by pmiller2 1866 days ago
That's the thing that really gets me. GDPR fines can be anywhere from 2-4% of annual revenue (not profit, revenue), yet none have even come close. I guarantee you if you took 4% of Facebook's gross revenue right off the top, they'd notice.

For 2020, their gross revenue was just shy of $86B, so, 2-4% of that would be about $1.7-3.4B. Considering that 2020 EBITDA was $39.5B, that would represent 4-8% of their profits.

Tell me that's not going to affect the stock price. Because that's what you need to do to actually get these companies to do something is materially affect their stock price and piss off the shareholders.

5 comments

Some weeks ago, I saw a comment on HN[0] that made me think. It presented an argument for the current level of fines for all kinds of white-collar mischief being sufficient. The reasoning as I remember it was along the lines of:

- The fines are usually attached to an order to stop the activity in question. This leads to the misbehavior being corrected, because a company continuing their practice against the order will be committing a much more serious offense.

- Such "slap in the wrist" fine clearly establishes a particular practice to be illegal, which influences decision making process in other companies. When considering whether to walk a legal tightrope, there's a world of difference between theoretical liability and a clear example of someone else landing in hot water for doing that same thing.

Put like that, it sounds reasonable to me if fines start at a low level (regardless of the public's opinion of the offender).

I'm posting it here not because I agree[1], but in hopes that someone can point to evidence for or against this approach working. Do companies continue to do the things they were fined for in the jurisdictions they were fined for? Are other companies opting to engage in a behavior after someone else in the same jurisdiction was fined for it?

--

[0] - Can't find it now :(.

[1] - I have no opinion just yet. I thought about it a little, and I realized that from a game theory point of view, you'd expect a company threatened with the 2-4% annual revenue level fine to put up an expensive fight, not to protect the behavior in question, but to contest the fine itself. This adds another point in favor of this view.

> Such "slap in the wrist" fine clearly establishes a particular practice to be illegal, which influences decision making process in other companies.

> Put like that, it sounds reasonable to me if fines start at a low level

This is fine if you want a low level of compliance from businesses. I.e. if you want them to ask for forgiveness later and preferably not get caught. Because slap-on-the-wrist fines are not something that will ever appear in a risk calculation in any meaningful amount, illegal behaviour will be tolerated within the company, and only corrected upon getting caught once. Because only the subsequent fine might hurt. Meaning that you entice all your companies into covert illegal behaviour.

If, on the other hand, the first fine really hurts, you get deterrence. Meaning that catching a fine is seen as a business risk, and the company will try to avoid getting fined in proportion to the amount. Behaviour will be more legal-by-default and seeking permission.

Which one is desired is a matter of public policy, and it isn't binary in the amount and may be different for different laws and behaviours. I personally prefer the latter.

> Put like that, it sounds reasonable to me if fines start at a low level (regardless of the public's opinion of the offender).

The real reason fines are never crippling is because they would not be paid, there would be endless back and forth in courts for what could be decades, with the authorities always being less prepared and less funded for such a battle. So they take what they can get away with. Then there's the aspect of giving a large fine and hitting vital interests of a major company from another country... You're inviting some form of nation level retaliation sooner or later.

All the calculated proceeds resulting from an illegal activity should be clawed back if this is to ever solve anything. Keep in mind that we're not talking about actions that are suddenly declared illegal, we're talking about actions that were illegal all along and the company was officially found guilty of that. Not guaranteeing an overall loss for the company if they're caught means the worst that can happen is they lose some of the profit. This is literally just "the cost of doing business" and proliferates.

> The real reason fines are never crippling is because they would not be paid

And then Facebook, WhatsApp and Instagram cease to be a thing in Germany.

At least, that would be nice, but the politicians that would impose that are probably too attached to their Instagram dog photos.

A crippling kind of fine would have to be applied by the EU, not by one country. The EU is a big enough market that withdrawing would do even more damage since the company still has to pay the fine but without a good chunk of their market, which they now handed off to rivals or newcomers. Look at VW who hasn't withdrawn from the US market despite the absolutely massive fines.

The difference is the US never shies away from leveraging their top position in a way the EU is simply not able to. So while the EU will leave VW out to dry when they're caught with their hand in the cookie jar, the US is all but guaranteed to apply as much pressure as it takes to protect their interests. I have seen the process repeatedly and nobody will ever be allowed to hit any US interest without massive retaliation. The proof is in front of you, there's no single instance of a major fine paid by a US company in the EU. The largest fine was the one applied to Apple (~$15bn), it's still being contested, and Apple pretty much just agreed to pay a part of the taxes they owed instead (not all, and not the fine).

The fine FB got for the way they lied about the WhatsApp deal was... $122m.

Sounds a lot like the saying that it's easy to keep honest people honest. But that's about keeping people to rules that, for all practical concerns, have been there forever. Regulation is often dealing with quite the opposite. When you decide one day that it's not ok anymore for a chemicals plant to just dump spent reagents in the river it's about changing behavior, not about preventing bad habits from forming. That makes it much harder.

Another question is how closely the behavior in question is related to the income streams: the chemical plant won't sell less if they avoid unprocessed dumping. Chances are they can even convert part of their waste into sellable side-products. And if a hotel chain had a little side income from selling Wifi communication metadata to ad networks they could stop doing so any time without changing the tiniest thing in their core business besides some minor numbers in the balance sheet. But Facebook doesn't have any business outside of ad targeting and telling them to stop some forms of data collection almost seems like an attempt at winning over Henry Morgan to peaceful cargo transport.

Consider the use of fines in changing private people's behavior. Get a $5 fine for parking in a fire lane? You're probably not going to think twice about it. Get a $500 fine? Or they take a % of your income? You will think hard before parking where you're not supposed to.

I think parent's point was: a $5 fine for the first time anyone ever parks in a fire lane would be reasonable (not the first ever parking ticket, but the first of that particular type). It may have been obvious already that it's wrong, but now it's been tested in the courts the precedent is much stronger. So long as fines for things violating obvious legal precedent are closer to that $500 mark then that would be enough to stop further offenses (by original party and others).

Like the parent comment, I'm not saying I agree or that this represents the actual situation here.

> [0] - Can't find it now :(.

Was it this comment?

https://news.ycombinator.com/item?id=26832852

If the fine was $1.7-3.4B, you can expect Facebook to spend $1.6999-3.3999B on undoing that (or have already spent preventing that, e.g. front pages on newspapers for Apple's ATT feature in iOS 14.5). Looking at a forces perspective, Facebook has more weight/incentive behind it because they stand to lose a lot of money, Zuckerberg will be managing the situation. Governments work with none of these pressures or systems. Yesterday, I got back a complaint I submitted to the ICO (Information Commissioner's Office) in February 2021, asking for more information/data. Responding to my complaint in that quality should've only taken less than 5 minutes.

The courts are not going to push up towards the upper limit of that unless someone does something extremely shockingly bad, because otherwise they have no room for a graduated response if something worse comes along.

It'll take time - if politicians see the fines that get applied are too modest, hopefully there will be steps taken to firm up the criteria or increase the amounts.

Almost no organisation / judge / regulator / ... will hit someone with the full fine immediately. This is an incentive to comply not an attempt at killing the company. It seems to work since I haven't heard of a GDPR ruling being repeated for the same offence so far. I expect the fine would just go up.

Taking away a few percent of a company's profit, while still leaving a quite substantial profit margin is not "killing the company." There needs to be some teeth behind these fines to make companies respect them. You may not have heard of repeat fines for the same offense, but all that shows is that they fix things after they're pointed out. Wouldn't it be better if they thought about how they're handling people's data before they got caught doing it wrong?

Somebody needs to be made an example of, and a company like Facebook that not only can absorb the hit but is not well known for respecting people's privacy is a great target, IMO.

Are you sure you can apply it like that? My understanding is that there is no Facebook Global that you can fine citing these revenues but some local branch Facebook CountryName will get the fine with only local revenue. Therefore expecting fines of 1.7-3.4B is somewhat unrealistic I believe.

I'm sure they report their revenue like that, so, yeah, probably?