
If you have a site in an EU language that is spoken in other countries as well (Spanish etc) but your site doesn't have an EU domain extension and your content and services are generally not targeted at EU residents, then GDPR likely does not apply. Language isn't the only test. If you have a site in German that is reporting German news though, you're likely going to have GDPR apply to you even if you have a .com extension and are not in the EU.

Unfortunately, I must use words such as "likely" here because there is a large amount of ambiguity in these tests, along with a major conflict of interest - it will essentially be up to the would-be beneficiaries of these fines to determine whether or not you are subject to them. The EU HN crowd seems to believe that their various governments will only fine "bad" companies "reasonable" amounts under this law, and that it will not be abused to extract government revenue from foreign companies and/or hobble foreign competitors of companies in their countries. I certainly hope they are correct, but this would be the first time in the history of the world that such a broadly worded statute was not abused. The only safeguard we have is that the world is watching. If/when the EU gets too out of control in their abuse of GDPR, hopefully countries like the US will implement legislation that makes it impossible to enforce GDPR fines within their borders.

Pakistan was once considering issuing an arrest warrant for Mark Zuckerberg because someone created a Facebook contest that offended some Pakistanis [1] [2]. The case would have carried a sentence of death by stoning. Even if charges had been filed, it is doubtful that the US would have extradited him to be stoned to death under the laws of another country. While GDPR fines are civil in nature, this case underscores the importance of not necessarily allowing the enforcement of other countries' laws in your own. If GDPR enforcement becomes abusive, one would hope that similar protections would apply in our home countries.

[1] http://www.adweek.com/digital/could-mark-zuckerberg-face-a-p...

[2] https://tribune.com.pk/story/342031/blasphemy-arrest-mark-zu...



Don't worry, I am sure it won't be abused. The whole fearful effect was created by adtech companies trying to create public outrage and paranoia to protect their money source. Be sure that there are going to be some nasty penalties for the greatest violators (like online dating sites). I have noticed a lot of them are packaging GDPR into terms and conditions and privacy policy changes, and those will have to get a fine, but I am sure a warning will come first. But as someone from the ICO said (UK?), "We will always try to use carrot instead of stick, but some companies are carnivores, they don't eat carrots."

Also I am sure half of the world will have similar laws in the next few years. Private data invasion just went too far, this has to be stopped.


> Don't worry, I am sure it won't be abused.

It would be the first time in history that such a law has not been abused. The fear is real and fully warranted.

> I am sure warning will come first

There is no mandate written into the GDPR requiring warnings before fines, nor is there anything preventing multimillion-dollar fines for first-time, minor violations.


It's not a law, it's a regulation, and EU regulation is largely intended to be more of a carrot before they unpack the stick.

See the Smartphone Charger regulation. It requires all smartphone vendors to come up with a standard for charging; everyone picked microUSB (though moving to USB C now). The EU is fine with that, and the smartphone vendors know that if they start pulling the "everyone has their own port" shit again, the EU will get out the stick.

Nobody wants the stick, neither the EU nor the vendors. The carrot was the EU Cookie law, which was largely ignored and the consent dialogs poorly implemented (not even asking for consent the majority of the time). So this is them getting out the stick. Now you can pick which one you want.

>There is no mandate written into the GDPR requiring warnings before fines, nor is there anything preventing multimillion-dollar fines for first-time, minor violations.

Art. 83 of the GDPR details this. Art. 78 details what rights you have against them imposing a fine.


> Now you can pick which one you want.

I don’t have to pick either. My company is not subject to the GDPR, and we will never put ourselves in a position to be subject to it. I will not be dictated to or threatened by a foreign government.

> Art. 83 of the GDPR details this. Art. 78 details what rights you have against them imposing a fine.

People keep saying things like this, and yet neither article a) requires that a warning be issued before they seek a fine or b) limits fines in any way, except for a top cap of $10 million/$20 million (or percentages of revenue, but the caps are more than 100% of the revenue of most companies).

I would love for someone to just say “yes, technically there are no required warnings or limits other than the $10/$20 million”. Because that’s the only true statement that there is about GDPR fines.


>I don’t have to pick either. My company is not subject to the GDPR, and we will never put ourselves in a position to be subject to it.

Canada, Japan and some other countries, and even the US, have indicated they will copy the GDPR, if not in letter at least in spirit, though the US response is a lot weaker.

>I will not be dictated to or threatened by a foreign government.

The US is a foreign government and does it all the time to me, why is it a problem now?

>I would love for someone to just say “yes, technically there are no required warnings or limits other than the $10/$20 million”. Because that’s the only true statement that there is about GDPR fines.

You won't have that. The GDPR has a strict guideline on how to impose fines; it's not a law and won't be enforced as such. The regulatory bodies have bite because large players like Facebook or Equifax that leak large amounts of user data require more than an angry letter in their mailbox.

As these articles mention, the agency imposing a fine should severely think about the level of fine and ensure it's appropriate. If you get hacked by a 0-day, you followed the advice of your regulatory body, your shit gets leaked and you inform your users immediately, it's very unlikely anything will happen.

If you get hacked because you didn't update your MySQL server in 5 years, you ignored what your regulatory agency said and you don't tell your users, don't expect them to go easy on you.

Easy as that. If you don't like it you can sue back and get the fine reduced or rescinded.


People keep saying all of this. Again, there is absolutely nothing enshrined in GDPR limiting fines, other than $10/20 million. It says they should consider some things when determining the fine. But (for example) one of the 28 countries could decide that in their country, the lowest level fines are “only” $5 million, and they go up from there based on the factors they are supposed to consider. That would still be enough to destroy most businesses.

You cannot tell me that there is anything limiting the fines (other than the cap) because it isn’t written. You’re saying that you hope and think that each of the 28 governments involved here will be reasonable, but in truth you have no way of knowing, and they have every incentive to not be reasonable.


I hope that my government won't do this. As an EU citizen I only have to care about the one in my country.

Again, if you think the fine you got is too heavy you can escalate this to the courts (even EU courts).

There is also no incentive for the regulatory agency to impose such fines if the business cannot pay them. In that case they would get less or even nothing as the business collapses, and it has not been the modus operandi in any EU regulatory body I know of or have experienced.

If they aren't reasonable then the EU courts will make them reasonable, or the EU will add additional paragraphs to the GDPR to prevent excessive fines. Simple as that.


> The fear is real and fully warranted.

Much like the cookie law or CAN-SPAM?



