
This is a good start, but I'm going to be very curious to see if EU data law ever starts getting enforced against european companies at scale, as opposed to international companies.


It does get enforced against European companies; they just don't make HN headlines because they're not big tech, so nobody here would have heard of them.

Also EU companies tend to be more mindful and take data protection very seriously, even before GDPR was a thing, so finding gross offenders is a rare occurrence anyway.


Isn’t SAP absolutely massive? Surely they count as big tech.

Edit: for anyone wondering SAP has ~110,000 employees worldwide, Google has ~180,000, so comparably mega scale tech company.


If you are aware of SAP breaking the GDPR and it's being swept under the carpet or if enforcement is lackluster given the scope of the problem then please supply some evidence. That SAP is large doesn't matter, what matters is if they are breaking the law.


SAP isn't a social platform, it isn't even B2C, so they don't really relate to GDPR


The GDPR applies to all companies, social network platforms or not. It's not even about the internet in particular, it's about how companies can store and process private information of EU citizens.


SAP is B2B; the vast majority of personal data is professional (supplier and customer business contacts) and employee data (payroll and such). Not much to fine here. Also, since SAP as a company isn't handling any of that data, SAP isn't really affected.


> Also, since SAP as a company isn't handling any of that data, SAP isn't really affected.

I am not sure that is completely correct, considering SAP's cloud offerings.


With EU based servers? Sure, GDPR applies. But so far I didn't hear anything about SAP not being compliant.


That is correct, as far as I know. I was just objecting to SAP not being responsible for any PII data of their customers, in all cases.


I don't think the location of servers is relevant to GDPR. It's about storing and processing data of citizens of any EU member country.


Server location matters a lot.


If I run my app on Azure, is Microsoft responsible for me breaking GDPR?

SAP runs your instance, but isn't responsible for what you do with it.



If they're deemed a data processor then yes, in fact they do need to care about the application of the laws. SAP has user management, at least in terms of companies' own users, which will likely have PII.


The personal data handled by SAP, the ERP system not the company, is very well compartmentalized and accessible only on a need-to-know basis. Assuming proper user rights policies and roles are in place, but that is on SAP's client, and not SAP themselves.


Sure, but SAP's business model doesn't depend on doing as much privacy violation as they can get away with (this is basically the business model of all adtech) so they're far less likely to fall afoul of the GDPR. The main risk to a company like SAP would be _accidentally_ falling afoul of the law; this tends to happen where companies are grossly negligent in their handling of personal data, and this is then exposed in a major leak.


You are absolutely correct with this.

I'm absolutely in favor of making it impossible for adtech to make any profit at all as long as they build their business on monetizing user data and exposing their users to all kinds of hazards.

I find it funny that so few people here see a problem with that kind of behavior. It's as if they expect society to serve the market, instead of the other way around.


Temporarily embarrassed millionaires or not yet exploded adtech unicorns, the same mindset. ;)


SAP is the company you go to to help you with potentially GDPR-affected processing. It would be quite a thing if they were doing any kind of non-accidental violation of GDPR.


When did SAP breach GDPR?


Which ones?


https://www.enforcementtracker.com/

Ironically, currently 2023 entries.


[flagged]


The Netherlands DPA has fined CP&A, an unnamed orthodontic clinic, Transavia, a local political party, the municipality of Enschede, Booking.com B.V. (yes, Booking.com is Dutch), OLVG (a hospital), a redacted data trader, the Dutch national tennis association, an insurance company, another hospital, a semi-governmental organisation and 7 governmental bodies.

Some of these do business in foreign countries, but all of them are unmistakably Dutch.

I've left out the largest news organisation in the Netherlands, the Belgian company BPG Media, but they have bought up a bunch of local news organisations.

Non-EU-originating companies on the list:

- Tiktok
- locatefamily.com

Tiktok got fined by the Dutch DPA for not providing their privacy statement in Dutch while still doing business in the Netherlands. Further research into Tiktok was transferred to the Irish DPA (this fine). I suppose the Dutch DPA could've lodged a complaint with the Irish DPA for not providing the necessary documents in Dutch, but that seems rather silly to me.

locatefamily.com did not have EU representation at all so there was no need to process the complaint anywhere else. I doubt the fine will ever be collected, but who knows, maybe the owners are stupid enough to open a business in Europe somewhere down the line.


[flagged]


Just stop trolling...


France against French companies: 40M€ for Criteo, 1M€ for Total, 1M+€ for AG2R, 2M€ and 800000€ for Carrefour, 600000€ for EDF, same for Accor, two 300000€ fines for Free, 125000€ for CityScoot, 500000€ for Brico Privé, 400000€ for the RATP. Perhaps others; I didn't bother to check any further.


[flagged]


So you haven't researched the actual fines and warnings the EU gave out to EU and non-EU companies, but you just feel like the vibes are totally off?

I was really expecting better comments from hackernews. If we're talking about vibes you should acknowledge that it makes sense for the EU to protect their people and their personal information from really large foreign companies. Even more so from companies that are aligned with the state that has one of the largest military powers in the world.


> I was really expecting better comments from hackernews.

You really shouldn't on topics related to the EU. There is an incredible amount of misinformation peddled, and asking for sources or actual analysis beyond simple statements that keep being repeated is usually met with either silence or insults.


>Good research

No. All I did was opening enforcement tracker, click on France, and look for familiar names. It was faster than writing my previous comment. I knew about one of the Carrefour cases, and the Criteo case though.

>The authoritarianism and the insanity of the laws in the first place is/are a far bigger problem

What is authoritarian or insane in GDPR? Or its previous iteration, the DPD (from 1995)? Oh no, we expect companies to handle personal data with care, the horror.


Headquartered countries founded in the EU? Please, tell me more, I always wanted my own nation state!


Obviously I meant to write "companies" not countries. (fixed.)


They kinda are but most EU companies just avoid it by not really collecting your data to begin with beyond what they need for service operation.

At least in my experience, when I deal with a service in the EU, their privacy policy fits on a few A4s, with the important bits frontloaded and written in an easily understandable way. Even most banks don't really hide what they collect on you and they explain why they collect it.

It's only foreign companies that tend to insist on massive privacy policies that border on being incomprehensible and use them to skirt the law. Seriously, just look at Google's privacy page for example: it's a single giant page that mostly just restates over and over "Google may collect info about you". It's unclear what the data is being used for, it's extremely reliant on other pages to detail what's being used, and your average person has probably lost the plot by now.

It's difficult to put it in any other way, but foreign companies are the ones who think they can get away with breaking the law and make it as difficult as possible to trace what they're doing with your data. European companies just tend to actually follow the law. That's why all the landmark cases are against foreign tech giants.


And every organization in the EU has had to deal with the fact that this is now law, and had to think about what they needed to change to comply with it. All companies, but also e.g. tiny volunteer-run organisations (my local scouts group asks for health insurance, medical information, allergies etc. of the kids again and again for every camp they go on because they don't keep the forms around anymore for the next one like they used to).

It's probably different for organisations coming from outside the EU who get EU customers over the Internet.


> (my local scouts group asks for health insurance, medical information, allergies etc. of the kids again and again for every camp they go on because they don't keep the forms around anymore for the next one like they used to).

A lot of people were wrongly influenced by DPD consulting wannabes on their first gig. I have seen small orgs burn years of contacts they could have kept or easily managed in line with the provisions of the law.


The boardroom can’t argue about whether or not to steal from the cookie jar when there is no cookie jar to begin with.

These are the moments I’m grateful to be living in the EU. GDPR was a huge circus of blame on EU bureaucracy back when it was introduced. A lot of hate poured out that every single paper you sign now needs to have a second separate GDPR thing for you to sign. Stupid Brussels making your life more complicated! But now everyone seems to be used to it.


Lots of European companies have gotten fined.

But also, primarily European companies did generally take it a lot more seriously than multinationals. (Sometimes too seriously; while this has calmed down a bit, you'll sometimes see companies enforcing absolutely absurd policies around data on the basis that they incorrectly think they're required for compliance).


In my experience, this is absolutely not true. Sometimes mind-bogglingly so.

For example, it was US companies that stopped serving ads until they had GDPR infrastructure in place, while some very bad actors in the UK were not collecting consent at all.


Ah, well, the UK. The UK is special.


Is there any reason to do that? European companies are more likely to follow the laws already, and take fewer liberties in bending or even ignoring them. Mostly because the people working there have a better understanding of and focus on them.

On the other side, European companies are usually smaller, so they get lower fines, which won't make the headlines. Which is why you might not hear so often about the fines against European companies, which still happen. And if we are honest, we usually only hear about the super-penalties anyway.



There's plenty of EU companies getting fined: on top of the fact that HN will naturally bias toward reportage on well-known US unicorns, there's also a language barrier: most reportage of fines outside of Ireland won't be in the English language.

The Irish DPC is also reportedly quite busy, by virtue of shouldering a disproportionate amount of the enforcement work for non-EU companies (due to tax-driven HQing there). They have taken cases against European entities as well, however: notably they have even taken cases against the Irish government for violations around mandating biometric public service ID cards.


It's absolutely trivial to confirm that EU countries get fined all the time: https://www.privacyaffairs.com/gdpr-fines/


[flagged]


If you ignore Ireland and Luxembourg there (most of the big multinationals are subject to one or the other), then you'll get a much more balanced picture. For most of the countries, most of the top offenders are European.


[flagged]


The website in the comment you were replying to _literally does exactly that_. Bloody hell, this website...


I would honestly expect someone with such weak opinions so strongly held like you to do their own homework.


You should clarify the difference you perceive and why you think it's an issue.


Aight, bud. I don't care about gdpr and what not. not an eu citizen nor have any business with them european. tell me what's the difference.


> european companies at scale

Such a thing would need to exist before the EU would be able to fine it.


[flagged]


You keep throwing around the "unbelievable" and "unreasonable" fines.

Why do you think that these fines are "unbelievable" and "unreasonable"? Because for me they are rather on the low side, given the business practices, the reach and the potential for abuse that these companies have.


1) They stopped it 3 years ago when there was an inquiry.

2) 2.6% of revenue for a company that isn't even profitable.

3) 2.6% of revenue for a global company; how much of this then is only EU revenue?? Are they supposed to get their legs cut off just for breaking one law of the 5 million that they're supposed to comply with?

4) This was a first offense for this company.

5) They're not doing anything harmful with the data. It's a social media platform. We need to relax. The burden should be on the parents.


1) GDPR has been in effect since 2018. It doesn't matter that they were in violation of the law "only" two years; they broke the law.

2) Just because they are incompetent doesn't mean they get to break the law. Why should incompetent businesses be absolved from any wrongdoing?

3) If they want to do business in the EU they have to play by the EU's laws. If they cannot abide by the EU's rules, they probably should not try to make business in the EU.

4) That's why they only have to pay 2.6%.

5) There were multiple breaches that exposed users' data. You might think that exposing users' data is not that serious; the EU has decided otherwise. The burden by law is with the company, not the parents.


>Are they supposed to get their legs cut off just for breaking one law

Yes, they won't learn otherwise.


[flagged]


I understand the tool of hyperbole, but this is a very flawed hyperbole.

We do have to keep people around if they behave in ways that harm society, but society is not morally bound to keep companies existing despite them misbehaving. They are not living conscious entities. They are organizations created for the purpose of accumulating money. And if they cannot do that without violating the laws, then they should be dissolved.

That's not an "authoritarian mindset". That's just the mindset "the law applies to everyone".


Organizations/companies serve the purpose of serving society through work. They are inherently unselfish entities.


How else would regulation work?


[flagged]


They wouldn't even notice 100'000 Euros, and so the fine would be useless as a tool of discouragement. The laws have been specified so that they scale with the size of a company. Tiktok is a big company. They make a lot of money. They can afford the 345 million. They will notice that.

So the fine seems appropriate to me.
