TBH most food & construction safety laws are way more small business friendly than the GDPR. Food safety has a well defined relatively easy to follow rule set and food inspectors come in and give you a food safety rating, which you can work on and improve. It won't destroy a small mom & pop restaurant with a $million fine.
For construction, you build your building to 'code', an inspector comes in and stamps the building and then you're done. If you're not code compliant, then you can correct without much penalty at all, not get a $million penalty, and you don't have to go to court or get lawyers. Making your own shack in your backyard isn't an arduous process as far as code compliance goes.
Since most software is constantly modified and edited, I don't think the construction model really works. More the food safety one or a data fiduciary one.
Is the 20M EUR maximum reduced by law, or just by regulatory discretion? The USA is currently demonstrating (with DACA, marijuana enforcement, etc.) the fragility of the latter.
The law explicitly lists factors the regulators have to take into account for determining the fine. If they give a large fine for a small infringement, they're going to have a hard time claiming they properly took all factors in your favor into account.
From what I've seen, it's partially like in the US - each EU member has its own data protection authority which imposes those fines, but they are more closely linked than the US states' laws. I can definitely see some EU countries slacking off on enforcing, or being less/more harsh than the others.
But 20 million is possible right? Even for a small offence? Where in the actual text of the law does it say that they will never impose the maximum fine for a trivial or minor offence?
It actually doesn’t say that. This law has the effect of small business essentially needing a 20 million insurance policy to protect against the possible whims of an overzealous regulator? It’s either insure yourself for 20 million or risk losing your entire business over potentially a trivial matter.
When people in the UK have been jailed 8 months over traffic cameras or prosecuted and jailed for speech, I wouldn’t give a European government the benefit of any doubt. Willingly inviting an unelected regulator, accountable to nothing but the letter of a badly written law created by another unelected government body — that’s just foolish.
It’s probably not possible. I wouldn’t map the (EU) GDPR onto how a US-like legal system works. E.g. it’s very unlikely that the regulator seeks maximum penalties in the EU, and worst case you could go to court arguing that a penalty is non-proportional compared to other cases (and win).
Don't use people's personal data and don't allow others to spy on your users (ads, analytics, ...) and you won't need to do anything.
Work in best interest of your users and you will be compliant. I don't think that this is harder than food safety regulations.
By the way, the technology is changing fast and a strictly defined law with "do"s and "don't"s would be downplayed in weeks. That's why GDPR is conceptual (and that's why everyone is pissed off, as they can't downplay it - how many sites have you seen that are giving you a fair cookie choice?)
And in food or construction if you willfully break the law then that can be criminal and you will face severe fines and/or jail. It's all about your intent.
It absolutely is, see as an example Art 83, "General conditions for imposing administrative fines", which has at point b "the intentional or negligent character of the infringement".