by ohazi 2150 days ago
When are we going to admit that GDPR is a failure?

Asserting a bunch of rights around personal privacy is great, but I've yet to see any compelling evidence that the relevant courts and bureaucracies are capable of enforcing the law effectively. EVERYBODY is cheating.

Every time this is brought up on HN, the response is to wait for when the big fines start coming.

It's been two years. They're not coming.

6 comments

A lot of the work that is done to become and stay compliant with the GDPR is invisible from the outside, but I can assure you that most large companies and a lot of the smaller ones are taking it seriously.

The GDPR also has a "pull-in" effect on companies outside the EU that (often illegally) sell personal data, because their clients in the EU (the data controllers) have to prove that these companies (their data processors) adhere to the GDPR if they want to do business with them. If an EU company buys personal data from a company outside the EU or sends personal data to that company, they are liable if this data gets abused or if the personal data was not acquired in accordance with the GDPR. The whole "privacy shield" mess was about the question of whether EU companies can still send personal data to the US based on a self-certification process US companies go through (turns out they can't).

Some of the data brokers already feel this pressure and will be forced to change their business models unless they want to lose their clients within the EU. Sure there are still EU companies that do business with these data brokers today, but most of them know that they're exposing themselves to considerable risk and are already looking for alternatives.

Some pretty big fines have been issued already. See:

https://www.enforcementtracker.com/

Over time I expect them to go up further as companies can no longer claim they did not have enough time or were not aware of the law (that never was a defense anyway but DPAs tend to be lenient. So far).

Since the GDPR has come into effect I see in my practice that companies are a lot more aware of their responsibilities towards their users and have better processes and security in place. Is it perfect? Not by a long shot, but the improvement is immense, and as time goes by and more companies end up setting an example of how things should be done and those that don't end up getting fined, I expect this trend to continue.

What I like most about the GDPR is that it steers towards compliance, not towards making the lives of businesses unnecessarily harder.

Contrary to you I think the GDPR is a resounding success, the only thing that would make it much better still is if other areas of the world would take up similar legislation so the playing field would level.

I mean, I genuinely hope I'm wrong here, so I'm happy if other people are disagreeing with my interpretation.

I don't know.

From what I can understand of German/Google translate, the third from top:

https://www.enforcementtracker.com/

Link to .pdf:

https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20180927_DSB_D5...

is the Austrian authorities issuing a 300 Euro fine to a "common citizen" for making "illegal" use of a dashcam (it seems - but I am not sure about it - that the issue is that the car is not - how? - visibly marked as video recording?).

Anyone more familiar with German (and legal German) can clear the matter/explain?

Why would you pick that example, rather than the 16 million fine an Italian company received?

As a counter example to the "success" you mentioned.

Again, if I got it right, a "common user" got stung because of a dashcam.

The Italian example you refer to is actually a success, like most other ones. I was objecting not to the law in itself (that is IMHO a good one) but rather to how it is applied, here and there, in spots and seemingly in a random way.

The larger fines are starting to trickle through[0]; remember EU bureaucracy is usually less about flashy cases than in the US and more about giving people the tools to do the right thing.

[0]: https://www.enforcementtracker.com/

It's 350 cases in two years in an economic zone of 450m people though.

350 publicized cases; most cases are too small for the public to take note of.

This website contains a list and overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO). Our aim is to keep this list as up-to-date as possible. Since not all fines are made public, this list can of course never be complete, which is why we appreciate any indication of further GDPR fines and penalties.

I just read a bit on that site:

> The private person used a dashcam to make recordings of public road traffic and then published them on YouTube as a compilation.

What a PATHETIC thing this GDPR is. Fully agree that we should admit that GDPR is a massive failure (who would have thought!)

Greetings from a European.

> EVERYBODY is cheating.

All the big European companies I've worked for seemed to put lots of effort into complying.

Can individuals sue and go to court? Or do complaints have to pass through privacy regulators?

I’m curious how a class action hasn’t been formed around Verizon and Oath’s behaviour?

There's currently no equivalent of a class action suit under EU law, IIRC. Some jurisdictions within the EU have something equivalent, but there's nothing Union-wide. I vaguely recall some movement by the Commission to establish something like that a few years back, but I don't recall where it went.

So you say the intent is good, but the execution fails. What is your proposal that serves the same purpose?