A basic rule when designing a law is to create a precise link between the “order” part (thou shall not…) and the fine deriving from the non compliance (… otherwise shall go to jail.) But this is not enough, because to have a law working properly or being effective, it must be actually enforceable, otherwise this law would turn from a social regulation tool into an abuse of power from the State.
An example (at least from an Italian perspective) is the infringement of speed limits set forth in the motorways: almost nobody actually cares about the 130 km-per-hour limit, but a very limited number of infringers is caught and, due to several long-lasting mistakes in the bureaucracy of the sanctions, some of them is actually fined.
The GDPR fits exactly into this frame, since:
- its principles are sound in theory, while hardly effectively enforceable in real life,
- its wording is convolute, complex and hard to match with specific issues,
- its bureaucracy is overwhelming and inertia generator, if we compare the number of the civil servants working with supervisors to the number of potential claim to be handled.
To put it short: there are literally millions of data processor out there, tenth of millions of data subjects and zillions of personal data processed on a daily basis.
It would suffice that all the data subjects included into a mailing list of a medium-size marketing firm or consumer goods manufacturer file in the very same time a complain and even the most efficient among the data protection supervisor would falls on its knees, unable to stand up.
What follows is anecdotal, but clarifies what I mean.
Back in 1996, when Italy passed the first data protection law that was not the enforcement of the Data Protection Directive, one of the obligation for the data processor was to notify the data protection supervisor of some specific processing. To err on the side of precaution, since the provision wasn’t clear about the “who” and the “what”, million of entities, from big companies to solo professionals, sent the supervisor authority this notification by registered letter (the only way allowed by law.) As if handling millions of incoming parcels wasn’t enough, it was being decided that the proof of delivery too should have been sent by registered letter. It is not hard to figure out what possibly happened: nobody within the supervising authority actually could handle the tons of paper sent by the data processor.
Again, this account is anecdotal in its conclusions, but is absolutely true when tales about the consequences of the confusion created by a badly written provision and its worse enforcement.
The direct and obvious conclusion, as I wrote on a Linkedin thread, answering an acute comment by Steven Firth (who I stolen from the “regulation with no teeth” line) is:
This is the evidence of how unfair is the GDPR. The supervisors will never ever be able to check the compliance of each company, thus there will be a (relatively) low sacrificial lambs fined on the altar of the “protection of fundamental rights”, while the rest will “enjoy” not being “the chosen one” or, as you said, will not care much about the GDPR and deal with the problem when – AND IF – it becomes real.
In the meantime, those who will be fined under the Data Protection Investigation Russian Roulette shall only console themselves with the old roman line: A chi je tocca, nun se n’grugna (roughly translated as: when your turn comes, don’t be hangry.)