As the General Data Protection Regulation (GDPR) marks its third anniversary, lawyers and data protection experts continue to raise concerns that fine decisions are largely arbitrary, vary considerably from one EU country to the next, and lack transparency.



