GDPR max fine is (iirc) 4% of revenue. So if you are a small fish you will be paying less than the big fish. Also the fines are for wilful failure to comply; if you accidentally broke GDPR then your first offence is going to be more a slap on the wrist than an instant 4%.
Except it says "whichever" is higher, so if they decided to fine you 10 million or 2% of revenue, and your 2% is much lower than 10 million, guess which one you're paying...
> Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher
_Up to_. It's subject to various considerations (Article 83):
> (1) Each supervisory authority shall ensure that the imposition of administrative fines [shall] be effective, proportionate and dissuasive.
> (2) [...] When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
> the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
> the intentional or negligent character of the infringement;
> any action taken by the controller or processor to mitigate the damage suffered by data subjects;
> the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
> any relevant previous infringements by the controller or processor [and other specified criteria]
> (8) The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
They can't just arbitrarily decide to fine you the maximum.
GDPR breach fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.
Fining a small mom and pop site 20 mill (20mil/4% is the highest fine depending on the case) is not proportionate, and not effective because I would like to see them actually collect on that, and I would say such a fine to a mom and pop would be dissuasive of doing business at all, which is not what the ICO in the U.K. would want. Speaking of the ICO, their big fine (fucking auto correct) to BA for shockingly bad security earned them a 1.5% fine instead of the max 4% because they worked with the ICO (but the ICO still found them failing in a duty of care to protect data), and they have been pushing the fine down the road ever since it was issued; atm the earliest the ICO will actually fine BA is next month and it's been almost a year since they filed their "intent to fine".
So while they can throw around heavy fines, it's not like they run every mom and pop site out of the country.
>I would say such a fine to a mom and pop would be dissuasive of doing business at all
Welcome to the EU. They've pulled these stunts before. When they introduced changes to digital VAT collection the lawmakers "forgot" that VAT has exemption thresholds. This effectively barred some small and micro businesses from selling their digital services/goods to other EU countries, because the business would not have been exempt from VAT afterwards. It took the lawmakers years to implement a minimum VAT threshold.
>It’s not like they run every mom and pop site out of the country.
Of course they won't, because people want to do business. There will always be more businesses that get started. The question is whether there will be fewer businesses started because of the regulation. So far analysis after GDPR points to yes.
The key part there is "if they decide to fine you...".
The max(€10m, 2%) and max(€20m, 4%) are the most that supervisory authorities may issue as fines.
But supervisory authorities have a legal duty to issue fines that are proportional, which means that unless you breach the GDPR in a wilful and egregious manner you're unlikely to be fined that much (and if you are, you can appeal the fine to a court, which would reduce it to a proportional amount).
When would it ever be proportional to charge a small business more than 2% if they can never charge a large business more than 2%? Are small businesses, as a general rule, somehow more capable of causing damage than larger businesses?
Is the law as written somehow vulnerable to some legal hack where all my revenue goes through Company A but all my data goes through Company B, so that Company B has a small global revenue despite being extremely profitable to the controllers of the companies?
>Is the law as written somehow vulnerable to some legal hack where all my revenue goes through Company A but all my data goes through Company B, so that Company B has a small global revenue despite being extremely profitable to the controllers of the companies?
No. Who the data controllers are is a matter of fact, not assignment.
To quote the Court of Justice of the European Union in the Fashion ID case (C‑40/17) at paragraph 68:
"[A] natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller".
Furthermore, as per that case, multiple data controllers may exist for some processing activities.
So both Company A and Company B may be considered to be Data Controllers and thus both liable.
But since we're talking about small sites and small businesses, how many of these will actually be able to afford to go to court to argue this? In every system mistakes are made and corruption exists. Why word it in a way that seems to increase the likelihood of both?