Laws that are stupid and not widely enforced because they are stupid are damaging to the entire concept of law. Particularly if they can hang over like a sword of Damocles if you piss off the wrong people.
The law will be enforced, just as current data protection is.
The law can be enforced without every case attracting the maximum penalty. That's why nearly every law has a range of penalties.
Accidental and minor breaches can attract a minor penalty or a letter asking you try harder. Wilful and repeated breaches affecting many customers will attract harsher penalties.
Same goes for speeding offences - go 40 in a 30 limit, get a fixed penalty ticket. go 140 with the GoPro race footage of you and your buddy posted to twitter expect a much larger fine and a driving ban.
In neither instance is it not enforced, or damaging to the concept of law.
I don't think that people like you and people like me will ever agree in these discussions because you look at statistics and I look at possibilities.
What @megaman22 is saying fully matches my experience as an Eastern European -- piss off the wrong people and the law will fall on you with its full might. Some people would really love to make an example out of you if you give them the chance. And I don't think that only applies to E.E. but have no data either way, it's just an observation from news and hearsay from affected people around here.
I fully support the GDPR and I'll do my utmost to comply with it even for hobby projects.
That was never something I disputed in my root comment that spawned this big sub-thread.
What I said and will continue saying is -- laws like these open even more doors for legal trolls, big players and nasty competitors to exhaust you out of business. The fact that it doesn't happen on a massive scale in my eyes means nothing; or rather, it means that agents used as an example to scare off others isn't something that's done often because usually just a few lawsuits and their aftermath are plenty enough for those many others to get the message.
So IMO using statistics here is not a strong enough argument. I am not trying to alter your thinking. We actually agree on most points but I simply can't agree that past statistics are a good proof that the new law won't be used in a more heavy-handed manner than originally intended.
To me, that remains to be seen yet and none of us can claim with certainty that what seems likely to them will materialize.
Almost missed this thanks to the incorrectly flagged message up thread.
> I don't think that people like you and people like me will ever agree in these discussions because you look at statistics and I look at possibilities.
You may be right in our chances of agreement!
I see a judiciary separate from state which is more than happy to put politicians back in their box when they introduce bad or overreaching law. Governments of all colours complain about the judiciary and Lords here in the UK - which I see as proof that the separation basically still works. I see data protection bodies that are separate from government and politics. I see occasional stories of record fines or breaches from mainly Western Europe and talk to friends and conclude small business and solo developers are not being fined or trolled into oblivion in nearby countries either. Yet EU DPA is most of what GDPR is with smaller maximum fines. Why isn't the disaster scenario you foresee already happening with current DPA and other laws? Why are so few fined for breaches and only the most extreme cases getting fines?
I'm less aware of justice systems further east and yes it's obvious that former Soviet bloc are going to be rightly more sensitive to and concerned about corruption. I'm also not aware how successfully that's been left behind from adopting EU laws and years of membership. That said, reading the pieces that turn up on HN it seems that the US is the one with problems of corruption in the justice system currently. No doubt that's also unrepresentative thanks to what's being shared about a vast nation.
So, the legal trolls - it's going to be registrars and data protection bodies bringing cases or seeking sanctions. Just like happens with current DPA. This does not appear to be akin, or anywhere near, the US DMCA where large media companies massively abuse takedowns via automated software and triggering numerous trivial errors. I don't see the scope to exhaust someone out of business - yet it's clearly easy with DMCA. There's nothing a Sony can abuse to pick on a little guy with GDPR - they can report me to the registrar.
You're right that it remains to be seen, but I sincerely doubt our data protection bodies are suddenly going to break out thumb screws and bring orders of magnitude more cases when they've kept fines for the final, extreme, and rare sanction til now.
I honestly expect that just as I feel more should have attracted fines and sanctions under DPA I'll find that GDPR is also being too lightly applied. We'll see. I've been wrong on the internet before. :)
The speed limit analogy is terrible. Or maybe perfect, for my point.
Because speed limits are not enforced, everyone goes somewhere between 5 and 15 mph over, all the time. But catch a pissy cop, or one in a town that uses speed traps as a revenue source, and you can get pinched for hundreds of dollars arbitrarily. Yeah, the jackhole that burns tire at 110 past a school-zone is most likely to get pinched, but almost everyone on the road could.
