeah. 400k€ for a hospital that had effectively unrestricted access to all patient files for all staff. Yes. What would the HIPAA-equivalent fine be? 1400€ for a police officer abusing systems doing lookups for personal gain. Yes. 170k€ for a school district allowing public access to personal data of all minor-aged students. Yes, yes, yes. The one exception is the fine on Google in France. This is purely a political bullshit game over control and loss of control.
Arguably, and so far.
There are sites that just block requests from the EU, there's a difficult-to-measure chilling effect on small businesses, and just because nobody's been hanged over it in year one doesn't mean it won't be abused, oppressive, or have other negative unintended consequences in the future.