GDPR Penalties Prove Why Compliance Isn’t Enough—And Why Companies Need Clarity
The legal uncertainty created by the General Data Protection Regulation (GDPR) is becoming so common, it’s starting to go unnoticed. In yet another recent example, Poland’s data protection authority (DPA), UODO (“Urząd Ochrony Danych Osobowych” in Polish), fined a European company over €220,000 for failing to comply with a GDPR requirement that companies provide individuals with privacy notices. As Eline Chivot and Daniel Castro write for Techdirt, this case hasn't drawn considerable attention but could have considerable implications for many other European companies. The Polish decision shows that compliance may not be enough to protect companies from GDPR fines. Companies cannot interpret unclear regulations, so they will continue to face unpredictable decisions. Even if a company appeals a decision, it will take time before the final outcome establishes jurisprudence.
EU policymakers and data protection authorities should focus on clarifying the legislation, specifying the technical requirements for providing information, and taking into account the costs and difficulties compliance may impose on companies in some cases. Otherwise, European businesses will continue to face difficulties interpreting and complying with the GDPR.