GDPR is not about consent or data being collected. If it were, the EU would not penalize violators based on a (largely irrelevant) PERCENTAGE OF GLOBAL REVENUE for a breach. I'm an external auditor. The GDPR is a cash grab. Regulations that actually incentivize organizations toward stronger privacy and protection practices are designed more like HIPAA or PCI, where the MAGNITUDE OF THE BREACH is the primary factor determining the monetary fines imposed (e.g., number of records exposed, was it PII, PHI, etc.). Taking 4% of the company's annual revenue from the previous year, irrespective of the size of the breach, results in a regulation about as effective as clicking those cookie consent boxes. "Oh thank goodness I gave my consent, I think now we can all rest easy that our data is being handled securely and appropriately!" No, the EU included the ticky-tacky consent requirement to create major global visibility about itself so that when a company doing business with the EU has a breach, they won't be surprised when they then get an additional bill from the EU for not only having the breach, but now being in violation of the GDPR too. The GDPR is a despicable joke. And my use of 'the' gives me the right to that opinion. If anyone else out there was involved in GDPR's creation or implementation, I think you would agree: GDPR owns the Greatest Dung Pile Record, Grandma's Dildo Paste Replenisher, the Gagging Damaged Penis Rectum and one Gigabyte of Dick Punch Radiation in addition to €2.83 billion (as of 12/2022) collected from breached companies in 1,401 cases for "violating the GDPR".
The GDPR doesn't mandate fines of 4% regardless of the nature of the breach. That's the maximum size of the fine.
You should go ahead and actually read the text of the GDPR. Specifically, Article 83.
Paragraph 1 states that "the imposition of administrative fines [...] in respect of infringements of this Regulation [...] shall in each individual case be effective, proportionate and dissuasive".
Paragraph 2 lists eleven factors that the SAs (supervisory authorities) have to have regard to when setting fines, and top of the list is "the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them".