> GDPR threatens website owners with fines of 4% of turnover or €20 million (whichever is higher) if they do not jump through a number of ambiguously-defined hoops.
Disregarding the "hoops" -- shouldn't this 4% go entirely to the affected users? I thought this was meant to protect the users. Seems like a cash-grab by the government. Can someone make a good argument as to why the fines should be paid to a third party (the state) when this issue is between the service provider and the customers?
The only thing I can think of is that the state is the only entity which can enforce the new rights, meaning they get paid for violations of the rights. Still, if someone threatens the integrity and privacy of your data, shouldn't the damages be paid to you?
Much like class action lawsuits, the end user doesn't make much. The lawyers or the state, which go to great expense, may recover their expenses, or they may not. The large punitive fine is to prevent the suits from ever happening in the first place.
> [...]Can someone make a good argument as to why the fines should be paid to a third party (the state) when this issue is between the service provider and the customers?[...]
The same reason you pay speeding tickets to the state instead of personally to each person living on the street you sped on, or who could otherwise have been directly affected by that specific occurrence of speeding. Or the same reason health inspection fines for restaurants in the US are paid to the city or state, not everyone who's ever visited the restaurant.
There's no concept in the GDPR that the violation only exists between the site and the users whose privacy it violated. Where are you getting that idea from?
> pay speeding tickets to the state instead of personally to each person living on the street you sped on
Roads are usually state-owned property, whereas your personal information is your property, right? If Alice mishandles Bob's property, why is Charlie getting paid for it?
> There's no concept in the GDPR that the violation only exists between the site and the users whose privacy it violated
Why not? The site-customer relationship is the only relevant one here. What prevents a profitable, large-scale data mining company from simply accepting the Max(4%,$20m) = 4% tax for mishandling data?
A $20m dollar fine would surely deter smaller actors, but the 4% fine doesn't seem like a deterrent for large-scale data-mining operations, which can be incredibly lucrative. For example, if Facebook had the choice between not using the data and making $60b per year, versus using the data and making $90b - .04 x $30b, wouldn't they accept the tax and continue using the data? If this is the case, I don't see GDPR making a big difference if the highest-market-share companies can "get away" with paying the fee.
This would increase the gap of viable profit models between smaller and larger companies, at the sole benefit of the state, with little, if any, benefit for the victims (the users). Of course, I am assuming that there is no criminal penalty for noncompliance. The government might think: why impose a criminal penalty if the state can simply tax large corporations for the mountains of profit they are making off of insights from personal data?
I think your questions come down to general European vs. US jurisprudence.
> If Alice mishandles Bob's property, why is Charlie getting paid for it?
If Alice and Bob both join Fight Club and have a consensual fight and one of them dies, even in the US the survivor will be charged by the state for that.
The reason is that certain violations aren't simply seen as person-to-person violations, but disturbances of the general order that have ripple effects on the rest of society.
European countries in general are more prone to seeing something like the violation of business law as being a crime against the state, not just a violation of the specific people who were victims in that specific instance.
It has upsides and downsides, but I think in general it's better than the US system. American companies tend to have to worry about compliance with regulators and the possibility of huge payouts from court cases filed by individuals. If you have a small company and screw something up (but not much more than other companies in general) you can go bankrupt mainly due to bad luck.
In Europe companies tend to mostly have to worry about just the regulators and the state, except in cases of gross negligence, which makes it easier to predict when you need to be compliant etc.
There's also the practical matter that the state has a lot more leverage against the likes of Facebook and can exercise collective bargaining. You can see how well this "your personal information is your property" idea is going in the US with the likes of Equifax, Facebook etc. In practice the little guy just has to eat the TOS of these services and doesn't have anything like a property right over his information.
As to your question of whether some companies will simply eat the 4% fine: we'll see, but that's a topic unrelated to who the fine is being paid to.
If some company like Facebook were to publicly flaunt the GDPR you can bet they'll find something else to charge them with. The GDPR isn't the only privacy regulation in effect; there's also various national regulations that could be brought to bear. The threat of the 4% fine is mainly intended as a big stick to bring companies into compliance.