The Right to Be Forgotten (and the Paperwork to Prove It)
On May 25, 2018, something curious happened to the way Europeans think about information. The General Data Protection Regulation—GDPR, in the acronym-heavy parlance of Brussels—came into force, and with it a philosophical proposition that would have struck previous generations as bizarre: that the mere handling of facts about a person constitutes a matter of fundamental rights, deserving of constitutional protection and punishable by fines that could bankrupt a mid-sized corporation.
The European Union is the only place on Earth where data protection has been elevated to the status of a freestanding fundamental right. Article 8 of the EU Charter of Fundamental Rights declares, with the quiet confidence of self-evident truth, that “Everyone has the right to the protection of personal data concerning him or her.” This constitutional anchoring permits—and, more to the point, politically justifies—a regulatory program far more expansive than anything attempted elsewhere.
The consequences of this framing are profound. The threshold for regulatory coverage is set extraordinarily low. “Personal data” means, quite literally, “any information relating to an identified or identifiable natural person,” and nearly any operation performed on such information constitutes “processing.” Combined with the regulation’s accountability principle, data controllers must be prepared to demonstrate compliance at every stage of a datum’s existence—from its collection through its storage, use, and eventual deletion.
What’s more, GDPR applies extraterritorially, reaching entities outside the EU that offer goods or services to individuals within the Union or that monitor their behavior. American commentators have taken to calling this “data-protection imperialism,” since non-EU firms must either restructure their global operations to satisfy European norms or withdraw from the EU market altogether.
Powers That Inspire Awe
The supervisory authorities empowered by GDPR wield tools whose scale exceeds nearly every other privacy regime in the world. They may impose fines of up to four per cent of global annual turnover or twenty million euros—whichever figure is higher. They may also prohibit or restrict processing entirely, which in practice means they can halt an entire line of business.
A 2024 academic study describes these powers as “awe-inspiring.” For comparison: California’s Consumer Privacy Act provides for penalties ranging from twenty-five hundred to seventy-five hundred dollars per violation. Brazil’s General Data Protection Law caps sanctions at two per cent of Brazilian revenues, with a ceiling of fifty million reais per infraction.
Bureaucracy as Regulatory Philosophy
The GDPR model rests on what scholars call management-based regulation: it demands documentation, processes, and internal controls rather than merely clear substantive rules. Typical obligations include maintaining records of processing activities, conducting data-protection impact assessments, appointing mandatory data-protection officers in many sectors, formally reporting breaches within seventy-two hours, and fulfilling extensive transparency requirements.
A report from the Confederation of Swedish Enterprise puts the matter bluntly: “The regulatory model on which GDPR is based risks creating unnecessary bureaucracy, unjustified restrictions on legitimate activities, unnecessary red tape, and legal uncertainty… There is a clear risk of excessive bureaucratization, particularly for smaller operations or those where the risks associated with processing are minimal.”
One American owner of a small software company, who simply stopped selling to Europe after the regulation took effect, wrote with evident frustration: “The EU—being the EU—has created another bureaucratic monster that will keep everybody busy… If someone asks us to delete their data, we not only have to delete it, but we have to audit that we deleted it, and maintain those records for EU authorities.”
The Burden Falls Heaviest on the Small
A consistent empirical and anecdotal picture has emerged: compliance costs are proportionally highest for smaller and younger firms, while the privacy benefits remain uncertain at best.
Research on AI startups has found that GDPR forced a reallocation of resources from product development to regulatory compliance—often involving data deletion that reduced the volume and variety of information available for training models. Testimony before the United States Senate, titled “The 10 Problems of GDPR,” argued that the regulation “strengthens the largest players and weakens small- and medium-sized firms.”
As one commentator put it: “The EU’s approach appears to be, in sum, ‘If you can’t innovate, regulate.’… Overly prescriptive regulatory burdens create barriers to entry… Research already indicates that GDPR has had this effect by ‘creating more concentrated market structures and entrenching the market power of those who are already strong.’”
Data-Protection Absolutism?
Following the Schrems II ruling, certain interpretations by supervisory authorities approached what the legal scholar Thomas Christakis has termed “data-protection absolutism.” He writes: “They have been asking data controllers and processors transferring personal data outside the EU to ‘eliminate’ all risks of access by foreign governments… This ‘remaining free from foreign laws’ proposal is overly restrictive, not mandated by GDPR, and could have a number of adverse effects.”
From a practitioner’s perspective, this creates an impossible standard—particularly when compared with the more risk-based approaches prevailing in other jurisdictions.
The Enforcement Paradox
Despite the regulation’s breadth, Max Schrems—Europe’s most prominent privacy activist and the plaintiff whose lawsuits have twice upended transatlantic data-transfer arrangements—argues that enforcement has lagged badly: “We do have law in Europe… we have all this regulation, but people just simply don’t comply in very simple cases… The cases are just sitting around and nothing happens… You can have the most wonderful rights if there is no place to go to enforce your rights. Your rights are null. And that is a big part of the GDPR problem.”
This produces a paradox that many practitioners recognize: extravagant formal rights paired with uneven and politicized enforcement.
The World Follows Europe—but with Modifications
Despite the criticism, the global direction of travel is toward stronger, GDPR-inspired protection—though often with significant modifications. Brazil, China, South Africa, India, Singapore, Saudi Arabia, and numerous American states have adopted GDPR concepts such as data minimization, lawful bases for processing, data-subject rights, breach notification, and impact assessments—adapting them to local political economies.
The United Kingdom, post-Brexit, has explicitly sought to preserve “core protections while cutting red tape.” A recent study concludes that GDPR “didn’t reduce innovation but changed its form”—forcing companies into deeper reorganization of data management and improvement of existing products, while limiting their capacity for creating entirely new ones.
From this vantage point, European rules are not merely an “exaggeration”—they constitute a reference point that others selectively emulate or soften.
The regulation’s merits remain a matter of genuine dispute. What cannot be disputed is that it exists, and that it demands concrete action from any enterprise that processes personal data. Polish entrepreneurs—like their counterparts across the continent—must audit their existing procedures and documentation, then adapt them to the regulation’s requirements.
It is worth remembering that GDPR does not explicitly enumerate a catalog of required documentation, with the exception of records of processing activities. In all other respects, the regulation leaves room for discretion. This does not mean, however, that documentation is superfluous—quite the contrary. It remains the primary instrument for demonstrating compliance to supervisory authorities.
Kancelaria Prawna Skarbiec offers support in GDPR compliance audits and documentation review, preparation of required regulatory documents, representation in proceedings before the Polish Data Protection Authority, analysis of contractual compliance with data-protection requirements, assistance with cross-border data transfers, and data-protection certification.
Questions about data protection in your business are best asked before the supervisory authority asks them for you.