Whenever I encounter the label “made in EU”, “Germany”, “Estonia”, “France” … in the footer of a web project, which implies enhanced data-protection, apparently, I wonder:

How can it be so? There are some data-protection laws, yes. But one can’t control a hosting provider 24 hours a day. One can’t know whether an employer there copies all the data onto his memory drives.

Can’t the police, if need be, seize a server as easily as it would in any other country on Earth?

Don’t the majority of countries in Europe share information with US intelligence under the 5 Eyes, 9 Eyes and 14 Eyes agreements, whereas 2nd- and 3rd-world countries don’t?

How is it better than a label “made in South Africa”, “Thailand”, “Costa Rica”, “Egypt”, “Kuwait”?

I can see how “made in Germany” or EU makes a project worse in terms of privacy and data-protection. How could it make it better, though?

  • redfellow · 6 months ago

    I wholeheartedly disagree that more than one fine a day on average, and 4,5 billion euros, are “nothing”. All of the clients of the company where I work have taken GDPR seriously; the possible cost of not doing so would be devastating.

    Where I live, we have an agency that investigates, aids and notifies before action is taken, and they are very active.

    If and when you want to make a notification about a violation here, there’s a clear process to do so, and failure to comply with what the agency decides will escalate the situation to the aforementioned fines.

    • @diyrebel@lemmy.dbzer0.com · 6 months ago

      You’re still talking about voluntary compliance. The GDPR is not entirely useless for this reason - some orgs will comply despite the unlikeliness that any action results. Great! My long history of art.77 reports shows GDPR-hostile orgs getting away with it.

      Here’s how the math works: your expectation of a fine (cost of noncompliance) is compared to the cost of compliance (e.g. hiring subject matter experts for consultation and making adaptations as needed). The expectation of a fine is the fine amount multiplied by the probability. The fine amount is negligible (if anything) for gov agencies, and the probability that a fine is levied by a state against itself is much smaller still than the probability of a fine against a commercial corp. So gov offices laugh at the GDPR. Commercial orgs can get a huge fine, but they tend to get warnings, not to mention that the chance a DPA even bothers to engage the offender is infinitesimal as it is. The cost of compliance is generally higher, which is why they don’t bother. Hence why I’m up to my neck in violations. Luckily the good samaritan orgs that comply are the ones who haven’t done the math.

      The GDPR would only become an effective force if they were to amend it so that article 77 were itself enforceable against the deadbeat DPAs.

      • redfellow · 6 months ago

        All law compliance is voluntary on the threat of consequences; that is a bad point, because if all compliance is voluntary, then you are saying that all laws are largely useless.

        My personal experience, in my country, is that GDPR is working fine, just as fine as any other law. There are always some people who break laws, and there are always resource costs to catch and fine/prosecute the law breakers. As long as the observable majority are law abiding, the law works as well as it can.

        Outliers don’t make the law moot, or GDPR “nothing” as you stated in your earlier post, and no amount of reasoning you attempt to give can convince me otherwise, as my personal experience and observations differ from what you are attempting to peddle.

        FYI: no gov offices are laughing at GDPR in Finland; if they did, another separate branch of gov would fine them. What you are saying is that, due to the fact that corruption exists, your govs are not taking the law seriously. That’s a separate issue and affects everything, not just GDPR, and again, doesn’t make GDPR moot.

        • @diyrebel@lemmy.dbzer0.com · 6 months ago

          All law compliance is voluntary on the threat of consequences; that is a bad point, because if all compliance is voluntary, then you are saying that all laws are largely useless.

          Yes, but mentioning this only muddies the waters. You’ve forgotten what I said previously. I’m not saying it’s voluntary on the trivial basis that all actions are voluntary. I’m saying compliance is voluntary because (as I have established and you failed to counter) the GDPR is not being enforced for the most part. You have ONE fine every THREE WEEKS by each DPA. How is your math not sorting that out? I will lay it out here:

          52 weeks/yr ÷ 3 weeks × 23 DPAs × 5 years = 1993 + ⅓

          That’s absurdly deadbeat on the DPA’s part. As one individual I am personally encountering violations at nearly that rate just on my own as one person. On average the DPA in one country is doing enough workload for one single victim. Scale that to a nation of people and the result is they’re doing fuck all.

          My anecdotal experience reflects that of others and in fact mirrors the big picture. But you need not take my word for it. Read about it (“Fines are few and far between…Enforcement is, at best, patchy and inconsistent.”). Though I must say your lack of awareness makes your background questionable. You should know about the lack-of-enforcement problem if your career is tied to it. After all, your own numbers reflect this; you’re just neglecting to do the math.

          You’ve tried shifting the focus onto the revenue from the fines, which is irrelevant to the probability of getting a fine. The absurdity of that attempt is that “Meta… accounted for 80% [of last year’s total fines], with its largest fine reaching €405 million.”

          Outliers don’t make the law moot,

          They do when the statistical outliers actually reflect cases of fines, as opposed to the cases of inaction. Again, 1 fine every 3 weeks for a whole country. That’s what makes the law moot from an enforcement perspective. You throw out the outliers and you’re left with no enforcement in the remaining dataset.

          What you are saying is that due to the fact that corruption exists, your govs are not taking the law seriously.

          I didn’t exactly assert corruption. That’d be slightly overstated. There is certainly a conflict of interest when gov agencies are accountable to DPAs of the same country. You can use your own judgement as to whether to outright assert “corruption”. Either way, that’s only a factor when the GDPR offender is a gov agency. Lack of enforcement is bigger than that. As I said, the law itself is the problem because it’s not motivational. Again, there is no enforcement clause to force DPAs to honor article 77 reports. That’s the problem which you continue to ignore. It also doesn’t help that “DPAs complain about a lack of budget and personnel. While German DPAs employ around 1200 staff, Belgian, Croatian, and Romanian DPAs average only 50.” (from the same article). So the other problem is that the GDPR does not require member states to allocate sufficient resources for the workload, though that problem would take care of itself if there were a penalty for member states who fail to uphold art.77.