
> "The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information (...) We’ve fixed the issue"

This makes it sound like they consider "you could see it" the issue, not "we were still keeping it". In other words, the fix was to hide it, not to delete it.

If I were the Irish DPA (and actually wanted to do my job and had the resources to, instead of being intentionally lazy/crippled to attract tech firm headquarters), I'd definitely be asking for retention plans and evidence that the data is now being removed in a timely manner, and start issuing fines (small ones for past transgressions, big ones if they keep doing it or don't have a decent plan for how to make sure to get rid of data they shouldn't be having).

For comparison: Deutsche Wohnen (large real estate) got slapped [1] with a 14.5 million EUR fine for over-retaining sensitive tenant data and not having an automated system to delete it.

[1] https://www.dataprotectionreport.com/2019/11/first-multi-mil...
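The "hide it vs. delete it" distinction in this comment, as an added illustration that is not part of the original post or of any real Instagram code: a constructed soft-delete model where the reported export bug ignores the deletion flag, the read-time filter merely hides the rows, and only a retention purge actually removes the image and its derived metadata. The 30-day window is an assumption for the example, not a figure from the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RETENTION = timedelta(days=30)  # assumed retention window for the example

@dataclass
class Photo:
    photo_id: int
    owner: str
    blob: Optional[bytes]                  # the image bytes
    exif: dict                             # derived metadata: location, faces, camera
    deleted_at: Optional[datetime] = None  # soft-delete marker; row stays on disk

class PhotoStore:  # constructed toy store: "delete" only stamps deleted_at
    def __init__(self) -> None:
        self.rows: dict = {}

    def soft_delete(self, photo_id: int, now: datetime) -> None:
        self.rows[photo_id].deleted_at = now

    def export_buggy(self, owner: str) -> list:
        # The reported bug: the export walks every row the user owns, flag ignored.
        return sorted(p.photo_id for p in self.rows.values() if p.owner == owner)

    def export_fixed(self, owner: str) -> list:
        # The "hide it" fix: filter at read time; blob and metadata are still stored.
        return sorted(p.photo_id for p in self.rows.values()
                      if p.owner == owner and p.deleted_at is None)

    def overdue(self, now: datetime) -> list:
        # Evidence check a regulator could ask for: soft-deleted rows past the window.
        return sorted(pid for pid, p in self.rows.items()
                      if p.deleted_at is not None and now - p.deleted_at >= RETENTION)

    def purge(self, now: datetime) -> list:
        # The real fix: drop the whole row, so blob AND exif go together. Returns ids purged.
        gone = self.overdue(now)
        for pid in gone:
            del self.rows[pid]
        return gone

def run_scenario():
    t0, store = datetime(2020, 1, 1), PhotoStore()
    for p in (Photo(1, "alice", b"jpeg-bytes", {"lat": 52.5, "faces": ["bob"]}),
              Photo(2, "alice", b"jpeg-bytes", {"lat": 48.8, "faces": []})):
        store.rows[p.photo_id] = p
    store.soft_delete(1, t0)
    buggy, fixed = store.export_buggy("alice"), store.export_fixed("alice")
    early = store.purge(t0 + timedelta(days=1))   # inside the window: nothing removed yet
    purged = store.purge(t0 + RETENTION)          # window elapsed: row 1 is gone for good
    return buggy, fixed, early, purged, store.overdue(t0 + RETENTION)
```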



Why small fines initially? I’d like to see privacy fines being used to make lots of money like traffic fines are used today. It’s a way to tax tech companies in your jurisdiction with the added benefit of improving privacy.


Because the goal is compliance, not to put companies out of business. When the laws were first enacted everybody was screaming that it was just to put companies out of business. Now they are wondering why the small initial fines.

It's simple: change your ways and use the initial fines as a wake-up call. If you then do not wake up and persist, the fines will get heavier and heavier until you pay attention.

A Dutch hospital managed to get to the third round of fines and they weren't all that happy afterwards. 460K Euro fine for a single instance of ignoring the regulators on a single individual.

Believe me when I tell you they have understood now.

The initial fine was zero, just a warning to improve.

The case revolved around a very minor Dutch celebrity whose data was reviewed by hospital employees who should not have had that access.


> Because the goal is compliance, not to put companies out of business.

There's middle ground between "we take 100% of your revenue" and "we take 0.001% of your revenue". Given that we're not this lenient with private citizens and small companies, why should we be with international corporations?


That's why the fines can be ramped up. The largest fines were a substantial fraction of the revenues for the companies they were addressed to and there is no practical limit once you take per violation figures into account. You ignore this at your peril.


It's not 100%. The fine can get up to 4% global revenue or 20 million Euro, whichever is higher.


There is still some unclarity as to whether or not multiple fines can be issued for different transgressions, there hasn't been such a case yet and nobody has gotten close to the limit so for now this is still grey. But I think that once fined at that level no sane CEO is going to risk getting a second such fine in the same year or even at all.


Imagine if we lived in a society where you were given a small fine for the first time you commit murder and then life imprisonment for the second offence. This may lead people to believe that murder is a serious but forgivable offence when it is not. That’s my first argument: small fines play down the seriousness of the “crime”.

My second argument is the efficiency of using capitalism to fight capitalism. Take money from companies who make mistakes with personal information. Be that out of ignorance, malice or bad luck. Why does it need to be fair and just - make money from it. Make it a risk to capture personal information in the first place. If those companies go out of business then so be it. Others will take their place. It’s not impossible to do business without storing personal information, there is just not enough incentive to bother.


(1) This isn't murder, so that's a false equivalence. Murder is in a different book of law than privacy laws.

(2) small fines do not play down the seriousness of the transgression (which is the word I think you should be using for instances like this). They merely indicate that you should clean up your act assuming no real harm has been done. In some cases the regulators have immediately resorted to fines, and quite large ones as well if they felt that the case warranted it. They do have that option.

But putting companies out of business was never the goal, contrary to what a lot of alarmist people were screaming when the law went into force. Also, over time as more and more companies have been fined I would expect that the initial fines will go up because claiming ignorance really isn't an option any more. Some comments in this thread are particularly worrisome in that light, it appears that some people still don't get it and they are in positions where they really should know better.

Turning data into a liability rather than an asset is the long term outcome. This will take time, and when it happens I'll be that much happier. Every company will have to seriously weigh the price of holding on to some datum vs the price of losing it.


You’ve made some good points there. I guess it’s a balancing act and if the regulators go too far too quickly then we may never get to that long term goal.


Exactly. I keep a close watch on the fines via the enforcement tracker. I think some of them are too strict, some too lenient but overall the picture is actually quite ok.


> Imagine if we lived in a society where you were given a small fine for the first time you commit (an offense) and then (a harsher punishment) for the second offence.

We do live in that society. For example, the first few times you get caught speeding, you get a warning or a ticket with a fine. Keep getting caught speeding, and you lose your license and/or go to jail.


Initially it was almost certainly accidental, or in a system first implemented before data protection laws covered this sort of thing.

From the moment the problem is brought to their attention, then it becomes intentional and willful, so the fines should be much bigger.


If it takes deleting one's account to truly wipe your data, it should be made clear.


What makes you think even deleting one's account will truly wipe data?

These companies profit from personal info whether one is a customer or not. I would imagine everything exists with a "user de-activated since $DATE" entry or similar in their database.

Perhaps I'm too cynical?


Actually I think the incentives are aligned here.

If they can't show the pictures that they have claimed to have deleted then they can't use it to bring in eyes for advertisers, which means that the data is a net loss for them, causing them to have to buy more storage sooner.

They should want to delete data as soon as possible.


Hmm yes, they probably free up the bulk of space and just keep extensive metadata instead: "We don't have the picture, but we know you took one at date, time, location, make & model, shutter speed & aperture, and we recognized the faces of these 2 users X & Y, and another non-user for whom we have shadow profile Z was also tagged."



