Proton

Why we need bigger fines for Big Tech

In the first seven months of 2023, Big Tech companies have been fined nearly $2.34 billion for privacy violations and abusing their monopoly power. Since the European Union introduced the GDPR in 2018, these companies have been fined upwards of $7 billion. 

These are massive amounts, but they don’t seem to have had any appreciable effect on Big Tech’s behavior. That’s because these fines, massive as they are, represent little more than an inconvenience to these companies. 

It seems that Google, Facebook, and others view these fines as the price of doing business and will continue to pay these astronomical amounts if it means they can continue abusing your data and crushing alternative business models. 

To truly defend our privacy and make the internet a level playing field, we need regulations with teeth, which means we need even bigger fines.

Big Tech’s cash on hand dwarfs their fines

It might be hard to believe a company wouldn’t care about paying over a billion dollars, but it’s easy to understand once you see how much cash on hand these companies have. 

Cash on hand refers to a company’s cash after it has paid all its costs. It’s essentially a measure of how much free money a company has (or can easily obtain by selling liquid assets) at any given time. 

| Company | Cash on hand |
| --- | --- |
| Apple | $55.87 billion (as of April 1, 2023) |
| Alphabet (Google) | $118.33 billion (as of June 30, 2023) |
| Meta (Facebook) | $37.44 billion (as of April 26, 2023) |
| Amazon | $64.40 billion (as of April 27, 2023) |
| Microsoft | $111.26 billion (as of June 30, 2023) |

For comparison’s sake, here is the largest fine each of these companies has received since 2018:

| Company | Largest fine in the past five years | Date |
| --- | --- | --- |
| Apple | $371 million (by CNIL for anti-competitive behavior) | Original fine: March 16, 2020; fine reduced on appeal: Oct. 6, 2022 |
| Alphabet (Google) | $4.13 billion (by the EU for illegally tying Chrome and search apps to Android devices) | Original fine: July 18, 2018; fine reduced on appeal: Sept. 14, 2022 |
| Meta (Facebook) | $1.3 billion (by the Irish DPA for transferring data to the US without proper data protections) | Fine: May 22, 2023 |
| Amazon | $886 million (by the Luxembourgish DPA for not complying with EU law when processing user data) | Fine: July 30, 2021 |
| Microsoft | $64 million (by CNIL around cookies on Bing) | Fine: Dec. 22, 2022 |

There are a couple of things to note here. First, all of the highest fines have originated from the EU because they have aggressive anti-monopoly policies, and the GDPR provides a framework for fines for companies that violate their users’ privacy. Second, none of these fines caused any discomfort for these companies. 

Alphabet, the parent company of Google, received the largest fine of any Big Tech company, but it could pay that fine a staggering 28 times before it ran out of cash. Microsoft could pay its biggest fine an incredible 1,738 times before it depleted its cash. 

Big Tech can pay off most fines with a day’s worth of profit

Cash on hand can be deceiving — it can be inflated if a company recently sold off an asset or dip if a company invests heavily in research and development or infrastructure. This isn’t the case for most Big Tech companies. They’ve steadily carried large cash on hand reserves for years.

Still, revenue is a more accurate depiction of a company’s size and profitability. We can also look at how long it would take each of these companies to make enough revenue to pay off one of these fines. 

| Company | Annual revenue |
| --- | --- |
| Apple | $394.33 billion (reported Sept. 24, 2022) |
| Alphabet (parent company of Google) | $282.84 billion (reported Dec. 31, 2022) |
| Meta (Facebook) | $116.61 billion (reported Dec. 31, 2022) |
| Amazon | $513.98 billion (reported Dec. 31, 2022) |
| Microsoft | $198.27 billion (reported June 30, 2022) |

These numbers are almost too big to comprehend, so it might be easier to benchmark them with how long it takes a company to generate enough revenue to pay off a $1 billion fine.

| Company | Revenue earned per hour (based on 2022 figures) | How long it takes to earn $1 billion (based on 2022 figures) |
| --- | --- | --- |
| Apple | $45.01 million | 22 hours |
| Alphabet (parent company of Google) | $32.29 million | 1 day and 7 hours |
| Meta (Facebook) | $13.31 million | 3 days and 3 hours |
| Amazon | $58.67 million | 17 hours |
| Microsoft | $22.63 million | 1 day and 20 hours |

As this table demonstrates, Big Tech companies won’t notice any fine that’s less than $1 billion — in fact, Apple probably made enough revenue to cover its recent $8 million fine in less time than it took to finish reading the verdict.

Cumulatively, Big Tech companies make enough revenue to pay all the fines they’ve received throughout 2023 ($2.34 billion) in less than a week (six days and five hours).

Big fines require political will

If regulatory fines are meant to signal to companies that they need to change their behavior, then they must be big enough to get those companies’ attention. We know people want to tell these companies to stop collecting their data without their knowledge or permission and stop using their market dominance to box out competitors. Governments are attempting to deliver that message, but it isn’t getting through because the fines are tolerable.

This isn’t a surprise — the GDPR allows for fines up to 4% of annual global turnover (otherwise known as annual revenue). The maximum fines Big Tech could face under the GDPR are as follows:

| Company | Maximum fine allowed under the GDPR (based on 2022 revenue) |
| --- | --- |
| Apple | $15.77 billion |
| Alphabet (parent company of Google) | $11.31 billion |
| Meta (Facebook) | $4.66 billion |
| Amazon | $20.56 billion |
| Microsoft | $7.93 billion |

These figures might get Big Tech’s attention, but it comes down to the data protection agencies’ (DPAs) willingness to issue maximum fines. That’s never been on the table for a number of reasons, including the complexity of these cases, the armies of lawyers Big Tech employs to obfuscate and delay proceedings, and certain countries’ desire to maintain their “business friendly” reputation.

National DPAs have conflicting interests. They’re charged with protecting their citizens’ privacy rights, but if they adopt business-friendly, laissez-faire interpretations of the GDPR, their home country can attract Big Tech headquarters and the billions of dollars of investments and jobs that come with them. 

For example, many Big Tech companies, including Meta and Apple, have chosen Ireland for their EU headquarters because of its favorable tax scheme, meaning Ireland’s DPA has an outsize impact when regulating and punishing Big Tech companies. While the Irish DPA did issue one of the largest GDPR fines ever to Meta ($1.3 billion), it only did so after 10 years of litigation by privacy advocates, such as NOYB.

Afterward, NOYB’s founder, Max Schrems, had this comment: “The Irish regulator has done everything to avoid this decision, but was consistently overturned by the European Courts and institutions. It is kind of absurd that the record fine will go to Ireland — the EU Member State that did everything to ensure that this fine is not issued”.

Who is in charge – Big Tech or elected governments?

The EU has noticed that the DPAs of Ireland and Luxembourg — coincidentally countries that host the headquarters of many large and rich tech companies — have become bottlenecks, slowing down and watering down GDPR investigations. To ensure the DPAs take their mandate to protect people’s privacy seriously, the European Commission, the EU’s executive branch, is taking action. 

Starting in January 2023, the Commission increased its scrutiny of DPAs, now requiring updates every two months on every DPA’s data-protection investigations. If the DPAs don’t comply with the Commission’s directives, they could be taken to the European Court of Justice.

This fight is important because Big Tech currently decides how much of your data is collected and how it is used. If we want an internet that respects people’s privacy, the fastest way to get there is to convince Big Tech that abusing people’s data is not only wrong, it’s unprofitable. Big Tech’s profits dwarf the penalties they’re paying. Why would a company jeopardize billions in revenue to avoid paying a fine it can cover with what it earns in a day?

It seems Big Tech’s current approach to these fines is to treat them as permits they have to pay to continue abusing people’s data. Their armies of lawyers seem much more concerned with avoiding and delaying enforcement of the GDPR than with complying with it. The EU and DPAs seem to recognize they must step up their approach to win compliance. We hope this inspires other countries, namely the US, to start taking this seriously as well.

But it’s not all on regulators’ shoulders. We, the people, can act as well. While big fines might finally get Big Tech’s attention, there’s one thing these companies are always paying attention to — user numbers. The only thing that could drive Big Tech to reconsider its business model is if it sees tens or hundreds of millions of people leaving for privacy-focused alternatives.

Until then, these companies will try to monetize as much data as they can, happy to pay the minor fines they receive. Also, in the time it took you to read this article, Alphabet, Amazon, Apple, Meta, and Microsoft made about $28.65 million.  

2023 fines (year to date)

| Company | Fine | Time to pay off fine |
| --- | --- | --- |
| Alphabet (Google) | $160,000,000 (for Android’s market dominance in India) | 5 hours |
| Apple | $8,000,000 (by the French DPA for privacy violations) | 11 minutes |
| Apple | $17,000,000 (for dominant market activity in Russia) | 23 minutes |
| Meta (Facebook) | $5,950,000 (by the Irish DPA for breach of privacy laws) | 27 minutes |
| Microsoft | $64,000,000 (by French DPA for Bing’s use of cookies) | 2.5 hours |
| Meta (Facebook) | $414,000,000 (by Irish DPA for breaches of GDPR by both Meta and Instagram) | 1.5 days |
| Alphabet (Google) | $32,000,000 (by South Korea for blocking mobile games on rival app stores) | 1 hour |
| Amazon | $30,000,000 (by FTC for privacy and data breaches relating to Ring and Alexa) | 30 minutes |
| Meta (Facebook) | $1,300,000,000 (by Irish DPA for transfer of personal data to the USA) | 4 days |
| Alphabet (Google) | $47,000,000 (for anticompetitive activity in video hosting market in Russia) | 87 minutes |
| Microsoft | $20,000,000 (by the FTC for violations of the Children’s Online Privacy Protection Act) | 53 minutes |
| Amazon | $25,000,000 (by FTC for violations of the Children’s Online Privacy Protection Act) | 26 minutes |
| Alphabet (Google) | $2,000,000 (by France for failure to provide search rank criteria on Google search and the Play Store) | 4 minutes |
| Apple | $161,400,000 (by Spain, for price fixing Apple products on Amazon) | 3.5 hours |
| Amazon | $56,700,000 (by Spain, for price fixing Apple products on Amazon) | 58 minutes |
| Time to pay off fine | $2,343,050,000.00 | 6 days 5 hours |
