by notafraudster 2556 days ago
I support this fine in principle. Maybe not the magnitude, maybe not without a warning, and of course a three liner isn't enough context to be sure.

But using CC instead of BCC causes a massive leak of personal information, especially when either the subject being discussed or the people on the list are sensitive. In my life this has mostly been annoyance at large org stuff, but my wife has had this happen with a sensitive medical practice and we were not in the US so HIPAA did not apply.

I don't think fines are the only solution, of course. But I think fines should be on the table and it's easy for me to imagine a circumstance where 2k euro would be appropriate.

2 comments
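The leak described in the post above comes from putting every recipient into a header that all of them can read. The following added example (not code from the thread or from any project it mentions) shows a mailing-list sender that keeps recipients in Bcc, alongside the Cc version that exposes them, and a pre-send check that rejects a message whose visible headers carry more than one third-party address. The addresses, the sender and the `max_visible` threshold are constructed assumptions for the demo.

```python
"""Keeping mailing-list recipients out of headers that other recipients can read,
plus a pre-send gate that flags the Cc-instead-of-Bcc mistake.

Added example; addresses and the policy threshold are constructed for the demo."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample list; in the scenario discussed these would be patients or members.
RECIPIENTS = ["alice@example.org", "bob@example.net", "carol@example.com"]
SENDER = "clinic-noreply@example.invalid"  # constructed placeholder address


def build_announcement(recipients, subject, body):
    """Correct form: all recipients in Bcc, To carries only the sending address,
    so no recipient learns who else is on the list."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_leaky_announcement(recipients, subject, body):
    """The mistake from the thread: the whole list placed in Cc."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will be able to read: To + Cc, minus the sender."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = {addr.lower() for _, addr in getaddresses(raw) if addr}
    addrs.discard(SENDER.lower())
    return sorted(addrs)


def check_recipient_exposure(msg, max_visible=1):
    """Pre-send gate: (ok, reason). Fails when more than max_visible third-party
    addresses appear in headers that recipients can see."""
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        return False, f"{len(visible)} recipient addresses exposed in To/Cc; use Bcc"
    return True, "ok"


def send_for_delivery(msg):
    """Stand-in for an SMTP submission: collect the envelope recipients from
    To/Cc/Bcc, then drop the Bcc header (as smtplib.send_message also does)
    so it never reaches the recipients. Returns the envelope list."""
    envelope = [addr for _, addr in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])) if addr]
    del msg["Bcc"]
    return envelope


if __name__ == "__main__":
    for builder in (build_announcement, build_leaky_announcement):
        m = builder(RECIPIENTS, "Appointment reminders", "See attached schedule.")
        print(builder.__name__, check_recipient_exposure(m))
```

The gate is deliberately simple: a message addressed to one person plus the sender passes, a list addressed in Cc does not. Wiring it in front of whatever actually submits to SMTP turns the mistake from a breach into a rejected send.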

There were multiple warnings and the guy was a repeated offender. He had already been fined earlier.
Last year, when GDPR was heavily discussed, people were criticizing those who decided to just stop their small hobby websites because of the potential GDPR exposure.

The argument back then was that they were overreacting, that we didn't understand how Europe works, that you'd only get fined after repeated warnings about violating procedures etc.

I'm sure the private person was dumb for doing what he did, but that doesn't invalidate the general point: unless you're sure that you can afford making these kinds of mistakes, don't provide a service on the internet that might be used by EU citizens.

The benefits, whatever they might be, just don't justify the risks.

Except we see just the fine. We have no idea how many attempts and warnings to get them to comply were sent first. It wasn't one email, it was multiple emails, multiple times over months.

This site makes no mention of warnings and escalations, and ICO at least doesn't normally announce that for individual cases. Though they do put out aggregate stats. When they do, fines are clearly shown as arising in a small minority of cases.

There are other examples at least from Germany where no warning or time to rectify was given, just a fine.

https://iapp.org/news/a/germanys-first-fine-under-the-gdpr-o...

800k email records and passwords in plain text when breached. I don't know how big Knuddels are, so I don't know if that fine sounds lenient, right or high. Yet as it's a large breach it seems fitting of no warning first, considering the scale of negligence, mitigated by their "exemplary cooperation" afterwards.

Which goes to show why the regulators get the discretion to decide appropriate action from warning only to maximum fine. Without context and aggravating and mitigating factors we can't know, which was my point. If a penalty is disproportionate there are well-worn appeal tracks.

Other comments seem to point to the small case in OP comment being some guy running a list to harass people, which seems like a huge aggravating factor to me. Maybe he got one warning, maybe in context he didn't deserve even that.

> We have no idea how many attempts and warnings to get them to comply were sent first.

True. But I doubt that even the most ruthlessly efficient GDPR enforcement authority could send multiple enforcement requests between mid July and end July.

Why are multiple requests needed? You do shit, you get a request to stop it, you don't do it, you get hit with a fine. How many requests do you expect the authorities to send? 5? 10? 100? If I get summoned to court and don't follow it I get a fine. How is this any different?
Sure, but offences between July and September 2018, and convicted Feb 2019 only against the small sub-selection in July.

There's potential time for quite a few ignored warnings before prosecution, but I don't know and can't find out from here if or if not.

They almost certainly got complaints from the users on that list. You tend to get a pretty swift response from that.

Very likely that they just ignored it.

> unless you're sure you that can afford making these kinds of mistakes, don't provide a service on the internet

DOT

sounds good

What does DOT mean?
.
Thanks, I thought it was some acronym.
What does . mean?
It is used for several purposes, the most frequent of which is to mark the end of a declaratory sentence. (why are we doing this?)
Everybody makes mistakes. Which makes GDPR a recipe to hand over whatever remains of the Internet to only corporations that can afford to pay for them.
Sure, but there are different kinds of mistakes. A surgeon can make a mistake, but it's a different kind of mistake if instead of a surgeon, a plumber cuts the patient with a kitchen knife.

I agree it's a difficult problem and it's hard to define boundaries, but some level of competence is welcome when handling data that belongs to other people.

If you start some internet service, I expect you not to lose my data (in some lame way, s.h.), just like I expect my car mechanic not to destroy my engine.

edit: to give it context, I closed my programming website with thousands of active users that I had for almost 20 years because of GDPR. I'm not a big fan of it, but what I like even less is when complete incompetence in handling personal data results in zero consequences.

Yes, people make mistakes. And by deciding to create a business around other people's personal information some mistakes are bad enough to merit a fine.

All sorts of civil offences and crimes can be mistakes. While "it was an accident" might lower the penalty it doesn't negate the fact the mistake was made and people might have been hurt.

The idea that we should hold companies that profit off people's personal data blameless if they manage to "make a slip-up" with it is absurd. The only other industry where we accept those kinds of mistakes is Wall Street and we all know how well that policy has gone.

>deciding to create a business around other people's personal information

>profit off people's personal data

Have you "decided to create a business around destroying the environment" and "profit off CO2 emissions" because your office is heated in the winter? GDPR is not specific to the adtech or data brokerage industries.

Yes, climate change effects would probably be a more accurate analogy -- but many people are very much against carbon tax schemes so it felt best to avoid that comparison.
I used to have a website that did stuff with GPS data that was uploaded by users.

It was purely a hobby affair that was a net loss, but Google ads ($10 per month) reduced the cost somewhat.

Those ads probably made it a for profit business.

I shut the thing down before GDPR, but if I hadn’t it surely would have been an excellent reason to do so.

Those are the kind of websites that you lose.

I consider that a loss.

GDPR doesn't prevent you from collecting personal data. It only requires you to have a clear reason for collecting everything and being transparent about what data is collected and how it is processed.
Why could GDPR possibly make someone shut down such a website?

Pure FUD.

EDIT: Downvotes don't change reality. The OP is spreading FUD.

Edit: unless the website was actually abusing users' privacy, in which case I'm glad it is gone.

That's a pretty weak argument in and of itself. Many crimes are mistakes.
Similarly, many simple mistakes shouldn’t be treated as a crime.
If you make a mistake and you do so honestly, not out of malice, and fix it, you are very unlikely to get a fine - you will get guidance and a warning. Unless you are being egregiously slipshod.
Storing user names and passwords in plain text when you have several hundred thousand users is not an "honest mistake" in 2019. In other fields a commercial entity failing basic security practices can be considered criminally negligent.
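The comment above draws the line at plaintext password storage. As an added example (not code from the thread or from the breached service), here is what the baseline looks like in the Python standard library: a salted, memory-hard password hash with a self-describing record format, constant-time verification, and a small audit that picks out rows still holding a raw password. The scrypt cost parameters and the sample user rows are constructed choices for the demo.

```python
"""Salted scrypt password storage with a self-describing record, constant-time
verification, and an audit for plaintext rows.

Added example; cost parameters and sample rows are constructed for the demo."""
import base64
import binascii
import hashlib
import hmac
import os

SCHEME = "scrypt"
N, R, P = 2 ** 14, 8, 1   # CPU/memory cost (about 16 MiB); raise N as hardware allows
DKLEN = 32


def hash_password(password, salt=None):
    """Return a record like $scrypt$n=16384,r=8,p=1$<salt>$<digest>.
    A fresh random salt per user means identical passwords get different records."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"${SCHEME}$n={N},r={R},p={P}${b64(salt)}${b64(digest)}"


def verify_password(password, stored):
    """Recompute with the parameters stored in the record and compare in constant time.
    Anything that is not a well-formed record (e.g. a raw password) fails closed."""
    try:
        _, scheme, params, salt_b64, digest_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        kv = dict(item.split("=") for item in params.split(","))
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(kv["n"]), r=int(kv["r"]), p=int(kv["p"]),
                                   dklen=len(expected))
    except (ValueError, KeyError, binascii.Error):
        return False
    return hmac.compare_digest(candidate, expected)


def audit_credentials(rows):
    """Return usernames whose stored credential is not a recognised hash record,
    i.e. rows that would read as passwords if the table leaked."""
    return [user for user, cred in rows if not cred.startswith(f"${SCHEME}$")]


# Constructed sample "users table": one row stored properly, one as in the breach described.
USERS = [
    ("alice", hash_password("correct horse battery staple")),
    ("bob", "hunter2"),
]

if __name__ == "__main__":
    print("plaintext rows:", audit_credentials(USERS))
    print("alice login ok:", verify_password("correct horse battery staple", USERS[0][1]))
```

The record carries its own parameters, so the cost can be raised later and old rows re-hashed on next successful login without a flag day; the audit is the kind of check that turns "we stored passwords in plain text" into a finding before a breach rather than after.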
That's absurd. Talking purely about the UK right now: there were tens of thousands of cases logged with ICO since GDPR came into power. So far, there were only a handful of companies that had to pay fines and their actions were either borderline criminal, or deliberate refusal to cooperate with ICO.