
Do you think Amazon wasn't using personal data contrary to European data protection law?


I think the parent's point is that in a more well-functioning system Amazon would be given notice and time to rectify their presumably mistaken wrong-doing which they would then appropriately rectify in good faith or to avoid penalties.

The parent is pointing out how the current system incentivizes "surprise" fines as an alternative to up-front tax and how this dynamic trends towards fines being seen as a simple cost-of-business rather than a true penalty/punishment.


Why are they '"surprise" fines'?

GDPR was published and companies had time to get ahead of it before it went into effect. There were special recital sessions where guidance was given for what parts of it meant. Many companies put into place a lot of changes to comply. Yes, parts of GDPR could be a little ambiguous, but as with every law, a company can be more or less conservative in making sure they're above reproach.

Why should violations be "presumably mistaken" if a company has a legal department and the resources to comply with the law? If the speed limit is posted, I don't expect a cop to give me a warning when I've exceeded it under the assumption that it was inadvertent, and give me a reasonable period to come into compliance.


> parts of GDPR could be a little ambiguous

This is a massive understatement. There are a lot of comments here by people who clearly want to like and support GDPR but have never actually tried to "comply" with it in a large business. GDPR is a textbook example of how not to write law (unless of course you're actually trying to create a despotic regime). It has so many problems when viewed from a law engineering perspective that it's really quite expected that a lot of companies will just give up, because the only plausible explanation for the way it's written is to be able to arbitrarily fine certain types of companies on demand.

1. Absolutely everything is maximally vague and subjective. Whoever wrote it never wanted to have to justify any decision made under its authority. Everything is defined with terms like "legitimate", "disproportionate", "significant", "likelihood", and the perennial favorite "reasonable effort". If you believe you have a legitimate need or made a reasonable effort and a regulator doesn't, or that your users are giving consent and then someone else claims it isn't explicit enough, who can say who's right? There are no standards on which to judge anything so it turns into a pure difference of arbitrary opinion. Merely being conservative is no use at all because you don't even have any idea, based on reading the law, whether what you're doing would be considered conservative or aggressively non-compliant. Nor does anyone else.

2. Compliance is basically impossible for any large institution. The EU Commission was itself non-compliant on the day GDPR came into effect, which was noticed immediately, and their response was that they had written themselves (and nobody else) an exception into the law so that they had more time to comply with it. When the government that writes a law acknowledges an inability to follow it by the deadline they set for everyone else, you know a law has problems.

3. Because the law is written so badly you can find plenty of people interpreting it in ways that would imply Amazon is doing nothing wrong, like this page [1] which purports to be busting GDPR myths and states that "processing is subject to stricter rules only if the profiling "produces legal effects" concerning the data subject or "similarly significantly affects" that individual. This will unlikely be the case for most advertising-related profiling and for the personalization of offerings".

4. GDPR theoretically requires every company in the world to comply, or does it? It's triggered by "offering" services to people in the EU, but what counts as "offering" is left undefined and, like everything else, could be interpreted in dozens of different ways. Is having a website sufficient? Nobody knows. Here's PricewaterhouseCoopers' advice on GDPR compliance for Switzerland [2], which starts by saying "My company is only Swiss-based, does it have to comply with GDPR? Alas, there is no simple answer to this.".

The fact that so many results when searching for GDPR are articles that claim to be debunking myths about it, and that so many such pages directly contradict each other, is indicative of the massive level of confusion this law has justifiably generated. It can be interpreted in any way any government wants to justify almost any level of fine imaginable, and governments are directly incentivized to do exactly that. Cynicism about GDPR and its motives will not go away by simply having lots of EU-loyal HN posters tell Americans that compliance is easy when it so obviously isn't.

[1] https://www.vischer.com/en/knowledge/blog/the-gdpr-and-switz...

[2] https://www.pwc.ch/en/insights/tax/gdpr-swiss-based-companie...


Yeah, that's not how GDPR is written: there's no provision for notices. That's the law, and it's available to everyone to read.

All of Amazon's competitors, including my employer, have spent a lot of money and energy to comply. Why Amazon decided to just ignore what everyone else knew was a big deal is beyond me.


> this dynamic trends towards fines being seen as a simple cost-of-business rather than a true penalty/punishment

I'm sure they ignored it because they thought they would make more money that way.

Edit: Also, to be clear, by "system" here I mean the overall environment not specifically the EU or the GDPR.


We could broaden the conversation and also ask who are the people who got harmed to the tune of $1B, and how they will be redressed for that harm.

The point is not the legal matter at hand but the nature of the law itself and how it came to be. As much as I like that we don't get spam calls anymore in the EU, the problem was pushed under the rug, not solved (all the spam calls are now from UK numbers). The bigger problem is that while the legislators legislate for putting restrictions on EU businesses, they have not legislated an equal amount that would be conducive to business in the EU.


Do you think European data protection law actually prevents much tangible consumer harm?


Do you answer straight questions, or do you just keep changing the subject?


The law presumably would if it was properly enforced.


Do you know what the phrase "throw the book at them" means?

It means you have a rich set of laws, which punish various offenses which look fine on paper, but in practice everyone violates just to do their regular job, so they're widely not enforced.

But if you want to fuck someone in particular, you can easily find them in violation of a dozen or two of them, and put them in jail for a long time or fine them substantial amounts.

You threw the book at them.

This is basically what most of EU's data privacy, cookie and so on laws are about, in practice.

It's interesting how you can take a collection of seemingly or genuinely good-intentioned rules and use them to basically rule as a king, but there you go.

And it's not a good thing.


That's not really how, at least some, European countries work. Laws are written and companies are generally expected to follow them. We're trying to catch up, going from a society where rules are followed, without the need for actual enforcement, to one where companies don't follow the law unless the court makes it unprofitable.


Are companies expected to follow laws the day they get signed, even if it might take over a year to implement compliance? Think about it. Because here's what happened:

> The penalty is the result of a 2018 complaint by French privacy rights group La Quadrature du Net, which filed numerous lawsuits against Big Tech companies on the behalf of 12,000 people shortly after the GDPR was established that year.

This privacy group waited for the law to get signed, and promptly sued every big company that clearly handles user data.

Do you think fining everyone a billion or two would help them come up with a time machine and go back in time to implement a law before it exists so they're compliant by the time it's signed? Curious.


You'd think that if this was a legit defense they would use it in court, instead of "There has been no data breach, and no customer data has been exposed to any third party", clinging to anything irrelevant, as I'm sure they don't hire incompetent lawyers waiting for an online poster to come up with a solution.

I think GDPR discussions are always heated on the 'EU vs US' line because of a different approach to trust in the government. In the EU people tend to (surprisingly maybe) trust politicians more because they at least want to be re-elected, and distrust corporations/billionaires because they want to increase profit. In the US, I think, it's different: there is a distrust in the government because they are here to get us, and more trust (surprisingly maybe) in corporations/billionaires because they are just like me, working hard to earn money.


The GDPR was enacted two years before it came into force. Companies trading in the EU had plenty of time to come into compliance.

LQDN didn't "wait for the law to get signed" - it was signed ages ago. They waited until it was enforceable.

It's worth pointing out that the GDPR is an EU "regulation". It doesn't have to be ratified by member states, and they don't have to implement some kind of compliant national legislation. This is very different from the previous EU privacy legislation, which required member states to enact suitable laws, which many of them were apparently reluctant to do.

The GDPR came into force the day the regulation was issued. It's just that "came into force" means that the 2-year breathing-space provided for in the regulation began at that time.

[Edit: changed 3 years to 2 years]


"The GDPR was adopted on 14 April 2016 and became enforceable beginning 25 May 2018."

They had two years from when the law was made.


If we're talking about GDPR, it came into effect on 25 May 2018, after being adopted by the European Parliament on 14 April 2016.

That's two years, one month, and 11 days for implementation. Those additional days are days after it was published in the EU's Official Journal. It's not the EU's fault that companies waited until 2018 to give a fuck about it.


> Do you know what the phrase "throw the book at them" means?

It's perfectly reasonable to throw the book at them, because unlike their competitors they don't seem to have made even a token effort to begin compliance.

If they didn't have the book thrown at them, people would complain that the law is toothless.

I've worked for two companies that had to implement GDPR; in both cases the legal departments were extremely serious about it and we had to do a lot of work to comply. Why should Amazon get a pass?

