Earlier this month, European Commissioner Thierry Breton announced the European Union would consider levying daily fines on X (formerly Twitter) for extending its blue check verification system to eligible premium users. The change, Breton contended, “deceived users” and infringed the EU’s Digital Services Act (DSA), a 2022 package of regulations concerning illegal content, advertising, and “disinformation.”

Though the scale of the fine — which could total around 6% of the X’s annual global revenue — was unusual, the threat was not; in the last year alone, the EU levied dozens of fines, ranging from hundreds of thousands to billions of euros, on American tech companies for failing to comply with their extensive roster of digital regulations. High level, we could describe the phenomenon as follows: European regulators create vague, ever-shifting rules to govern the conduct of highly productive American tech companies, fine these companies for non-compliance, and then use the money they’ve earned to underwrite Europe’s stagnating economy — and pay their own salaries, of course.

American tech company shareholders ultimately bear the costs of the EU’s growing tariff-in-all-but-name scheme. Additionally, there’s evidence to believe the regulation is designed to extract from companies, rather than protect consumers: as we’ll see, the bloc often imposes massive, clearly premeditated fines immediately after compliance deadlines. And now, with its new DSA and Digital Markets Act (DMA) — which allow for fines of up to 6% and 10% of a company's worldwide yearly revenue — EU regulation threatens to significantly cut the profit margins necessary for R&D, capital expenditures and other strategic investments to maintain incumbency and increase shareholder value.

REGULATORY FINES, BY THE NUMBERS

As a bloc, the EU currently has three primary means of levying fines on American tech companies: the General Data Protection Regulation (GDPR), a 2016-vintage package of data privacy laws; the DSA mentioned above; and the DMA, a package of competition laws passed around the same time as the DSA.

Digital Services Act and Digital Markets Act

Enforcement of the DMA and DSA only began this year, so the full scope of the damage remains to be seen. But these regulatory packages threaten to exact enormous fines from tech companies, and almost exclusively target the biggest companies in the American sector. The DMA, which ensures “large online platforms [operating] in the EU behave fairly,” applies to six “gatekeepers” — Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft — while the DSA applies to only to “VLOPs” or “VLOSEs” (Very Large Online Platforms or Search Engines, a Brussels neologism for platforms with more than 45 million monthly users). Bing and Google are the only VLOSEs that qualify, while the list of qualifying VLOPs is overwhelmingly American. The fines permitted under both regulations are unprecedented; the DSA permits fines of up to 6% of a company’s global annual revenue, while the DMA permits fines of up to 10% of a company’s global annual revenue, and an egregious 20% for repeat offenses.

For context, per most recent company figures, a 10% DMA fine on Google would cost the company $30.5 billion and shave nearly 40% off its annual net income; on Meta, its net income would be reduced by over 30% with a $14.3 billion fine; and on Microsoft, the EU would claim over 27% of its net income with a $23.6 billion fine.

The EU often imposes fines mere weeks or days after compliance deadlines pass, suggesting this kind of extraction is a feature, not a bug, of the regulatory regime. For instance, immediately after DMA enforcement went into effect, the EU announced it was launching investigations into Apple and Alphabet on suspicion they were failing to comply with the regulation. Shortly after this, in June, the bloc announced Apple was non-compliant and warned the company could be fined up to $38 billion — equivalent to approximately 20% of its net income — if it failed to allow “steering,” or allowing app developers to direct customers to make purchases outside of apps. (Apple had previously been slapped with an over €1.8 billion antitrust fine on steering-related charges.)

Likewise, in response to the DMA’s requirement that Facebook and Instagram get users’ affirmative consent to data collection, Meta rolled out a “pay or consent” model for EU citizens — under which users have the option to consent to collection of their data or pay for an ad-free version that doesn’t collect their data. This July, the EU notified the company that this new model might violate consumer protection laws, and gave them less than two months to propose changes.

The bloc also announced it would open investigations into Facebook, Instagram and X over suspected non-compliance with the DSA — and Breton’s recent threat to levy daily fines on X appears to be the first shot on this front.

General Data Protection Regulation and other fines

Comprehensive data on GDPR fines is readily available. Per the GDPR Enforcement Tracker, a database maintained by an international law firm headquartered in Frankfurt, the EU has imposed around 2,150 GDPR fines, collectively totaling over €4.5 billion, since enforcement began in 2018. But the ten largest fines alone — eight of which were levied at American companies — account for over 84% (€3.8 billion) of this total.

Since GDPR fines tend to be lopsided, with a handful of enormous sanctions accounting for the vast majority of the plunder, tallying the cost to few major U.S. tech companies will suffice as a rough proxy of the regulations’ overall cost to industry. By far, Meta has paid the most the company has been fined over €2.1 billion for GDPR non-compliance since 2018 — of which the single, record-breaking €1.2 billion fine Ireland imposed on the company last May accounts for over half. Amazon, which has paid over €780 million in GDPR fines, is a distant second, and Google, which has paid at least €210 million is third.

Beyond GDPR, DMA and DSA, the EU also levies fines on American tech companies through antitrust investigations and country-specific regulations. For instance, besides the Apple antitrust fine — which, incidentally, stemmed from a lawsuit filed against Apple by Spotify, a European company — the bloc also fined Google $5.1 billion and $2.7 billion for anti-competitive practices in 2018 and 2017, respectively. And in 2019, Germany fined Facebook €2 million for violating its own, country-specific hate speech laws.

COMPLIANCE AND M&A COSTS

Non-compliance fines are easy to quantify. But the EU also imposes indirect costs on companies that must hire an army of lawyers and accountants to ensure compliance with vague, ever-changing rules, and fend off antitrust investigations. Back in 2017, before GDPR enforcement began, the Financial Times estimated that Fortune 500 companies would spend around $7.8 billion — almost $16 million each, on average — to bring their systems in compliance with the regulation.

Per a 2023 report from the Center for Strategic and International Studies (CSIS), a D.C.-based think tank, compliance costs related to the DMA and DSA could far exceed this; the report estimates the new regulations could “conservatively entail some $22 billion to $50 billion in new compliance and operational costs to U.S. digital services providers.” It further estimates that if these U.S. digital service providers raise costs by just 5 percent to offset these new compliance fees, U.S. companies more broadly could incur over $97 billion in cost increases — around half of which would be paid by small and medium-sized enterprises.

The EU’s aggressive antitrust policy also costs companies millions in legal fees and opportunity costs. Pre-Brexit, for example, the UK notoriously blocked Meta’s acquisition of GIPHY for $315 million on the grounds Meta could block other social media companies from accessing a popular GIF database. After a protracted legal battle, during which GIPHY was unable to operate its monetization business, Meta agreed to sell off GIPHY for $53 million to Shutterstock — a loss of over $260 million. The UK watchdog similarly forced Adobe to abandon its $20 billion bid to acquire Figma this past December.

Amid all of this regulatory action, it’s unclear whether European developers or consumers themselves actually stand to benefit. A substantial body of academic literature now suggests GDPR regulations crippled Europe’s (already small) startup space, mainly by increasing the costs of data storage and dissuading VCs from investing in the continent, a trend which further incentivizes European tech founders to move to America. And American companies are increasingly pulling out of the European market for fear of increased regulations — Meta recently announced it would not release its multimodal Llama model in the EU “due to the unpredictable nature of the European regulatory environment,” while Apple said it would not release its “Apple Intelligence” AI tool in the EU market for similar reasons. Would most European consumers favor stronger data protection laws over unfettered access to new technologies? Unclear, but it’s certain that the attendant economic cost of overregulation has tangibly contributed to the continent’s stagnation. Ultimately, the only party that stands to unequivocally benefit here are the EU regulators themselves, who’ve managed to cement their place as a profit-generating system by raiding American businesses under the guise of harm reduction.

— Sanjana Friedman