Talking from experience, because of the previous laws in Spain, LOPD and LSSI (which basically were the same across the different EU countries): they had "maximum" fines (it was 600.000 Euros).

They start, for a small law infringement, at 600 euros, 1.500 euros; unless it is something very severe, then it comes to something like 30.000 euros, etc.

If you keep repeating the law infringement, then the 2nd time it may become 150.000 Euros. If it is a massive infringement (for example massive spam), then it comes to 300.000 or even 600.000 euros.

Here is an explanation of the LOPD fines; it is in Spanish, but a translator should work:

http://www.cuidatusdatos.com/infracciones/

My guess is that the GDPR maximum fines are there just as a maximum, and there will be agreements among the EU DPAs to better define how much the fine is, in a similar way to what they are doing now.

Regards,
Jordi

-----Original Message-----
From: NANOG <nanog-bounces+jordi.palet=consulintel.es@nanog.org> on behalf of Rob McEwen <rob@invaluement.com>
Date: Saturday, 26 May 2018, 21:06
To: <nanog@nanog.org>
Subject: Re: Whois vs GDPR, latest news

On 5/26/2018 2:36 PM, Michel 'ic' Luczak wrote:
> Original text from EU Commission:
> "Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher"
>
> -> Administrative fines _up to_ 10M (or 2% if your 2% is higher than 10M).
>
> It's a cap, not a minimum.

Thanks for the clarification. But whether that fine will be less than 10M is extremely vague and (I guess?) left up to the opinions or whims of a Euro bureaucrat or judge panel, or something like that... based on very vague and subjective criteria. I've searched and nobody can seem to find any more specifics or assurances.
Therefore, there is NOTHING that a very small business with a very small data breach or mistake could point to... to give them confidence that their fine will be any less than 10M Euros, other than that "up to" wording - that is in the same sentence where it also clarifies "whichever is larger".

All these people in this discussion who are expressing opinions that penalties in such situations won't be nearly so bad - are expressing what may very well be "wishful thinking" that isn't rooted in reality.

--
Rob McEwen
https://www.invaluement.com