
That sounds a lot like "I told you so" tone when I still disagree with you. But in case you're here to talk about it and not just to assert your version of the truth, no, I don't think anyone ever claimed that small corps are a loophole. Then big corps would just delegate it to a shell company and be done with it. European law is, to the best of my knowledge, fairly reasonable: if you do something wrong regarding privacy either because you didn't know (like, you tried to follow GDPR but missed something) or do a small thing, you won't get ridiculous fines. But if you're a 10-person company working with huge amounts of personal data and you were grossly negligent, then of course they'll look at that differently from a 10-person company that produces pencils for retailers and incorrectly stored customers' delivery addresses.


What I'd love to know is how much of that is codified law (as in, in the actual act) as opposed to just expected to come from reasonable courts.


Courts will always base their decisions on case law, and I suspect that you can reasonably expect a certain kind of GDPR case law to arise, given what the standing case law is already.


The EU has a civil law system where the US has a common law system.

Common law gives judges an active role in developing rules; civil law is based on fixed codes and statutes.

Case law is not binding in the EU.


> Common law gives judges an active role in developing rules; civil law is based on fixed codes and statutes.

This is a dramatic and misleading oversimplification. Under civil law systems, judges still do have great leeway with interpreting and applying regulations. And under common law, it's not really true that judges have an active role in developing rules - they have the ability to interpret them in the contexts of cases which come up, but they don't legislate. The closest thing that they can do (aside from overturning provisions) is to introduce limitations or tests on existing law that is challenged, but even then they're mostly only allowed to do that to the extent that they are using the tests to connect the law back to the Constitution or other existing legislation.

Case law is not binding in civil law (at least not to the same degree as it is under common law), but does definitely play a significant role.

Furthermore, it's flat-out wrong to say that "case law is not binding in the EU". The Republic of Ireland and the UK both use common law, under which case law is binding. Not only are UK court decisions enforceable across the entire EU, but UK law is actually the jurisdiction for a lot of contracts and agreements within the EU, similar to how New York is the chosen jurisdiction for a lot of contracts or even international treaties that are enforced worldwide, whether or not the parties are based in New York.

Even if you're referring specifically to legislation passed by the European Parliament itself, it's still not really correct to say that case law isn't binding. The European Parliament is an international body held together by international treaties, and while EU courts might have decided to use civil law in interpreting legislation passed by the European Parliament itself, that doesn't mean that case law does not come into play, either in countries with common law systems or even in countries with civil law systems. It's way more complicated than that.

This is, incidentally, one of the problems that Brexit is currently introducing: it's unclear whether parties that have elected to govern their contracts under UK law will continue to be able to do so with the expectation of enforceability.


Wow. Thank you for explaining that. I've never fully understood the distinction between the two.


There is no doctrine of stare decisis in EU courts. Case law is not binding. Further complicated by the huge number of courts that might hear a case, dependent on the DPA.


The French CNIL just fined an association for 75,000 € for a leak in their data.

It was a 2017 case, but I guess it will reflect what can happen?


Can you link to this? Searching for "CNIL", "75,000" and "2017" doesn't turn up anything useful.


https://www.lexpress.fr/actualites/1/styles/protection-des-d...

tl;dr: a non-profit got fined 75K€ because their website leaked 42,562 private documents from their users. Anyone could modify numbers in the URL and read other users' documents. The documents included passports, tax information, identity documents, and more.

EDIT: better source: https://www.cnil.fr/fr/sanction-de-75-000-euros-pour-une-att...
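The URL-tampering flaw described in that case is an insecure direct object reference: the record is fetched by the number in the URL with no check that it belongs to the caller. The following is an added example, not code from the thread or from the sanctioned site, showing the vulnerable lookup beside its ownership-checked form and a simple detection pass over constructed access-log lines; the document store, the user names and the log format are all assumed.

```python
from typing import Optional

# Constructed sample store: sequential ids, one uploaded document per member.
DOCS = {
    1001: {"owner": "alice", "kind": "passport"},
    1002: {"owner": "bob", "kind": "tax-return"},
    1003: {"owner": "carol", "kind": "id-card"},
}


def fetch_document_vulnerable(doc_id: int, current_user: str) -> Optional[dict]:
    """Looks the record up by the id taken from the URL and nothing else.
    The caller is never compared with the record's owner, so any logged-in
    member who edits the number in the URL reads someone else's document."""
    return DOCS.get(doc_id)


def fetch_document(doc_id: int, current_user: str) -> Optional[dict]:
    """Same lookup with an object-level authorization check: the record is
    returned only when it belongs to the requesting user. A foreign record and
    a missing record both map to None, so the response does not reveal which
    ids exist."""
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        return None
    return doc


# Constructed access-log lines in an assumed "user method path status" format.
ACCESS_LOG = """\
alice GET /documents/1001 200
bob GET /documents/1002 200
bob GET /documents/1003 404
bob GET /documents/1004 404
bob GET /documents/1005 404
carol GET /documents/1003 200
"""


def suspicious_enumerators(log_text: str, threshold: int = 3) -> set:
    """Flags users with at least `threshold` failed /documents/<id> requests.
    Runs of misses on adjacent ids are the footprint of id probing and are
    worth alerting on even once the ownership check is in place."""
    misses = {}
    for line in log_text.splitlines():
        user, _method, path, status = line.split()
        if path.startswith("/documents/") and status != "200":
            misses[user] = misses.get(user, 0) + 1
    return {user for user, count in misses.items() if count >= threshold}
```

The hardened lookup still leaves ids guessable; pairing it with non-sequential identifiers and the log check above gives a second layer, since the authorization check alone is silent about attempts.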


Oof, I can see why then. On the other hand, if you're not storing people's passports... is this really something you should be worried about? And shouldn't somebody who's intentionally storing thousands of passports be required to implement basic security practices?


On HN, it's people associated with businesses in the latter category that seem to be complaining the most.


What if gross negligence is the industry standard?


That's when you introduce laws (GDPR) to try and change course.


The "you won't get big fines if you try your best" thing isn't in the law. I believe you that it is probably true, but it relies on the reasonableness of all current and future regulators. I don't like that.


It is in the law. It’s one of the basic principles of law.

By its very nature, however, you cannot nail such a thing down and define it precisely beforehand.


The law only says regulators should think about your intentions when assessing penalties (among many other factors).

Is there anything stopping a regulator from deciding an unintentional violation is "only" a company-destroying 5M euro fine instead of the full 10M? In fact, couldn't it still be a 10M fine? Or should I expect to be let off with a warning? Seems like I'm depending on the good will of the regulators of every single EU member state...

I do not think it's impossible to write a law that says fines for minor and unintentional violations are limited by statute.


That's what makes me nervous about interpretation of GDPR. The EU has 28 member states. Let's say each one of them has a 90% probability of their regulators being reasonable at any given time. Does that mean the chances of the regulators on the whole being reasonable are 0.9^28? (In other words, about 5%?)

As an outsider, I would love to hear that that's not how it works. Do the member states have any checks on each other's enforcement?

