A single national regime and enforcer. No obligation for every complaint to result in an investigation. Fines based on gains and damages, not revenue. Liability that can be privately enforced. And a trebling of damages where noncompliance is shown to be willful.
Absolutely yes to private right of action and treble damages. Not sure why you want "no obligation for every complaint to result in an investigation" though. That's contradictory to the private right of action.
Disagree on fines based on gains and damages on their own. My understanding is that percentage of global turnover usually is a higher number than gains and damages. I'd prefer it be "the higher of either".
> Not sure why you want "no obligation for every complaint to result in an investigation" though
It's trivial to bulldoze a European start-up by having complaints filed in a bunch of jurisdictions alleging this or that nonsense. It's nonsense, so no fines. But the mandate to investigate means this tiny start-up now has up to twenty-eight national supervisory authorities sending it demands, which can easily overwhelm a small team.
> Disagree on fines based on gains and damages on their own. My understanding is that percentage of global turnover usually is a higher number than gains and damages. I'd prefer it be "the higher of either".
Gains and damages concentrates the discussion to the malfeasance at hand. Global-revenue fines are subject to grandstanding. That means lots of headlines and fewer fines actually paid.
> It's trivial to bulldoze a European start-up by having complaints filed in a bunch of jurisdictions alleging this or that nonsense.
You vastly overestimate the responsiveness of data protection authorities. Your complaints will be filed and requests be sent in what, months? Certainly not all at once; and for pretty much all requests, even a small startup will have general answers prepared (or can make them up) they can send out immediately, with clarifications sent later.
Edit: And that's even glossing over the fact that for your bulldozing, you'll have to research how to report your "nonsense" for each individual jurisdiction, in that country's language; and I'd be surprised if they wouldn't want to know which citizen encountered the privacy violation you're trying to report; the people working there aren't stupid, either. All that is to say: I've yet to see such a trivial bulldozing happen.
That's already the case (cf. article 83(2)). The percentage of revenue thing in articles 83(4) and 83(5) is a cap, not a fixed amount. I don't think anybody was ever fined the maximal amount possible.
> And a trebling of damages where noncompliance is shown to be willful.
This is taken into account, cf. article 83(2)b. Not a trebling though, it's up to the DPA to decide, and cannot exceed the cap.