CC instead of BCC has been a regulatory offence with fines up to 300000 EUR before GDPR. This is not a theoretical risk; companies have been fined for that in Germany.
As an American, I'm skeptical about the odds of enforcement. If it were an American company that did this, on the other hand, I'd assume a decade of uncertainty and indecision followed with a fine.
The fact is political bodies have been empowered with increased enforcement discretion. They are motivated, as political bodies, by politics.
I watched the same thing happen, around 2012, in Frankfurt and Berlin with respect to Germany's regional banks. Weak and undercapitalized, in violation of EU rules, they were summarily ignored due to political necessity. The same tendencies will apply with GDPR. The lack of a requirement for politically-independent enforcement was a mistake.
The "political bodies" in this case are the National Data Protection Authorities. They are independent, and their only politics is ensuring compliance with the data protection regulation, as required by the GDPR, Article 52.
Furthermore, due to lack of evidence, your example is not conclusive as to show that regulatory bodies act for political reasons they were not supposed to pursue. Also, if one regulatory body broke the rules, that does not mean that others will do so, too.
However, I'd love to know the details of what bank was breaking what regulation and what authority was not acting according to their mission, if that is what you want to exemplify.
They should have just sent the email one per individual user anyways for safety.
When you CC/BCC it spawns the copies downstream and can cause issues sometimes if there are too many.
Back in the day over dual ISDN lines, we used to update pharmaceutical machines with FTP and email back in late 90s and when we BCC'd the backup updates (machine tried to connect FTP then looked for email updates to update itself) the ISPs would get mad at us as it hosed their systems a few times due to the number per message.
Depending on the volume and sensitivity, it is sometimes better just to send one per user not only for privacy/protection but for cpu/memory reasons up or downstream.
Do you mean it’s easier for humans to then not set those rate limits if you’re using multiple RCPTs?
Probably less of an issue now, but back then the ISP/provider would duplicate the sending of the messages with multiple recipients, could have just been a flaw at the ISP which was Frontier back then. Could have just been a DDoS type event where too many were pulling at once rather than throttled/tapered or spaced out over time. The group emails spiked their systems, probably not an issue today.
Personally though the cost of CPU/memory is small now, I wouldn't risk sending sensitive data to a large group unless I could verify BCC was being set not CC. Seems a small price to pay to not allow a mistake like that by duplicating the messages app side rather than provider side. By sending out throttled by user on app side, even if a developer or marketing person inadvertently chose CC rather than BCC, it wouldn't leak sensitive info (emails).
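The app-side approach described in the comment above, as an added example that is not part of the original thread: one message is generated per recipient, so there is no CC/BCC choice left to get wrong, and a guard refuses any outgoing message whose To/Cc headers would expose other customers' addresses. The addresses and the `mistaken_cc_message` sample are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every receiver of this message will see (To and Cc)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _name, addr in pairs if addr]


def check_no_mass_disclosure(msg: EmailMessage, max_visible: int = 1) -> None:
    """Refuse to hand a message to the MTA if more than `max_visible`
    addresses are visible in To/Cc. A bulk notice that was meant to go
    out via Bcc but was pasted into Cc trips this guard before it leaves."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        raise ValueError(f"{len(seen)} visible recipients; refusing to send")


def build_per_recipient(sender: str, subject: str, body: str,
                        recipients: list[str]) -> list[EmailMessage]:
    """Expand one template into one single-recipient message per customer.
    Duplicates are dropped (order preserved) so nobody receives two copies.
    The caller can throttle delivery by iterating the returned list."""
    out = []
    for addr in dict.fromkeys(recipients):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        check_no_mass_disclosure(msg)  # belt and braces: exactly one visible address
        out.append(msg)
    return out


def mistaken_cc_message() -> EmailMessage:
    """Constructed sample of the mistake under discussion: the customer list
    landed in Cc instead of Bcc, so every recipient would see it."""
    msg = EmailMessage()
    msg["From"] = "privacy@example.com"
    msg["To"] = "privacy@example.com"
    msg["Cc"] = "a@example.com, b@example.com, c@example.com"
    msg["Subject"] = "Privacy notice"
    msg.set_content("Constructed body")
    return msg
```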
I love asking why when I get these kinds of requests so I can better understand the requirements. I’ve found that some people aren’t interested in helping you understand. I had a recent interaction with a surgeon who was vexed by me asking for more detail and why, which reminded me that some people just want to do their job and don’t care about learning.
If you don't also complain about the use of "really", you are just signalling.
Pedantry: title should use "its", not "it's".
A better starting point for such a policy would be to enforce use of a mailing list for e-mails to customers.
But what you're saying is analogous to saying checklists are ineffective for preventing errors. This isn't true. The first thing a person should do after finding and closing a security breach is to pull out the procedure, because not forgetting a step is important.
In a way I'm glad this happened. This highlights why gdpr is needed. If you can't handle my data safely you shouldn't handle it at all. Keep your plugin offline and account-less.
I remember the good old days when software companies used to like to reuse stuff to prevent having to use user data. I used YNAB and they had all the user data in a Dropbox folder. So their app knew who you are and I/O’d to Dropbox, but the YNAB company didn’t know.
Then they switched from software to service and all of a sudden it was essential that they know their customer and have an account and whatnot.
Proper software design minimizes complexity.  If users are likely to already have a common, free way to synchronize settings, design for that. Don’t add another risk by collecting PII. Especially if it makes you money in ways you aren’t disclosing.
Steve McConnell, Code Complete, page 80 - http://aroma.vn/web/wp-content/uploads/2016/11/code-complete...
It's kinda serious, but kinda funny at just the ridiculousness of the whole situation.
Ghostery users definitely appreciate their privacy though; this may require some bending over backwards for Ghostery to make it right to their users. I suspect they may be perturbed about this thing.
I've never looked back.
Then that ‘reply all’ bs wouldn’t be the plague of mankind.
I feel bad for the person responsible for that.
Your story makes me miss listserv. Doing @here on Slack just isn't the same.
Eli Lilly’s mistake not only cost it some settlement money up front but as I understand it helped push the U.S. pharma industry into a very expensive regulatory regime that now impacts every server they build and every software update they roll out. The process requirements are quite onerous.
(I had worked closely with the teams involved but left about a year before the mistake. When I heard about it I spent a few hours racking my brain to make sure I hadn’t left behind some tool they might have used.)
No. It can also mean "it has", e.g.:
It's been 18 years since the turn of the century.
The alternative to a mens rea requirement is https://en.wikipedia.org/wiki/Strict_liability.
> When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following
> the intentional or negligent character of the infringement;
A company with good intentions is going to be regulated less severely than a company that doesn't care.