With that in mind, I like what the EU seems to be doing with GDPR[0]. For failing to properly manage user data, you can end up with fines like:
- a fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
- a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
...which, considering the stuff companies have been pulling off recently, seems quite OK. A 10M EUR minimum might, hopefully, at least scare off some of the small "innovators" in the area of surveillance economy. As for big corporations, I doubt anything but jail time for executives will work though.
I like this law. Now the real question - is it actually enforced? Because it's meaningless otherwise.
In most cases we don't need new laws, we just need the existing ones to be enforced. Like all these "bullying" laws. I never understood why we needed them when we already have plenty of harassment laws on the books. Enforce those and problem solved.
> I like this law. Now the real question - is it actually enforced? Because it's meaningless otherwise.
Right, yeah, see regulators don't want a court challenge. They could find their whole charter declared unconstitutional. Not as punishment, but simply because nobody ever challenged it.
They try to strike a balance between going to court and enforcing the will of the people/legislators/regulations. If it seems akin to a traffic ticket, well, that's because traffic cops are doing the same thing.
Regulators and civil society groups have taken the GDPR's predecessor (the Data Protection Directive) to court plenty of times, usually very successfully. The most famous regulator-brought court case is probably the Google Spain/Costeja "right to be forgotten" ruling of the Court of Justice of the EU (CJEU).
The European Union is a new entity and is still forming its case law. Its courts are granting themselves more power and it is probably a few years until their own Marbury v. Madison equivalent. For now it's just seeing what sticks and learning the whims of the judges, but you have to recognize the relativity of their authority.
It's not in force yet, but will be from May 2018. Then, like its predecessor the Data Protection Directive, it'll be enforced by over 30 regulators EEA-wide, with a brand new "consistency" mechanism to help multiple national regulators from different countries agree what to do about complaints that involve each one's country (though the defendant will in theory only need to deal directly with the authority of the country where the company has its main establishment; that lead authority will funnel questions etc. from all the others). Note that the existing Data Protection Directive is very actively enforced. Here's the UK's track record (and bear in mind the UK isn't one of the meanest): https://ico.org.uk/action-weve-taken/enforcement/
[0] - https://en.wikipedia.org/wiki/General_Data_Protection_Regula...