Comment by franciscop
3 years ago
Punishing companies is not the same as you getting compensated. It happens (at least in the EU) more harshly with the GDPR, so yes, it's fairly recent, but so is security online (just 10 years ago not even half of the sites used HTTPS).
There are dozens of high-profile fines every year due to data mishandling from Europe, just a quick search:
> Data protection supervisory authorities across Europe have issued a total of nearly EUR1.1 billion (USD1.2 / GBP0.9 billion) in fines since 28 January 2021, according to international law firm DLA Piper.
"fined Facebook owner Meta META 265 million euros [...] for not better safeguarding more than half a billion users’ phone numbers and other information" - https://www.wsj.com/articles/facebook-parent-meta-fined-276-...
"European Union privacy fine related to data transfer of Facebook's EU users to U.S. servers" - https://www.reuters.com/technology/meta-face-record-eu-priva...
"Luxembourg DPA issues €746 Million GDPR Fine to Amazon" - https://dataprivacymanager.net/luxembourg-dpa-issues-e746-mi...
"Manx Care faces £170k fine over patient data breach" - https://www.bbc.co.uk/news/world-europe-isle-of-man-62590514
etc.
If you think those fines are strong punishments you are, frankly, delusional. Those figures are a drop in the bucket and are regarded by the companies in question as little more than the cost of doing business. Start putting CTOs in handcuffs and I'll consider it a strong punishment.
Edit: Also, just to be clear, the reason I brought up class action lawsuits is not because I think all punishment will result in remuneration for those affected, but because in those cases the class action lawsuits were the only consequence the companies in question faced.
Yes, I believe fining a company 1-10% of their annual revenue (not profit) is a strong fine (for this kind of crime!). With the kind of issues I'm discussing here, involuntary data leaks, we are trying to make them change their ways, not to bankrupt them or have them leave the market altogether. These fines escalate (the next bigger than the previous) and can be repeated as needed, so if they don't change their ways they WILL be fined into oblivion. But the main goal is for them to change the way they deal with data and security.
> Start putting CTOs in handcuffs and I'll consider it a strong punishment.
But we are discussing companies, which take decisions to maximize profit for their shareholders; I would also agree with putting CEOs/CTOs in handcuffs under the right circumstances.
Those fines are laughable. There should be another zero or two on them.
The latest Facebook one is literally 10% of their revenue (in Europe); how is that laughable? That's a big chunk of money. If you add two zeros to them, that's probably more than their lifetime revenue.