But the problem is that in practice I still don’t see those laws being enforced in any meaningful manner. Case in point, Microsoft is doing this - they’re not stupid, they’ve reviewed the legal implications of that and rightfully decided that they’ll benefit more than the penalty from enforcement if it ever happens. Same with Google, Facebook, etc.
Do you understand that the potential fines for violations under some of the recent laws (notably the GDPR) have a few extra zeroes on that? The limiting factor at the moment seems to be a lack of resources for the regulators that are responsible for enforcing privacy rules. Obviously a big tech firm facing a fine that could run to hundreds of millions is likely to exhaust their legal avenues for challenging it before handing over the cash. It's going to take time and money from the regulator's side to deal with those challenges before any big penalties get applied effectively.
> Do you understand that the potential fines for violations under some of the recent laws (notably the GDPR) have a few extra zeroes on that?
That's been the case for 4 years now; none of these fines have occurred. The total amount of fines across all companies over those 4 years is barely above 1Bn.
> The limiting factor at the moment seems to be a lack of resources for the regulators that are responsible for enforcing privacy rules
Not just resources but also willingness. I have the feeling that nobody actually wants to enforce this and campaigning for doing so is a politically-risky move, as not only does your campaign rely on the same companies that would be fined, but those companies now control the majority of humanity's social fabric and can trivially restrict even organic sharing of information/links about your campaign.
Worse: in the UK, there's been news about actually weakening the GDPR, based on the Culture Secretary being stupid (or having financial incentives for doing so) and actually believing the tech industry's vilification of the GDPR. Hint: if an industry making a huge chunk of its profit based on non-consensual data collection complains about data protection laws, it means the laws are actually working as designed. Most likely, this insanity will also go ahead, if it didn't already.
> That's been the case for 4 years now, none of these fines have occurred.
The largest fines so far have been approaching 9 figures, far more than the "couple of million" in the comment I replied to above.
That's not pocket change even for a multinational and of course there has to be reasonable due process before handing out that kind of penalty. If anything I'd say the fact that several eight-figure penalties have already been handed down is reassuring.
> I have the feeling that nobody actually wants to enforce this
I'm genuinely curious about how you formed that impression. Here in the UK our data protection regulators have been fairly consistent in their public views on these issues under multiple Information Commissioners now and have handed down some significant penalties, so I don't really buy the conspiracy theories about corruption and so on.
> Worse: in the UK, there's been news about actually weakening the GDPR, based on the Culture Secretary being stupid (or having financial incentives for doing so) and actually believing the tech industry's vilification of the GDPR.
As someone who is both a strong proponent of privacy safeguards and involved in running businesses that actually have to comply with the GDPR, I have very mixed feelings about this.
On one hand I don't like the idea of weakening important privacy protections and I have no faith whatsoever in the competence of the current government here to understand the technical or social implications of these policies.
On the other hand I also don't think much of the GDPR as written. It's full of ambiguity and it is unnecessarily difficult for a good actor to comply with it, particularly smaller organisations that don't have dedicated staff to deal with this kind of admin and also don't have any interest in doing things with personal data that most of us here probably wouldn't like. People like to focus on a tiny number of points that we'd probably agree are positive steps or at least well-intentioned, but the GDPR is roughly a hundred pages long and that's before you include supporting materials like official guidance on interpretation from all the different regulators. There are a lot of small and a few big problems in the rest of those pages once you look past the headlines. Not coincidentally those areas also tend to leave loopholes that some bad actors are relying on to escape the trap.
I don't have first-hand experience with other DPAs so I can't comment on those, though the fact that Facebook and Google are still around and still have business presences in most EU countries suggests they aren't much better.
I have multiple experiences dealing with the UK one, spending unreasonable amounts of time raising complaints for obvious breaches of the GDPR with no outcome. I've summarized my experience here: https://news.ycombinator.com/item?id=30662905
Not to mention, this high-profile incident which they are themselves proud enough to announce on their own website: https://ico.org.uk/about-the-ico/news-and-events/news-and-bl... - so you've got a company whose entire business is to manage people's personal data and is large enough to have the resources to understand & comply with the regulation, and you caught them red-handed misusing data that people outright had no choice in giving up (I don't know any bank that allows opting out of CRA reporting even if you never actually intend to take out credit) for a purpose that's definitely not in the data subjects' best interests, and the outcome is a letter?
What message do you think the above sends? To me it sends that breaching the GDPR absolutely does pay and you should absolutely do it at least once because even getting caught brazenly breaching it (considering the size & resources of said companies, number of people impacted and the fact people had literally no choice) will lead to just politely being asked to stop with no monetary penalty nor having to compensate the affected users.
They're starting to be enforced but obviously the regulators particularly in Europe are underfunded and there are a lot of bad actors to chase. I imagine Facebook and Google both rate higher than Microsoft for now. That doesn't mean there won't be significant penalties later, particularly as governments come to realise how lucrative penalising these big tech firms can be under the rules they've created for themselves.