As the General Data Protection Regulation (GDPR) marks its third anniversary, lawyers and data protection experts continue to raise concerns that fine decisions are largely arbitrary, vary considerably from one EU country to the next, and lack transparency.

According to Privacy Affairs, a website that compiles GDPR enforcement data, there have been 661 fines under the law as of May 17 totaling approximately €293 million (U.S. $359 million). France’s €50 million penalty against Google in 2019 remains the highest. Spain has issued a third (222) of the total number of fines logged—some three times that of Italy, in second place with 73.

Other active data protection agencies (DPAs) include Romania (54), Hungary (39), and Germany (30), though fines vary widely—from Germany’s €35 million penalty against retailer H&M to Hungary’s €28 fine against Google’s Irish subsidiary.

While the GDPR has the potential to fine companies up to 4 percent of their global revenues, no penalty has yet come anywhere near that amount—much to the chagrin of privacy campaigners and even some DPAs. In last December’s Twitter decision—the first cross-border Big Tech case and first to go through the GDPR’s Article 60 and 65 dispute resolution mechanisms—Ireland had initially proposed a fine at between €135,000 to €275,000, settling on €450,000 (U.S. $547,000) after pressure from other DPAs.

Germany had recommended a penalty between €7.3 million and €22 million.

Twitter’s fine is not the only decision that has exposed weaknesses in penalty notices. The U.K. Information Commissioner’s Office (ICO) came under fire after it drastically cut its GDPR fines against British Airways and Marriott International by close to 90 percent and 80 percent, respectively.

Experts say such disparities undermine regulators’ credibility and add to companies’ frustrations about how “unfairly” they could be hit with a fine depending on the identity of their lead supervisory authority.

Jane Sarginson, barrister at law firm St Philips Chambers, says, “Different countries prioritize aspects of privacy differently.” She adds, “Ensuring countries apply GDPR adequately well is an issue,” especially when at least one member state—Slovenia—still has not incorporated supporting legislation.

“It is more important that any GDPR decision results in a good outcome for the complainant and that the harm caused has ceased or been remedied. The size of a fine makes no difference to the complainant, but a change in the organization’s behavior does.”

Wojciech Wiewiórowski, European Data Protection Supervisor

Nicola Howell, managing attorney, legal at Dun & Bradstreet, says, “The vast differences in levels of fines that some regulators are prepared to hand out shows work needs to be done. The ICO’s decision to reduce its fines so drastically also sends out a very weak message that it is worthwhile for companies to challenge intention-to-fine notices.”

Axel Voss, a member of the European Parliament who was closely involved in how the GDPR was drafted, believes, “The weak and inconsistent enforcement of the GDPR, which lacks harmonization across member states, is a huge part of the problem. Some DPAs have published very strict interpretations that were clearly against the will of the legislator.”

He adds, “The diverging level of sanctions leads to forum shopping,” as companies appoint regulators that are perceived to be passive as their lead supervisory authority—an accusation that has been repeatedly leveled at Ireland, home to the majority of Big Tech firms.

Regulators don’t share the same view. Maria Wilhelm, head of the European Department for the Commissioner for Data Protection and Freedom of Information in Baden-Wuerttemberg, Germany, believes, “Most fines levied so far are proportionate to the level of harm caused considering the individual situations of the cases.”

European Data Protection Supervisor Wojciech Wiewiórowski, whose role is to oversee how the GDPR is implemented in EU institutions, says the focus on the size of fines is “a bit primitive.”

“It is more important that any GDPR decision results in a good outcome for the complainant and that the harm caused has ceased or been remedied. The size of a fine makes no difference to the complainant, but a change in the organization’s behavior does,” Wiewiórowski says.

Increased pressure to police Big Tech

Another concern is that investigations into Big Tech firms are still taking too long—even in those cases where the companies have self-reported breaches and noncompliance. Ireland’s final decision into Twitter’s data breach came nearly two years after the firm self-reported it, for example.

Last week, the European Parliament adopted a resolution calling on the European Commission to start infringement proceedings against the Irish regulator over its failure to take action for GDPR enforcement. It also called on other DPAs under Articles 61 and 66 of the GDPR to force Ireland to step up.

Many have blamed the “one-stop shop” mechanism, where one DPA acts as the “lead” in cross-border privacy complaints, as a source of friction in conducting GDPR investigations. The head of the Irish regulator has said it is “unsustainable.”

However, Bjørn Erik Thon, director-general of the Norwegian DPA, says blame does not lie with the GDPR or its dispute resolution mechanisms, which have finite timelines in which to deliver decisions. Instead, he says, “It does seem to us that some member states have very formalistic procedural constraints on administrative processes, which allow companies to successfully delay any enforcement action. That seems to be a much bigger issue.”

What’s next for the GDPR?

Regarding the GDPR’s future, regulators are generally upbeat. David Stevens, chairman of the Belgian Data Protection Authority, thinks the regulation is largely “future-proof.”

“The GDPR is principles-based, technologically neutral, and aims to push for data minimization and increased transparency. All of these principles are the right ones,” he says. “I think the regulation will need to have some sort of revision in the future, and perhaps some other legislation added to it, but it is a very good framework from which to move forward.”

Wilhelm believes, “The GDPR provides a solid framework upon which to build, though the regulation will probably need to be revised at some point. How much change will be required remains to be seen, though I doubt it would need a massive overhaul.”

She adds it would be more likely “the Commission adds rules that complement the GDPR, rather than try to change it, as it is doing with its digital strategy and proposed rules on trustworthy AI.”

Camilla Winlo, director of consultancy at data privacy specialist firm DQM GRC, agrees that, as a principles-based regulation, the GDPR “is pretty future-proof.” But she adds the future success of the regulation depends on “the level of change that companies are forced to adopt to actually comply with some of the more technical aspects of it.”

Another issue, she says, is “for many companies, commercial risk is a bigger driver of compliance than regulatory risk, meaning that organizations may be more focused on meeting their customers’ expectations than on complying with the law.”