In the first seven months of 2023, Big Tech companies have been fined nearly $2.34 billion for privacy violations and abusing their monopoly power. Since the European Union introduced the GDPR in 2018, these companies have been fined upwards of $7 billion.
These are massive amounts, but they don’t seem to have had any appreciable effect on Big Tech’s behavior. That’s because these fines, massive as they are, represent little more than an inconvenience to these companies.
It seems that Google, Facebook, and others view these fines as the price of doing business and will continue to pay these astronomical amounts if it means they can continue abusing your data and crushing alternative business models.
To truly defend our privacy and make the internet a level playing field, we need regulations with teeth, which means we need even bigger fines.
Big Tech’s cash on hand dwarfs their fines
It might be hard to believe a company wouldn’t care about paying over a billion dollars, but it’s easy to understand once you see how much cash on hand these companies have.
Cash on hand refers to a company’s cash after it has paid all its costs. It’s essentially a measure of how much free money a company has (or can easily obtain by selling liquid assets) at any given time.
| Company | Cash on hand |
|---|---|
| Apple(new window) | $55.87 billion (as of April 1, 2023) |
| Alphabet(new window) (Google) | $118.33 billion (as of June 30, 2023) |
| Meta(new window) (Facebook) | $37.44 billion (as of April 26, 2023) |
| Amazon(new window) | $64.40 billion (as of April 27, 2023) |
| Microsoft(new window) | $111.26 billion (as of June 30, 2023) |
For comparison’s sake, here is the largest fine each of these companies has received since 2018:
| Company | Largest fine in the past five years | Date |
|---|---|---|
| Apple | $371 million (by CNIL for anti-competitive behavior(new window)) | Original fine: March 16, 2020 Fine reduced on appeal: Oct. 6, 2022 |
| Alphabet (Google) | $4.13 billion (by the EU for illegally tying Chrome and search apps to Android devices(new window)) | Original fine: July 18, 2018 Fine reduced on appeal: Sept. 14, 2022 |
| Meta (Facebook) | $1.3 billion (by the Irish DPA for transferring data to the US without proper data protections(new window)) | Fine: May 22, 2023 |
| Amazon | $886 million (by the Luxembourgish DPA for not complying with EU law when processing user data(new window)) | Fine: July 30, 2021 |
| Microsoft | $64 million (by CNIL around cookies on (new window)Bing(new window)) | Fine: Dec. 22, 2022 |
There are a couple of things to note here. First, all of the highest fines have originated from the EU because they have aggressive anti-monopoly policies, and the GDPR provides a framework for fines for companies that violate their users’ privacy. Second, none of these fines caused any discomfort for these companies.
Alphabet, the parent company of Google, received the largest fine of any Big Tech company, but it could pay that fine a staggering 28 times before it ran out of cash. Microsoft could pay its biggest fine an incredible 1,738 times before it depleted its cash.
Big Tech can pay off most fines with a day’s worth of profit
Cash on hand can be deceiving — it can be inflated if a company recently sold off an asset or dip if a company invests heavily in research and development or infrastructure. This isn’t the case for most Big Tech companies. They’ve steadily carried large cash on hand reserves for years.
Still, revenue is a more accurate depiction of a company’s size and profitability. We can also look at how long it would take each of these companies to make enough revenue to pay off one of these fines.
| Company | Annual revenue |
|---|---|
| Apple(new window) | $394.33 billion (reported Sept. 24, 2022) |
| Alphabet(new window) (parent company of Google) | $282.84 billion (reported Dec. 31, 2022) |
| Meta(new window) (Facebook) | $116.61 billion (reported Dec. 31, 2022) |
| Amazon(new window) | $513.98 billion (reported Dec. 31, 2022) |
| Microsoft(new window) | $198.27 billion (reported June 30, 2022) |
These numbers are almost too big to comprehend, so it might be easier to benchmark them with how long it takes a company to generate enough revenue to pay off a $1 billion fine.
| Revenue earned per hour (based on 2022 figures) | How long it takes to earn $1 billion (based on 2022 figures) | |
|---|---|---|
| Apple | $45.01 million | 22 hours |
| Alphabet (parent company of Google) | $32.29 million | 1 day and 7 hours |
| Meta (Facebook) | $13.31 million | 3 days and 3 hours |
| Amazon | $58.67 million | 17 hours |
| Microsoft | $22.63 million | 1 day and 20 hours |
As this table demonstrates, Big Tech companies won’t notice any fine that’s less than $1 billion — in fact, Apple probably made enough revenue to cover its recent $8 million fine(new window) in less time than it took to finish reading the verdict.
Cumulatively, Big Tech companies make enough revenue to pay all the fines they’ve received throughout 2023 ($2.34 billion) in less than a week (six days and five hours).
Big fines require political will
If regulatory fines are meant to signal to companies that they need to change their behavior, then they must be big enough to get those companies’ attention. We know people want to tell these companies to stop collecting their data without their knowledge or permission and stop using their market dominance to box out competitors. Governments are attempting to deliver that message, but it isn’t getting through because the fines are tolerable.
This isn’t a surprise — the GDPR allows for fines up to 4% of annual global turnover (otherwise known as annual revenue). The maximum fines Big Tech could face under the GDPR are as follows:
| Company | Maximum fine allowed under the GDPR (based on 2022 revenue) |
|---|---|
| Apple | $15.77 billion |
| Alphabet (parent company of Google) | $11.31 billion |
| Meta (Facebook) | $4.66 billion |
| Amazon | $20.56 billion |
| Microsoft | $7.93 billion |
These figures might get Big Tech’s attention, but it comes down to the data protection agencies’ (DPAs) willingness to issue maximum fines. That’s never been on the table for a number of reasons, including the complexity of these cases, the armies of lawyers Big Tech employs to obfuscate and delay proceedings, and certain countries’ desire to maintain their “business friendly” reputation.
National DPAs have conflicting interests. They’re charged with protecting their citizens’ privacy rights, but if they adopt business-friendly, laissez-faire interpretations of the GDPR, their home country can attract Big Tech headquarters and the billions of dollars of investments and jobs that come with them.
For example, many Big Tech companies, including Meta and Apple, have chosen Ireland for their EU headquarters because of its favorable tax scheme, meaning Ireland’s DPA has an outsize impact when regulating and punishing Big Tech companies. While the Irish DPA did issue one of the largest GDPR fines ever to Meta ($1.3 billion), it only did so after 10 years of litigation by privacy advocates, such as NOYB(new window).
Afterward, NOYB’s founder, Max Schrems, had this comment(new window), “The Irish regulator has done everything to avoid this decision, but was consistently overturned by the European Courts and institutions. It is kind of absurd that the record fine will go to Ireland — the EU Member State that did everything to ensure that this fine is not issued”.
Who is in charge – Big Tech or elected governments?
The EU has noticed that the DPAs of Ireland and Luxembourg — coincidentally countries that host the headquarters of many large and rich tech companies — have become bottlenecks, slowing down and watering down GDPR investigations. To ensure the DPAs take their mandate to protect people’s privacy seriously, the European Commission, the EU’s executive branch, is taking action.
Starting in January 2023, the Commission increased its scrutiny(new window) of DPAs, now requiring updates every two months on every DPA’s data-protection investigations. If the DPAs don’t comply with the Commission’s directives, they could be taken to the European Court of Justice.
This fight is important because Big Tech currently decides how much of your data is collected and how it is used. If we want an internet that respects people’s privacy, the fastest way to get there is to convince Big Tech that abusing people’s data is not only wrong, it’s unprofitable. Big Tech’s profits dwarf the penalties they’re paying. Why would a company jeopardize billions in revenue to avoid paying a fine it can cover with what it earns in a day?
It seems Big Tech’s current approach to these fines is to treat them as permits they have to pay to continue abusing people’s data, their armies of lawyers seemingly much more concerned about avoiding and delaying enforcement of the GDPR rather than complying with it. The EU and DPAs seem to recognize they must step up their approach to win compliance. We hope this inspires other countries, namely the US, to start taking this seriously as well.
But it’s not all on regulators’ shoulders. We, the people, can act as well. While big fines might finally get Big Tech’s attention, there’s one thing these companies are always paying attention to — user numbers. The only thing that could drive Big Tech to reconsider its business model is if it sees tens or hundreds millions of people leaving for privacy-focused alternatives.
Until then, these companies will try to monetize as much data as they can, happy to pay the minor fines they receive. Also, in the time it took you to read this article, Alphabet, Amazon, Apple, Meta, and Microsoft made about $28.65 million.
