It does not explicitly require warnings, but Art. 83 (https://gdpr-info.eu/art-83-gdpr/) requires that the authority, when deciding whether to impose a fine, takes into account a number of things. It would be hard to argue for an instant fine if the things listed in the article were favorable in a specific case.
It shouldn't need to be explicit when the enforcement agency has the discretion of deciding appropriate action and whether or not to prosecute. Otherwise there's no discretion and they become rubber-stamp agency. By the same token UK law doesn't include warnings in the Acts for offences that almost always get a warning or caution on first offence, e.g. possession of class B drugs.
When you get to actual penalties, all EU law has the principle of proportionality under it, and has since about the sixties. I know it's written into some treaty or other. There's been countless appeals to the EU courts that some penalty or other was disproportionate.
Can you show that it is an outlier for a law to not require warnings to be given? I can think of many laws (road rules, all of criminal law) which don't require warnings to be given, but instead warnings are up to the discretion of police officers or courts.
Also, the EU is not the US. There is a very different culture and jurisprudence when it comes to proportionality of laws. If the GDPR was a US law, then I would also be concerned about the penalty guidelines. But it's not a US law, so bringing a US-centric mindset to the discussion causes misunderstandings.
Can you show that it is an outlier for a law to not require warnings to be given?
No, my initial comment on this issue was in reply to someone that said "I expect there would have been a warning given in that case before assessing a fine." [1]. This is an oft-repeated and entirely baseless sentiment that HN's resident GDPR defenders love to cite - it shows up in every one of these threads. That is why I was making it clear that in fact no warnings are required, and indeed as time goes on, few warnings are likely to be given.
> "I expect there would have been a warning given in that case before assessing a fine." [...] That is why I was making it clear that in fact no warnings are required
They didn't say warnings were required, they said that warnings were the norm. You haven't provided counter-examples to that claim, you're arguing against a straw-man argument that "warnings are required by the GDPR".
As an example outside GDPR, it is not required to give children warnings when they commit petty crimes (such as shoplifting) but that is the overwhelming norm in most countries. In this analogy, you're arguing that "most children don't get put in juvenile detention for shoplifting and get warnings instead" isn't true because there isn't a provision in the criminal code saying that children need to be given warnings.
> indeed as time goes on, few warnings are likely to be given.
This is an example of the "baseless sentiment" that you claimed you're trying to fight against. On what basis do you claim to know (or even conjecture) that "few warnings are likely to be given" in the future?
There are many examples of GDPR warnings being given. To me, it seems to be the norm -- if you have an actual counterexample (other than pointing out that warnings aren't required, despite now basically admitting that legally-mandated warning stages aren't common and so that entire line of argument seems to be a non-sequitur) I'd love to see it.
They didn't say warnings were required, they said that warnings were the norm.
Sadly, it appears that warnings are not the norm. When you organize the data on this site by the size of fine, you’ll notice that none of the top 10 received any warning.
Ignoring that we don't know how complete the one-paragraph summaries of the cases are (many of the links are not in English) -- how is looking at the top 10 largest fines a fair sample? Surely taking 10 random samples is a much better selection?
It seems possible that the largest fines were for the most severe transgressions, or for companies that are large enough to know better. In fact, the topmost example of Google's Android penalty is a prime example of both factors. So it's possible there is a statistical bias for larger fines to be for more severe cases where warnings make less sense.
