> The cases that make the news with 100 million dollar fines to trillion dollar companies are just the ones in which the prosecution can't even reach someone at the company, because 100 million dollars is a drop in the bucket not worth looking at.

Is this true? I thought they were based on a % of global revenue and that definitely hurts.
That's the upper limit, not a minimum requirement. Levying the full 4% of global income is something that's reserved for those who blatantly refuse to comply with orders of their respective DPO or repeat offenders.


The maximum fine allowed by GDPR is "10 million or 2% of global revenue, whichever is higher". The goal is to ensure the GDPR "has teeth" even against companies for whom 10 million is a drop in the bucket.

Keep in mind that large parts of the GDPR were already law in many EU countries, meaning there are years' worth of enforcement activity that you can look up to see how similar laws were enforced.

And mostly that has not been "handing out the biggest fines possible" and more "fines scaled to how grossly you violate the regulation". Companies that try their best to follow the law, have good processes and respond promptly get a slap on the wrist or even just a warning if they remedy the issue fast. Companies that blatantly violate the law and stonewall regulators get the harsh fines.