Open list of GDPR fines so far (github.com)
126 points by marahh 69 days ago | hide | past | web | favorite | 66 comments

There's a German fine for a police officer where he used the license plate of a "random acquaintance" to get their landline and mobile phone numbers and then used that to call them. This was for personal reasons and not related to his duties.

I'm willing to make a $5 bet that he was attracted to a friend of a friend, and figured he'd use her car license plate in order to get her number so that he could call her. She got freaked out and reported it. I wonder how to find out more specific details on this case...

It was only a 1400 Eur fine, as it was a first offense and there was only one affected person.

But misuse of the available databases for fun and personal gain seems to be quite rampant in the police force, for example they looked up the personal data of a pop star during the night of a concert 83 times recently [1].

Will be interesting to see whether some guards will be put in place (and more officers fined) to combat this behavior.

[1] https://www.baden-wuerttemberg.datenschutz.de/lfdi-baden-wue...

This is a standard practice by police forces everywhere. I'd be surprised if there was a single police force in the world with strong audit controls on the usage of their DBs.

Posted the link on the fine above by mistake, here’s the one about the pop star (German as well): https://www.golem.de/news/datenmissbrauch-hessens-polizisten...

I'd be happy to see £1000 fine per user impacted!

Do you know anyone working for the German authority? If so, you could ask them to investigate for you.

Hahaha and then they ironically get fined for investigating the case for personal reasons...

That (and similar) cases aren't adjudicated under GDPR. GDPR would apply to the police force / state government, not the individual officer.

It was either an internal disciplinary action or a criminal case.

I saw that, don't see how that is related to GDPR? Police officers haven't been allowed to do that before GDPR (I remember a policeman friend being asked by another guy 10 years ago in Germany to help identify someone based on their license plate; he declined for legal reasons).

The original data site might be more usable for browsing: http://www.enforcementtracker.com/

It bothers me that the website does not scroll to top when I change the page. Or is this only happening for my Firefox on Ubuntu?

Same here, Windows & Brave.

So, who gets the money for these fines? The idea is for consumers to be protected, but some entity to get rich?

Or do funds get distributed to the affected individuals?

GDPR fines are not supposed to be distributed to individuals, but those who believe they are affected by the non-respect of GDPR rules can sue the company.

AFAIK the EU commission gets the money and as a result the EU members pay in less for the budget.

The fine is not for the damages.

That is true for EU fines, but these are fines levied by the national authorities, so they go to the national budgets of those countries.

I thought GDPR violations were handled by national ICOs on behalf of the EU. Am I confused?

Of course it goes to the customers. To keep things simple, it goes to all customers, not just the ones harmed in that instance.

I'm interested to see who the first US-headquartered company will be. My understanding is that US companies aren't immune when dealing with EU customers, but it might be more difficult for EU governments to enforce the fine. Google France doesn't count.

Marriott International, Inc is incorporated in Bethesda, Maryland. I believe Country in the table just refers to the EU member country that brought the action (someone correct me if I'm mistaken).

Ah, you are correct. That was less than a month ago too.

Doesn't Google Inc. predate that?

Yeah, it looks like you're right. I thought the fine was for Google's French offices, but it was actually filed against the one-and-only Google. I'm not even sure there's a French office or data center.

It's a lot easier to enforce the fine for companies with significant business presence in Europe - eg, Marriott, who has many hotels there.

I want to see the first company fined without an EU presence. Eg, some random US website operator.

The Private Car Operator is interesting. I'd like to know what he did to receive the fine.

And because a man illegally used a dashcam, he was fined 300 euros. It was a camera recording the use of a car from the driver's point of view, which is illegal. Two people were reprimanded for using surveillance cameras for their own home without permission.

Dash cams are generally not legal in Austria for privacy reasons. This predates GDPR (article from 2013: https://www.oe24.at/oesterreich/politik/Video-Ueberwachung-a...).

I think nowadays dash cams might be allowed if they don't store the video unless an accident has occurred, but someone from Austria has to confirm.

Interesting. Well, I guess that means I can’t visit Austria and drive. The dashcam is one of my coping mechanisms for OCD. I do get their concerns, though.

I suspect they’re going to roll that back if insurance fraud increases.

The laws for this were recently refined in Denmark: you are allowed to run a buffer (so that you can record x minutes up to an accident) but you are not allowed to save it permanently without hitting a button.

Most dashcams I’ve seen have a running buffer of, e.g., 2 and a half hours. Would that be permitted?

> The dashcam is one of my coping mechanisms for OCD.

I don't understand. Care to explain?

One of the manifestations of my OCD is that if I hit a bump on the road, something as simple as a manhole cover that’s a few millimeters different in height or less, or if I spy someone emerging into my rear view mirror that I didn’t expect, or if someone is hiding behind a pole and I suddenly see them in my peripheral after passing them, my immediate and inconsolable thought is that I’ve hit them.

To deal with it, I’ll do a lap around that spot to make sure I didn’t hit them. That lap can result in other bumps that I then have to make sure I didn’t hit anyone during.

This can repeat for a very, very long time.

To deal with it, I have a front and rear dashcam that I can go review the footage after I park.

Of course I haven’t hit anyone, but the fear and stress that I might have is debilitating and can be for an hour.

The dashcam allows me to review footage later; or, more often, calm myself long enough to think rationally and recognize what has happened as a moment of OCD and move on.

This appears anxiety related, with indeed the dashcam helping to cope with this specific occurrence. I don't know which other issues you have regarding anxiety, but you might want to look into a more global solution. If it's only with regards to dashcams, then (depending on your demographics) avoiding driving in Austria is likely a better solution.

Full disclosure: My previous diagnosis was GAD. Now I have an autism diagnosis. I use medication to feel less agitated and nervous. These work, for me, though also force me to zoom in less. YMMV.

I'm diagnosed with OCD and have many of the symptoms for it. It tends to stay relatively low-grade and not life impacting, so long as I do the thing I said here. When it gets out of hand, I need to remember to follow through more with what this book told me to do: https://www.amazon.com/Brain-Lock-Twentieth-Anniversary-Obse...

That's the one my therapist had recommended.

I try to avoid medication, but that's a personal preference. I do hope you the best on your journey!

edit: removed a word that made my sentence mean what I didn't mean for it to mean.

Hey, though my comment was meant to be genuine I can, on reflection, understand that my comment got you angry. It did not occur to me that OCD could be a separate diagnosis even though I knew it is a specific ICD. Thanks for the book tip, I've added it to my list (I'm interested in related symptoms to [my] autism and some other PDs.)

I believe some court ruled that using a dashcam violated GDPR since it was recording people’s “identifiable information” without their consent.

I wonder how this will interact with self-driving cars and all their always-on, always-recording cameras.

Or even just regular cameras. If I take a picture of something unrelated, and the background happens to contain a license plate on a car, or the face of a person walking by, am I at risk for recording a person's identifiable information?

No. The so-called "Freedom of panorama" [1] will protect you from such things. As long as the license plate is not the main aspect of the image, you should be fine.

[1] https://en.wikipedia.org/wiki/Freedom_of_panorama

Do self-driving cars actually record things? As in, store the video? It seems to me they can just process the incoming video stream without storing it, right?

Yes and they upload to the cloud and a lot of vandals have been caught this way.

Did not know that. That's probably not GDPR compliant, no.

You can make that "definitely not compliant".

The case here is Austria, where local privacy laws disallow any use of CCTV/dashcams unless they only film private property. Exceptions to this require a permit. This in itself is independent of GDPR, but the same agency is tasked with enforcing it and some of the laws overlap now.

See also GDPR enforcement tracker (initial source of data for the github project): https://news.ycombinator.com/item?id=20278819

That scatter plot is terrible - don't use light-coloured dots on a grey background.

Some American web sites simply stop EU citizens from accessing their pages from Europe (never mind that not all European countries are EU countries) "for legal reasons regarding GDPR." So just because an EU citizen can access a web page that is hosted in the USA (or other place in the world), then EU law applies, apparently. I think that is dumb. When you visit the USA, American laws apply. Should be the same for web pages. Just my opinion. Yes, I might be a little salty for not getting to see that American web page because of GDPR legalities lol! Also, it would seem, that simply having a web page in the EU is now a liability. Well, that's one way to define progress I guess... Look, I get that there are some good things about the GDPR, and that computer privacy is important, but this is just getting too excessively authoritarian for me. I guess my biggest gripe with it, is that I never voted for it. Literally. I'm Norwegian. So it was just shoved into my face, and I had no say about it. In fact my country voted against the EU, but yet here we are. Sigh. I got two choices: Accept it or accept it. And bear the consequences if you don't. Double sigh.

Companies offering services(including websites) in the EU have to follow laws in the EU. Just like you can't open a shop in New York based on Norwegian law. It makes perfect sense to me. And if a website can't work without spying on me then I'm glad they're avoiding it by themselves.

Well of course! The site is already in the USA. And as such, when I try to access it, I would expect American laws to apply. The problem here, is that the EU tries to regulate foreign web sites, hosted outside the EU -- even if they're not "marketing to the EU" -- for which my country isn't even a member! Of course, the company is in their full right to stop me from viewing their site, in fear of repercussion from the EU and their draconian fines (though I think it's overly cautious to also stop non-EU-citizens from accessing the contents). That's besides the point. The point is that it shouldn't be necessary to define opening a web site anywhere in the world as "marketing to EU citizens" (which I'm de jure not, though clearly de facto), when it's clearly hosted in another country. It's exactly like you mentioned; to employ Norwegian laws on a New York shop, which is of course ludicrous. But that's obviously the world we live in now, where innocent bystanders are robbed of their freedom for simply being associated with the wrong entity, for my own protection, I guess, even though I neither asked nor voted for it...

> In fact my country voted against the EU, but yet here we are

And here you are, not in the EU.

Or did you mean Norway should have pursued a "winner takes all" course hinging on a tiny margin, disenfranchised about half the population, and probably caused internal political and economic turmoil for years to come?

If so, I have great news for you. There's an EU country that's about to do exactly that.

What's even better, you can up sticks and move there right now, thanks to the EU (even though you're not in the EU), to witness the glory of the aftermath of such a historic decision.

You might want to hurry though.

I'm already not in the EU, thank you! :) Quite happy with that, were it not for being treated like I am by American companies making catch-all filters in fear of the oh so scary EU fines.

> I think that is dumb.

It would be dumb if that was what the law says, but it doesn't say that at all.

It says a company needs to be compliant if they operate from the EU or they market to the EU.

Is making a web site, hosted in the USA, "marketing to the EU"? I don't think so. I think it's akin to opening a shop in New York. If you choose to go there, out of your own free will, then American laws should apply, not third party laws to a kafkaesque organization I neither voted for, nor want to partake in.

Applying GDPR based on the country hosting the webpage would be a massive loophole, nullifying the law completely. I think it works well as it is. If websites want to access the EU market they have to comply with GDPR, but they are free not to... To bounce back on your point, as an EU resident myself I haven't had any issue with accessing websites that would not want to implement GDPR.

Except they're not "accessing EU markets." I'm a Norwegian, so I'm not in the EU. As such I never voted for EU laws to apply, and I feel they're being forced on me. Also, I'm the one who's technically accessing American markets, offered from the USA. So American laws should apply. Just my opinion. World leaders and companies don't care about individual freedom, so...

If my company doesn't operate in the EU, how can the EU fine me? Does extradition apply?

It's authoritarian that American web sites can't do the bare minimum to comply with privacy laws in the EU? I worked on some GDPR integration, on a publishing site no less (considering most of the time I noticed publishing sites being unable to be visited when I was overseas), and it took us all of one sprint to do so correctly. It's laziness not difficulty.

It's also not the EU's fault that people in the United States (I say this as an American) are ignorant enough to associate Norway with the EU when it's not a member. The effort involved to actively block people from viewing websites could have been pointed towards GDPR integration.

Edit: You know the real reason some American sites aren't complying? Because they looked at their European analytics and decided that it wasn't worth their effort.

The market isn't wealthy or large enough to target for a lot of American companies.

For small sites they might not want to deal with Article 27, which can cost hundreds of euros per year.

If they’re not able to pay hundreds of euros per year to access the European market, they’re not likely making much money off the euro market... so what’s the problem?

Barrier to entry for indies.

It doesn't apply if you're only occasionally processing personal data or not doing so on a large scale.

If you're regularly processing personal data of EU citizens on a large scale then you damn better be doing so securely and in compliance with EU law.

Article 27 doesn't apply if the processing satisfies all of these requirements:

• it's only occasional,

• it does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and

• it is unlikely to result in a risk to the rights and freedoms of natural persons.

Most businesses don't have to worry about the second of those.

How about a risk to the rights and freedoms of natural persons? Recital 75 talks about that:

> The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

That's pretty broad. Note that the overall structure is an "or" of six clauses, and most of those clauses are "or"s of several different kinds of data. Unless this is interpreted very narrowly, most businesses that sell to Europeans online, even if only occasionally, will fall under it, and so Article 27 will apply to them.

Dunno. I am bootstrapping as a single founder and the investment was basically:

- 2 days to change the app code so only data necessary for the actual use case of the app is processed and stored

- 1 day to formulate a GDPR privacy policy in my own words (what data is captured, how is it used, how is it stored, etc)

Unless your business is somehow fundamentally at odds with GDPR (flashlight app to grab IDFAs and sell those) it doesn't really seem terrible. Especially so as it is in my own interest even without GDPR to minimize my risk surface in case I get hacked and user data is leaked.

It is quite likely that you're not fully compliant, esp wrt chapter 3.

"This is not a complete enforcement list because most are not announced in public"

Trust us! say the deciders.
