Translated with www.DeepL.com/Translator
What was the point of threatening such high fines? Although the FUD principle (Fear, Uncertainty and Doubt) might work in some cases, I strongly believe it won’t have a big impact here. Of course, a law that is supposed to be effective also needs a corresponding catalogue of penalties. But when it comes to data protection, there are worlds between intent and simple negligence. I maintain that every company today would be liable to fines under the provisions and content of the GDPR. It is currently impossible for organisations to comply fully with the GDPR. Some data protection authorities have recognised this; others are still on the fundamentalist track.
Fortunately, individual legal provisions have already been put into perspective. The EU’s Art. 29 Working Party has already softened some provisions, which is at least a good sign. In principle, however, one can argue that in criminal proceedings the presumption of innocence applies and that the plaintiff must prove that the accused has committed a data protection violation (in some cases the burden of proof is reversed, which makes sense in some situations but not in others). In most cases, the breach will have been negligent, and compliance with the duty of care must then be demonstrated by the defendant. Such lawsuits can be long and expensive, if only because the parties depend on costly expert witnesses.
Fortunately, there will probably never be uniform enforcement, because the EU leaves too much leeway here, opinions differ too much and national interests are too heterogeneous. The hope is that the standard of due diligence established by the courts will move a little closer to the real world than the letter of the law. But perhaps we will only be talking about this in ten years’ time; first the case law mentioned above has to establish itself.
Of course, there are also organisations that systematically commit data protection violations, and here it is urgent and important that they can be prosecuted and punished. However, I have little hope here, because such organisations prefer to keep their data in countries where there is neither adequate data protection legislation nor enforcement of the GDPR.
Is it already grossly negligent for employees to synchronise their personal address book with the cloud? And should the employee or the representative of the organisation be the one punished?