Whois vs GDPR, latest news

JORDI PALET MARTINEZ jordi.palet at consulintel.es
Sat May 26 19:36:48 UTC 2018


Talking from experience, because of the previous laws in Spain, LOPD and LSSI (which were basically the same across the different EU countries).

They had "maximum" fines (it was 600.000 Euros). They start, for small infringements of the law, at 600 euros, 1.500 euros; unless it is something very severe, then it comes to something like 30.000 euros, etc.

If you keep repeating the law infringement, then the 2nd time it may become 150.000 Euros.

If it is a massive infringement (for example massive spam), then it comes to 300.000 or even 600.000 euros.

Here is an explanation of the LOPD fines; it is in Spanish, but a translator should work:
http://www.cuidatusdatos.com/infracciones/

My guess is that the GDPR maximum fines are there just as a maximum, and there will be agreements among the EU DPAs to better define how much the fine is, in a similar way to what they are doing now.

Regards,
Jordi
 
 

-----Original Message-----
From: NANOG <nanog-bounces+jordi.palet=consulintel.es at nanog.org> on behalf of Rob McEwen <rob at invaluement.com>
Date: Saturday, May 26, 2018, 21:06
To: <nanog at nanog.org>
Subject: Re: Whois vs GDPR, latest news

    On 5/26/2018 2:36 PM, Michel 'ic' Luczak wrote:
    > Original text from EU Commission:
    > "Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher"
    >
    > -> Administrative fines _up to_ 10M (or 2% if your 2% is higher than 10M).
    >
    > It’s a cap, not a minimum.
    
    
    Thanks for the clarification. But whether that fine will be less than 
    10M is extremely vague and (I guess?) left up to the opinions or whims 
    of a Euro bureaucrat or judge panel, or something like that... based on 
    very vague and subjective criteria. I've searched and nobody can seem to 
    find any more specifics or assurances. Therefore, there is NOTHING that 
    a very small business with a very small data breach or mistake, could 
    point to... to give them confidence that their fine will be any less 
    than 10M Euros, other than that "up to" wording - that is in the same 
    sentence where it also clarifies "whichever is larger".
    
    All these people in this discussion who are expressing opinions that 
    penalties in such situations won't be nearly so bad - are expressing 
    what may very well be "wishful thinking" that isn't rooted in reality.
    
    -- 
    Rob McEwen
    https://www.invaluement.com
      
    
    


