Fines, fines, fines!
For a long time, European authorities were more efficient at making new rules than at enforcing them. Things have changed! Now, whenever new resolutions are adopted, sanctions for offenders are part of the texts. Rules only make sense if law enforcement is adequate; this is not only a matter of efficiency but also of credibility.
Cybersecurity and privacy authorities are increasingly imposing fines on all kinds of players around the world in relation to their activities in the European Union. GDPR sanctions are imposed by the member states' data privacy authorities. The record, so far, has been held by Amazon since 2021, when it received a EUR 746 million fine from the Luxembourg authority for issues relating to cookie consent, following a complaint made by French digital rights group “La Quadrature du Net” in 2018, which targeted the way Amazon obtains consent to target adverts. French regulator CNIL (Commission Nationale de l'Informatique et des Libertés, the National Commission on Informatics and Liberty) said the decision is “of an unprecedented scale and marks a turning point in the application of the GDPR and the protection of the rights of European nationals.”
Meta comes second on the list with a EUR 405 million fine for mishandling teenagers’ data on Instagram: it allowed minors aged 13-17 to create business accounts on the platform, which made their contact information, such as phone numbers and email addresses, publicly available. Another EUR 265 million fine was imposed by the Irish regulator, the Data Protection Commission, on Facebook for breaching data protection rules after it was revealed that personal data had been made available on an online hacking forum. This included the full names, phone numbers, birth dates and locations of Facebook users using the site in 2018 and 2019. Meta has also been fined over its WhatsApp branch: the Irish regulator imposed a EUR 225 million penalty for having failed to properly explain its data processing practices in its privacy notice.
The cumulative amount of GDPR fines has reached EUR 2.4 trillion, a figure which may seem staggering at first sight, but is it a deterrent for the GAFAM and other large blue-chip companies? At the same time, Amazon's 2021 net income was US$ 33.4 billion (EUR 30.8 billion) and Meta's 2021 net income reached US$ 39.4 billion (EUR 36.3 billion). In other words, fines in the hundreds of millions are equivalent to a single-digit percentage of their corporate net income.
One may wonder whether the objective of the EU and its law enforcement bodies is to affect these companies’ net income or rather to target their brand image.
But even higher than GDPR fines are the ones imposed by EU antitrust authorities. The record is still held by Google, which was fined EUR 4.34 billion in 2018 by the European Commission for breaching EU antitrust rules. The point was that Google had “imposed illegal restrictions on Android device manufacturers and mobile network operators to cement its dominant position in general internet search.” Google was a repeat offender, as it had already been fined EUR 2.4 billion in 2017 for having “abused their market dominance as a search engine by giving an illegal advantage to another Google product, its comparison shopping service,” as stated in the EU Commission statement. Again, for comparison, the 2021 net income of Alphabet, Google's parent company, was US$ 76 billion (EUR 70 billion).
There is no doubt that fines are needed as the law enforcement arm of EU authorities. They also take place in an international context where the USA has been continually imposing sanctions on corporations from other countries, not only for their business in the US but also for business in other places, thanks to the extraterritorial jurisdiction of US law imposed by American authorities.