
[flagged]



We've warned you many times not to do flamewars on HN. I don't want to ban you, but if you do this again, we're going to have to.

We detached this subthread from https://news.ycombinator.com/item?id=20279385 and marked it off-topic.


How is this a flame war, and how is it off topic? I'd like an explanation of both accusations please.


You went on and on about some tedious point and kept doing it long after it was clear no productive discussion would take place. Also, you've done this many times before on this particular topic. I don't have a way to stop you from doing that other than banning you, and I don't want to ban you. But if you can't or won't stop doing this, we're going to have to. So would you please stop doing this?


I am not sure how I was supposed to know, in advance, that “no productive discussion would take place”. I only mentioned facts, not my own opinions, so the outlandishly negative reaction was not predictable. It seems that I am being held to a different standard than others, because now I am supposed to somehow correctly forecast the reaction of people to factual information before I post it, or risk being banned. I don’t post here much anymore anyway. I will do my best to make this calculation going forward, however I do not see how I can be expected to do this with a great deal of accuracy, given the wide variety of people that use HN.

Also, you claim that you marked it as “off topic” even though it clearly wasn’t.


You don't need to predict that, just have the discretion not to keep feeding an argument once it has become repetitive and unproductive.

I meant that we marked it off-topic internally in our system, not that that would be visible publicly. Sorry for the confusion.


I explained in the next sentence what makes me expect this: "Many of the less serious ones I read explicitly mentioned warnings that were ignored."


Many, but not all of them said this. Given that GDPR has absolutely no requirement that warnings be issued, it is not reasonable to expect that warnings were issued and/or ignored in cases where it doesn’t specifically say this occurred.


You don't seem to have brought up any cases where we know that fines were imposed without a warning, nor any reason to believe this particular case was special.

If, out of all the cases that we do know whether warnings were issued, warnings were in fact issued in the vast majority of them (or even 100% of the known cases), then for a case where we don't know and have no reason to believe is special, isn't the reasonable assumption that it's not special and is no different from the other cases?


Once again, under GDPR, it is entirely legal to issue fines without a warning. Therefore, in any case where it does not say that there was a warning, one can reasonably assume that no warning occurred - especially given that in some cases (according to you, most cases) they did say something about a warning. The absence of the mention of a warning in this context implies that there wasn’t one.

The point is, and no one has been able to refute this, that warnings are not required under GDPR. Even if they have issued warnings in most cases thus far, it is still early days. As these actions under GDPR become more common, there is no guarantee that even those countries that have been issuing warnings first will continue to do so. The enforcement of regulations that have the potential to generate massive revenue streams for government entities tends to become increasingly aggressive and creative as time goes on.

I don’t understand why anyone, even those in favor of GDPR, would attempt to refute the black and white text of the law. No warnings are required under GDPR, and thus the potential exists for fines to be issued without warning. There is no argument or opinion to be interjected here. This is a binary fact. Are warnings required? No, warnings are not required. It’s that simple.


Once again under UK drug law it is entirely legal to send someone to prison for five years (I think) for an eighth of weed. Except it never happens. To get straight to a maximum penalty there would be very damning circumstances.

It's why we have regulators, judges and magistrates - to apply judgement and proportionality. Sure there's a few headline cases of some absurdly harsh sentence - and just about always the details reveal there were a lot of very damning circumstances that make the sentence seem pretty reasonable.

Do US judges rubber stamp a maximum sentence each and every time? No. Does every visit by police result in prosecution? No. Is every warning and scaling mechanism offenders get in the US expressed perfectly in statute? No. Otherwise you would have fired all the judges as surplus to requirements.

You're just spreading FUD. Understand the legal system in Europe before spreading such rubbish.


You appear to be spreading false rumors about them issuing warnings even though they don’t have to. When I organized the data on this site by fine amount, not a single case on the front page said anything about any of the companies fined having received a single warning.

So, by comparing this to legal situations where “it never happens” you are purposely misrepresenting the risk of receiving a fine under GDPR without any type of warning. While having an eighth of weed rarely if ever results in a 5 year sentence in the U.K., clearly not receiving a warning before being fined occurs quite frequently. You have made a false equivalence between these two things.


You need to read both of these, and you need to understand what they mean in the context of EU law.

https://gdpr-info.eu/art-58-gdpr/

https://gdpr-info.eu/art-83-gdpr/

You also need to remember that if the regulator has got it wrong there is a remedy available for the person being fined.

About cannabis: generally the first offence will receive a warning unless there are aggravating factors. Police are expected to take an escalating approach: 1st offence = warning, 2nd offence = penalty notice for disorder (which doesn't result in a criminal record if it's paid), 3rd offence = arrest followed by caution or charge and prosecution.


Neither of those links you pointed to say anything about warnings being required, or even customary for that matter.


Because you haven't understood the context of what the EU means when it says "proportionate".

Article 83 is basically a long list of reasons to avoid giving a fine but to give a warning instead.


Why would you expect a site built to report GDPR fines and penalties to report GDPR warnings?

ICO haven't yet released aggregate figures for GDPR, it's too soon. GDPR is a minor update of DPA, and they have released aggregate numbers on that for a while. Fines are levied in a tiny minority of cases. Warnings are far more common, as is steady escalation. The expectation here is the proportions will remain the same under GDPR.

On weed, actually no, because the default action for weed for the vast majority is just a warning. So no, it isn't clear that getting fined without warning first happens quite frequently, because that's also simply not true. You're very unlikely to see a court without a warning first.


>GDPR is a minor update of DPA

It is not a minor update[1]. The Information Commissioner's Office is extremely aware and vexed, given the current state of affairs, that Data Protection Act 2018 needs to be aligned as closely to the GDPR to allow for information to flow freely after Brexit (Article 45)[2][3].

Furthermore, ICO has not been the epitome of a regulatory body enforcing the law to its fullest extent, for which it has had the remit - by stopping businesses doing a runner or imposing maximum fines, neither has it had a good record on collecting the fines issued. Although, it has made a meal of some of the high profile rain-making cases which have already been in the public eye. It is ironic that there are no real details forthcoming from ICO and one has to resort to FoI requests to get any information on its previous escapades under DPA 98![4]

[1] https://www.dpocentre.com/difference-dpa2018-and-gdpr/

[2] https://gdpr-info.eu/art-45-gdpr/

[3] https://ico.org.uk/for-organisations/data-protection-and-bre...

[4] https://www.theregister.co.uk/2018/05/25/millions_of_pounds_...


That is an entirely different issue. GDPR is effectively an update of DPA 1998 that it replaces. Most is the same, definitions and scope are widened and modernised. A company that had implemented DPA(1998) was most of the way there for GDPR(2016). If you're going to get pedantic, DPA 1998 is one of the many implementations of EU's DPD 1995 as there is a fundamental difference between EU Regulation and EU Directive.

Clearly I am not calling GDPR (2016) a minor update of a subsequent law UK DPA (2018). That is UK's implementation of GDPR, which thanks to the stupidity that is Brexit may indeed have some issues interrelating with the EU. Probably the least of our issues, but still...

UK ICO's stance is fairly well known, but I don't think they can be held responsible for businesses that liquidate in the face of fine. That seems more likely to be an issue of UK company law.


>UK ICO's stance is fairly well known, but I don't think they can be held responsible for businesses that liquidate in the face of fine. That seems more likely to be an issue of UK company law.

You are confusing ICO's stance and responsibility with its reluctance to enforce powers, which have already been granted to them by the government, in order to pursue negligent cases and collect fines under the UK law.

The Insolvency Service has general powers to investigate both insolvent and active companies, including those companies that undertake direct marketing activities. If a director has deliberately acted to the detriment of the company and/or its creditors, action may be taken against the directors under the Insolvency Act 1986 or the Company Directors Disqualification Act (CDDA) 1986.


That's the Insolvency Service, which isn't ICO, and presumably they (IS) would have to instigate action. I've no idea how it interrelates with ICO's powers, but I'm completely outside my knowledge here.


No one is saying warnings are required. I said I expected one was given, because 1) it appears to be the common practice, and 2) it is the reasonable thing to do. So I doubt that this person would have been fined without a warning, but indeed, I have no way of knowing. That said, I'm open to the idea that perhaps the law should stipulate a warning, but perhaps the language around proportionality/reasonableness is sufficient.


> perhaps the language around proportionality/reasonableness is sufficient.

It is not. Those terms have enough legal leeway to drive a truck through.


> The absence of the mention of a warning in this context implies that there wasn’t one.

Why? Many of these summaries aren't official justifications of the fine, they're news clippings. What leads you to believe that if a warning was issued, the news would always mention it? They're not trying to justify the fine, they're trying to inform the public, and they can never include every detail, they always have to leave stuff out. What leads you to believe the news always mentions warnings if issued?

> I don’t understand why anyone, even those in favor of GDPR, would attempt to refute the black and white text of the law.

Literally no one in this thread has attempted that, and you incessantly repeating this strawman is why you're being repeatedly downvoted.


Huh? It does have this requirement:

Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive

When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

b) the intentional or negligent character of the infringement;

e) any relevant previous infringements by the controller or processor;

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;


I don't see anything in that text that requires a warning.


> (otherwise you wouldn’t be downvoting it, right?)

You're assigning a strawman to your downvotes. OP said "I expect" (not "There must have been"), and it is the usual procedure. It's not a _requirement_ as some bigger or more deliberate infringements may warrant an instant fine.


It is not a requirement, which is why nobody should have any expectation that they or anyone else will receive one before being slapped with a heavy fine.


It does not explicitly require warnings, but Art. 83 (https://gdpr-info.eu/art-83-gdpr/) requires that the authority, when deciding whether to impose a fine, takes into account a number of things. It would be hard to argue for an instant fine if the things listed in the article were favorable in a specific case.


It shouldn't need to be explicit when the enforcement agency has the discretion of deciding appropriate action and whether or not to prosecute. Otherwise there's no discretion and they become a rubber-stamp agency. By the same token UK law doesn't include warnings in the Acts for offences that almost always get a warning or caution on first offence, e.g. possession of class B drugs.

When you get to actual penalties, all EU law has the principle of proportionality under it, and has since about the sixties. I know it's written into some treaty or other. There's been countless appeals to the EU courts that some penalty or other was disproportionate.


> It does not explicitly require warnings

I think that’s all anyone needs to know.


Can you show that it is an outlier for a law to not require warnings to be given? I can think of many laws (road rules, all of criminal law) which don't require warnings to be given, but instead warnings are up to the discretion of police officers or courts.

Also, the EU is not the US. There is a very different culture and jurisprudence when it comes to proportionality of laws. If the GDPR was a US law, then I would also be concerned about the penalty guidelines. But it's not a US law, so bringing a US-centric mindset to the discussion causes misunderstandings.


> Can you show that it is an outlier for a law to not require warnings to be given?

No, my initial comment on this issue was in reply to someone that said "I expect there would have been a warning given in that case before assessing a fine." [1]. This is an oft-repeated and entirely baseless sentiment that HN's resident GDPR defenders love to cite - it shows up in every one of these threads. That is why I was making it clear that in fact no warnings are required, and indeed as time goes on, few warnings are likely to be given.

[1] https://news.ycombinator.com/item?id=20279385


> "I expect there would have been a warning given in that case before assessing a fine." [...] That is why I was making it clear that in fact no warnings are required

They didn't say warnings were required, they said that warnings were the norm. You haven't provided counter-examples to that claim, you're arguing against a straw-man argument that "warnings are required by the GDPR".

As an example outside GDPR, it is not required to give children warnings when they commit petty crimes (such as shoplifting) but that is the overwhelming norm in most countries. In this analogy, you're arguing that "most children don't get put in juvenile detention for shoplifting and get warnings instead" isn't true because there isn't a provision in the criminal code saying that children need to be given warnings.

> indeed as time goes on, few warnings are likely to be given.

This is an example of the "baseless sentiment" that you claimed you're trying to fight against. On what basis do you claim to know (or even conjecture) that "few warnings are likely to be given" in the future?

There are many examples of GDPR warnings being given. To me, it seems to be the norm -- if you have an actual counterexample (other than pointing out that warnings aren't required, despite now basically admitting that legally-mandated warning stages aren't common and so that entire line of argument seems to be a non-sequitur) I'd love to see it.


> They didn't say warnings were required, they said that warnings were the norm.

Sadly, it appears that warnings are not the norm. When you organize the data on this site by the size of fine, you’ll notice that none of the top 10 received any warning.


Ignoring that we don't know how complete the one-paragraph summaries of the cases are (many of the links are not in English) -- how is looking at the top 10 largest fines a fair sample? Surely taking 10 random samples is a much better selection?

It seems possible that the largest fines were for the most severe transgressions, or for companies that are large enough to know better. In fact, the topmost example of Google's Android penalty is a prime example of both factors. So it's possible there is a statistical bias for larger fines to be for more severe cases where warnings make less sense.


This, and of course the list doesn't include those cases, where there was only a warning, and never a fine.


There is no section of the GDPR that requires warnings to be given. This should not be a surprise or shocking to you. If there were required warnings for first-offenders then really heinous data leaks by first-offenders would not be punished.

There is no provision in road rules that says police officers should give warnings -- for exactly the same reason. Instead, it's purely up to the discretion of the police officer whether you get a warning or not. GDPR acts in exactly the same manner, but instead of it being individual police officers it's officers appointed for that role.


You attempted to make the same point twice. See https://news.ycombinator.com/item?id=20281985 for my response to the first iteration of it.


> What makes you expect this? Unless you and I have read entirely different versions of GDPR, no provision of GDPR requires any warning of any kind prior to issuing fines.

It's not in GDPR because it's part of EU law. Two parties to a case need to attempt to fix it before going to court. In the UK this is why you have letters before action setting out what you think your case is, how you want it to be fixed, and what you'll do if it isn't fixed. You don't just leap to issuing court papers straight away.


And yet this site details numerous examples of GDPR fines being issued without any warning. So clearly this law that you claim requires warnings does not actually do so when it comes to GDPR.


It isn't a case between two parties, it's a crime. Do you expect "warnings" for arson or robbery? Then why do you expect warnings for data disclosure?


Because it's difficult to accidentally commit robbery.


>What makes you expect this? Unless you and I have read entirely different versions of GDPR, no provision of GDPR requires any warning of any kind prior to issuing fines.

Edit: the downvotes on this are coming in fast. Because you are downvoting it, you must know of a specific section of GDPR that requires warnings to be issued (otherwise you wouldn’t be downvoting it, right?). So, along with your downvote, please reply to this comment with a link to the specific section that requires warnings, and I will be happy to say that I am wrong.

Nothing in the GDPR requires compulsory fines for every infraction. In fact, if you had read Chapter VI, Section 2, Article 58, 2(a)[0], you would know this.

[0] - https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...


I’m not sure what that has to do with this discussion. We are discussing whether or not GDPR requires warnings before fines are allowed to be issued. The answer is no, it does not require them, and the text you linked to does not disprove this simple, undeniable fact.


Incorrect. You're moving the goal posts. Let's stay on the topic-at-hand, yeah?

The OC comment was:

>I expect there would have been a warning given in that case before assessing a fine.

To which your initial retort was:

>What makes you expect this? Unless you and I have read entirely different versions of GDPR, no provision of GDPR requires any warning of any kind prior to issuing fines.

When you started receiving the downvote storm is when you challenged for proof that the GDPR requires warnings.

I gave a response that supports the OC's position, that a warning could and would be expected; not because of requirement but because it is up to the discretion of the supervisory authority.

After all, the initial challenge that was given to the OC was, "What makes you expect this?" was it not?

Now, it's your turn to disprove that a warning would be expected. I'll wait...


One cannot expect a warning if a warning isn’t required. You may hope to get a warning, but unless it is required you should not expect it. There are numerous cases listed on the website we are discussing where, in fact, no warning was issued. Had those individuals/companies read the comments in this thread prior to receiving fines, they would have been wondering why they received no warning, since everyone claims they should “expect” their self-appointed, benevolent, data overlords to give them a warning first. Unfortunately for them, all of you are incorrect that they should “expect” to receive warnings. Why? Because they are not required, and not only that, warnings don’t even appear to be the norm.



