* Posts by Frau Blücher

2 publicly visible posts • joined 9 Jul 2019

UK privacy watchdog threatens British Airways with 747-sized fine for massive personal data blurt

Frau Blücher

Re: Unpopular Opinion

To continue the car example, there are two elements involved. One is liability in criminal law - that is only the responsibility of the car thief. The other would be civil liability. Again, that is the car thief's responsibility, but of course we know most thieves never pay for the cars they steal.

Therefore of course, we usually insure our cars against theft. The insurer will pay the value of the stolen car or its damage, but only if the insured hasn't been negligent or sloppy. If you leave it unlocked with the keys in then you won't get covered. But leaving it in a dark alley in a dodgy part of town is usually not grounds to refuse payment (I think - depends on the policy I suppose - foreign travel to some countries is excluded).

Taking this together, I agree with the original poster - this is like the police fining the car owner (or say the friend of the owner who was using the car) - I guess the question is, has the friend done the DP equivalent of leaving the keys in the ignition, or just parked it somewhere dodgy? I guess in the former case a fine is legitimate, BUT it still is (to me) a very blunt tool to set a liability.

In theory there is already negligence law which could allow an individual person to sue a data holder for negligently letting it leak out. But the victim would have to show some kind of loss. The scale of these fines suggests this link is absent (360 quid per person involved) - weird to set it by reference to the global revenue. Maybe one victim lost nothing, and another had 1,000s of pounds run up on their card. Each person should get their respective sum lost.

Frau Blücher

Watching the GDPR actually get used makes me uncomfortable. Besides the mental and ongoing costs of compliance, the actual enforcement seems to be an affront to basic principles of justice. BA's argument is a fair one: what is the harm done here, and how does that link to the penalty awarded? That is the starting point for damages awarded in normal civil claims in the common law world. And why does the regulator get to set the penalty? They act as rule maker (via guidance docs issued), prosecutor, and jury. Fine - this gets appealed to the proper courts, but usually this kind of right is granted only to police in fairly low level offences (e.g. speeding tickets). The scale of penalties creates vast power in a single regulator. And finally, it is essentially victim blaming - in most UK cases the data controller has been hacked, which is in fact a crime against them - imagine applying this logic to victims of sexual violence...

The answer to all of this is that this is a European invention and this is how things go in civil law countries. Ok fine, but it doesn't sit well with the common law tradition. And as usual it seems to me the UK regulator enforces the "rights" rigorously and hands out swingeing fines, even against local UK companies (when the fines were in reality calibrated to hit FB, Google etc.) - whereas various continental counterparts get away with fairly limited fines, if they get fined at all.