
I don't think "enforce" means what you think it means. If you are contacted about a GDPR matter usually you have time to fix it before it's "a violation" that incurs penalties.


It's "squishy" terms in law, like "usually", that I find bothersome. Granted, I haven't read the complete specifics of all of the minutiae when it comes to the GDPR, I'll admit. I do keep cookies by default though, as a habit, which seems to be in violation of GDPR rules.

Should I start publishing a blog or some such that was antithetical to the prevailing party doctrine, and that happened to gain traction with the public, terms like "usually" tend to go out of the window. Al Capone wasn't indicted on bootlegging, after all.


Enforcement action must be "proportionate", so even if you are pulled up by a supervisory authority it's unlikely they're going to give you a massive fine straight off the bat - especially if you are trying to comply and can demonstrate that.


I think everyone seems to be missing the point of what I'm saying, and maybe it's my fault. In the defense of the law that people have given to me so far, the terms "usually" and "unlikely" have come up. Neither of those terms is very satisfactory if I write a piece critical of the government and am taken to the full extent of the GDPR's breadth, with little ability to fight it, being a small, independent, self-published journalist who had a friend set up a server using the default Apache settings (this is an example - I am not).

In such a case, a massive fine would not only bankrupt that person but would silence such critical dissension from occurring in a much-needed vocal minority. Investigative journalism from non-corporate outlets, through non-corporate outlets, is a wonderful thing, which has become a rarity, and has the potential of becoming illegal due to clerical mishaps.

While I do understand the necessity of a user's privacy, I also understand the necessity of "removing the tumor and saving the leg", to borrow a colloquialism. Broad-brush approaches have quite a few down-stream consequences, which are seldom realized until it's too late. We've only to look at "the war on terror" and the domestic surveillance that came about in the name of "safety" to understand that =/


> In such a case, a massive fine would not only bankrupt that person

At worst you are fined 4% of your annual income; it won't bankrupt you. No government is going to go through all that hassle just to fine an independent journalist for a paltry sum. If they really wanted that power they would add defamation laws like the UK, where they can put you in jail for speaking negatively about public figures.

And until the thing you fear happens at least once to a small business, we can assume it will never happen. In the extremely unlikely event that it really happens, you pay a 4% fee of your annual income; that hurts for sure, but it isn't life-altering.


The fine is up to €20 million or 4 percent of worldwide turnover for the preceding financial year—whichever is higher.

In terms of limits, €20 million is the floor of the upper bound of what the regulator can choose to levy as fine.

> And until the thing you fear happens at least once to a small business we can assume it will never happen

Yes. This is how we hand power to governments and then end up shocked when they are deployed for political ends. All it will take is one politically-inconvenient blogger to cross the wrong person with ties to the regulators, and then there's no structural back-stop to that person getting dragged through a €20 million fine process.

Remember, Aaron Swartz was facing "only" six months in jail...


> I do keep cookies by default though, as a habit, which seems to be in violation of GDPR rules.

Which cookies do you keep? That matters. GDPR doesn't care about cookies, it cares about PII and some other stuff.

For example, setting a cookie called "hello" with the value "world" on the browser of every user does not require consent, as long as this is not used to identify a specific user, of course.


> For example, setting a cookie called "hello" with the value "world" on the browser of every user does not require consent, as long as this is not used to identify a specific user, of course.

No, that needs consent because that cookie is not strictly necessary for the provision of the service.

(But the reason that requires consent is not the GDPR, it's the ePrivacy Directive)





