I think this kind of point has come up quite a few times in this thread, and I'm gonna use your comment to go over something which I don't think has been discussed much.
The ICO (UK) has been fairly clear that the intention is not to fine businesses to the point where they cannot operate. It also seems fairly clear to me that they do not expect smaller organisations to jump through the same hoops as large ones such as Microsoft and Facebook. If you are a small organisation and you can show that you have and will continue to take meaningful steps towards protecting the data you hold and providing your users with transparency as to your processing, then the ICO and other regulatory authorities are not going to hit you with a 20M Euro fine [1].
I certainly feel as though the law is being perhaps misrepresented as some sort of anti-business regulatory overreach. I highly doubt the European Union wants to a) Drive businesses away from Europe and all that yummy tax money that they bring with them, or b) Piss off European consumers by restricting their access to all the fun things being provided by non-EU companies. It's not in the EU's interest to do either of those things, but there has to be a balance, right? The fact that organisations can collect huge amounts of personal data and when/if something happens just shrug it off (exaggeration, I'll admit). The current legislation doesn't give supervisory authorities (such as the ICO) enough of a bite to encourage compliance from larger companies. £500k (current fine limit) is nothing to an organisation that turns over billions a year globally. I'm sure in many of these circumstances the cost of compliance would far outweigh any fines handed out.
The debate here is very interesting though, as there are plenty of people viewing this from different angles. I wonder if some residents of non-EU countries here feel as though the EU (to them an unelected body) is effectively overruling their domestic legislation, and that this is not right. I can certainly understand the argument that whilst (in my opinion) this law could be overwhelmingly good for consumers, especially given the current climate, it could be viewed as setting a dangerous precedent for extraterritorial reach.
> The ICO (UK) has been fairly clear that the intention is not to fine businesses to the point where they cannot operate
That's a problem, imho. We cannot rely on good intentions when it comes to the interpretation and enforcement of the law. Anyone who's gotten caught up in the quagmire of legal bureaucracy understands that.
The law is the law, and will outlast the good intentions of the authors or people currently in charge. If the law, as written, was not intended to be as such, then it should be amended.
I agree with you, I think your point is in a similar vein to my comment about the extraterritorial nature of the law. It's great whilst we have people in charge who we might agree with, but where are the protections if you do not agree or if the circumstances change? I can envisage the legislation, being interpreted in the strictest fashion, being used against organisations for political or other motives. Do we have adequate protections against this in the legislation?
That is reflective of the nature of the crime, and history of the criminality of the accused, not their intrinsic characteristics, such as being small businesses or large businesses.
Depending on the nature of the violation, it may also reflect the scope of the violation, such as fraud. This is a scenario where, again, the size of the business, or the risk of the business going under, is not taken into account.
If we really want two separate punishments for the same crime, one for small businesses and one for large businesses, because we don't intend on putting anyone out of business, then that should be a codified part of the punishment.
[1] https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-...