Is the 20M EUR maximum reduced by law, or just by regulatory discretion? The USA is currently demonstrating (with DACA, marijuana enforcement, etc.) the fragility of the latter.
The law explicitly lists factors the regulators have to take into account for determining the fine. If they give a large fine for a small infringement, they're going to have a hard time claiming they took all factors in your favor into account properly.
From what I've seen, it's partially like in the US - each EU member has its own data protection authority which imposes those fines, but they are more closely linked than the US states' laws. I can definitely see some EU countries slacking off on enforcing, or being less/more harsh than the others.
But 20 million is possible, right? Even for a small offence? Where in the actual text of the law does it say that they will never impose the maximum fine for a trivial or minor offence?
It actually doesn’t say that. This law has the effect of small businesses essentially needing a 20 million insurance policy to protect against the possible whims of an overzealous regulator? It’s either insure yourself for 20 million or risk losing your entire business over potentially a trivial matter.
When people in the UK have been jailed 8 months over traffic cameras or prosecuted and jailed for speech, I wouldn’t give a European government the benefit of any doubt. Willingly inviting an unelected regulator, accountable to nothing but the letter of a badly written law created by another unelected government body — that’s just foolish.
It’s probably not possible. I wouldn’t map the (EU) GDPR onto how a US-like legal system works. E.g. it’s very unlikely that the regulator seeks maximum penalties in the EU, and worst case you could go to court arguing that a penalty is non-proportional compared to other cases (and win).
But the GDPR works like this too? The $20 million fine is not automatically applied. Here's a flow chart which details the process of a GDPR breach: https://40uu5c99f3a2ja7s7miveqgqu-wpengine.netdna-ssl.com/wp...
from https://www.i-scoop.eu/gdpr/gdpr-fines-guidelines-applicatio...
If you breach the rules, a simple reprimand without a fine is possible too.