Comment by crote
4 hours ago
Yes, because it is the start of enforcement. That's how it works, not just a one-and-done slap on the wrist.
If they don't fix it, it'll eventually continue to the "20% of worldwide revenue" kind of fine everyone on HN was so afraid of when the GDPR was introduced. But that's not what it starts with.
This is a key observation and I also remember those dumb discussions. The top end of the fine scale is more or less theoretical if you demonstrate any willingness to improve. Looks like Temu has engaged in really bad practices, and they still only get what's (to them) a gentle reminder that there are rules.
It will never continue to 20% of worldwide revenue. No matter how long they refuse to comply with EU laws for.
GDPR has been a farce in terms of enforcement.
Because the GDPR enforcement is left to privacy agencies in the member states. The DSA is enforced at the EU level, so that might actually work.
Also a big problem is that the GDPR is a law in the style of all EU laws:
1) they are NOT laws. Despite what's published everywhere, you get zero legal rights from the GDPR. A legal right is some right you have, and if someone violates that right you can ask a court to intervene. With the GDPR, there is no such right. No court will help you under the GDPR.
The executives of member state governments (and ~40 "international organizations", most famously Interpol) have the right to enforce the GDPR. You can only complain to these new organizations, which are totally separate from any other enforcement mechanism (i.e. they're not police). And they, of course, generally don't listen.
If you go check, the complaints lists are full of people complaining that their medical files were leaked by hospitals (because private doctors are in revolt against the GDPR) to various other government organizations, with very large consequences. For instance, medical files being used to decide on insurance status, immigration status, unemployment/long-term illness status, and family law status. There is no reaction to this, even when it does violate the GDPR. And my next paragraph is why it generally doesn't.
Second, the executives of member state governments have the right NOT to enforce the GDPR. Specifically, the executive has the right to grant exceptions to the GDPR to any organization they want (including transitively: allowing a government contractor not only to violate the GDPR themselves but to allow anyone else they use to violate the GDPR. For example, this is the reason Google, Amazon and Microsoft have essentially all medical files of everyone in the EU, and Palantir has some 20%).
These exceptions are made transitively AND after-the-fact. Neither of which is legal, but the only one who can complain is the government itself.
2) It means there is no point for individuals to file GDPR complaints. Normally there is "1831", which is a legal principle which refers to a particular law. Essentially, that if you damage someone else by violating the law, you are responsible for that damage (i.e. you can be made to pay for it). This applies to essentially every EU law. But not the GDPR (and also not other famous EU laws like the DMA).
To illustrate the common problem: you go to the hospital because you took drugs. Maybe you're scared it'll have serious consequences, whatever. Now you go to your insurance ... and they will no longer cover your treatment for heart arrhythmia. "It's your own fault, because you did drugs." Now what happened is that the hospital updated your medical file and sent it to the government. Medical insurance is national, so they have access to medical files. Of course, it is a VERY serious GDPR violation that the information leaked, and with any other law this would mean that a judge will convict the hospital to pay for what you lost; say, in this case, they would be forced to pay for your heart treatment, WITHOUT the insurance covering it.
Not with the GDPR. Even if you get the government to go after it, and you get them convicted, you get nothing. Nor is the insurance forced to change their decision.
This is how most new EU law works. The crucial difference is that for essentially all these laws, the EU commission holds all the cards. They then use their position of power to negotiate and come to an understanding with all these organizations. That's how they work, how they've always worked.
And it's one more reason I'm very opposed to the EU. Europeans will THOROUGHLY regret giving the commission this power, that's a certainty in my mind.
Specifically, what the commission does is give companies exceptions to these rules. For example, Teresa Ribera, as well as Ursula Von Der Leyen, personally (and without any parliament approval) have the right to extend Apple's exemption to the DMA (and thus Apple's 30% cut of all transactions involving an iPhone in the EU). Both were born rich (Ursula Von Der Leyen is a member of a noble family that has been very wealthy for at least 400 years. Notably, her family's wealth survived WW2 in Germany ...). How is such enormous power in the hands of individuals used? Well, look up how and why a communist served for 8 years as the chairman of Goldman Sachs International.
So you're saying if I start a company in the EU that violates safety standards, copyright, trademarks, ... I will be allowed to profit from that for 3 years (let's pretend it's just 3 years that Chinese producers have been doing that) before facing any consequences, and at that point STILL only be required to clean up my act (i.e. not face any consequences for violations already done)?
I find this incredibly, incredibly hard to believe.
If you start the company in China and ship to the EU. If you start it in an EU country, I think local laws will stop you much faster than the EU commission. Still, there are plenty of grifters that start fraudulent companies in the EU and roll assets into a new one as they go bankrupt, and they can operate for decades before they eventually get stopped.
The EU does in fact not have an infinite amount of safety inspectors, however hard this is to believe for you.