General Data Protection Regulation (“GDPR”) ⚖

1385 readers

2 users here now

Everything related to the #GDPR is discussed here. This is the first and only community specifically for GDPR topics which is decentralized and outside of walled-gardens. #EDPB recommendations and guidance can and should also be discussed here.

For the moment, chatter on the similar California Consumer Privacy Act (CCPA) could be discussed at least until the volume of messages compels us to split it into a separate community.

founded 2 years ago

MODERATORS

freedomPusher@sopuli.xyz

🇧🇪Belgium: “public bodies are exempt from GDPR fines” (web.archive.org)

submitted 1 week ago* (last edited 1 week ago) by freedomPusher@sopuli.xyz to c/gdpr@sopuli.xyz

10 comments fedilink hide all child comments

Gem from the article:

Under Article 221, §2 of the Belgian Data Protection Act of 30 July 2018, public bodies are exempt from GDPR fines in Belgium.

So Belgian public services have no incentive to comply with the GDPR.

Yikes. The money taken by fines does not disappear. It would normally move from one public pot to another public pot.

(update) less confusing source: https://eurocloud.org/news/article/no-gdpr-fines-for-public-sector-bodies-at-all-no-discrimination-and-no-problem/

It’s also interesting to see the comment on this case.

you are viewing a single comment's thread
view the rest of the comments

[–] Corporal_Punishment@feddit.uk 1 points 4 days ago (3 children)

We don't disagree entirely.

But having worked in the public sector i can tell you that whilst fining organisations like schools that are already on their knees financially might sound good in theory, the reality is much different.

The alternative that you allude to is holding DPOs personally liable for breaches and non-compliance. Again nice in theory but in practice it means that in most cases you're holding one person responsible for the actions of someone else.

My org had a high impact breach a couple of months ago. Caused by a part time administrator in an understaffed, overworked team making a very simple and careless mistake.

They'd had their training, they'd been told to double check everything as it "went out the door". But they're human and they fucked up.

Fining us would accomplish nothing. It wouldn't teach the DPO a lesson - they've done everything the law requires. The only outcome that would have any sort of deterrent effect would be to fire the hapless admin person. That deterrent effect would last all of 5 minutes until someone hapless individual somewhere else made a mistake.

This is where GDPR collides with employment law and the real world.

[–] freedomPusher@sopuli.xyz 1 points 4 days ago* (last edited 4 days ago) (2 children)

The alternative that you allude to is holding DPOs personally liable for breaches and non-compliance. Again nice in theory but in practice it means that in most cases you’re holding one person responsible for the actions of someone else.

I doubt it’s legal to hold someone personally liable. I know a bar owner who would do a money grab on his bartender’s paycheck whenever he did something objectionable. I don’t think that was legal, nor would I suggest it.

The main purpose of a legal person is to shield natural persons from lawsuits. The DPA would be fining the public agency as a whole.

The public agency should of course internally attribute the DPO’s failures to the DPO. From there, I doubt it would be legal to do an instant money grab on the DPO. But there are of course legally sound corrective actions. If the DPO is an outside agency, it’s simple to outsource to another provider of DPO services. If it’s a direct employee, they can be sacked or reassigned a different role. They could be given a pay cut in the future, like at their next annual appraisal, at which point they can decide whether to accept the new terms. They could be required to attend training. It’s a management issue.

My org had a high impact breach a couple of months ago.

A breach is not in itself an infringement by a data controller. But if the data controller was negligent in their infosec and not up to GDPR standards which is then attributed to the breach, then the negligence would be an infringement.

wouldn’t teach the DPO a lesson - they’ve done everything the law requires.

Without having the details I can only figure that if the DPO did everything the law requires, then a conviction and penalty has no merit in the 1st place.

And without knowing about your org, I cannot judge whether resources are being sensibly allocated. It sounds like GDPR compliance has an low priority there (which actually makes sense if the org is legally immune to GDPR fines anyway).

[–] Corporal_Punishment@feddit.uk 1 points 4 days ago (1 children)

Just really picking up on the last part.

GDPR is taken incredibly seriously here. But human error is the leading cause of breaches and in a situation you have teams that are grossly understaffed then mistakes will happen. A fine wouldn't deter it.

The only real solution is to hire more staff and share the workload. But there isnt any money so 🤷

[–] freedomPusher@sopuli.xyz 1 points 4 days ago* (last edited 4 days ago)

The DPA is not limited to fines. A DPA can give advice, issue warnings, and orders. A DPA is unlikely to use a heavy-handed but simultaneously ineffective or inappropriate tool for enforcement. The DPA also has discretion in the amount of the fine. The law at hand w.r.t this thread disempowers the DPA from fines -- which would be increasingly important for repeat offenders.

I think it’s far-fetched to suggest that a DPA would ruin or sink a school. But it would be sensible for the penalty limit to be lower for public data controllers if that concern is realistic. There could also be an imposed leniency on 1st time offences.