While not “automatically applied,” what part of what you linked to says they won’t use their discretion to assess the maximum penalty in most situations? What stops them?
There are no rules in what you linked to that would prevent or even deter maximum fines in every single case. The only limits imposed are $10 million for lower level fines and $20 million for upper level (or percentages of revenue, whichever is higher - the static amount will always be higher for smaller businesses).
Edit: to those downvoting this (and all of my other comments) - this comment contains only facts. So please show me where it says that there are circumstances under which they must fine you less than the maximum. Otherwise there is nothing to downvote.
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
I think this highlights the EU vs US perspective on Government nicely
In the EU you tend to trust your bureaucrats to make a "Fair and Just" application of the law
In the US we tend to expect our bureaucrats to be vindictive, corrupt, petty, and generally impose fines and penalties not based on the law but based on their personal feelings about the target of their "legal action"
Thus such open-ended wording like you posted being classified as a "rule" scares the shit out of most Americans
> I think this highlights the EU vs US perspective on Government nicely
And the differences in the legal systems specifically. I think this is why a lot of HN commentators are finding the GDPR vague. In the US rule-based regulations are the norm. For better or worse this tends to allow those with clever lawyers to search for loopholes. UK law is much more principle-based, which means trying to abuse the exact wording is not going to save you from a fine, and equally a technical breach of wording is not going to get you prosecuted. It's not just the civil servants that we trust with this, it is the judges too.
In the US we have learned that trusting government normally does not work out well for the citizens of that nation... you end up putting people in jail for Tweets and Jokes ;)
Explicit criteria existing deter maximum fines, since it opens up the authorities to counter-claims that they did not take criteria in your favor into account.
To most small businesses, whether the fine is $5 million or $20 million doesn’t matter - they still can’t pay it. So if some of these factors are considered and “only” $5 or $7 million is assessed, that’s still a company killer.
Under what circumstances are you expecting to receive a $5m fine? To me (who is assessing this risk at a UK SME) the idea of an SME receiving this kind of fine is absurd. As the poster above said, the law asks for proportionate fines.
The big number max fines in GDPR are there to deal with companies like Google and Facebook who can write off $5m as a rounding error.
People who have been fined at all under the existing DPA, being enforced by the very same people as GDPR, have been negligent, repeat offenders. I don't believe anyone has ever received the maximum fine under the existing regulations. That just isn't how UK law works.
They need tax revenue, jobs for their citizens, and goods and services that their citizens want?? It doesn't even make sense for them to run around, shutting down every business they can. It would hurt them.
Some people just accept it when someone says they won’t do something that they totally can.
I know, it doesn’t really make sense. If someone tells me “well it says that we can do that if you go by what’s on paper, but we wouldn’t actually do that”, then change it so that it says on paper that you won’t, or I’m inclined to think that you totally will, because you totally can.