by TomVDB 2556 days ago
Last year, when GDPR was heavily discussed, people were criticizing those who decided to just stop their small hobby websites because of the potential GDPR exposure.

The argument back then was that they were overreacting, that we didn't understand how Europe works, that you'd only get fined after repeated warnings about violating procedures etc.

I'm sure the private person was dumb for doing what he did, but that doesn't invalidate the general point: unless you're sure that you can afford making these kinds of mistakes, don't provide a service on the internet that might be used by EU citizens.

The benefits, whatever they might be, just don't justify the risks.


Except we see just the fine. We have no idea how many attempts and warnings to get them to comply were sent first. It wasn't one email, it was multiple emails, multiple times over months.

This site makes no mention of warnings and escalations, and the ICO at least doesn't normally announce that for individual cases. Though they do put out aggregate stats. Where they have, fines are clearly shown as arising in a small minority of cases.

There are other examples at least from Germany where no warning or time to rectify was given, just a fine.

https://iapp.org/news/a/germanys-first-fine-under-the-gdpr-o...

800k email records and passwords in plain text when breached. I don't know how big Knuddels are, so I don't know if that fine sounds lenient, right or high. Yet as it's a large breach it seems fitting of no warning first, considering the scale of negligence, mitigated by their "exemplary cooperation" afterwards.

Which goes to show why the regulators get the discretion to decide appropriate action from warning only to maximum fine. Without context and aggravating and mitigating factors we can't know, which was my point. If a penalty is disproportionate there's well worn appeal tracks.

Other comments seem to point to the small case in OP comment being some guy running a list to harass people, which seems like a huge aggravating factor to me. Maybe he got one warning, maybe in context he didn't deserve even that.

> We have no idea how many attempts and warnings to get them to comply were sent first.

True. But I doubt that even the most ruthlessly efficient GDPR enforcement authority could send multiple enforcement requests between mid July and end July.

Why are multiple requests needed? You do shit, you get a request to stop it, you don't do it, you get hit with a fine. How many requests do you expect the authorities to send? 5? 10? 100? If I get summoned to court and don't follow it I get a fine. How is this any different?
Sure, but offences between July and September 2018, and convicted Feb 2019 only against the small sub selection in July.

There's potential time for quite a few ignored warnings before prosecution, but I don't know and can't find out from here if or if not.

They almost certainly got complaints from the users on that list. You tend to get a pretty swift response from that.

Very likely that they just ignored it.

> unless you're sure that you can afford making these kinds of mistakes, don't provide a service on the internet

DOT

sounds good

What does DOT mean?
.
Thanks, I thought it was some acronym.
What does . mean?
It is used for several purposes, the most frequent of which is to mark the end of a declaratory sentence. (why are we doing this?)
I thought English uses PERIOD to verbally mark the end of a declaratory sentence, not DOT. That's probably where the confusion comes from.
Everybody makes mistakes. Which makes GDPR a recipe to hand over whatever remains of the Internet to only the corporations that can afford to pay for them.
Sure, but there are different kinds of mistakes. A surgeon can make a mistake, but it's a different kind of mistake if, instead of a surgeon, a plumber cuts the patient with a kitchen knife.

I agree it's a difficult problem and it's hard to define boundaries, but some level of competence is welcome when handling data that belongs to other people.

If you start some internet service, I expect you not to lose my data (in some lame way, s.h.), just like I expect my car mechanic not to destroy my engine.

edit: to give it context, I closed my programming website with thousands of active users that I had for almost 20 years because of GDPR, I'm not a big fan of it, but what I like even less is when complete incompetence when handling personal data results in zero consequences

Yes, people make mistakes. And by deciding to create a business around other people's personal information some mistakes are bad enough to merit a fine.

All sorts of civil offences and crimes can be mistakes. While "it was an accident" might lower the penalty it doesn't negate the fact the mistake was made and people might have been hurt.

The idea that we should hold companies that profit off people's personal data blameless if they manage to "make a slip-up" with it is absurd. The only other industry where we accept those kinds of mistakes is Wall Street and we all know how well that policy has gone.

>deciding to create a business around other people's personal information

>profit off people's personal data

Have you "decided to create a business around destroying the environment" and "profit off CO2 emissions" because your office is heated in the winter? GDPR is not specific to the adtech or data brokerage industries.

Yes, climate change effects would probably be a more accurate analogy -- but many people are very much against carbon tax schemes so it felt best to avoid that comparison.
I used to have a website that did stuff with GPS data that was uploaded by users.

It was purely a hobby affair that was a net loss, but Google ads ($10 per month) reduced the cost somewhat.

Those ads probably made it a for profit business.

I shut the thing down before GDPR, but if I hadn’t it surely would have been an excellent reason to do so.

Those are the kind of websites that you lose.

I consider that a loss.

GDPR doesn't prevent you from collecting personal data. It only requires you to have a clear reason for collecting everything and being transparent about what data is collected and how it is processed.
The examples here make clear that "a clear reason for collecting everything" means an ironclad justification for each field, each bit of precision, each minute of retention. That is not a casual thing. As in, one of the fines here is for retaining a phone number to fulfill a need to communicate, when postal mail could have worked instead.

It is doable, if you have the lawyers and the time. But that's not a degree of scrutiny you want to gamble your life savings on for a personal project.

Why could GDPR possibly make someone shutdown such a website?

Pure FUD.

EDIT: Downvotes don't change reality. The OP is spreading FUD.

Edit: unless the website was actually abusing users privacy in which case I'm glad it is gone.

Well, suppose he does some transformation involving position. GPS points also have altitude in them. He neglects to sanitize altitude at the point of collection, and is therefore collecting and retaining more data than necessary to perform the service. He plots positions on a relatively zoomed-out map. Only the first six significant figures make a perceptible difference in the map position, but he retains the same precision that was uploaded, usually higher. Again, failure to minimize. Worse, he enabled automated periodic VM snapshots with his VPS provider, so is not properly complying with deletion requests.

Now he has "decided to build a business around profiting from the abuse of personal data" and the consensus in this thread looks on his destruction with glee.
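The failure modes described above (altitude kept because nobody stripped it, coordinates stored at whatever precision the phone sent) are the kind that an ingestion step can rule out mechanically. The following is an added example, not code from the site discussed in the thread or from anyone in it: a hypothetical upload handler that allowlists the fields the service actually uses, derives the number of retained decimals from the resolution the map needs, and discards everything else before it reaches storage. Field names (`lat`, `lon`, `alt`, `hdop`, `device_id`, `t`), the sample upload and the 111,320 m-per-degree figure are assumptions made for the example. It does not address the VM-snapshot retention problem; that has to be fixed on the storage side.

```python
"""Data minimisation at the point of collection for uploaded GPS points.

Added example for a hypothetical hobby GPS service; field names and the
sample upload are constructed, not taken from any real site.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Allowlist of fields the service actually needs. Anything else in the
# upload (altitude, HDOP, device identifier, ...) is dropped before it is
# ever written anywhere, so it cannot be retained by accident.
RETAINED_FIELDS = ("lat", "lon", "t")

# Approximate ground distance of one degree of latitude (assumption; fine
# for deciding how many decimals a map at a given zoom level needs).
METRES_PER_DEGREE_LAT = 111_320.0


@dataclass(frozen=True)
class MinimisedPoint:
    lat: float
    lon: float
    t: int  # upload timestamp, seconds since the epoch, kept as sent


def ground_resolution_metres(decimals: int) -> float:
    """Ground distance represented by one unit of the last retained decimal."""
    return METRES_PER_DEGREE_LAT / (10 ** decimals)


def decimals_for_resolution(target_metres: float) -> int:
    """Smallest number of decimal places at least as fine as the map needs.

    Retaining more decimals than this stores precision the service never
    uses, which is exactly the "failure to minimise" the thread describes.
    """
    decimals = 0
    while ground_resolution_metres(decimals) > target_metres:
        decimals += 1
    return decimals


def minimise_point(raw: dict, decimals: int) -> MinimisedPoint:
    """Keep only allowlisted fields and round coordinates to `decimals` places."""
    missing = [f for f in RETAINED_FIELDS if f not in raw]
    if missing:
        raise ValueError(f"upload missing required fields: {missing}")
    lat = round(float(raw["lat"]), decimals)
    lon = round(float(raw["lon"]), decimals)
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinate out of range")
    # Constructing the dataclass from named fields is what drops altitude,
    # HDOP and the device id: there is nowhere for them to go.
    return MinimisedPoint(lat=lat, lon=lon, t=int(raw["t"]))


def ingest(upload: Iterable[dict], map_resolution_metres: float) -> List[MinimisedPoint]:
    """Minimise every point of an upload for a map of the given resolution."""
    decimals = decimals_for_resolution(map_resolution_metres)
    return [minimise_point(p, decimals) for p in upload]


# Constructed sample upload: roughly what a phone app sends, including
# altitude and a device identifier the service has no use for.
SAMPLE_UPLOAD = [
    {"lat": 51.50735123, "lon": -0.12775829, "alt": 11.3, "hdop": 0.9,
     "device_id": "constructed-0001", "t": 1551000000},
    {"lat": 51.50741987, "lon": -0.12769001, "alt": 12.1, "hdop": 1.1,
     "device_id": "constructed-0001", "t": 1551000030},
]


if __name__ == "__main__":
    # A map where nothing finer than ~15 m is visible needs four decimals.
    for point in ingest(SAMPLE_UPLOAD, map_resolution_metres=15.0):
        print(point)
```

The important design choice is that the retained shape is a fixed type with three fields, rather than the raw dict with some keys deleted: a new field added by a future app version is dropped automatically instead of being silently stored. Rounding happens before range validation so that the value that is checked is the value that is kept.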

You receive an email with a request for a privacy statement? Great, one way or the other, that's work with potential legal repercussion, which means you probably should talk to a lawyer. Additional expenses and hassle for no good reason.

You make a fix in the email system that accidentally emails everybody at the same time? (It almost happened.) Oops. There's your exposure to some nice fine.

You don't need to be abusing somebody's privacy to be concerned about legal exposure. Just like there are asshole companies, there are asshole users as well who can make your life miserable.

Any hobbyist who doesn't take this kind of exposure into consideration is naive.

That's a pretty weak argument in and of itself. Many crimes are mistakes.
Similarly, many simple mistakes shouldn’t be treated as a crime.
If you make a mistake and you do so honestly, not out of malice, and fix it, you are very unlikely to get a fine - you will get guidance and a warning. Unless you are being egregiously slipshod.
Storing user names and passwords in plain text when you have several hundred thousand users is not an "honest mistake" in 2019. In other fields a commercial entity failing basic security practices can be considered criminally negligent.
That's absurd. Talking purely about the UK right now: there were tens of thousands of cases logged with the ICO since GDPR came into force. So far, there were only a handful of companies that had to pay fines, and their actions were either borderline criminal, or deliberate refusal to cooperate with the ICO.