by nsjames 823 days ago
Interesting to see the correlation between size of a company and their fine. ORANGE spain for instance got a 200,000 EUR fine, but some local physician only got 1,500.
4 comments

That tracks with European regulatory enforcement practices.

Every time a new EU regulation is discussed on HN, people are up in arms about the "maximum fines", and some replace the "maximum" with "mandatory".

Fines need to be reasonable and proportional and that is not optional if they should survive a court case.

The big fines are a tool used to bring global conglomerates into compliance.

Yeah that makes a lot of sense, I guess I had just never thought of it that way.
If you review what the GDPR is and what an expected fine is according to the law itself, this is exactly what you would expect to see. Its maximum penalty is related to the company's annual, worldwide revenue.

From https://gdpr.eu/fines/:

> The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. (emphasis theirs, well, bold not italics, but yeah.)

Key words: "up to".

Meta/Facebook/WhatsApp was fined about 2.4 billion (6 out of top 10 fines), but still nowhere near close to the maximum (which would be about 54 billion).

Were you expecting something different?
The US law firms and compliance consultants were scaremongering a lot around these fines (after all, they got paid for consulting there and making sure this is as scary as possible).
To be fair, in the US regulations seem to be thought of as something enforced against smaller companies while larger companies can afford expensive lawyers to sidestep them. The difference is that EU privacy law can't easily be sidestepped because it specifically targets these large companies.

OTOH this might just be a case of "temporarily inconvenienced billionaire" logic or the same fear mongering as "if we raise minimum wage you won't be able to afford rent".

I had no expectations tbh. Was a pleasant surprise.
What surprised me was the UK MoD. 400,000
Details at https://ico.org.uk/about-the-ico/media-centre/news-and-blogs...

That was an error with potentially very grave consequences, but it seems the MoD handled it well once they were aware of it (“Soon after the data breach, the MoD contacted the people affected asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form. The MoD also conducted an internal investigation, made a statement in Parliament about the data breach, and updated the ARAP’s email policies and processes, including implementing a ‘second pair of eyes’ policy for the ARAP team when sending emails to multiple external recipients”).

I don’t think a larger fine would have made them do better, so why make it higher?

That sounds like a fine that was the maximum under the pre-GDPR regime, rather than the GDPR-era penalty regime. If the offence took place before the new rules were in force, the old penalties apply, even if the case takes some time to be resolved.
The violation happened in 2021. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs...

I'm actually surprised the ICO can fine the UK government. This can't happen in France, for instance.