
Unless I'm misunderstanding what you mean by absolute and relative, I think the law is already relative:

> The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million – whichever is greater – for organisations that infringe its requirements.

From here: https://www.itgovernance.co.uk/dpa-and-gdpr-penalties



In context, "relatively bigger" would mean something like a progressive tax bracket. $20MM up to $500MM rev, 4% up to $1BB rev, 5% up to $2BB rev, 6% up to $5BB rev, etc...

A straight 4% would be absolutely bigger, but relatively the same (once beyond $500M).


This is a good idea. However, what about phantom businesses which commit the crime and would not have real revenue?

My problem with fines is that they don't really force the PEOPLE in the businesses to play fair.

What about required & [RESPONSIBLE] roles and jail?

I am asking that in general because I am fed up with our business-entities made world where committing a crime is basically RECOMMENDED if the numbers and percentages say so.


I think it's not about "income brackets", it is about profit margins, which can vary a lot between industries. 4% of revenue is enough to bankrupt a traditional business, like Walmart with profit margins of 2,48%. Google is a low-cost business, with a profit margin of 25%, so even the maximum GDPR fine is something they can just write off.


So just make the fine a portion of profit? Maybe a three layer system that takes into account flat euro rate, a percent of revenue, or a bigger percent of profit; whichever is highest.


Making the fine a percentage of profit would be even worse: Amazon, for example, has no taxable profit at all, so the GDPR fine for them would be $0 (or $20M, which does not make much difference). And having different fines for different industries, based on gross profit margins, could be viewed as discriminatory, and therefore ruled illegal.


Though I think the GDPR is bad law in some ways (chiefly in terms of the chilling effect on small operators), I think that allowing the cap on the fine to be revenue based (and specifically global revenue based) is nearly essential.

Otherwise, you get into accounting chicanery (or outright loss-making companies being able to operate with impunity while they grow).

There's nothing stopping the enforcement action from taking into account the underlying profitability if something like a grocery store were to run afoul of GDPR.


This



