
Open list of GDPR fines so far - marahh
https://github.com/lknik/gdpr/blob/master/fines/README.md
======
unreal37
There's a German fine for a police officer where he used the license plate of
a "random acquaintance" to get their landline and mobile phone numbers and
then used that to call them. This was for personal reasons and not related to
his duties.

I'm willing to make a $5 bet that he was attracted to a friend of a friend,
and figured he'd use her car license plate in order to get her number so that
he could call her. She got freaked out and reported it. I wonder how to find
out more specific details on this case...

~~~
w-m
It was only a 1400 EUR fine, as it was a first offense and there was only one
affected person.

But misuse of the available databases for fun and personal gain seems to be
quite rampant in the police force, for example they looked up the personal
data of a pop star during the night of a concert 83 times recently [1].

Will be interesting to see whether some guards will be put in place (and more
officers fined) to combat this behavior.

[1] [https://www.baden-wuerttemberg.datenschutz.de/lfdi-baden-wuerttemberg-verhaengt-erstes-bussgeld-gegen-polizeibeamten/](https://www.baden-wuerttemberg.datenschutz.de/lfdi-baden-wuerttemberg-verhaengt-erstes-bussgeld-gegen-polizeibeamten/)

~~~
FDSGSG
This is a standard practice by police forces everywhere. I'd be surprised if
there was a single police force in the world with strong audit controls on the
usage of their DBs.
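
An added illustration (not from any commenter in this thread, and not from the linked GitHub project) of the kind of audit control w-m and FDSGSG are talking about: a check over a constructed database-lookup log that flags one officer querying the same subject's record repeatedly inside a short window (the "83 lookups in one night" pattern), and lookups made with no case reference attached. The log format, the field names and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). Columns:
# timestamp, officer id, subject id, case reference ("-" when none was supplied).
SAMPLE_LOG = """\
2019-06-29T20:58:03 officer-17 subject-9001 CASE-4411
2019-06-29T21:40:12 officer-17 subject-9002 CASE-4411
2019-06-29T22:15:40 officer-42 subject-7777 -
2019-06-29T22:16:02 officer-42 subject-7777 -
2019-06-29T22:31:55 officer-42 subject-7777 -
2019-06-29T22:47:19 officer-42 subject-7777 -
2019-06-29T23:05:08 officer-42 subject-7777 -
2019-06-29T23:20:44 officer-42 subject-7777 -
2019-06-30T01:12:30 officer-05 subject-3120 -
2019-06-30T08:03:15 officer-17 subject-9003 CASE-4412
"""


def parse_log(text):
    """Parse one lookup per line into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, officer, subject, case = parts
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "officer": officer,
            "subject": subject,
            "case": None if case == "-" else case,
        })
    return entries


def burst_lookups(entries, threshold=5, window=timedelta(hours=6)):
    """Return {(officer, subject): peak count} for every pair where one officer
    queried the same subject at least `threshold` times inside `window`.
    Uses a sliding window over the sorted timestamps of each pair."""
    by_pair = defaultdict(list)
    for e in entries:
        by_pair[(e["officer"], e["subject"])].append(e["ts"])
    flagged = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits inside `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[pair] = peak
    return flagged


def lookups_without_case(entries):
    """Return sorted (officer, subject) pairs for lookups with no case reference."""
    return sorted({(e["officer"], e["subject"]) for e in entries if e["case"] is None})


def run_checks(text):
    """Run both checks over a raw log and return the findings."""
    entries = parse_log(text)
    return {
        "bursts": burst_lookups(entries),
        "no_case": lookups_without_case(entries),
    }


if __name__ == "__main__":
    result = run_checks(SAMPLE_LOG)
    for (officer, subject), n in result["bursts"].items():
        print(f"BURST  {officer} queried {subject} {n} times within 6h")
    for officer, subject in result["no_case"]:
        print(f"NOCASE {officer} queried {subject} with no case reference")
```

The two checks are deliberately independent: a burst of lookups with a valid case reference may be legitimate investigative work, while a single lookup with no case reference is still worth a reviewer's attention, so each produces its own finding rather than being folded into one score.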

------
jngreenlee
The original data site might be more usable for browsing:
[http://www.enforcementtracker.com/](http://www.enforcementtracker.com/)

~~~
martin_a
It bothers me that the website does not scroll to the top when I change the page.
Or is this only happening for my Firefox on Ubuntu?

~~~
borumpilot
Same here, Windows & Brave.

------
sithlord
So, who gets the money for these fines? The idea is for consumers to be
protected, but some entity to get rich?

Or do funds get distributed to the affected individuals?

~~~
mrtksn
AFAIK the EU commission gets the money and as a result the EU members pay in
less for the budget.

The fine is not for the damages.

~~~
AnssiH
That is true for EU fines, but these are fines levied by the national
authorities, so they go to the national budgets of those countries.

~~~
vonmoltke
I thought GDPR violations were handled by national ICOs on behalf of the EU.
Am I confused?

------
vortico
I'm interested to see who the first US-headquartered company will be. My
understanding is that US companies aren't immune when dealing with EU
customers, but it might be more difficult for EU governments to enforce the
fine. Google France doesn't count.

~~~
eco
Marriott International, Inc is incorporated in Bethesda, Maryland. I believe
Country in the table just refers to the EU member country that brought the
action (someone correct me if I'm mistaken).

~~~
Hamuko
Doesn't Google Inc. predate that?

~~~
vortico
Yeah, it looks like you're right. I thought the fine was for Google's French
offices, but it was actually filed against the one-and-only Google. I'm not
even sure there's a French office or data center.

------
mywittyname
The Private Car Operator is interesting. I'd like to know what he did to
receive the fine.

~~~
opportune
I believe some court ruled that using a dashcam violated GDPR since it was
recording people's "identifiable information" without their consent.

~~~
totalperspectiv
I wonder how this will interact with self-driving cars and all their
always-on, always-recording cameras.

~~~
dvlsg
Or even just regular cameras. If I take a picture of something unrelated, and
the background happens to contain a license plate on a car, or the face of a
person walking by, am I at risk for recording a person's identifiable
information?

~~~
martin_a
No. The so-called "Freedom of panorama" [1] will protect you from such things.
As long as the license plate is not the main aspect of the image, you should
be fine.

[1] [https://en.wikipedia.org/wiki/Freedom_of_panorama](https://en.wikipedia.org/wiki/Freedom_of_panorama)

------
lixtra
See also GDPR enforcement tracker (initial source of data for the github
project):
[https://news.ycombinator.com/item?id=20278819](https://news.ycombinator.com/item?id=20278819)

------
NikkiA
That scatter plot is terrible - don't use light coloured dots on a grey
background.

------
kebman
Some American web sites simply stop EU citizens from accessing their pages
from Europe (never mind that not all European countries are EU countries) "for
legal reasons regarding GDPR." So just because an EU citizen can access a web
page that is hosted in the USA (or any other place in the world), EU law
applies, apparently. I think that is dumb. When you visit the USA, American
laws apply. It should be the same for web pages. Just my opinion. Yes, I might
be a little salty for not getting to see that American web page because of
GDPR legalities lol! Also, it would seem that simply having a web page in the
EU is now a liability. Well, that's one way to define progress, I guess...
Look, I get that there are some good things about the GDPR, and that computer
privacy is important, but this is just getting too excessively authoritarian
for me. I guess my biggest gripe with it is that I never voted for it.
Literally. I'm Norwegian. So it was just shoved into my face, and I had no say
about it. In fact my country voted against the EU, but yet here we are. Sigh.
I got two choices: accept it or accept it. And bear the consequences if you
don't. Double sigh.

~~~
TheBranca18
It's authoritarian that American web sites can't do the bare minimum to comply
with privacy laws in the EU? I worked on some GDPR integration, on a
publishing site no less (considering most of the time I noticed publishing
sites being unable to be visited when I was overseas), and it took us all of
one sprint to do so correctly. It's laziness, not difficulty.

It's also not the EU's fault that people in the United States (I say this as
an American) are ignorant enough to associate Norway with the EU when it's not
a member. The effort involved to actively block people from viewing websites
could have been pointed towards GDPR integration.

Edit: You know the real reason some American sites aren't complying? Because
they looked at their European analytics and decided that it wasn't worth their
effort.

~~~
tzs
For small sites they might not want to deal with Article 27, which can cost
hundreds of euros per year.

~~~
kennywinker
If they're not able to pay hundreds of euros per year to access the European
market, they're not likely making much money off the European market... so
what's the problem?

~~~
mpalczewski
Barrier to entry for indies.

~~~
angus-prune
It doesn't apply if you're only occasionally processing personal data or not
doing so on a large scale.

If you're regularly processing personal data of EU citizens on a large scale
then you damn better be doing so securely and in compliance with EU law.

~~~
tzs
Article 27 doesn't apply if the processing satisfies all of these
requirements:

• it's only occasional,

• it does not include, on a large scale, processing of special categories of
data as referred to in Article 9(1) or processing of personal data relating to
criminal convictions and offences referred to in Article 10, and

• it is unlikely to result in a risk to the rights and freedoms of natural
persons.

Most businesses don't have to worry about the second of those.

How about a risk to the rights and freedoms of natural persons? Recital 75
talks about that:

> The risk to the rights and freedoms of natural persons, of varying
> likelihood and severity, may result from personal data processing which
> could lead to physical, material or non-material damage, in particular:
> where the processing may give rise to discrimination, identity theft or
> fraud, financial loss, damage to the reputation, loss of confidentiality of
> personal data protected by professional secrecy, unauthorised reversal of
> pseudonymisation, or any other significant economic or social disadvantage;
> where data subjects might be deprived of their rights and freedoms or
> prevented from exercising control over their personal data; where personal
> data are processed which reveal racial or ethnic origin, political opinions,
> religion or philosophical beliefs, trade union membership, and the
> processing of genetic data, data concerning health or data concerning sex
> life or criminal convictions and offences or related security measures;
> where personal aspects are evaluated, in particular analysing or predicting
> aspects concerning performance at work, economic situation, health, personal
> preferences or interests, reliability or behaviour, location or movements,
> in order to create or use personal profiles; where personal data of
> vulnerable natural persons, in particular of children, are processed; or
> where processing involves a large amount of personal data and affects a
> large number of data subjects.

That's pretty broad. Note that the overall structure is an "or" of six
clauses, and most of those clauses are "or"s of several different kinds of
data. Unless this is interpreted very narrowly, most businesses that sell to
Europeans online, even if only occasionally, will fall under it, and so
Article 27 will apply to them.

------
jakeogh
"This is not a complete enforcement list because most are not announced in
public"

Trust us! say the deciders.

