
GDPR Resource Library - unstatusthequo
https://www.carpedatumlaw.com/gdpr-resource-library/
======
unstatusthequo
My firm put out these materials, and having seen a lot of FUD on here, to the
point of people closing up shop and other similar "overcorrection" activities,
I felt these needed to be shared with the HN community. It kills me to see
people closing up shop and throwing their work away out of fear.

Definitely watch the videos. I can tell you having done GDPR legal risk
assessments for the past few years that if you're only thinking about this
now, you're probably too late. The good news is the regulators are 1) going
after low-hanging fruit first (Facebook, Google, Apple, etc.); 2) many of them
are in disagreement about enforcement and priorities; 3) much of this is
really about pseudo-taxation (hence the 4% of global gross revenue scare
tactic); 4) some regulators are going to fight about who "gets to" go after
certain companies; 5) if you're a tiny solo shop that does messaging apps, the
likelihood of you even being noticed is so slim that closing up shop is really
extreme; 6) compliance is probably easier than you think if you are that
small.

~~~
malvosenior
Your comment doesn't do much to assuage my fear. All I see is uneven and
arbitrary enforcement of an ill-defined system that's basically an excuse to
tax tech companies more. Oh, and "if you're only thinking about this now,
you're probably too late."

GDPR is anti-tech and anti-small business.

~~~
Nursie
> All I see is uneven and arbitrary enforcement

Have we seen any enforcement at all yet?

~~~
unstatusthequo
Not yet because it's not even in effect until May 25th. Then enforcement _can_
begin. But yes, in the legal industry we expect it to be very uneven
enforcement. The German regulator may be more worked up than the Spanish one,
for example. And again, it's going to be low-hanging fruit. Why would a
regulator bring an enforcement action against some solo practitioner making
$100k a year to maybe get $4k in fines when they can go after Facebook?

~~~
codexon
Why would they do 4k in fines when they can charge 20 million euro in fines?

~~~
detaro
Because they can't just charge 20 million, and don't want a court explaining
to them why?

~~~
codexon
Have you even read the GDPR?

It literally says this.

"4% of annual global turnover or €20 Million (whichever is greater)"

~~~
mrunkel
It literally doesn't. What it literally says is:

"...subject to administrative fines _up to_ 20 000 000 EUR, or in the case of
an undertaking, _up to_ 4 % of the total worldwide annual turnover of the
preceding financial year, whichever is higher."

It also says "...the fines imposed shall be effective, proportionate and
dissuasive."

~~~
codexon
OK, close enough? Forgive me for not remembering the exact wording of the GDPR
and taking the first result that comes up on Google.

[https://gdpr-info.eu/art-83-gdpr/](https://gdpr-info.eu/art-83-gdpr/)

"Infringements of the following provisions shall, in accordance with paragraph
2, be subject to administrative fines up to 20 000 000 EUR, or in the case of
an undertaking, up to 4 % of the total worldwide annual turnover of the
preceding financial year, whichever is higher:"

Proportionate how? That's obviously up to them to decide and they probably
mean that large companies like Google will be subject to the 4% instead of 20
million euro. Are you going to bet your life savings that they will fine you
4k euro instead of 1 million euro?

Why would they bother to add the phrase with "whichever is higher" if they
were even going to consider a fine lower than 20 million euro? Think about it.
They don't care about the fine being proportionate to the downside, they are
just worried about it not being strict enough to companies like Facebook and
Google.

~~~
detaro
Really? There is a _long_ list of criteria to consider on that exact page you
link, and those _will_ be checked by courts if the DPAs appear unreasonable. I
didn't say a 20 million fine is impossible, but it'll need a very good basis.

Yes, the maxima are high, but it's crazy to believe the DPAs will be able
(both legally and politically) to hand out fines even close to that left and
right, even if you assumed they overnight suddenly turn into organizations
hell-bent on doing maximum damage.

It's weird how people see that maximum amount and somehow believe those will
be the norm, throwing all experience with both the DPAs and other regulations
out of the window. How many undeserving businesses have been fined to death in
other areas (financial regulation, environmental protection, ...) and why
should this suddenly start with privacy law? No government has an interest in
its enforcement arm ruining business; of course they care about downsides.
Regulation and its enforcement don't exist in a vacuum, as much as the
revenge-boner some "privacy advocates" (ideally selling some GDPR advice on
the side...) get right now wishes it were otherwise.

(On the other hand, these numbers seem to be the only thing motivating some
business owners to care, so even if they're never used they've served a
purpose. Really, the amount of conversations you see that go "And they are
complaining that suddenly doing X is so much work", "Didn't they have to do X
under previous law as well?" "..." is mind-boggling)

~~~
codexon
And tell me, how exactly does this long list show that you won't be fined a
ridiculous amount? Where does it say that if you only broke X out of Y rules
that you will be fined Z less?

There's __absolutely NO detail__ on how exactly the fines will scale DOWN
other than to say that the fine could be as low as 10 million euro to 2% of
global turnover. And it is filled with vague, totally up to the imagination
terms like "nature, gravity and duration".

Do you really want to leave this up to the imagination of poor EU countries
like Croatia or Romania and think they are going to care about making some
random people bankrupt so they can cash in millions?

If the law does not prevent it, you can bet it will be abused.

How many businesses have been fined to death in other areas? I don't know, but I
am sure you won't hear about them. No one wants to be the guinea pig.

This law probably has the widest and most easily enforceable scope out of any
others in the past. That's what makes it different from before.

------
5706906c06c
Why do law firms believe GDPR is a legal issue? Privacy and Security have not
been an entirely legal issue, though legal representation is often in the mix
when dealing with regulations. I'm curious why GDPR continues to be treated as
a legal problem when the regulation is more than clear on its intent and
requirements.

~~~
detaro
Because a lot of detailed questions are not obviously _more than clear_,
especially if you have an interest in not just taking the strictest possible
reading, and thus people want legal opinions on that. And where those legal
opinions strongly disagree, there'll be legal proceedings to have the courts
clarify those.

~~~
5706906c06c
Fair. I guess it's far more pressing for the Data Controllers versus
Processors (my case), so I'll stop with my biased view.

