Hacker News new | past | comments | ask | show | jobs | submit login

So we are just supposed to hope that they will be nice to us when inevitable violations occur under one of the 28 unique interpretations that this law will be subject to?



I don't think I've heard of many EU regulatory bodies that will immediately go for the maximum punishment the moment anyone commits a minor infraction. First you get a letter, then a sternly worded letter, then a tap on the finger, a hard tap on the fingers, and if you still refuse to learn the lesson then they break your knees.

If you have minor infractions caused accidentally and you cooperate, I have doubts that any regulatory body for the GDPR will go beyond sending a simple letter asking you to fix a problem.


Perhaps it's a cultural difference, but here in the US we interpret all laws literally, fully expecting maximum penalties. And yet they are trying to apply this law to American startups who can barely afford a lawyer here, let alone an EU counsel.


Laws are interpreted literally in Europe too, or they wouldn't be laws. But most laws have a range of penalties, and often account for intent and attitude. E.g. in US law you have "manslaughter" (voluntary or not) and "murder". And you have different penalties for a first offense and a repeated offense.

I am not one to say "trust the EU government, it is good". But the intent of the legislator is obviously not to kill businesses willy-nilly; it is to punish certain behaviours. They have no reason to willingly cause a business to shut down, which is why the GDPR explicitly accounts for collaboration.

In the end, it is up to you to decide not to abide by the law. There have been local regulations forever; this won't change much.


This does not resonate with my experience. In the US, reporters will often describe sentences as "up to 1024 years", but the actual sentences are different. See https://www.popehat.com/2013/02/05/crime-whale-sushi-sentenc...

Note that, in parallel to the EU regulation, the statutory maximums can be enacted (ever since Booker, judges can use their discretion again), but in reality most judges rule within the sentencing guidelines.


> I don't think I've heard of many EU regulatory bodies that will immediately go for the maximum punishment the moment anyone does a minor infraction

Yet. Wait until the company is another political organization that is identified as an enemy or competition. Then these laws become tools for shutting down dissenters with selectively applied fines, even to companies outside of the EU.


Could you provide an example of such a thing happening? Preferably for minor regulatory infractions in startups since that is the topic here.


That’s not what the law says they have to do. All reasonable businesses have to assume the worst case, not the best case. These governments have a built-in financial incentive to not be lenient in any way, shape, or form.


That's the US, yes. EU regulatory bodies are generally rather lenient when you attempt to follow the regulation.

And unlike what you say, the law does say the regulatory body for the GDPR has to consider the business needs of smaller businesses and adjust their fines accordingly, if they even hand them out.

There is a good flowchart in this thread too; I recommend studying it.


But they have never had the extraterritorial reach that they are claiming under the GDPR either. This could easily be used to suck money out of foreign countries. I don’t think they’ll play nearly as nice with people that don’t vote in their own countries.

I am hopeful that the US will pass legislation exempting US firms from enforcement of fines under GDPR on US soil, but I am not optimistic. Under current law, it is likely that they can be enforced. Either way, the net result will be that EU residents will have access to a far smaller universe of content and services. Most businesses just won’t take the risk.


>> This could easily be used to suck money out of foreign countries.

We both contributed to a conversation where you made the same point, a few days ago:

https://news.ycombinator.com/item?id=16888026

Back then, I was not convinced that you had a clear idea of how such a money-grabbing scheme could be implemented. I would kindly ask whether you have a clearer understanding of the relevant procedures now.


It’s a very simple procedure. Make accusation, get judgment, domesticate it in the US, get paid.


But why would you "get judgment" if you are not in violation?


It is nearly impossible to fully comply, and may actually be entirely impossible, based upon how much conflict there is between the 28 different interpretations that this will be subject to.

The people saying how easy it is don’t know what they are talking about.


>> It is nearly impossible to fully comply, and may actually be entirely impossible, based upon how much conflict there is between the 28 different interpretations that this will be subject to.

By "28 different interpretations" I assume you mean those of different member states. It would actually be 27 now that the UK is leaving, but even so, the GDPR is a regulation (General Data Protection Regulation) and not a directive, partly in order to eliminate inconsistencies in national laws. To clarify, as a regulation, the GDPR does not need to be passed into national law.

Additionally, this reduces the burden on companies that would previously have to deal with multiple local authorities, in the context of the Data Protection Directive.

Further, there are provisions for the consistent application of the GDPR across all member states, particularly a European Data Protection Board.

This is from an article I quoted earlier:

Coordination and Consistency

Under the Directive, there has been a certain level of coordination in interpretation and enforcement. Apart from informal contacts among authorities, there has been a succession of non-binding opinions issued by the “Article 29 Data Protection Working Party,” an advisory committee comprised of representatives of the national supervisory authorities (commonly termed “data protection authorities” or DPAs), along with the European Data Protection Supervisor appointed by the European Commission. Under the Regulation, that group will become a more independent and powerful regulatory body called the European Data Protection Board, tasked with ensuring “the consistent application” of the GDPR. An entire chapter of the Regulation (Articles 55-63) is devoted to cooperation and consistency, with procedures for multiple DPAs to coordinate investigations and promulgate consistent decisions and policies reviewed by the Board and reported to the European Commission.

One feature of coordination that should be helpful for multinationals is a provision for companies to work with a “lead supervisory authority” in the country where the company has its “central administration.” That authority will then coordinate with the authorities in other countries where the company operates, attempting to achieve consensus on issues that affect all of them.

https://www.infolawgroup.com/2016/05/articles/gdpr/gdpr-gett...

Generally, I have no idea why you say that the GDPR will be nearly impossible or actually impossible to comply with. Different member states have different regulations for drug use, for instance, but that is never used as an excuse to violate drug laws "because they are impossible to comply with" due to different national interpretations.


> I am hopeful that the US will pass legislation exempting US firms from enforcement of fines under GDPR on US soil, but I am not optimistic. Under current law, it is likely that they can be enforced.

What would be the mechanics of enforcing the GDPR against a US company with no EU presence? I'd understood the opposite, and that the EU's best options to enforce were probably indirect (via customers, vendors, etc. with EU presence).


That and Privacy Shield (or equivalent). The EU courts could simply go to the US courts and tell them that under Privacy Shield, the company violated the EU law. Then the US court could decide that, yes, the company did indeed violate EU privacy law and enforce the fine on their side.

If the US court doesn't decide that, the EU will have to resort to indirect measures (Google AdSense will probably stop working, since Google doesn't want the EU courts on their butts for doing business with someone who violates the EU law, and other measures).


> While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law.

https://www.privacyshield.gov/article?id=How-to-Join-Privacy...

So how does that affect companies that don't elect to join Privacy Shield?

Agreed that AdSense will probably start indirectly enforcing the GDPR at some point. Someone will probably make a lot of money picking up the traffic they lose, in exchange for never changing planes in Frankfurt again...


Without Privacy Shield, I guess the EU might still try to go through the US court system to have a foreign claim enforced in the US.

I guess we'll have to wait and see what happens in that case. If the US court system is willing to enforce GDPR fines on their side, that would be a win for the EU (the US has been doing this for ages).


Apparently, existing treaties that the US has allow for the domestication of EU civil judgments in US courts. The prevailing logic right now is that nothing new would need to be passed to allow for that to include judgments issued under the GDPR. Here is one article, there are many more:

https://community.spiceworks.com/topic/2007530-how-the-eu-ca...


From that article:

> "While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years."

That sounds pretty murky to me, more a statement that she expects regulators to cooperate than one that current law provides a clear path. Not that I can find a more confident article in the other direction, of course...


Yes, because that will certainly be the case, like any GDPR lawyer or consultant will tell you.

