On phone, so can’t type much. Please have a look at article 83: list of conditions to consider when determining the corrective measures (fines or other measures).
EU law does not work with exact codified procedures, which I understand is more common in the US. So indeed, you will find guidance but not exact procedure (though it seems to be clear enough to me).
Nothing in the “guidance” you provided disincentivizes large/maximum fines, or actually limits the fines from being the maximum in any way. Downvote this all you like, that won’t change what they have (or more accurately, have not) written into the law.
Courts have discretion when deciding on penalties. This is the case for the vast majority of laws you can think of. You might argue that not having a "first-offender" concept is unfair, but that stops courts from being able to punish really egregious first offenses. It might also incentivise companies to try to work around the repeat-offender rules so they can continue to violate GDPR without any serious penalty.
> Indeed they can impose the maximum fines for a first offense, and are fully incentivized to do so
And yet they didn't when they first fined Google[1], where the fine was 50 million euros -- which was only 1% of the maximum fine they could've imposed. It's almost as if the maximum penalty is the upper ceiling and not the default.
A lot of people in industry, especially at larger companies, are preparing for the 4% global revenue fine the first time a very large company fucks up GDPR in some way because they are anticipating being made examples of.
It really says more that most people don't assume the EU to enforce GDPR in good faith and to just opportunistically use it as a way to take money out of the tech-company piggy bank. Everyone I know takes GDPR seriously. Of course at a big organization it potentially only takes one dumbass out of tens of thousands to screw up catastrophically.
No, it takes bad faith/intent to circumvent to screw up catastrophically. And shoving third party trackers down the visitors' throats using dark patterns to avoid them not accepting them is absolutely bad faith. These offending news sites need to be fined the hell out of the internet.
The EU actively despises American tech companies. Go back and watch Zuckerberg at the EU Parliament. I can totally see them bringing down the hammer for minor infractions when it's popular to hate a certain company.
I was referencing their attitude. When Zuckerberg was at the EU Parliament an MEP asked him to name an EU competitor for Facebook implying that if he can't name one then Facebook is a monopoly. That is the attitude we show to American tech companies in Europe.
Maybe it’s a matter of perspective? Because the way I see it, only the EU is willing to hold companies accountable and remind them that they aren’t in fact top dog.
> It really says more that most people don't assume the EU to enforce GDPR in good faith and to just opportunistically use it as a way to take money out of the tech-company piggy bank.
Funny, considering that there already are cases going on and not a single one is close to those maximums.
> Everyone I know takes GDPR seriously
Wow, what people do you know? Considering that the vast majority of sites don't even have opt-in into tracking but opt-out after they started tracking, I think the people you know are some weird exception.
Everyone I know at large tech companies, not podunk shitty websites 2 people have ever heard of. I work at a large multinational company you've definitely heard of. Like I said, we take GDPR extremely seriously because of the magnitude of potential fines.