The cases that make the news with 100 million dollar fines to trillion dollar companies are just the ones in which the prosecution can't even reach someone at the company, because 100 million dollars is a drop in the bucket not worth looking at.
Most of the time, when somebody contacts you because of these issues, you have 30 days to comply, and if you discover that the problem is bigger than anticipated, these deadlines can be negotiated.
The point of the laws in the EU isn't to collect fines, but rather to make sure that everyone complies. You don't win much by going to trial and letting the other party explain why complying in 30 days is physically impossible.
So as long as the other party is willing to comply, the first attorney letter gets things moving, and then the issue is resolved.
> The cases that make the news with 100 million dollar fines to trillion dollar companies are just the ones in which the prosecution can't even reach someone at the company, because 100 million dollars is a drop in the bucket not worth looking at.
Is this true? I thought they were based on a % of global revenue and that definitely hurts.
That's the upper limit, not a minimum requirement. Levying the full 4% of global income is something that's reserved for those who blatantly refuse to comply with orders of their respective DPO or repeat offenders.
The maximum fine allowed by GDPR is "10 million or 2% of global revenue, whichever is higher". The goal is to ensure the GDPR "has teeth" even against companies for whom 10 million is a drop in the bucket.
Keep in mind that large parts of the GDPR were already law in many EU countries, meaning there's years' worth of enforcement activity that you can look up to see how similar laws were enforced.
And mostly that has not been "handing out the biggest fines possible" and more "fines scaled to how grossly you violate the regulation". Companies who try their best to follow the law, have good processes and respond promptly get a slap on the wrist or even just a warning if they remedy the issue fast. Companies that blatantly violate the law and stonewall regulators get the harsh fines.
The purpose of these laws isn't to penalise, it's to ensure compliance. Giving them some time to figure out what they can and can't keep is a fair compromise. Anything else is really just bullying.
If they were fined, people would be here saying "just the cost of doing business".
As far as I understand, that is what everyone caught violating these laws gets at first: a warning pointing out the issues and a time frame to fix those. The real trouble only starts if you fail to meet the deadline or get caught again afterwards.
> Is it really so refreshing that they get away with breaking regulations, seemingly without any sort of penalty?
It doesn’t appear that they’re getting away with anything? It’s the first offence, so they get a reasonable period to address the issue and fix things. Give them not enough time and they complain about the regulators being unreasonable.
And it’s certainly refreshing compared to what happens in other America or Australia which is “basically nothing”.
> The watchdog ordered Europol to erase data held for more than six months and gave it a year to sort out what could be lawfully kept.
They even get a year to figure out in what way they broke the law, to legally keep as much data as possible.